UCS root certificate replaced: Office 365 connector no longer syncs new users to MS365

Follow-Up:

Because the UCS root certificate was about to expire, we had to renew it; we followed these guides:

After following the guides above, we still ended up with the following error:

error_description": "AADSTS700027: Client assertion contains an invalid
signature. [Reason - The key was not found., Thumbprint of key used by
client: '9550E6C48A16F89C448029757241BC23721F64A8', Please visit the
Azure Portal, Graph Explorer or directly use MS Graph to see configured
keys for app Id 'b65f0555-80e6-4f7b-af23-342b3b706e0f'. Review the
documentation at Microsoft Graph national cloud deployments - Microsoft Graph | Microsoft Learn to
determine the corresponding service endpoint and
Get application - Microsoft Graph v1.0 | Microsoft Learn
to build a query request URL, such as
https://graph.microsoft.com/beta/applications/b65f0555-80e6-4f7b-af23-342b3b706e0f'].\r\nTrace
ID: 8aa6c0a0-f650-4030-8ea0-27cfa7a92d00\r\nCorrelation ID:
4754c740-01fb-4947-8eba-588c13a2524b\r\nTimestamp: 2022-05-23 04:25:39Z",

As a result, no more accounts could be synced to MS365; the federated login to MS365 still worked, though.

Under /etc/univention-office365/defaultADconnection/ neither the certificate nor the *.json files (ids, manifest, tokens) had been updated.

Why is that the case?

We then copied the certificate (simplesamlphp) to /etc/univention-office365/defaultADconnection/, read its fingerprint via openssl and wrote it to /etc/univention-office365/defaultADconnection/cert.fp.

Then we got the following error messages:

Error:
23.05.22 06:25:40.816 LDAP ( PROCESS ) : connecting to ldap://pdc.intern.xxx.de:7389
23.05.22 06:25:42.869 LISTENER ( ERROR ) : o365(D): azure_auth.is_initialized:408 adconnection_alias='defaultADconnection'
23.05.22 06:25:42.869 LISTENER ( ERROR ) : o365(D): azure_auth.is_initialized:408 adconnection_alias='xxxADconnection'
23.05.22 06:25:42.872 LISTENER ( ERROR ) : o365(I): office365-user.:136 Found AD connections in UCR: {'defaultADconnection': 'aa300aa6-3e3b-410a-8948-eb3a2f397b19', 'xxxADconnection': 'uninitialized'}
23.05.22 06:25:42.872 LISTENER ( ERROR ) : o365(I): office365-user.:137 Found initialized AD connections: set(['defaultADconnection'])
23.05.22 06:25:42.872 LISTENER ( ERROR ) : o365(I): office365-user.:144 office 365 user listener active with filter='(&(objectClass=posixAccount)(objectClass=univentionOffice365)(uid=*))'
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:164 listener observing attributes: ['displayName', 'employeeType', 'givenName', 'l', 'mail', 'mailAlternativeAddress', 'mailPrimaryAddress', 'mobile', 'postalCode', 'sn', 'st', 'street', 'telephoneNumber']
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:165 listener is also observing: ['krb5KDCFlags', 'krb5PasswordEnd', 'krb5ValidEnd', 'passwordexpiry', 'sambaAcctFlags', 'sambaKickoffTime', 'shadowExpire', 'shadowLastChange', 'shadowMax', 'univentionMicrosoft365Team', 'univentionOffice365ADConnectionAlias', 'univentionOffice365Enabled', 'userPassword', 'userexpiry']
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:166 attributes mapping UCS->AAD: {'telephoneNumber': 'telephoneNumber', 'employeeType': 'jobTitle', 'mailPrimaryAddress': 'otherMails', 'mobile': 'mobile', 'roomNumber': 'physicalDeliveryOfficeName', 'l': 'city', 'st': 'usageLocation', 'mailAlternativeAddress': 'otherMails', 'street': 'streetAddress', 'sn': 'surname', 'postalCode': 'postalCode', 'mail': 'otherMails', 'givenName': 'givenName', 'displayName': 'displayName'}
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:167 attributes to sync anonymized:
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:168 attributes to never sync:
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:169 attributes to statically set in AAD: {}
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:170 attributes to sync: ['displayName', 'employeeType', 'givenName', 'l', 'mail', 'mailAlternativeAddress', 'mailPrimaryAddress', 'mobile', 'postalCode', 'sn', 'st', 'street', 'telephoneNumber']
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): office365-user.:171 attributes to sync from multiple sources: {'otherMails': ['mailPrimaryAddress', 'mailAlternativeAddress', 'mail']}
23.05.22 06:25:42.873 LISTENER ( ERROR ) : o365(I): api_helper.get_http_proxies:42 proxy settings: {}
23.05.22 06:25:43.035 LISTENER ( ERROR ) : o365(D): azure_auth.is_initialized:408 adconnection_alias='defaultADconnection'
23.05.22 06:25:43.035 LISTENER ( ERROR ) : o365(D): azure_auth.is_initialized:408 adconnection_alias='xxxADconnection'
23.05.22 06:25:43.036 LISTENER ( ERROR ) : o365(I): office365-group.:49 Found adconnections in UCR: {'defaultADconnection': 'aa300aa6-3e3b-410a-8948-eb3a2f397b19', 'xxxADconnection': 'uninitialized'}
23.05.22 06:25:43.036 LISTENER ( ERROR ) : o365(I): office365-group.:50 Found initialized adconnections: ['defaultADconnection']
23.05.22 06:25:43.036 LISTENER ( ERROR ) : o365(I): office365-group.:60 office 365 group listener active with filter='(&(objectClass=posixGroup))'
23.05.22 06:25:43.036 LISTENER ( ERROR ) : o365(D): listener.init:113 adconnection_alias='defaultADconnection'
23.05.22 06:25:43.040 LISTENER ( ERROR ) : o365(I): api_helper.get_http_proxies:42 proxy settings: {}
23.05.22 06:25:43.044 LISTENER ( ERROR ) : o365(I): graph._check_token_validity:169 The access token for defaultADconnection looks similar to: eyJ0eXAiOi-trimmed-7o8HkHe8qg. It is valid until 2022-05-03 17:55:54
23.05.22 06:25:43.076 LISTENER ( ERROR ) : o365(D): graph._call_graph_api:216 GraphAPI: POST Sign in to your account
23.05.22 06:25:43.379 LISTENER ( ERROR ) : o365(I): graph._call_graph_api:252 status: 401 (FAIL) (POST Sign in to your account)
23.05.22 06:25:43.379 LISTENER ( ERROR ) : o365(D): graph._call_graph_api:273 retries left: -1
23.05.22 06:25:43.380 LISTENER ( ERROR ) : import of filename=/usr/lib/univention-directory-listener/system/office365-group.py failed
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-group.py", line 88, in <module>
    ol = Office365Listener(listener, name, dict(listener=attributes_copy), ldap_cred, None, conn)
  File "/usr/lib/python2.7/dist-packages/univention/office365/listener.py", line 125, in __init__
    self.ah = Graph(self.ucr, name, self.adconnection_alias, logger=logger)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 58, in __init__
    self.access_token_json = self._login(connection_alias)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 131, in _login
    retry=0
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 279, in _call_graph_api
    raise self._generate_error_message(response, "Unable to (re-)login")
univention.office365.api.exceptions.GraphError: Unable to (re-)login
HTTP response status: 401

request url:
Sign in to your account

In order to fix this, we set up an additional, new ADconnection:

manage_adconnections:
/usr/share/univention-office365/scripts/manage_adconnections create neueverbindung

Then we used the setup wizard in the UMC web interface to completely re-install the Office 365 Connector. We did not re-install simplesamlphp, though, because that part was still working.

Syncing users still did not work (same error message).

Then we copied the *.json files from /etc/univention-office365/neueverbindung to /etc/univention-office365/defaultADconnection and ran /etc/init.d/univention-directory-listener restart.

The Office 365 Connector now syncs accounts to MS365 again, but we still get this error message:

24.05.22 14:49:12.082 LISTENER ( ERROR ) : o365(I): office365-user.new_or_reactivate_user:267 User creation success. userPrincipalName: u'n.test@xxx.de' objectId: u'36d33686-e321-49d2-9f90-a133b6dde570' dn: uid=X.XXXXXXXX,cn=users,dc=intern,dc=xxx,dc=de adconnection: defaultADconnection
24.05.22 14:49:12.082 LISTENER ( ERROR ) : o365(I): office365-user.new_or_reactivate_user:272 Need to add user to group cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de.
UNIVENTION_DEBUG_BEGIN : uldap.searchDn filter=(&(objectClass=posixGroup)(uniqueMember=cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END : uldap.searchDn filter=(&(objectClass=posixGroup)(uniqueMember=cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de)) base= scope=sub unique=0 required=0
24.05.22 14:49:12.084 LISTENER ( ERROR ) : o365(I): office365-user.new_or_reactivate_user:276 Need to create azure group cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de for defaultADconnection first.

The group Domain Users has existed in Azure AD since 1/13/2020, 4:46:57 PM.

Questions:

  • Why were the *.json files in
    /etc/univention-office365/defaultADconnection not renewed?

  • How can the *.json files be renewed without creating a new ADconnection?

I would be grateful for answers to these questions. Any help appreciated.

Gregor
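As an added example (not part of Gregor's post and not code from the Univention Office 365 connector), here is a small Python check for the situation described above: it computes the SHA-1 fingerprint of the certificate on disk the same way `openssl x509 -noout -fingerprint -sha1` does, compares it with the value stored in cert.fp, and compares both with the key thumbprint that the AADSTS700027 error reports. The PEM input is constructed so the script runs offline; the error text is quoted from the post; and it is an assumption that cert.fp holds the SHA-1 fingerprint as plain hex, since the post does not show the file's contents.

```python
import base64
import hashlib
import re
from typing import Dict, Optional

# Constructed sample input: a PEM block wrapping arbitrary bytes, NOT a real
# X.509 certificate. A fingerprint is SHA-1 over the DER bytes between the
# BEGIN/END lines, so no X.509 parsing is needed for this check.
_FAKE_DER = b"constructed DER placeholder bytes for the demo, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_FAKE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

# Error text as quoted in the post above (thumbprint and app id are the post's own).
SAMPLE_ERROR = (
    "AADSTS700027: Client assertion contains an invalid signature. "
    "[Reason - The key was not found., Thumbprint of key used by client: "
    "'9550E6C48A16F89C448029757241BC23721F64A8', Please visit the Azure Portal ...]"
)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Azure prints the thumbprint in straight single quotes; the forum rendering
# turned them into curly quotes, so both forms are accepted here.
_THUMBPRINT_RE = re.compile(
    r"Thumbprint of key used by client:\s*['\u2018]([0-9A-Fa-f]{40})['\u2019]"
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 fingerprint as 40 upper-case hex digits without colons.

    Same value as `openssl x509 -noout -fingerprint -sha1`, minus the
    'SHA1 Fingerprint=' prefix and the colon separators.
    """
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize_fp(text: str) -> str:
    """Normalize 'SHA1 Fingerprint=95:50:...', 'ab:cd:...' or 'ABCD...' to bare upper-case hex."""
    value = text.strip().split("=")[-1]
    return value.replace(":", "").replace(" ", "").upper()


def thumbprint_from_aadsts_error(text: str) -> Optional[str]:
    """Extract the key thumbprint Azure reports in an AADSTS700027 message."""
    m = _THUMBPRINT_RE.search(text)
    return m.group(1).upper() if m else None


def diagnose(pem: str, cert_fp_content: str, error_text: str) -> Dict[str, object]:
    """Compare the on-disk certificate with cert.fp and with the thumbprint
    Azure says the client used. How to read the two flags:
      - cert_fp_matches_local False: cert.fp is stale relative to the PEM on disk.
      - error_thumbprint_matches_local True: the connector signs with the
        certificate on disk, but that key is not registered on the Azure app.
      - error_thumbprint_matches_local False: the connector is still signing
        with some other (old) key, i.e. it has not picked up the new certificate.
    """
    local = sha1_fingerprint(pem)
    used = thumbprint_from_aadsts_error(error_text)
    return {
        "local_fingerprint": local,
        "cert_fp_matches_local": normalize_fp(cert_fp_content) == local,
        "thumbprint_in_error": used,
        "error_thumbprint_matches_local": used is not None and used == local,
    }


if __name__ == "__main__":
    # Constructed cert.fp content that matches the sample PEM.
    report = diagnose(SAMPLE_PEM, sha1_fingerprint(SAMPLE_PEM), SAMPLE_ERROR)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real system you would read the PEM from the certificate file in /etc/univention-office365/defaultADconnection/, the fingerprint from cert.fp in the same directory, and the error text from the listener log; the two flags then tell you whether the stale side is the local files or the key list on the Azure app registration.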