Kudos @Pepe
Problem:
univention-s4connector-list-rejected
frequently shows rejects like the following:
UCS rejected
1: UCS DN: cn=Console Logon,cn=Builtin,dc=domain,dc=intranet
S4 DN: cn=console logon,cn=builtin,DC=domain,DC=intranet
Filename: /var/lib/univention-connector/s4/1532257834.494789
S4 rejected
1: S4 DN: CN=Console Logon,CN=Builtin,DC=domain,DC=intranet
UCS DN: cn=console logon,cn=builtin,dc=domain,dc=intranet
last synced USN: 25042
Removing the reject only helps for a short time and the reject happens again later.
Investigation:
02.07.2018 14:36:13,611 LDAP (PROCESS): sync from ucs: [ group] [ add] cn=Console Logon,cn=Builtin,DC=schein,DC=me
02.07.2018 14:36:13,669 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=console logon,cn=builtin,DC=schein,DC=me
02.07.2018 14:36:13,670 LDAP (ERROR ): sync_from_ucs: traceback during modify object: cn=console logon,cn=builtin,DC=schein,DC=me
02.07.2018 14:36:13,670 LDAP (ERROR ): sync_from_ucs: traceback due to modlist: [(2, 'groupType', [u'-2147483643'])]
02.07.2018 14:36:13,679 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1530534969.868665
02.07.2018 14:36:13,681 LDAP (WARNING): Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 898, in __sync_file_from_ucs
if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2736, in sync_from_ucs
self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'error in module samldb: Unwilling to perform during LDB_MODIFY (53)', 'desc': 'Server is unwilling to perform'}
02.07.2018 14:36:14,819 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=console logon,cn=builtin,dc=rewe-digital,dc=com
02.07.2018 14:36:14,840 LDAP (ERROR ): Unknown Exception during sync_to_ucs
02.07.2018 14:36:14,840 LDAP (ERROR ): Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1599, in sync_to_ucs
result = self.modify_in_ucs(property_type, object, module, position)
File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1366, in modify_in_ucs
res = ucs_object.modify(serverctrls=serverctrls, response=response)
File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 582, in modify
dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1206, in _modify
self._ldap_pre_modify()
File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 514, in _ldap_pre_modify
self.check_ad_group_type_change()
File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 976, in check_ad_group_type_change
raise univention.admin.uexceptions.adGroupTypeChangeLocalToAny
adGroupTypeChangeLocalToAny
Solution:
It appears this group is to be ignored by the connector (see bug) but is not set in the filter rules.
To add this group as a new entry to connector/s4/mapping/group/ignorelist,
do the following:
ucr set connector/s4/mapping/group/ignorelist="Console Logon, $(ucr get connector/s4/mapping/group/ignorelist)"
systemctl restart univention-s4-connector
You might use UMC to add this entry to the UCS registry, too.
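An idempotent variant of the ucr set step above, as an added example that is not part of the original post: it leaves the list unchanged when the group is already an entry, and avoids a dangling separator when the list is empty. The function names and the --apply switch are hypothetical, the comma-separated list format is assumed from the command above, and the list values used for checking are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the ignorelist is a
# comma-separated list, as the one-liner in the post implies.
KEY="connector/s4/mapping/group/ignorelist"

# has_entry GROUP LIST: succeeds if GROUP is an exact entry of LIST.
# Runs in a subshell so the IFS and globbing changes do not leak out.
has_entry() (
    IFS=,
    set -f
    for entry in $2; do
        # Entries may carry whitespace around them ("a, b"), so trim first.
        trimmed=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if [ "$trimmed" = "$1" ]; then exit 0; fi
    done
    exit 1
)

# merge_ignorelist GROUP CURRENT: prints the value to store.
merge_ignorelist() {
    group=$1
    current=$2
    if [ -z "$(printf '%s' "$current" | tr -d '[:space:]')" ]; then
        printf '%s\n' "$group"              # empty list: no trailing ", "
    elif has_entry "$group" "$current"; then
        printf '%s\n' "$current"            # already ignored: keep as is
    else
        printf '%s, %s\n' "$group" "$current"   # same form as in the post
    fi
}

# apply_group GROUP: writes the merged value and restarts the connector,
# but only when the stored value actually changes.
apply_group() {
    current=$(ucr get "$KEY")
    new=$(merge_ignorelist "$1" "$current")
    if [ "$new" != "$current" ]; then
        ucr set "$KEY=$new"
        systemctl restart univention-s4-connector
    fi
}

# Usage on the UCS system: sh add-ignore.sh --apply "Console Logon"
if [ "${1:-}" = "--apply" ]; then
    apply_group "$2"
fi
```

Run without --apply, the script only defines the functions, so merge_ignorelist can be checked against a copied list value before anything is written.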