Unable to retrieve parents for relation groupmember: uid attribute not found

  • Hi,

    we are running Zarafa (on Univention) since 2011. We successfully upgraded both systems over the last years, from the manual installation to zarafa4ucs and very recently to kopano4ucs, following the the migration manual.

    However, since the last upgrade from Zarafa 7.2.3 to Kopano 8.1.2, I have the following 2 warnings in /var/log/kopano/server.log:

    1. Unable to retrieve parents for relation groupmember
    [warning] Unable to retrieve parents for relation groupmember: uid attribute not found.
    [warning] Previous message logged 100 times
    1. Object not found unknown user
    [warning] Object not found unknown user "Mailverteiler PPL": Mailverteiler PPL not found in LDAP

    …where “Mailverteiler PPL” is an user group with an assigned email address.

    Could somebody help me to resolve these 2 warnings?

    Thanks, Jürgen.

  • I had the same issue with Kopano on UCS and got rid of the relation groupmember warnings by setting ldap_groupmembers_attribute to “uniqueMember” and “ldap_groupmembers_attribute_type” to “dn”:

    ucr set kopano/cfg/ldap/ldap_groupmembers_attribute_type="dn"
    ucr set kopano/cfg/ldap/ldap_groupmembers_attribute="uniqueMember"
    systemctl reload kopano-server

    Using DNs for group member relations actually is AD style but works with UCS. Not being able to use plain uid/login attribute here seems to be a bug in Kopano.

  • Kopano

    Hi @tobydox ,

    by default the following values are used (also on Univention).

    # Optional, default = member
    # Active directory: member
    # LDAP: memberUid
    ldap_groupmembers_attribute = memberUid
    # Optional, default = text
    # Active directory: dn
    # LDAP: text
    ldap_groupmembers_attribute_type = text

    Don’t these values exist on Univention?

  • The default values do exist on Univention but the AD-style properties are populated as well so luckily we’re able to work around this issue in Kopano.

    Kopano seems to perform different searches if ldap_groupmembers_attribute_type is dn or text (https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/plugins/LDAPUserPlugin.cpp?at=9eba40545760adbc15efd7e583bf0c1bea11a4a9#2548 ) so there’s probably a bug in LDAP-style attribute type handling (line 2551 and following).

  • Kopano

    Hi @tobydox ,

    I just gave this a try on a local test installation and even with the default settings I do not get such an error message. Which makes me think that the issue is probably one of your group members not resolving anymore (here the behaviour for dn could be different and thats why the error went away).

    I gave some pointers to find the offending object in https://help.univention.com/t/kopano-server-logs-warning-every-few-minutes/6045.

  • Hi @fbartels ,

    this is a fresh UCS installation with a fresh domain. Only the Kopano installation is based on a migrated Zarafa setup (where we updated the unique user attribute in the database to match the newly created users in the new domain). The debug logs also indicate that this happens for all groups so this is not a specific problem. The problem here is that Kopano queries the attribute “uid” for groups (which don’t have this attribute):

    [  20006] plugin: getParentObjectsForObject Relation: Group member
    [  20006] plugin: ldaptiming [00000.00] ("dc=example,dc=com" "(&(|(&(objectClass=posixGroup)(&(kopanoAccount=1)(objectClass=kopano-group)))(objectClass=kopano-dynamicgroup))(gidNumber=5080))" uid ), results: 1
    [warning] Unable to retrieve parents for relation groupmember: uid attribute not found.
  • Kopano

    @tobydox how did you create your user then? was it an Univention system before as well?

    Like I said in a normal Univention environment those errors are not given for a group, which makes me think you have missed some attributes when creating users/groups.

    On the other hand changing those attributes would allow also some other functionalities (like groups in groups, see https://github.com/zarafa4ucs/zarafa4ucs/issues/53). I have just committed this change into the Kopano4UCS git, but will still need to have another look if it has any side effects before the next app update.

  • This was a freshly installed UCS 4.2 system with users created automated via UDM:

    udm users/user create --position cn=users,dc=example,dc=com --set username=$LOGIN --set lastname=$SURNAME --set password=$(pwgen -y -n 12) \
    --set firstname=$GIVENNAME --set sambaRID=$RID --set uidNumber=$UIDNUMBER \
    --set mailPrimaryAddress=$MAIL --set kopano-role=user --set e-mail=$MAIL --set displayName="$GIVENNAME $SURNAME" \
    --option samba --option person --option posix --option mail

    Groups were created manually using UMC. The old Zarafa installation was running on a Zentyal server but this shouldn’t matter thanks to the identical unique LDAP attributes ;-)

  • Hi,

    it seems that these warnings are only related to UCS-Zarafa installations that were updated to UCS-Kopano. We are using this combination for several years now and managed all users via the UCS webinterface only. Probably “uid” attributes for groups have been created in earlier versions?


  • Kopano

    @groupnet said in Unable to retrieve parents for relation groupmember: uid attribute not found:

    Probably “uid” attributes for groups have been created in earlier versions

    no, in my case it is a system that I just recently installed. and https://github.com/zarafa4ucs/zarafa4ucs/issues/53 indicates that the same values have been used in Zarafa as well.