S4sync & UMC LDAP search filter error (OU name with brackets)


#1

Hi, an OU was created in UMC with brackets in the name. This seemed to sync over to the samba4 directory OK. Subsequently, trying to view this OU in the LDAP browser in UMC gave the below error. Likewise, it appears that moving any computer objects within, or trying to rename or delete the OU gives the same search filter error.

I assume it's to do with escaping the brackets in the name?

To try and fix it, I renamed the OU in the samba4 ADUC and moved the computer object within it back to the Computers container; however, those changes are not syncing from S4 to OpenLDAP, again, I think, due to the escaping issue in the name causing a search filter error (see log at bottom).

What’s my next move to try and fix this and get back in sync? Can I edit the OpenLDAP tree directly with an LDAP editor to rename the OU? Or do I need to use UCS tools to interact with the directory and not cause more issues?

UMC Error:

Execution of command 'udm/nav/object/query navigation' has failed:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/__init__.py", line 1035, in _thread
    for module, obj in list_objects(container, object_type=object_type):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 1074, in list_objects
    yield (module, module.get(dn))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 87, in _decorated
    return method(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 135, in _decorated
    result = func(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 507, in get
    obj.open()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/computers/windows.py", line 395, in open
    univention.admin.handlers.simpleComputer.open( self )
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1273, in open
    result=self.lo.search(base=self.lo.base, filter=searchFilter, attr=['dn'])
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 363, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(objectclass=univentionGroup)(uniqueMember=cn=LAPTOP-NAME,ou=Laptops \\(roaming\\),dc=fakedomain,dc=address,dc=com,dc=au))

Connector-s4.log:


04.07.2016 08:53:38,231 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=LAPTOP-NAME,CN=Computers,DC=fakedomain,DC=address,DC=com,DC=au
04.07.2016 08:53:38,237 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [      move] cn=LAPTOP-NAME,cn=computers,DC=fakedomain,DC=address,DC=com,DC=au
04.07.2016 08:53:38,402 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
04.07.2016 08:53:38,402 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1454, in sync_to_ucs
    result = self.move_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1255, in move_in_ucs
    ucs_object.open()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/computers/windows.py", line 395, in open
    univention.admin.handlers.simpleComputer.open( self )
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1273, in open
    result=self.lo.search(base=self.lo.base, filter=searchFilter, attr=['dn'])
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 363, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(objectclass=univentionGroup)(uniqueMember=cn=LAPTOP-NAME,ou=laptops \\(roaming\\),dc=fakedomain,dc=address,dc=com,dc=au))

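As an added illustration (not code from the original thread, and not Univention's own code), the script below reproduces the "Bad search filter" condition from the traceback and shows the fix. The DN `cn=LAPTOP-NAME,ou=Laptops \(roaming\),dc=...` is a perfectly good DN, but the handler builds a group-membership filter by interpolating that DN verbatim into `(uniqueMember=...)`. Inside a filter assertion value, RFC 4515 requires `(`, `)`, `*`, `\` and NUL to be hex-escaped (`\28`, `\29`, `\2a`, `\5c`, `\00`), so the raw `(` and `)` break the filter parser. python-ldap provides `ldap.filter.escape_filter_chars` for exactly this; the example implements the same escaping inline so it runs offline, and adds a minimal filter-syntax checker to show which string the server would reject. `EXAMPLE_DN`, the function names and the simplified filter grammar are assumptions of this example, not taken from the page.

```python
"""Why a DN containing parentheses breaks a hand-built LDAP search filter,
and how escaping the assertion value (RFC 4515) fixes it.

Added example; the DN below is constructed from the shape in the log,
not real data."""
import re

# Constructed DN in the shape reported in the thread (assumption).
EXAMPLE_DN = r"cn=LAPTOP-NAME,ou=Laptops \(roaming\),dc=fakedomain,dc=address,dc=com,dc=au"

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter.
    Equivalent to python-ldap's ldap.filter.escape_filter_chars (default mode)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_member_filter_unsafe(dn):
    """Mirrors the failing pattern: the DN is interpolated verbatim."""
    return "(&(objectclass=univentionGroup)(uniqueMember=%s))" % dn


def build_member_filter(dn):
    """Hardened form: the DN is escaped before being placed in the filter."""
    return "(&(objectclass=univentionGroup)(uniqueMember=%s))" % escape_filter_value(dn)


def _parse_filter(s, i):
    """Recursive-descent check of one '(...)' filter starting at s[i].
    Returns the index just past the closing ')' or raises ValueError.
    Simplified grammar: and/or/not and simple items only (no extensible match)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise ValueError("empty filter list")
    elif s[i] == "!":
        i = _parse_filter(s, i + 1)
    else:
        m = re.match(r"[A-Za-z0-9.;-]+(?:>=|<=|~=|=)", s[i:])
        if not m:
            raise ValueError("bad attribute/filtertype at %d" % i)
        i += m.end()
        # Assertion value: runs until ')'. A bare '(' is illegal, and a
        # backslash must be followed by exactly two hex digits.
        while i < len(s) and s[i] != ")":
            ch = s[i]
            if ch == "(":
                raise ValueError("unescaped '(' in value at %d" % i)
            if ch == "\\":
                if not re.match(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
                    raise ValueError("bad escape sequence at %d" % i)
                i += 3
                continue
            i += 1
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return i + 1


def is_well_formed_filter(flt):
    """True if the whole string parses as a single RFC 4515 filter."""
    try:
        return _parse_filter(flt, 0) == len(flt)
    except ValueError:
        return False


if __name__ == "__main__":
    for label, flt in (("unsafe", build_member_filter_unsafe(EXAMPLE_DN)),
                       ("escaped", build_member_filter(EXAMPLE_DN))):
        print("%-8s well-formed=%s  %s" % (label, is_well_formed_filter(flt), flt))
```

Note the two layers of escaping are independent: a DN string may legitimately contain `\(` (RFC 4514 does not require escaping parentheses in an RDN, but tools may do so), and that backslash is itself a filter-special character, which is why the escaped value reads `\5c\28roaming\5c\29`. The safe approach is to always pass DN strings through the filter escaper (or use `ldap.filter.filter_format`) rather than string formatting, regardless of what the DN looks like.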

#2

I took a punt and was able to use Apache Directory Studio to connect to OpenLDAP on port 7389, move the computer object back to the cn=computers container, and remove the OU with the brackets.

Looking at the S4 sync logs, it appears that's cleaned up those errors, although there are some other errors (about locked records) in the log that I might open a new topic for.

So for the moment it seems I need to be very careful with the characters used in LDAP names. Should I submit a bug?


#3

Hey,

glad to see you were able to solve this yourself already. Modifying the LDAP directory directly (either via external applications or directly on the server with the standard tools like “ldapadd”, “ldapmodrdn” etc.) is safe. The synchronization layer is located in the LDAP server itself, meaning that no matter which method is chosen for the modification the Univention connector will pick up on the change.

I haven’t found any bugs related to such a problem in Univention’s bug tracker (there is one about brackets, but that’s about a comma in the RDN, not about square brackets; it’s a different issue). Opening a new one would definitely be good.

Kind regards,
mosu