Problem:
You find a traceback like this on a school slave in /var/log/univention/connector-s4.log:
04.01.2019 10:39:42,517 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=staff,cn=users,dc=schein,dc=ig
04.01.2019 10:39:42,774 LDAP (ERROR ): Unknown Exception during sync_to_ucs
04.01.2019 10:39:42,775 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 583, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1222, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
Investigation:
This can happen with global users, such as staff members.
In school environments, changes to objects within an OU are written back to the master. Changes to objects outside the OU cannot be written back, because LDAP ACLs restrict this.
Therefore the permissionDenied exception occurs.
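To list which objects are affected, the log can be scanned for sync_to_ucs attempts that ended in permissionDenied. The following is an added example, not part of the original article or of Univention's code. The sample log is constructed from the excerpt above (pupil1, school1 and teachers are made-up names), and the function names and the rule "a school object has an ou= RDN in its DN" are assumptions.

```python
import re

# Constructed sample in the format of the connector-s4.log excerpt above.
SAMPLE_LOG = """\
04.01.2019 10:39:42,517 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=staff,cn=users,dc=schein,dc=ig
04.01.2019 10:39:42,774 LDAP (ERROR ): Unknown Exception during sync_to_ucs
04.01.2019 10:39:42,775 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
04.01.2019 10:40:01,102 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=pupil1,cn=schueler,cn=users,ou=school1,dc=schein,dc=ig
04.01.2019 10:40:05,310 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=teachers,cn=groups,dc=schein,dc=ig
04.01.2019 10:40:05,498 LDAP (ERROR ): Unknown Exception during sync_to_ucs
04.01.2019 10:40:05,499 LDAP (ERROR ): Traceback (most recent call last):
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
"""

SYNC_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d+) LDAP \(PROCESS\s*\): "
    r"sync to ucs: \[\s*(?P<type>[^\]]+?)\s*\] \[\s*(?P<op>[^\]]+?)\s*\] (?P<dn>.+)$"
)

def in_school_ou(dn):
    """Assumption: school objects carry an ou= RDN; global objects do not."""
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    return any(r.strip().lower().startswith("ou=") for r in rdns)

def find_denied_syncs(lines):
    """Return one record per sync_to_ucs attempt that ended in permissionDenied."""
    findings, current = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = SYNC_RE.match(line)
        if m:
            current = m.groupdict()  # remember the object being synced
        elif line.strip() == "permissionDenied" and current:
            current["outside_ou"] = not in_school_ou(current["dn"])
            findings.append(current)
            current = None  # do not count the same attempt twice
    return findings

if __name__ == "__main__":
    for f in find_denied_syncs(SAMPLE_LOG.splitlines()):
        scope = "outside OU" if f["outside_ou"] else "inside OU"
        print(f["ts"], f["type"], f["op"], f["dn"], "(%s)" % scope)
```

For a real log, pass the open file object for /var/log/univention/connector-s4.log to find_denied_syncs() instead of the sample.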
Solution:
In this special case the user was created long before 4.3, and some "new" attributes introduced with 4.3 had not been saved.
For example:
The following empty properties have been set to default values. The values are applied when saving.
Account - Deactivation - Account is deactivated: false
[Advanced Settings] - Mail - E-mail Quota (MB): 0
After saving these default values, the reject was resolved.
Note: To make sure all objects have their default values, check this article.