Bug 28645 - LDAP filter of the faillog listener module matches all objects
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 2.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0
Assigned To: Philipp Hahn
QA Contact: Florian Best
Depends on:
Blocks:
Reported: 2012-09-25 19:35 CEST by Arvid Requate
Modified: 2021-05-25 15:57 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2012-09-25 19:35:36 CEST
The LDAP filter declared in the faillog listener module

  filter='objectClass=shadowAccount'

does not seem to take effect: in the listener code, the call

  cache_entry_ldap_filter_match(handler->filters, dn, &entry);

always returns 1 for the 'faillog' handler in testing, e.g. also for DNS entries. With

  filter='(objectClass=shadowAccount)'

the filter works, by contrast.
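The following Python sketch is an added illustration of the filter-syntax point above; it is not part of the report and not UCS listener code (the real evaluation code is the subject of Bug #28646). It implements a strict parser for a subset of RFC 4515 filters (equality, presence, &, |, !) plus a deliberately lenient matcher that treats an unparseable filter as "no restriction". The lenient fallback is an assumption about how the reported symptom (every DN matching) can arise, not a description of the listener's implementation; the sample entries are constructed, not real directory data.

```python
"""Strict RFC 4515-subset filter matcher vs. a lenient one (added example,
not UCS code). Shows why 'objectClass=shadowAccount' without the enclosing
parentheses can match everything while '(objectClass=shadowAccount)' does
not. Unsupported: substring/extensible matches, escaped parentheses."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]   # attribute -> values, as a listener module sees them


class FilterSyntaxError(ValueError):
    """Filter string is not a well-formed RFC 4515 filter."""


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised item starting at s[i]; return (ast, next offset)."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError(f"unexpected end of filter {s!r}")
    op = s[i]
    if op in "&|":                        # (&(...)(...)) and (|(...)(...))
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise FilterSyntaxError(f"expected ')' at offset {i} in {s!r}")
        return (op, children), i + 1
    if op == "!":                         # (!(...))
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise FilterSyntaxError(f"expected ')' at offset {i} in {s!r}")
        return ("!", child), i + 1
    end = s.find(")", i)                  # simple item: attr=value or attr=*
    if end == -1:
        raise FilterSyntaxError(f"unterminated item at offset {i} in {s!r}")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise FilterSyntaxError(f"malformed item {s[i:end]!r} in {s!r}")
    return ("=", attr.lower(), value), end + 1


def parse_filter(s: str) -> tuple:
    """Strictly parse a whole filter; a bare 'attr=value' is rejected here."""
    ast, i = _parse(s, 0)
    if i != len(s):
        raise FilterSyntaxError(f"trailing data at offset {i} in {s!r}")
    return ast


def _matches(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def filter_matches(filter_string: str, entry: Entry) -> bool:
    """Strict matcher: a malformed filter raises instead of matching."""
    return _matches(parse_filter(filter_string), {k.lower(): v for k, v in entry.items()})


def lenient_filter_matches(filter_string: str, entry: Entry) -> bool:
    """Assumed failure mode: an unparseable filter is treated as 'match all'.
    Constructed to reproduce the reported symptom; not the UCS listener code."""
    try:
        return filter_matches(filter_string, entry)
    except FilterSyntaxError:
        return True


def validate_listener_filter(filter_string: str) -> Optional[str]:
    """Return None if the filter is well-formed, else the reason (load-time check)."""
    try:
        parse_filter(filter_string)
    except FilterSyntaxError as exc:
        return str(exc)
    return None


# Constructed sample entries, not real directory data.
USER_ENTRY: Entry = {"objectClass": ["top", "person", "posixAccount", "shadowAccount"],
                     "uid": ["alice"]}
DNS_ENTRY: Entry = {"objectClass": ["top", "dNSZone"], "zoneName": ["example.test"]}
BROKEN_FILTER = "objectClass=shadowAccount"    # the filter from the report
FIXED_FILTER = "(objectClass=shadowAccount)"   # with the required parentheses


def demo() -> Dict[str, bool]:
    """Compare both filters against both entries."""
    return {
        "lenient_broken_user": lenient_filter_matches(BROKEN_FILTER, USER_ENTRY),
        "lenient_broken_dns": lenient_filter_matches(BROKEN_FILTER, DNS_ENTRY),
        "strict_fixed_user": filter_matches(FIXED_FILTER, USER_ENTRY),
        "strict_fixed_dns": filter_matches(FIXED_FILTER, DNS_ENTRY),
    }
```

The practical takeaway is the `validate_listener_filter` check: a listener module's `filter` string should be parsed once at load time and rejected if it is not a well-formed filter, rather than relying on the evaluation code's behaviour for malformed input.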
Comment 1 Moritz Muehlenhoff univentionstaff 2013-05-31 10:43:17 CEST
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2.

As such, this bug is moved to the new target milestone.
Comment 2 Philipp Hahn univentionstaff 2014-04-10 18:48:15 CEST
Also see Bug #28646, which is for fixing the filter evaluation code in the Listener.
I don't close this bug as a duplicate of it, as this bug is specific for the faillog listener module.
Comment 3 Stefan Gohmann univentionstaff 2015-02-24 21:13:17 CET
This issue has been filed against UCS 2.2.

UCS 2.2 is out of maintenance and many UCS components have vastly changed in
later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug".
In this case please provide detailed information on how this issue is affecting
you.
Comment 4 Philipp Hahn univentionstaff 2020-07-04 08:42:04 CEST
[feature/ucs5] e8e843b336 Bug #28645 PAM: Fix LDAP filter syntax
 base/univention-pam/debian/changelog | 6 ++++++
 base/univention-pam/faillog.py       | 2 +-
 doc/changelog/changelog-5.0-0.xml    | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
Comment 5 Florian Best univentionstaff 2020-08-10 08:38:33 CEST
REOPEN:
it must also match for the object classes 'sambaSamAccount', 'krb5Principal', 'krb5KDCEntry' because it uses users.user.unmapLocked().
(Maybe this is also a wrong function since UCS 4.3.)

Fixed a typo in the changelog entry:
-                                       Fix LDAP filter syntax in &ucsUDL; module <filename>failllog.py</filename> (<u:bug>28645</u:bug>)
+                                       Fix LDAP filter syntax in &ucsUDL; module <filename>faillog.py</filename> (<u:bug>28645</u:bug>)
Comment 6 Philipp Hahn univentionstaff 2021-03-09 16:05:54 CET
(In reply to Florian Best from comment #5)
> REOPEN:
> it must also match for the object classes 'sambaSamAccount',
> 'krb5Principal', 'krb5KDCEntry' because it uses users.user.unmapLocked().
> (Maybe this is also a wrong function since UCS 4.3.)

As discussed with Arvid: The original module intended to work with shadow accounts. As we no longer separate between POSIX / Samba / Kerberos accounts this would only be relevant for legacy accounts, where only some of those types were used.
The called functions
  unmapLocked()
  +- isSambaLocked()  # optional
  |  +- sambaSamAccount.sambaAcctFlags
  +- isKerberosLocked()  # optional
  |  +- krb5KDCEntry.krb5KDCFlags
  +- isLDAPLocked()  # commented out
     +- ppolicy.pwdAccountLockedTime

So strictly speaking the module is triggered by *optional* attributes from Samba and krb5 to change a *required* attribute of Shadow. So the filter might look strange, but is otherwise correct.
Comment 7 Florian Best univentionstaff 2021-03-09 16:11:13 CET
Then it's okay for me. I already did the tests.
Comment 8 Florian Best univentionstaff 2021-05-25 15:57:58 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".