I already had some users in my Office 365 tenant before setting up UCS AD, each with their own passwords.
Then I added the UCS server with the same usernames as in Office 365 and their corresponding email addresses, but in the users' Office 365 tab I cannot see their email addresses, and those users also cannot log in using SSO. The newly created accounts with new emails in UCS are being created in Office 365, but what about the existing old ones?
New user accounts are created, but the old accounts in Office 365 cannot activate SSO.
03.11.17 08:28:51.213 LISTENER ( ERROR ) : o365(D): office365-user.handler:263 new is enabled.
03.11.17 08:28:51.214 LISTENER ( ERROR ) : o365(D): office365-user.handler:270 new_enabled and not old_enabled -> NEW or REACTIVATED (uid=sudesh,cn=users,dc=urolime,dc=local)
03.11.17 08:28:51.214 LISTENER ( ERROR ) : o365(D): listener.create_user:98 udm_attrs={'mail': 'sudesh@devopsin.com', 'givenName': 'sudesh', 'displayName': 'sudesh a', 'mailPrimaryAddress': 'sudesh@devopsin.com', 'sn': 'a'}
03.11.17 08:28:51.215 LISTENER ( ERROR ) : o365(I): azure_handler._create_object:278 Creating user with properties: {'passwordProfile': {'password': '******', 'forceChangePasswordNextLogin': False}, 'accountEnabled': True, 'surname': 'a', 'mailNickname': 'sudesh', 'userPrincipalName': 'sudesh@devopsin.com', 'immutableId': 'ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi', 'otherMails': ['sudesh@devopsin.com'], 'displayName': 'sudesh a', 'givenName': 'sudesh', 'usageLocation': 'US'}
03.11.17 08:28:51.216 LISTENER ( ERROR ) : o365(D): azure_auth.get_access_token:341 Loading token from disk...
03.11.17 08:28:51.217 LISTENER ( ERROR ) : o365(D): azure_auth.get_access_token:348 Token valid until 2017-11-03T09:22:47.
03.11.17 08:28:51.219 LISTENER ( ERROR ) : o365(D): azure_handler.call_api:180 GET https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6&%24filter=immutableId+eq+%27ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi%27 data: None
03.11.17 08:28:51.521 LISTENER ( ERROR ) : o365(I): azure_handler.call_api:212 status: 200 (OK) (GET https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6&%24filter=immutableId+eq+%27ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi%27)
03.11.17 08:28:51.524 LISTENER ( ERROR ) : o365(D): azure_auth.get_access_token:348 Token valid until 2017-11-03T09:22:47.
03.11.17 08:28:51.525 LISTENER ( ERROR ) : o365(D): azure_handler.call_api:180 POST https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6 data: {'passwordProfile': {'password': '******', 'forceChangePasswordNextLogin': False}, 'accountEnabled': True, 'surname': u'a', 'mailNickname': u'sudesh', 'userPrincipalName': u'sudesh@devopsin.com', 'immutableId': u'ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi', 'otherMails': ['sudesh@devopsin.com'], 'displayName': u'sudesh a', 'givenName': u'sudesh', 'usageLocation': u'US'}
03.11.17 08:28:54.761 LISTENER ( ERROR ) : o365(I): azure_handler.call_api:212 status: 400 (FAIL) Code: Request_BadRequest (POST https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6)
03.11.17 08:28:54.763 LISTENER ( ERROR ) : o365(E): azure_handler.__init__:143 An error occurred while processing the write request.
Traceback (most recent call last):
File "/usr/lib/univention-directory-listener/system/office365-user.py", line 272, in handler
new_user = ol.create_user(new)
File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 138, in create_user
self.ah.create_user(attributes)
File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 300, in create_user
obj_id={"key": "immutableId", "value": attributes["immutableId"]})
File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 291, in _create_object
return self.call_api("POST", url, attributes)
File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 227, in call_api
raise ApiError(response)
univention.office365.azure_handler.ApiError: An error occurred while processing the write request.
03.11.17 08:28:54.768 LISTENER ( WARN ) : handler: office365-user (failed)
To join a UCS user with an existing o365 user you have to save the Azure user's objectId in the UCS user's UniventionOffice365ObjectID attribute.
There is no automatic way to do this. You can contact our support, however, and they will help you with the process.
Hints:
- The UCS user's UniventionOffice365ObjectID cannot be edited from the UMC web site, but it can from the command line.
- The Azure user's objectId can be found on the Azure website among the user's attributes.
Greetings
Daniel Tröder
Do you mean like this?
univention-directory-manager users/user modify --dn uid=arunp,cn=users,dc=xxxx,dc=local --set UniventionOffice365ObjectID="6252440f-2aac-42cf-9c0b-3605a2823f5e"
Yes - I think that should do the trick.
Test it with a test user you created through the Azure/Office 365 admin interface. After setting the UniventionOffice365ObjectID attribute, change any of the synced attributes and observe /var/log/univention/listener.log.
You can compare your result with an o365 user you created through UMC:
udm users/user list --filter uid=my365testuser | grep -i office365
You can safely ignore UniventionOffice365Data.
I tried the same, but it causes these errors:
06.03.18 01:43:07.971 LISTENER ( PROCESS ) : o365: Creating user with properties: {'passwordProfile': {'password': '******', 'forceChangePasswordNextLogin': False}, 'accountEnabled': True, 'surname': 'c', 'mailNickname': 'sachin', 'userPrincipalName': 'sachin@xxxxx.com', 'immutableId': 'MjgyMjBkMDItYjU1NS0xMDM3LThmNjctZTcwYTY1NmVhZjli', 'otherMails': 'sachin@xxxxx.com', 'displayName': 'sachin', 'givenName': 'sachin', 'usageLocation': 'US'}
06.03.18 01:43:08.340 LISTENER ( PROCESS ) : o365: status: 200 (OK) (GET https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6&%24filter=immutableId+eq+%27MjgyMjBkMDItYjU1NS0xMDM3LThmNjctZTcwYTY1NmVhZjli%27)
06.03.18 01:43:11.462 LISTENER ( PROCESS ) : o365: status: 400 (FAIL) Code: Request_BadRequest (POST https://graph.windows.net/71f78fec-7013-49a4-aba0-747f99e381ec/users?api-version=1.6)
06.03.18 01:43:11.464 LISTENER ( ERROR ) : o365: An error occurred while processing the write request.
Traceback (most recent call last):
File "/usr/lib/univention-directory-listener/system/office365-user.py", line 272, in handler
new_user = ol.create_user(new)
File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 138, in create_user
self.ah.create_user(attributes)
File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 300, in create_user
obj_id={"key": "immutableId", "value": attributes["immutableId"]})
File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 291, in _create_object
return self.call_api("POST", url, attributes)
File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 227, in call_api
raise ApiError(response)
univention.office365.azure_handler.ApiError: An error occurred while processing the write request.
06.03.18 01:43:11.475 LISTENER ( WARN ) : handler: office365-user (failed)
06.03.18 01:48:21.279 LISTENER ( PROCESS ) : updating 'uid=sachin,cn=users,dc=ad,dc=xxxxxx,dc=com' command d
06.03.18 01:48:21.282 LISTENER ( PROCESS ) : samba4-idmap: removing entry for S-1-5-21-3046349026-1776158987-1028525861-1119
06.03.18 01:48:21.306 LISTENER ( PROCESS ) : updating 'cn=Domain Users,cn=groups,dc=ad,dc=xxxxx,dc=com' command m
It still tries to create the user instead of modifying it. There is an additional step necessary: synchronized Azure users are identified by a unique ID from LDAP, the entryUUID. It must be set on the Azure object.
Unfortunately that is not possible anymore in the new Azure portal. But it can be done using the listener code. Here is what I had to do to write the entryUUID of user "test1" into its corresponding Azure user object:
$ univention-ldapsearch uid=test1 entryUUID | egrep ^entryUUID | cut -f 2 -d ' '
fae2ee28-83ff-1037-9b63-1112f663baab
$ python -c 'import base64
from univention.office365.azure_handler import AzureHandler
from univention.config_registry import ConfigRegistry
ucr = ConfigRegistry()
ucr.load()
ah = AzureHandler(ucr, "foo")
# objectId of the existing Azure user (the value stored in UniventionOffice365ObjectID)
azure_uid = "682cb910-ac39-482b-87b4-eaa9fee6366e"
# entryUUID of the UCS user, taken from the ldapsearch above
entry_uuid = "fae2ee28-83ff-1037-9b63-1112f663baab"
# the listener identifies synced users by immutableId = base64(entryUUID);
# encodestring() appends a newline, hence the rstrip()
print(ah.modify_user(azure_uid, {"immutableId": base64.encodestring(entry_uuid).rstrip()}))'
This should print:
<Response [204]>
… it might produce a traceback, as there is a bug there that has been fixed, but the fix has not been published yet… we'll see…
After that you should be able to sync changes to the user.
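A pre-flight check for the two-step join described in this thread (UniventionOffice365ObjectID on the UCS side, immutableId = base64(entryUUID) on the Azure side), as an added example that is neither the connector's own code nor part of any of the posts above. It assumes only what the thread states about those two attributes; the function names, the plan_join decision logic and the sample log lines are constructed for illustration, and it needs no connection to Azure or to the UCS LDAP.

```python
"""Pre-flight check for joining a UCS user to an existing Azure AD / Office 365 user.

Added example, not the Univention Office 365 connector's own code. It assumes only
what the thread states: the connector finds a synced Azure user by
immutableId = base64(entryUUID as text), and the UCS user carries the Azure
objectId in UniventionOffice365ObjectID. Function names, the decision logic and
the sample log lines below are constructed for illustration.
"""
import base64
import binascii
import re
import uuid


def immutable_id_from_entry_uuid(entry_uuid):
    """base64 of the entryUUID text, the way the thread's snippet computes it.

    Require the canonical lower-case form OpenLDAP returns: any other spelling
    encodes to a different immutableId and the listener would never match it.
    """
    if str(uuid.UUID(entry_uuid)) != entry_uuid:
        raise ValueError("entryUUID must be canonical lower-case: %r" % entry_uuid)
    # Python 2's base64.encodestring() appended a newline (hence the .rstrip()
    # in the thread); b64encode() does not.
    return base64.b64encode(entry_uuid.encode("ascii")).decode("ascii")


def entry_uuid_from_immutable_id(immutable_id):
    """Decode an Azure immutableId back to an entryUUID, or None if it is not one.

    immutableIds written by other tools (e.g. Azure AD Connect, which stores the
    raw 16-byte AD objectGUID) decode to bytes that are not a UUID string.
    """
    try:
        text = base64.b64decode(immutable_id, validate=True).decode("ascii")
        return text if str(uuid.UUID(text)) == text else None
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def plan_join(ucs_entry_uuid, azure_object_id, azure_immutable_id):
    """Decide what to write before binding a UCS user to an Azure user.

    'link': set UniventionOffice365ObjectID on the UCS user and PATCH the
            returned immutableId payload onto the Azure user.
    'already_linked': the Azure user already carries this entryUUID.
    'conflict': the Azure user is bound to a different source identity;
            overwriting it would hand that account (and mailbox) to the UCS user.
    """
    wanted = immutable_id_from_entry_uuid(ucs_entry_uuid)
    if not azure_immutable_id:
        return {"action": "link",
                "UniventionOffice365ObjectID": azure_object_id,
                "azure_patch": {"immutableId": wanted}}
    if azure_immutable_id == wanted:
        return {"action": "already_linked",
                "UniventionOffice365ObjectID": azure_object_id}
    return {"action": "conflict",
            "azure_immutableId": azure_immutable_id,
            "bound_to_entryUUID": entry_uuid_from_immutable_id(azure_immutable_id)}


# The listener logs the attributes of every user it tries to *create*. A 400 on
# that POST (as in the thread) means Azure already has the userPrincipalName but
# no object with this immutableId; decoding the immutableId names the UCS user.
_IMMUTABLE_RE = re.compile(r"'immutableId': u?'([A-Za-z0-9+/=]+)'")
_UPN_RE = re.compile(r"'userPrincipalName': u?'([^']+)'")


def create_attempts_from_listener_log(lines):
    """Return (userPrincipalName, immutableId, entryUUID) per 'Creating user' line."""
    found = []
    for line in lines:
        if "Creating user with properties" not in line:
            continue
        m_id, m_upn = _IMMUTABLE_RE.search(line), _UPN_RE.search(line)
        if m_id and m_upn:
            found.append((m_upn.group(1), m_id.group(1),
                          entry_uuid_from_immutable_id(m_id.group(1))))
    return found


# Constructed sample, modelled on the listener.log excerpt in the thread.
SAMPLE_LOG = [
    "03.11.17 08:28:51.215 LISTENER ( ERROR ) : o365(I): azure_handler._create_object:278 "
    "Creating user with properties: {'accountEnabled': True, 'mailNickname': u'sudesh', "
    "'userPrincipalName': u'sudesh@devopsin.com', "
    "'immutableId': u'ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi', 'usageLocation': u'US'}",
    "03.11.17 08:28:54.761 LISTENER ( ERROR ) : o365(I): azure_handler.call_api:212 "
    "status: 400 (FAIL) Code: Request_BadRequest (POST https://graph.windows.net/<tenant>/users?api-version=1.6)",
]

if __name__ == "__main__":
    for upn, imm, entry in create_attempts_from_listener_log(SAMPLE_LOG):
        print("listener tried to create %s (immutableId %s = entryUUID %s)" % (upn, imm, entry))
    azure_oid = "00000000-0000-0000-0000-000000000000"  # placeholder objectId
    for existing in (None, "ODMzMmIwZDYtNTRkYy0xMDM3LTgyNWQtODUyY2I2NzFhOTNi", "AAAAAAAAAAAAAAAAAAAAAA=="):
        print(plan_join("8332b0d6-54dc-1037-825d-852cb671a93b", azure_oid, existing))
```

The immutableId is the identity binding the listener trusts: once it finds an Azure object with the expected value it updates that object's attributes from UCS, so writing it onto an Azure user that already carries someone else's value (the 'conflict' case) would quietly re-home that account. The check refuses in that case; decoding the immutableId from the failed-create log lines shows which UCS user the listener was acting for, which is what the 400 in the thread hides.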