Univention Bugzilla – Bug 42114
UMC-Server should provide access to specific commands for anonymous users
Last modified: 2017-04-04 18:29:19 CEST
The UMC-Server should be able to serve requests for unauthenticated clients. This is helpful when creating services like the Self-Service, which doesn't need to ship WSGI scripts.
When starting the UMC-Webserver I saw:

ENGINE WARNING: Use of engine.autoreload_on is deprecated and will be removed in a future version. Use engine.autoreload.on instead.

I adapted the config accordingly.
*** Bug 37665 has been marked as a duplicate of this bug. ***
*** Bug 41084 has been marked as a duplicate of this bug. ***
*** Bug 28742 has been marked as a duplicate of this bug. ***
*** Bug 40894 has been marked as a duplicate of this bug. ***
I experienced the following UMC-Server crash:

16.02.17 13:35:47.986  AUTH    ( INFO  ) : Trying to authenticate user 'Administrator'
16.02.17 13:35:48.010  AUTH    ( ERROR ) : Canonicalization of username failed:
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/auth.py", line 132, in __canonicalize_username
    result = lo.search(filter_format('(&(%s=%s)(objectClass=person))', (attr, username)), attr=['uid'], unique=True)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 439, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Invalid credentials
16.02.17 13:35:48.065  AUTH    ( INFO  ) : Authentication for 'Administrator' was successful
16.02.17 13:35:48.086  LOCALE  ( INFO  ) : Locale or domain missing. Stopped loading of translation
16.02.17 13:35:48.088  MAIN    ( ERROR ) : Could not get uid for 'Administrator':
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 188, in _search_user_dn
    ldap_dn = self.lo.searchDn(ldap.filter.filter_format('(&(uid=%s)(objectClass=person))', (self._username,)))
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 455, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
16.02.17 13:35:48.089  MAIN    ( ERROR ) : The LDAP DN for user Administrator could not be found (lo=<univention.admin.uldap.access instance at 0x7fb39a0b10e0>)
16.02.17 13:35:48.109  MAIN    ( ERROR ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 243, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 156, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 210, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 286, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 278, in step
    __min_timer = dispatch.dispatcher_run()
  File "/usr/lib/pymodules/python2.7/notifier/dispatch.py", line 72, in dispatcher_run
    if not disp():
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 154, in _simple_threads_dispatcher
    task.announce()
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 135, in announce
    self._callback( self, self._result )
  File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "/usr/lib/pymodules/python2.7/univention/management/console/auth.py", line 152, in __authentication_result
    self.signal_emit('authenticated', auth_result, request)
  File "/usr/lib/pymodules/python2.7/notifier/signals.py", line 75, in signal_emit
    self.__signals[ signal ].emit( *args )
  File "/usr/lib/pymodules/python2.7/notifier/signals.py", line 41, in emit
    cb( *args )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 886, in _authentication_finished
    self.initalize_processor(request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 927, in initalize_processor
    self.processor.set_credentials(**self.__credentials)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 171, in set_credentials
    self._reload_acls_and_permitted_commands()
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 175, in _reload_acls_and_permitted_commands
    self._reload_acls()
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 179, in _reload_acls
    self.acls = LDAP_ACLs(self.lo, self._username, ucr['ldap/base'])
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 349, in __init__
    self._read_from_ldap()
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 365, in _read_from_ldap
    userdn = self.lo.searchDn(filter_format('(&(objectClass=person)(uid=%s))', [self.username]), unique=True)[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 455, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
This has been implemented by adding an attribute allow_unauthenticated="true" to the <command> of the XML definition of a module. As unauthenticated users can now contact the UMC-Server directly in non-AUTH requests, I needed to implement some more error handling to protect against DoS and UMC-Server crashes.

univention-management-console (9.0.42-1):

r77084 | Bug #42114: prevent server crashes in the authentication finished callback
r77066 | Bug #42114: ignore flavor argument
r77030 | Bug #42114: fixup error in sanitization if PatternSanitizer is used
r77028 | Bug #42114: remove __all__
r77001 | Bug #42114: fix py-support in preinst
r77000 | Bug #42114: fix py-support in preinst
r76999 | Bug #42114: respond with 401 Unauthorized for known UMC commands when not being logged in
r76413 | Bug #42114: fix ldap filter escaping
r76370 | Bug #42114: fix executing anonymous commands
r75937 | Bug #42114: fix crash of UMC-Server due to __processes not defined in subclass
r75623 | Bug #42114: make it possible to define required commands for a flavor/module to have access to for viewing the module
r73183 | Bug #42114: general thread error handling
r73039 | Bug #42114: error handling of LDAP server down
r72529 | Bug #42114: Fix some pyflakes warnings
r72453 | Bug #42114: fix up svn r71911, revert svn r72429
r72429 | Bug #42114: Make the UMC-Server more robust against crashes by unauthenticated clients
r72417 | Bug #42114: Make the UMC-Server more robust against crashes by unauthenticated clients
r72411 | Bug #42114: Make the UMC-Server more robust against crashes by unauthenticated clients
r72038 | Bug #42114: rename 'prevent_unauthenticated' into 'allow_anonymous'
r71977 | Bug #42114: rename 'prevent_unauthenticated' into 'allow_anonymous'
r71952 | Bug #42114: prevent memory leak and denial of service
r71951 | Bug #42114: make it possible to execute commands without authentication
r71911 | Bug #42114: make it possible to execute commands without authentication
r71972 | Bug #42114: allow anonymous commands to be sent to the UMC-Server
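The per-command gate described in the comment above, as an added illustration that is not the UMC-Server's own code: it reads a constructed module definition, records which <command> entries opt in to anonymous access, and answers 401 to anonymous clients for every other known command, matching the behaviour verified later in this thread. The attribute is spelled allow_anonymous here (the comment calls it allow_unauthenticated, the commit log allow_anonymous); the 404 for unknown commands and the module/command names are assumptions for the example.

```python
"""Toy reproduction of the per-command anonymous-access gate.
Constructed example, not UMC code. Assumptions: attribute spelled
allow_anonymous; unknown commands answer 404 regardless of auth state."""
import xml.etree.ElementTree as ET

# Constructed module definition; the <command> element is the one the
# thread refers to, names and attribute values are made up for the demo.
MODULE_XML = """<?xml version="1.0"?>
<umc>
  <module id="passwordreset">
    <command name="passwordreset/get_reset_methods" allow_anonymous="true"/>
    <command name="passwordreset/send_token" allow_anonymous="true"/>
    <command name="setup/lang/locales"/>
  </module>
</umc>"""


def load_commands(xml_text):
    """Return {command name: anonymous allowed?} from a module definition.
    Only the value "true" (case-insensitive) grants anonymous access, so a
    missing or misspelled attribute fails closed."""
    root = ET.fromstring(xml_text)
    commands = {}
    for cmd in root.iter("command"):
        name = cmd.get("name")
        if not name:
            continue  # malformed entry: skip it instead of crashing the server
        commands[name] = cmd.get("allow_anonymous", "false").lower() == "true"
    return commands


def dispatch(commands, command, authenticated):
    """Decide the status for a request before any handler runs.
    Known commands answer 401 to anonymous clients unless the command
    allows anonymous access; authenticated clients pass the gate."""
    if command not in commands:
        return 404  # assumption: unknown command, independent of auth state
    if authenticated or commands[command]:
        return 200
    return 401


if __name__ == "__main__":
    cmds = load_commands(MODULE_XML)
    for cmd, auth in [("setup/lang/locales", True), ("setup/lang/locales", False),
                      ("passwordreset/get_reset_methods", False)]:
        print(cmd, "auth" if auth else "anon", "->", dispatch(cmds, cmd, auth))
```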
*** Bug 43653 has been marked as a duplicate of this bug. ***
A circular import may be introduced:

>>> import univention.management.console.base
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 124, in <module>
    from univention.management.console.protocol.message import Response, MIMETYPE_JSON
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/__init__.py", line 187, in <module>
    from session import *
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 67, in <module>
    from ..base import Base
ImportError: cannot import name Base
*** Bug 43712 has been marked as a duplicate of this bug. ***
(In reply to Jürn Brodersen from comment #9)
> circular import may be introduced:
>
> >>> import univention.management.console.base
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 124, in <module>
>     from univention.management.console.protocol.message import Response, MIMETYPE_JSON
>   File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/__init__.py", line 187, in <module>
>     from session import *
>   File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 67, in <module>
>     from ..base import Base
> ImportError: cannot import name Base

This is the same in UCS 4.1, so I don't think we need to fix it. It's no problem for the UMC modules.
What I tested:

umc-command -U Administrator -P univention setup/lang/locales -o 'pattern=*'
-> STATUS : 200 -> OK

umc-command --no-auth setup/lang/locales -o 'pattern=*'
-> STATUS : 401 -> OK

umc-command --no-auth passwordreset/get_reset_methods -o username=foo
-> STATUS : 200 -> OK

umc-command -U Administrator -P univention passwordreset/get_reset_methods -o username=foo
-> STATUS : 200 -> OK

-> NOT anonymous modules work only logged in -> OK
-> anonymous modules work logged in and logged out -> OK
-> All OK -> Verified
REOPENED → Please add a changelog entry.
r77418 | Changelog Bug #42114 Bug #42132
(In reply to Florian Best from comment #14)
> r77418 | Changelog Bug #42114 Bug #42132

OK -> Verified
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".