Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
Control: fixed -1 2.8~git20230203.10abe45+dfsg-5 Control: close -1 On Do 10 Aug 2023 17:53:55 CEST, Mike Gabriel wrote: Control: reassign -1 src:gosa Control: found -1 2.8~git20230203.10abe45+dfsg-4 On Fr 04 Aug 2023 13:29:00 CEST, Guido Berhoerster wrote: On Fri, 21 Jul 2023 11:34:21 +0200 Guido Berhoerster wrote: I must have done something wrong before, with the newstudent template applied gosa creates the following on bullseye, which looks more correct/as expected: I just noticed that a "posixUser" class is only added if one clicks on the "POSIX" tab at least once (even without changing anything). That explains the difference. Not sure if that is intended behavior, it is surprising to say the least. -- Guido Berhoerster Also reassigning this to GOsa. The hook script execution will probably be fixed with upcoming upload of gosa 2.8~git20230203.10abe45+dfsg-5. This issue has been resolved with 2.8~git20230203.10abe45+dfsg-5, but the bug closure statement was missing from d/changelog. This has now been added post-upload. Closing this bug report manually. https://salsa.debian.org/debian-edu-pkg-team/gosa/-/commit/b9b197bfea3ac541aebf84fd84f7f4c46acea879 Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgp244SxQ4SLS.pgp Description: Digitale PGP-Signatur
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
Control: clone -1 -2 Control: retitle -1 Adding users fails in postcreate command Control: severity -1 important Control: found -1 2.8~git20230203.10abe45+dfsg-1+deb12u1 Control: retitle -2 Adding users fails due to broken class_groups.inc Control: severity -2 critical Control: found -2 2.8~git20230203.10abe45+dfsg-1+deb12u1 On Do 10 Aug 2023 17:53:55 CEST, Mike Gabriel wrote: Control: reassign -1 src:gosa Control: found -1 2.8~git20230203.10abe45+dfsg-4 On Fr 04 Aug 2023 13:29:00 CEST, Guido Berhoerster wrote: On Fri, 21 Jul 2023 11:34:21 +0200 Guido Berhoerster wrote: I must have done something wrong before, with the newstudent template applied gosa creates the following on bullseye, which looks more correct/as expected: I just noticed that a "posixUser" class is only added if one clicks on the "POSIX" tab at least once (even without changing anything). That explains the difference. Not sure if that is intended behavior, it is surprising to say the least. -- Guido Berhoerster Also reassigning this to GOsa. The hook script execution will probably be fixed with upcoming upload of gosa 2.8~git20230203.10abe45+dfsg-5. This bug is actually two bugs. One is about the failures of command hooks with GOsa² 2.8.x (it worked ok in GOsa² 2.7.5). The other is about an entirely new implementation of the class_groups.inc in plugins/admin/groups/. Thus, cloning this bug into a second one accordingly... Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpQmB6kdYjkS.pgp Description: Digitale PGP-Signatur
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
Control: reassign -1 src:gosa Control: found -1 2.8~git20230203.10abe45+dfsg-4 On Fr 04 Aug 2023 13:29:00 CEST, Guido Berhoerster wrote: On Fri, 21 Jul 2023 11:34:21 +0200 Guido Berhoerster wrote: I must have done something wrong before, with the newstudent template applied gosa creates the following on bullseye, which looks more correct/as expected: I just noticed that a "posixUser" class is only added if one clicks on the "POSIX" tab at least once (even without changing anything). That explains the difference. Not sure if that is intended behavior, it is surprising to say the least. -- Guido Berhoerster Also reassigning this to GOsa. The hook script execution will probably be fixed with upcoming upload of gosa 2.8~git20230203.10abe45+dfsg-5. Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpszYow21Bxc.pgp Description: Digitale PGP-Signatur
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
On Fri, 21 Jul 2023 11:34:21 +0200 Guido Berhoerster wrote: > I must have done something wrong before, with the newstudent > template applied gosa creates the following on bullseye, which > looks more correct/as expected: I just noticed that a "posixUser" class is only added if one clicks on the "POSIX" tab at least once (even without changing anything). That explains the difference. Not sure if that is intended behavior, it is surprising to say the least. -- Guido Berhoerster
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
After some more debugging I have found that: - creating a user based on the newstudent/newteacher template actually succeeds and that the resulting user has a posixAccount class - what actually fails is automatic group creation - creating an independent group also fails - adding a user to an existing group (created using ldapvi) fails So in short group creation and adding to groups is broken due to the above "groupOfNames" vs "posixGroup" class and "member" vs "memberUid" issues. Two suspicious changes in this regard are https://github.com/gosa-project/gosa-core/pull/34 and https://github.com/gosa-project/gosa-core/commit/79aa7fe63b#diff-2e1c800f3c3627ecb4b32cd634e508d10290c25afeb072a73fb5c58a7bdc2150L61 Unfortunately I have been unable to revert these due to a ton of conflicts, in order to do so it is necessary to revert on master first and then rebase the diff on top of develop since the latter is the base of our package but has truncated git history. -- Guido Berhoerster
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
I must have done something wrong before, with the newstudent template applied gosa creates the following on bullseye, which looks more correct/as expected: dn: uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no sn: Mustermann givenName: Max uid: mamus cn: Max Mustermann homeDirectory: /skole/tjener/home0/mamus loginShell: /bin/bash uidNumber: 1003 gidNumber: 1003 gecos: Max Mustermann krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,d c=no objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: gosaAccount objectClass: posixAccount objectClass: shadowAccount objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux krbLoginFailedCount: 0 krbTicketFlags: 128 krbPasswordExpiration: 1970010100Z dn: cn=mamus,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no cn: mamus description: Gruppe des Benutzers Max Mustermann gidNumber: 1003 objectClass: top objectClass: posixGroup -- Guido Berhoerster
