[pve-devel] [PATCH access-control] jobs: realm sync: fix scheduled LDAP syncs not applying attributes correctly

[pve-devel] [PATCH access-control] jobs: realm sync: fix scheduled LDAP syncs not applying attributes correctly

[Christoph Heiss]

This was reported by a user in the forum [0].

The cause was that the user-* standard options were not registered when
the sync was called from the scheduler, resulting in the following
error:

  pvescheduler[2849]: skipping attribute mapping 'cn'->'comment' for user 'test@samba0' - no such standard option 'user-comment'

Fix this by simply importing the PVE::API2::User module, thus ensuring
the options get registered.

[0] https://forum.proxmox.com/threads/ldap-integration-comment-email-first-name-lastname.143490/

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
 src/PVE/Jobs/RealmSync.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/PVE/Jobs/RealmSync.pm b/src/PVE/Jobs/RealmSync.pm
index 91235d5..4c77e55 100644
--- a/src/PVE/Jobs/RealmSync.pm
+++ b/src/PVE/Jobs/RealmSync.pm
@@ -13,6 +13,9 @@ use PVE::Tools ();
 
 use PVE::API2::Domains ();
 
+# load user-* standard options
+use PVE::API2::User ();
+
 use base qw(PVE::Job::Registry);
 
 sub type {
-- 
2.43.1

Re: [pve-devel] [PATCH access-control] jobs: realm sync: fix scheduled LDAP syncs not applying attributes correctly

[Fiona Ebner]

Am 19.03.24 um 14:48 schrieb Christoph Heiss:
> This was reported by a user in the forum [0].
> 
> The cause was that the user-* standard options were not registered when
> the sync was called from the scheduler, resulting in the following
> error:
> 
>   pvescheduler[2849]: skipping attribute mapping 'cn'->'comment' for user 'test@samba0' - no such standard option 'user-comment'
> 
> Fix this by simply importing the PVE::API2::User module, thus ensuring
> the options get registered.
> 
> [0] https://forum.proxmox.com/threads/ldap-integration-comment-email-first-name-lastname.143490/
> 
> Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>

Fixes: cb93636 ("LDAP sync: improve validation of synced attributes")
Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
Tested-by: Fiona Ebner <f.ebner@proxmox.com>

Thank you for the fix!

The schema for the user- properties could also be moved somewhere that
can be accessed by both API2::User module and Auth::LDAP module and
included there directly. That would be more future-proof, but as a quick
fix, this is fine too.

Re: [pve-devel] [PATCH access-control] jobs: realm sync: fix scheduled LDAP syncs not applying attributes correctly

[Christoph Heiss]

On Tue, Mar 19, 2024 at 03:57:34PM +0100, Fiona Ebner wrote:
> Am 19.03.24 um 14:48 schrieb Christoph Heiss:
> > This was reported by a user in the forum [0].
> >
> > The cause was that the user-* standard options were not registered when
> > the sync was called from the scheduler, resulting in the following
> > error:
> >
> >   pvescheduler[2849]: skipping attribute mapping 'cn'->'comment' for user 'test@samba0' - no such standard option 'user-comment'
> >
> > Fix this by simply importing the PVE::API2::User module, thus ensuring
> > the options get registered.
> >
> > [0] https://forum.proxmox.com/threads/ldap-integration-comment-email-first-name-lastname.143490/
> >
> > Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
>
> Fixes: cb93636 ("LDAP sync: improve validation of synced attributes")
> Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
> Tested-by: Fiona Ebner <f.ebner@proxmox.com>

Thanks for the review & testing!

>
> Thank you for the fix!
>
> The schema for the user- properties could also be moved somewhere that
> can be accessed by both API2::User module and Auth::LDAP module and
> included there directly. That would be more future-proof, but as a quick
> fix, this is fine too.

That was actually my approach too, and I already started working on a
series for exactly this.

But since this definitely requires some care to catch all sites and
further avoid getting it then stuck in review limbo, I thought sending a
quick fix should help this get resolved faster, for now at least. :^)