UCS Office365 issue

office-365

#1

I already have some users in my office 365 before setting up UCS AD with their own passwords.

Then I added a UCS server with the same usernames as in Office 365 and their corresponding email IDs, but in the users' Office 365 tab I could not see their email IDs, and they also can't log in using SSO. The newly created accounts with new emails in UCS are being created in Office 365, but what about the existing old ones?


#2

New user accounts are created, but the old accounts in Office 365 can't activate SSO.

03.11.17 08:28:51.213  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:263  new is enabled.
03.11.17 08:28:51.214  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:270  new_enabled and not old_enabled -> NEW or REACTIVATED (uid=sudesh,cn=users,dc=urolime,dc=local)
03.11.17 08:28:51.214  LISTENER    ( ERROR   ) : o365(D): listener.create_user:98  udm_attrs={'mail': 'sudesh@devopsin.com', 'givenName': 'sudesh', 'displayName': 'sudesh a', 'mailPrimaryAddress': 'sudesh@devopsin.com', 'sn': 'a'}
03.11.17 08:28:51.215  LISTENER    ( ERROR   ) : o365(I): azure_handler._create_object:278  Creating user with properties: {'passwordProfile': {'password': '******', 'forceChangePasswordNextLogin': False}, 'accountEnabled': True, 'surname': 'a', 'mailNickname': 'sudesh', 'userPrincipalName': 'sudesh@devopsin.com', 'immutableId': 'ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi', 'otherMails': ['sudesh@devopsin.com'], 'displayName': 'sudesh a', 'givenName': 'sudesh', 'usageLocation': 'US'}
03.11.17 08:28:51.216  LISTENER    ( ERROR   ) : o365(D): azure_auth.get_access_token:341  Loading token from disk...
03.11.17 08:28:51.217  LISTENER    ( ERROR   ) : o365(D): azure_auth.get_access_token:348  Token valid until 2017-11-03T09:22:47.
03.11.17 08:28:51.219  LISTENER    ( ERROR   ) : o365(D): azure_handler.call_api:180  GET https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6&%24filter=immutableId+eq+%27ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi%27 data: None
03.11.17 08:28:51.521  LISTENER    ( ERROR   ) : o365(I): azure_handler.call_api:212  status: 200 (OK) (GET https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6&%24filter=immutableId+eq+%27ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi%27)
03.11.17 08:28:51.524  LISTENER    ( ERROR   ) : o365(D): azure_auth.get_access_token:348  Token valid until 2017-11-03T09:22:47.
03.11.17 08:28:51.525  LISTENER    ( ERROR   ) : o365(D): azure_handler.call_api:180  POST https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6 data: {'passwordProfile': {'password': '******', 'forceChangePasswordNextLogin': False}, 'accountEnabled': True, 'surname': u'a', 'mailNickname': u'sudesh', 'userPrincipalName': u'sudesh@devopsin.com', 'immutableId': u'ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi', 'otherMails': ['sudesh@devopsin.com'], 'displayName': u'sudesh a', 'givenName': u'sudesh', 'usageLocation': u'US'}
03.11.17 08:28:54.761  LISTENER    ( ERROR   ) : o365(I): azure_handler.call_api:212  status: 400 (FAIL) Code: Request_BadRequest (POST https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6)
03.11.17 08:28:54.763  LISTENER    ( ERROR   ) : o365(E): azure_handler.__init__:143  An error occurred while processing the write request.
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 272, in handler
    new_user = ol.create_user(new)
  File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 138, in create_user
    self.ah.create_user(attributes)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 300, in create_user
    obj_id={"key": "immutableId", "value": attributes["immutableId"]})
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 291, in _create_object
    return self.call_api("POST", url, attributes)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 227, in call_api
    raise ApiError(response)
univention.office365.azure_handler.ApiError: An error occurred while processing the write request.
03.11.17 08:28:54.768  LISTENER    ( WARN    ) : handler: office365-user (failed)


#3

To join a UCS user with an existing O365 user, you have to save the Azure user's objectId in the UCS user's UniventionOffice365ObjectID attribute.

There is no automatic way to do this. You can contact our support, however, and they will help you with the process.

Hints:

  • The UCS user's UniventionOffice365ObjectID cannot be edited from the UMC web site, only from the command line.
  • The Azure user's objectId can be found on the Azure website among the user's attributes.

Greetings
Daniel Tröder


#4

Do you mean like this?

univention-directory-manager users/user modify --dn uid=arunp,cn=users,dc=xxxx,dc=local --set UniventionOffice365ObjectID="6252440f-2aac-42cf-9c0b-3605a2823f5e"

#5

Yes - I think that should do the trick.

Test it with a test user you created through the Azure/Office 365 admin interface. After setting the UniventionOffice365ObjectID attribute, change any of the synced attributes and observe /var/log/univention/listener.log.

You can compare your result with an o365 user you created through UMC:
udm users/user list --filter uid=my365testuser | grep -i office365
You can safely ignore UniventionOffice365Data.


#6

Tried the same, but it causes these errors:

06.03.18 01:43:07.971  LISTENER    ( PROCESS ) : o365: Creating user with properties: {'passwordProfile': {'password': '******', 'forceChangePasswordNextLogin': False}, 'accountEnabled': True, 'surname': 'c', 'mailNickname': 'sachin', 'userPrincipalName': 'sachin@xxxxx.com', 'immutableId': 'MjgyMjBkMDItYjU1NS0xMDM3LThmNjctZTcwYTY1NmVhZjli', 'otherMails': 'sachin@xxxxx.com', 'displayName': 'sachin', 'givenName': 'sachin', 'usageLocation': 'US'}
06.03.18 01:43:08.340  LISTENER    ( PROCESS ) : o365: status: 200 (OK) (GET https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6&%24filter=immutableId+eq+%27MjgyMjBkMDItYjU1NS0xMDM3LThmNjctZTcwYTY1NmVhZjli%27)
06.03.18 01:43:11.462  LISTENER    ( PROCESS ) : o365: status: 400 (FAIL) Code: Request_BadRequest (POST https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6)
06.03.18 01:43:11.464  LISTENER    ( ERROR   ) : o365: An error occurred while processing the write request.
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 272, in handler
    new_user = ol.create_user(new)
  File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 138, in create_user
    self.ah.create_user(attributes)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 300, in create_user
    obj_id={"key": "immutableId", "value": attributes["immutableId"]})
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 291, in _create_object
    return self.call_api("POST", url, attributes)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 227, in call_api
    raise ApiError(response)
univention.office365.azure_handler.ApiError: An error occurred while processing the write request.
06.03.18 01:43:11.475  LISTENER    ( WARN    ) : handler: office365-user (failed)
06.03.18 01:48:21.279  LISTENER    ( PROCESS ) : updating 'uid=sachin,cn=users,dc=ad,dc=xxxxxx,dc=com' command d
06.03.18 01:48:21.282  LISTENER    ( PROCESS ) : samba4-idmap: removing entry for S-1-5-21-3046349026-1776158987-1028525861-1119
06.03.18 01:48:21.306  LISTENER    ( PROCESS ) : updating 'cn=Domain Users,cn=groups,dc=ad,dc=xxxxx,dc=com' command m


#7

It still tries to create instead of modify the user. There is an additional step necessary: synchronized Azure users are identified by a unique ID from LDAP: the entryUUID. It must be set on the Azure object.

Unfortunately that is not possible anymore in the new Azure portal. But it can be done using the listener code. Here is what I had to do to write the entryUUID of user "test1" into its corresponding Azure user object:

$ univention-ldapsearch uid=test1 entryUUID | egrep ^entryUUID | cut -f 2 -d ' '
fae2ee28-83ff-1037-9b63-1112f663baab

$ python -c 'import base64
from univention.office365.azure_handler import AzureHandler
from univention.config_registry import ConfigRegistry
ucr = ConfigRegistry()
ucr.load()
ah = AzureHandler(ucr, "foo")
# objectId of the existing Azure user (taken from the Azure portal)
azure_uid = "682cb910-ac39-482b-87b4-eaa9fee6366e"
# entryUUID of the UCS user, as printed by univention-ldapsearch above
entry_uuid = "fae2ee28-83ff-1037-9b63-1112f663baab"
# the connector identifies the Azure object by the base64-encoded entryUUID;
# Python 2 encodestring() appends a newline, hence the rstrip()
print(ah.modify_user(azure_uid, {"immutableId": base64.encodestring(entry_uuid).rstrip()}))'

This should print:

<Response [204]>

… it might produce a traceback, as there is a bug there, that has been fixed, but the fix has not been published yet… we’ll see…

After that you should be able to sync changes to the user.
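As an added illustration (not Univention's connector code), the following models the linking rule from posts #3 and #7: the listener looks an Azure user up by immutableId, which is the base64 of the UCS entryUUID, as the immutableId in the post #2 log confirms when decoded. The Azure user records, their objectIds and the reading of the 400 as a clash with a pre-existing account are constructed assumptions for the example.

```python
import base64

def immutable_id_for(entry_uuid):
    """immutableId as the connector writes it: base64 of the ASCII entryUUID string."""
    return base64.b64encode(entry_uuid.encode("ascii")).decode("ascii")

def entry_uuid_from(immutable_id):
    """Reverse mapping: an immutableId copied from listener.log back to the entryUUID."""
    return base64.b64decode(immutable_id).decode("ascii")

def find_linked_user(entry_uuid, azure_users):
    """Mirror the connector's lookup: GET /users?$filter=immutableId eq '<base64>'."""
    wanted = immutable_id_for(entry_uuid)
    return next((u for u in azure_users if u.get("immutableId") == wanted), None)

def predict_listener_action(entry_uuid, upn, azure_users):
    """Return (action, objectId): what the listener will do for this UCS user."""
    linked = find_linked_user(entry_uuid, azure_users)
    if linked is not None:
        return "modify", linked["objectId"]
    # No immutableId match, so the listener POSTs a new user. Assumption: when an
    # account with the same UPN already exists (the pre-existing users from post #1),
    # that POST is the one failing with 400 Request_BadRequest in the posted logs.
    same_upn = [u for u in azure_users if u["userPrincipalName"].lower() == upn.lower()]
    if same_upn:
        return "create-collides-with-existing-upn", same_upn[0]["objectId"]
    return "create", None

def link_existing_user(azure_user, entry_uuid):
    """What post #7 does through AzureHandler.modify_user: stamp the entryUUID on Azure."""
    azure_user["immutableId"] = immutable_id_for(entry_uuid)
    return azure_user

# Constructed sample data: the immutableId from the post #2 log (it decodes to the
# UCS entryUUID) and two Azure accounts whose objectIds are placeholders.
LOG_IMMUTABLE_ID = "ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi"
AZURE_USERS = [
    {"objectId": "00000000-0000-0000-0000-00000000aaa1",  # placeholder
     "userPrincipalName": "sudesh@devopsin.com", "immutableId": None},
    {"objectId": "00000000-0000-0000-0000-00000000aaa2",  # placeholder
     "userPrincipalName": "synced@devopsin.com",
     "immutableId": immutable_id_for("11111111-2222-1037-3333-444444444444")},
]

if __name__ == "__main__":
    uuid = entry_uuid_from(LOG_IMMUTABLE_ID)
    print("before:", predict_listener_action(uuid, "sudesh@devopsin.com", AZURE_USERS))
    link_existing_user(AZURE_USERS[0], uuid)
    print("after: ", predict_listener_action(uuid, "sudesh@devopsin.com", AZURE_USERS))
```

Running it shows the create attempt before the Azure object carries the entryUUID and a modify afterwards, which is the behaviour change post #7 describes.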