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
>From Daniel: uid=maxmus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no sn: Mustermann givenName: Maxim uid: maxmus homePostalAddress:; ^M\ cn: Maxim Mustermann postalAddress:; ^M\ objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: gosaAccount - postalAddress + homePostalAddress are buggy - posixAccount is missing - gidNumber is missing and more, see the Student account template: uid=newstudent,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: gosaAccount objectClass: gosaUserTemplate objectClass: posixAccount objectClass: shadowAccount sn: NewStudent givenName: NewStudent uid: newstudent cn: NewStudent NewStudent homeDirectory: /skole/tjener/home0/%uid loginShell: /bin/bash uidNumber: 1002 gidNumber: 1002 gecos: NewStudent NewStudent Using gosa on Debian bullseye to create a student produces this: # mamus, people, Students, skole.skolelinux.no dn: uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no sn: Mustermann givenName: Max uid: mamus cn: Max Musterschueler objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: gosaAccount So apart from the homePostalAddress and postalAddress which shouldn't be relevant to the problem at hand it seems identical to bookworm. The student template seems to be identical as well: # newstudent, people, Students, skole.skolelinux.no dn: uid=newstudent,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: gosaAccount objectClass: gosaUserTemplate objectClass: posixAccount objectClass: shadowAccount sn: NewStudent givenName: NewStudent uid: newstudent cn: NewStudent NewStudent homeDirectory: /skole/tjener/home0/%uid loginShell: /bin/bash uidNumber: 1002 gidNumber: 1002 gecos: NewStudent NewStudent -- Guido Berhoerster
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
Creating a student "musmar" results in the following LDAP operations with the following errors: Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1273 op=5 ADD dn="uid=musmar,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no" Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1273 op=5 RESULT tag=105 err=0 qtime=0.04 etime=0.012248 text= … Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1279 op=2 MOD dn="uid=musmar,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no" Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1279 op=2 MOD attr=objectClass homeDirectory loginShell uidNumber gecos shadowMin shadowMax shadowWarning shadowInactive shadowLastChange shadowExpire Jun 30 12:58:36 tjener.intern slapd[10952]: Entry (uid=musmar,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no): object class 'posixAccount' requires attribute 'gidNumber' Jun 30 12:58:36 tjener.intern slapd[10952]: entry failed schema check: object class 'posixAccount' requires attribute 'gidNumber' Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1279 op=2 RESULT tag=103 err=65 qtime=0.04 etime=0.000137 text=object class 'posixAccount' requires attribute 'gidNumber' … Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1282 op=2 MOD dn="uid=musmar,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no" Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1282 op=2 MOD attr=objectClass Jun 30 12:58:36 tjener.intern slapd[10952]: conn=1282 op=2 RESULT tag=103 err=0 qtime=0.04 etime=0.003284 text= … Jun 30 12:58:37 tjener.intern slapd[10952]: conn=1297 op=4 MOD dn="cn=students,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no" Jun 30 12:58:37 tjener.intern slapd[10952]: conn=1297 op=4 MOD attr=member Jun 30 12:58:37 tjener.intern slapd[10952]: Entry (cn=students,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no), attribute 'member' not allowed Jun 30 12:58:37 tjener.intern slapd[10952]: entry failed schema check: attribute 'member' not allowed Jun 30 12:58:37 tjener.intern slapd[10952]: conn=1297 op=4 RESULT tag=103 err=65 qtime=0.05 etime=0.71 text=attribute 'member' not allowed … Jun 30 12:58:37 tjener.intern slapd[10952]: conn=1303 op=2 MOD dn="uid=musmar,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no" Jun 30 12:58:37 tjener.intern slapd[10952]: conn=1303 op=2 MOD attr=objectClass Jun 30 12:58:37 tjener.intern slapd[10952]: conn=1303 op=2 RESULT tag=103 err=0 qtime=0.06 etime=0.005112 text= Daniel pointed out two separate issues based on the above: 1. a missing "gidNumber" attribute on the "posixAccount" 2. the group "students is a "posixGroup" and requires a "memberUid" instead of a "member" attribute @Daniel: Could you please look into fixing this in gosa? -- Guido Berhoerster
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
The postcreate command error might be related to bug #1039698. -- Guido Berhoerster
Bug#1039699: Adding students/teachers with gosa fails due to LDAP and postcreate command errors
Package: debian-edu-config Version: 2.12.32 Adding a student or teacher in gosa fails with the following LDAP errors (e.g. adding a student "mam" here): LDAP-Operation fehlgeschlagen Objekt: cn=mam,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no Fehler: Object class violation (no structural object class provided, während der Arbeit mit cn=mam,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no auf dem LDAP-Server ldaps://ldap.intern) LDAP-Operation fehlgeschlagen Objekt: cn=students,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no Fehler: Object class violation (attribute 'member' not allowed, während der Arbeit mit cn=students,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no auf dem LDAP-Server ldaps://ldap.intern)· Furthermore, the postcreate command fails: Kann POSTCREATE Kommando (/usr/share/debian-edu-config/tools/gosa-create 'mam') für Modul posixAccount nicht ausführen! -- Guido Berhoerster