Bug 31606 - various UCR variables may break slapd.conf
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Duplicates: 14877 19768
Reported: 2013-06-03 10:29 CEST by Janis Meybohm
Modified: 2020-07-03 20:54 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Description Janis Meybohm univentionstaff 2013-06-03 10:29:54 CEST
It is possible to silently prevent slapd from starting by using comma and whitespace to separate IP addresses in ldap/acl/read/ips.

A simple strip() could prevent that from happening:

# diff -Nur 70univention-ldap-server_acl-master-end.orig 70univention-ldap-server_acl-master-end
--- 70univention-ldap-server_acl-master-end.orig        2013-06-03 10:27:49.000000000 +0200
+++ 70univention-ldap-server_acl-master-end     2013-06-03 10:28:01.000000000 +0200
@@ -142,7 +142,7 @@
        ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
        if ldap_acl_read_anonymous_ips:
                for ip in ldap_acl_read_anonymous_ips.split(','):
-                       print '   by peername.ip=%s read' % ip
+                       print '   by peername.ip=%s read' % ip.strip()
 else:
        print '   by * read'
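Review bot: strip() on the changed print line covers the "comma plus whitespace" case but not an empty element: with a trailing or doubled comma in ldap/acl/read/ips, split(',') yields '' and the template still emits "by peername.ip= read". Suggest skipping entries that are empty after strip() and checking that each remaining value is a well-formed address before printing it, so that a typo in the variable cannot reach slapd.conf.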
Comment 1 Moritz Muehlenhoff univentionstaff 2013-09-11 14:34:09 CEST
conffiles/etc/ldap/slapd.conf.d/30univention-ldap-server_head should also be made more robust by using inline Python instead of @%@VARIABLE@%@ (allowing sane fallback values if a variable is unset).

Currently slapd won't start if e.g. ldap/debug/level is unset:

root@master:~# ucr unset ldap/debug/level
Unsetting ldap/debug/level
Multifile: /etc/ldap/slapd.conf
root@master:~# /etc/init.d/slapd start
Check database: ...done.
Starting ldap server(s): slapd ...failed.
5225b186 /etc/ldap/slapd.conf: line 64: keyword <loglevel> missing <level> argument slapschema: bad configuration file!.
Comment 2 Florian Best univentionstaff 2017-02-09 17:54:56 CET
The same applies to various other options in the slapd.conf template: The variables are set in postinst and referenced with @%@foo@%@. Examples:

cachesize   @%@ldap/cachesize@%@
idlcachesize   @%@ldap/idlcachesize@%@
threads         @%@ldap/threads@%@
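
The two failure modes reported in this bug (a malformed ldap/acl/read/ips list, and an unset variable leaving a keyword without its argument) can both be handled in template code. The following is an added example, not code from the UCS templates: a plain dict stands in for configRegistry, the fallback values are hypothetical rather than UCS defaults, and entries are assumed to be IPv4 addresses with an optional %mask.

```python
import ipaddress

# Hypothetical fallbacks (not UCS defaults); a key without one is omitted
# from the output so slapd applies its own built-in default.
FALLBACKS = {"ldap/debug/level": "none", "ldap/threads": "16"}


def directive(config, keyword, key):
    """Return 'keyword value', never a keyword without its argument."""
    value = (config.get(key) or "").strip() or FALLBACKS.get(key)
    return "%s %s" % (keyword, value) if value else None


def is_valid_peer(entry):
    """Accept 'a.b.c.d' or 'a.b.c.d%m.m.m.m'; reject everything else."""
    ip, sep, mask = entry.partition("%")
    try:
        ipaddress.IPv4Address(ip)
        if sep:
            ipaddress.IPv4Address(mask)
    except ValueError:
        return False
    return True


def read_acl_lines(config):
    """Return (acl_lines, rejected_entries) for ldap/acl/read/ips."""
    lines, rejected = [], []
    for entry in (config.get("ldap/acl/read/ips") or "").split(","):
        entry = entry.strip()
        if not entry:
            continue  # trailing or doubled comma: nothing to emit
        if is_valid_peer(entry):
            lines.append("   by peername.ip=%s read" % entry)
        else:
            rejected.append(entry)  # report it, but keep it out of slapd.conf
    return lines, rejected


# Constructed sample values, not taken from a real system.
SAMPLE = {
    "ldap/acl/read/ips": "10.0.0.1, 10.0.0.2 ,,192.168.0.0%255.255.255.0, not-an-ip",
    "ldap/threads": " ",
}

if __name__ == "__main__":
    acl, bad = read_acl_lines(SAMPLE)
    print("\n".join(acl))
    print("rejected:", bad)
    print(directive(SAMPLE, "loglevel", "ldap/debug/level"))
```

Dropping a rejected entry grants less access than intended rather than stopping slapd, so the rejected list should be logged where an administrator will see it.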
Comment 4 Florian Best univentionstaff 2017-02-09 17:55:13 CET
*** Bug 19768 has been marked as a duplicate of this bug. ***
Comment 5 Florian Best univentionstaff 2017-02-09 17:55:44 CET
*** Bug 14877 has been marked as a duplicate of this bug. ***
Comment 6 Ingo Steuwer univentionstaff 2020-07-03 20:54:32 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.