Samba AD -> UCS -> O365 attribute synchronization issue

office-365
samba-ad
sync

#1

Hi,

We have a Samba AD domain to which we’ve added a UCS instance for the main purpose of connecting it to Office 365.
We are still experimenting to see whether we could use it or not.

We reached a point where we can successfully sync an AD user to O365 but some of the AD attributes are not propagated to O365:

  title
  department
  manager

We found out that the main reason for this is it’s missing from the UCS LDAP directory.

For the title attr. we found that it doesn’t get synchronized to UCS; however, in UCS it’s called employeeType.
If I propagate the employeeType attr. in UCS and the mapping is correct, it gets synchronized to O365.

If I add the manager attr. to UCS LDAP, the azure_handler throws an error message:
univention.office365.azure_handler.UnkownTypeError: Attribute 'manager' not in azure_attribute_types mapping.

Can anyone help us out how can we sync the following attributes to O365?

  title
  department
  manager

Thanks in advance,
Balint


#2

You must configure which Azure attribute the LDAP attribute should be mapped to:

$ ucr set office365/attributes/mapping/manager=jobTitle
$ service univention-directory-listener restart

Greetings
Daniel


#3

Hi Daniel,

Thank you for your reply.

The mapping is there, but we need manager to be mapped to manager:

$ ucr get office365/attributes/mapping/manager
manager

When restarting the listener, I can see in the log that it’s aware of the attributes and their mapping:

LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:166  attributes mapping UCS->AAD: {'telephoneNumber': 'telephoneNumber', 'employeeType': 'jobTitle', 'mailPrimaryAddress': 'otherMails', 'title': 'Title', 'mobile': 'mobile', 'roomNumber': 'physicalDeliveryOfficeName', 'l': 'city', 'st': 'usageLocation', 'mailAlternativeAddress': 'otherMails', 'manager': 'manager', 'street': 'streetAddress', 'sn': 'surname', 'postalCode': 'postalCode', 'mail': 'otherMails', 'givenName': 'givenName', 'displayName': 'displayName'}
LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:170  attributes to sync: ['displayName', 'employeeType', 'givenName', 'l', 'mail', 'mailAlternativeAddress', 'mailPrimaryAddress', 'manager', 'mobile', 'postalCode', 'roomNumber', 'sn', 'st', 'street', 'telephoneNumber']

When I force a resync with univention-directory-listener-ctrl resync office365-user
I get the following error in /var/log/univention/listener.log

LISTENER    ( ERROR   ) : o365(I): azure_handler._modify_objects:341  Modifying user with object_id u'77adf762-073e-481c-9db6-2dc4fada4ae2' and modifications 
{'accountEnabled': True, 'surname': 'XXX', 'mailNickname': 'XXX', 'jobTitle': 'XXX', 'userPrincipalName': 'user@example.com', 
'immutableId': 'XXX', 'manager': 'cn=manager,cn=Users,dc=example,dc=com', 'otherMails': 'user@example.com', 'displayName': 'XXX', 
'givenName': 'XXX', 'usageLocation': 'US'}...
LISTENER    ( ERROR   ) : o365(D): azure_auth.get_access_token:359  Token valid until 2019-05-08T12:51:25.
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 319, in handler
    new_or_reactivate_user(ol, dn, new, old)
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 241, in new_or_reactivate_user
    new_user = ol.create_user(new)
  File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 138, in create_user
    self.ah.create_user(attributes)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 312, in create_user
    obj_id={"key": "immutableId", "value": attributes["immutableId"]})
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 299, in _create_object
    modifications=attributes)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 345, in _modify_objects
    return self.call_api("PATCH", url, modifications)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 189, in call_api
    data = self._prepare_data(data)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 664, in _prepare_data
    if azure_attribute_types[k] == list and not isinstance(v, list) and isinstance(v, collections.Iterable):

univention.office365.azure_handler.UnkownTypeError: Attribute 'manager' not in azure_attribute_types mapping.

#4

Hello,

The manager attribute is currently not supported, sorry.

It is not a simple string but a link to another user or contact object: https://docs.microsoft.com/de-de/graph/api/resources/user?view=graph-rest-1.0
You can create and sync the referenced user in UCS, but you’ll have to add the link manually through the Azure website. Or you use another attribute that is of type string.

If it’s an option for your organization, you can contact the Univention sales department (sales@univention.de) and ask for a quote to have the feature coded.

Greetings
Daniel
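As an added example (not code from the Univention connector), a pre-flight check that mirrors the type lookup which raised in the traceback in #3: it validates the UCS->AAD mapping printed by the listener against a type table and builds the PATCH body only from attributes whose Azure type is known, so an unsupported target such as manager is reported before any API call. The type table is a constructed subset, and the sample entry and function names are assumptions.

```python
# Added example (not part of the Univention connector): a pre-flight check that
# mirrors the type lookup in azure_handler._prepare_data from the traceback above.

# Assumption: a constructed subset of the connector's azure_attribute_types with
# only the targets seen in the listener log. 'manager' is deliberately absent:
# Azure AD stores it as a reference to another object, not as a string.
AZURE_ATTRIBUTE_TYPES = {
    "city": str, "displayName": str, "givenName": str, "jobTitle": str,
    "mobile": str, "otherMails": list, "physicalDeliveryOfficeName": str,
    "postalCode": str, "streetAddress": str, "surname": str,
    "telephoneNumber": str, "usageLocation": str,
}

# The UCS->AAD mapping exactly as the listener printed it in post #3.
UCS_TO_AAD = {
    "telephoneNumber": "telephoneNumber", "employeeType": "jobTitle",
    "mailPrimaryAddress": "otherMails", "title": "Title", "mobile": "mobile",
    "roomNumber": "physicalDeliveryOfficeName", "l": "city", "st": "usageLocation",
    "mailAlternativeAddress": "otherMails", "manager": "manager",
    "street": "streetAddress", "sn": "surname", "postalCode": "postalCode",
    "mail": "otherMails", "givenName": "givenName", "displayName": "displayName",
}


def unknown_azure_attributes(mapping, types=AZURE_ATTRIBUTE_TYPES):
    """UCS attributes whose Azure target has no entry in the type table, i.e.
    the ones that would make _prepare_data raise UnkownTypeError."""
    return sorted(ucs for ucs, aad in mapping.items() if aad not in types)


def prepare_modifications(ucs_entry, mapping, types=AZURE_ATTRIBUTE_TYPES):
    """Build the PATCH body for one user: coerce list-typed targets to lists,
    merge several UCS sources (mail, mailPrimaryAddress, ...) into one target
    without duplicates, and refuse up front if a target has no known type."""
    present = {k: v for k, v in mapping.items() if k in ucs_entry}
    bad = unknown_azure_attributes(present, types)
    if bad:
        raise ValueError("no azure_attribute_types entry for: %s"
                         % ", ".join(mapping[k] for k in bad))
    body = {}
    for ucs_attr, value in ucs_entry.items():
        aad_attr = mapping.get(ucs_attr)
        if aad_attr is None:
            continue  # not part of the mapping, never sent to Azure
        if types[aad_attr] is list:
            lst = body.setdefault(aad_attr, [])
            for item in (value if isinstance(value, list) else [value]):
                if item not in lst:
                    lst.append(item)
        else:
            body[aad_attr] = value
    return body
```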


#5

Hi Daniel,

Thank you for your reply!
We’ll consider our options and will be contacting the sales department if needed.

Regards,
Balint