kudos @stoeckigt

How To: Analyze Connector Pickle Files From Rejects

You have some rejects from either S4-connector or AD-connector and you have the pickle files at /var/lib/univention-connector/s4 or /var/lib/univention-connector/ad.

Step 1

Pick one of the pickle files to analyze. They are usually named similar as 1555510558.415445.

Step 2

Create a Python named check_pickle.py script as follows or download check_pickle.py (393 Bytes)
:

#!/usr/bin/env python
#-*- coding: utf-8 -*-
import sys
import pickle
import difflib
import pprint

def compare_dicts(d1, d2):
	return ('\n' + '\n'.join(difflib.ndiff(
		pprint.pformat(d1).splitlines(),
		pprint.pformat(d2).splitlines())))

with open(sys.argv[1]) as pf:
	obj = pickle.load(pf)

#	obj[0] ## is DN 
#	obj[1] ## is new
#	obj[2] ## is old
	print(compare_dicts(obj[1], obj[2]))

Step 3

Run the Python code against the pickle file:

root@ucs:~# python check_pickle.py 1555510558.415445 

  {'abteilung': ['Technische User'],
   'aktiv': ['TRUE'],
   'cn': ['iblind'],
   'createTimestamp': ['20171023092005Z'],
   'creatorsName': ['uid=b34567,cn=users,dc=multi,dc=ucs'],
   'department': ['Technische User'],
   'displayName': ['iblind'],
-  'entryCSN': ['20190417141517.741380Z#000000#000#000000'],
?                       ^^^  ^   ^^ ^

+  'entryCSN': ['20190416150739.727370Z#000000#000#000000'],
?                       ^  ^ ++  ^^ ^

   'entryDN': ['uid=iblind,cn=users,dc=multi,dc=ucs'],
   'entryUUID': ['19e26cd6-4c1f-1337-9dce-ab46008a28c9'],
   'gecos': ['iblind'],
-  'gidNumber': ['5001'],
?                  ^^^

+  'gidNumber': ['9354'],
?                 ++ ^

   'hasSubordinates': ['FALSE'],
   'homeDirectory': ['/home/iblind'],
-  'krb5KDCFlags': ['254'],
?                     ^^

+  'krb5KDCFlags': ['126'],
?                    + ^

   'krb5KeyVersionNumber': ['1'],
   'krb5MaxLife': ['86400'],
   'krb5MaxRenew': ['604800'],
   'krb5PasswordEnd': ['20190608000000Z'],
   'krb5PrincipalName': ['iblind@MULTI.UCS'],
   'loginShell': ['/bin/bash'],
   'modifiersName': ['cn=admin,dc=multi,dc=ucs'],
-  'modifyTimestamp': ['20190417141517Z'],
?                              ^^^  ^

+  'modifyTimestamp': ['20190416150739Z'],
?                              ^  ^ ++

   'objectClass': ['Person',
                   'organizationalPerson',
                   'automount',
                   'top',
                   'inetOrgPerson',
                   'univentionSolaris',
                   'person',
                   'univentionPWHistory',
                   'shadowAccount',
                   'univentionSAMLEnabled',
                   'posixAccount',
                   'univentionObject',
                   'krb5KDCEntry',
                   'sambaSamAccount',
                   'univentionMail',
                   'krb5Principal'],
   'ou': ['Technische User'],
   'pwhistory': ['$1$NUGSJnB[...]lTefji.'],
-  'sambaAcctFlags': ['[UD         ]'],
?                        ^

+  'sambaAcctFlags': ['[U          ]'],
?                        ^

-  'sambaPrimaryGroupSID': ['S-1-5-21-4176167760-2226027309-3285381612-513'],
   'sambaPwdLastSet': ['1552172400'],
   'sambaSID': ['S-1-5-21-4177157794-2226027309-3285381612-19732'],
-  'shadowExpire': ['1'],
   'shadowLastChange': ['17965'],
   'shadowMax': ['90'],
   'sn': ['iblind'],
   'structuralObjectClass': ['inetOrgPerson'],
   'subschemaSubentry': ['cn=Subschema'],
   'title': ['LDAP-Kennung'],
   'uid': ['iblind'],
   'uidNumber': ['9366'],
   'univentionIsSolarisObject': ['1'],
   'univentionObjectType': ['users/user'],
-  'userPassword': ['{crypt}!$1$ZbhVf.Fy$xZbPhrdiz69j3PnV8WfWe/']}
?                           -

+  'userPassword': ['{crypt}$1$ZbhVf.Fy$xZbPhrdiz69j3PnV8WfWe/']}

To interpret the output check for lines starting with “+” or “-”. Depending on the type of reject it means a change did not go through.