Bug 43332 – univention.uldap.access.rename() wrong DN syntax handling

Bug 43332 - univention.uldap.access.rename() wrong DN syntax handling


Summary:	univention.uldap.access.rename() wrong DN syntax handling

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	univention-lib
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2
Assigned To:	Florian Best
QA Contact:	Philipp Hahn

URL:
Keywords:	interim-2

Depends on:	37337
Blocks:	43430 43431
	Show dependency tree / graph

Reported:	2017-01-12 18:35 CET by Florian Best
Modified:	2017-04-04 18:30 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2017-01-12 18:35:54 CET

univention.uldap.access.rename() splits a DN at ','. This is wrong for DN's which contain a escaped ',' e.g. cn=foo\, bar,baz.
This causes that a move() is not possible.

Revealed by test script:
http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-0/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/8/testReport/63_udm-containers/17_container_cn_rename_uppercase_with_special_characters/test/

[2017-01-12 06:27:40.642628] Creating container/cn object with /usr/sbin/udm-test container/cn create --position dc=AutoTest091,dc=local --set 'name=ävk(ê>$,[ö'
[2017-01-12 06:27:41.203620] Modifying container/cn object with /usr/sbin/udm-test container/cn modify --dn 'cn=ävk(ê\>$\,[ö,dc=AutoTest091,dc=local' --set 'name=äVK(ê>$,[ö'
[2017-01-12 06:27:41.439104] Cleanup after exception: <class 'univention.testing.udm.UCSTestUDM_ModifyUDMObjectFailed'> returncode=3
[2017-01-12 06:27:41.439149] stdout=LDAP Error: Invalid DN syntax: invalid new RDN
[2017-01-12 06:27:41.439159] stderr=
[2017-01-12 06:27:41.439170] module=container/cn
[2017-01-12 06:27:41.439181] kwargs={'dn': 'cn=\xc3\xa4vk(\xc3\xaa\\>$\\,[\xc3\xb6,dc=AutoTest091,dc=local', 'name': '\xc3\xa4VK(\xc3\xaa>$,[\xc3\xb6'}
[2017-01-12 06:27:41.439193] Performing UCSTestUDM cleanup...
[2017-01-12 06:27:41.631236] UCSTestUDM cleanup done
(2017-01-12 06:27:41.631280) Traceback (most recent call last):
(2017-01-12 06:27:41.631297)   File "17_container_cn_rename_uppercase_with_special_characters", line 65, in <module>
(2017-01-12 06:27:41.631309)     first_level_container = test_container(parent=None, add_user=False)
(2017-01-12 06:27:41.631320)   File "17_container_cn_rename_uppercase_with_special_characters", line 36, in test_container
(2017-01-12 06:27:41.631333)     udm.modify_object('container/cn', dn=cn, name=cn_name_new)
(2017-01-12 06:27:41.631343)   File "/usr/lib/pymodules/python2.7/univention/testing/udm.py", line 244, in modify_object
(2017-01-12 06:27:41.631355)     raise UCSTestUDM_ModifyUDMObjectFailed({'module': modulename, 'kwargs': kwargs, 'returncode': child.returncode, 'stdout': stdout, 'stderr': stderr})
(2017-01-12 06:27:41.631368) univention.testing.udm.UCSTestUDM_ModifyUDMObjectFailed: returncode=3
(2017-01-12 06:27:41.631377) stdout=LDAP Error: Invalid DN syntax: invalid new RDN
(2017-01-12 06:27:41.631385) stderr=
(2017-01-12 06:27:41.631393) module=container/cn

Comment 1 Florian Best

2017-01-12 18:42:54 CET

r75728 | Changelog Bug #43332

univention-python (10.0.2-1):
r75726 | Bug #43332: fix DN syntax when renamed object contains ","

Comment 2 Philipp Hahn

2017-01-20 14:07:53 CET

OK: r75728 r75726

OK:
 udm container/cn create --set name='foo bar'
 udm container/cn modify --dn 'cn=foo bar,$LB' --set name='foo, bar'
OK: /usr/share/ucs-test/63_udm-containers/17_container_cn_rename_uppercase

Comment 3 Florian Best

2017-01-23 16:27:30 CET

The test case revealed one more error during move:

# udm container/ou create --set 'name=âeg;=_,~~3'
Object created: ou=âeg\;\=_\,~~3,dc=school,dc=local
# udm container/ou create --set 'name=ômt+€|,"-8'
Object created: ou=ômt\+€|\,\"-8,dc=school,dc=local
# udm container/ou move --dn "ou=âeg\;\=_\,~~3,$(ucr get ldap/base)" --position "ou=ômt\+€|\,\"-8,(ucr get ldap/base)"
Object modified: ou=âeg\;\=_\,~~3,dc=school,dc=local
# univention-ldapsearch -LLL 'ou=*' dn | ldapsearch-wrapper  | ldapsearch-decode64 

→ object was moved to a wrong position/renamed.

univention-directory-manager-modules (12.0.12-1):
r76019 | Bug #43332: fix moving of objects containing ","

Comment 4 Florian Best

2017-01-24 14:48:20 CET

The tests reveal another error if you modify the name of a container/ou which has objects underneath of it:

# eval "$(ucr shell)"
# udm container/ou create --position "$ldap_base" --set 'name=ŝnfĉüß-|~ê'
Object created: ou=ŝnfĉüß-|~ê,dc=school,dc=local
# udm users/user create --position "ou=ŝnfĉüß-|~ê,$ldap_base" --set username=Xcn3zxg5ouz --set password=univention --set firstname=oyri1fxljy --set lastname=g3r74gcaon
Object created: uid=Xcn3zxg5ouz,ou=ŝnfĉüß-|~ê,dc=school,dc=local
# udm container/ou modify --dn "ou=ŝnfĉüß-|~ê,$ldap_base" --set 'name=ŝNFĉüß-|~ê'
Object modified: ou=ŝNFĉüß-|~ê,ou=temporary_move_container_1485258882.38,dc=school,dc=local
→ It shows the DN of a temporary OU containter

univention-directory-manager-modules (12.0.12-2):
r76054 | Bug #43332: fix return value of object.move() which supports subtree_move and has sub objects

Comment 5 Philipp Hahn

2017-01-27 18:55:50 CET

OK: r75728 r75726 r76019 r76054

OK:
LB=$(ucr get ldap/base)
udm container/cn create --set name='a'
udm container/cn modify --dn "cn=a,$LB" --set name='b,c'
# 4.1: LDAP Error: Invalid DN syntax: invalid new RDN
# 4.2: Object modified: cn=b\,c,$LB

OK:
LB=$(ucr get ldap/base)
udm container/cn create --set name='a,b'
udm container/cn create --set name='x,y'
udm container/cn move --dn "cn=a\,b,$LB" --position "cn=x\,y,$LB"
# 4.1: ldap Error: Invalid DN syntax: invalid new RDN
# 4.2: Object modified: cn=a\,b,$LB

OK:
LB=$(ucr get ldap/base)
udm container/cn create --set name='a,b'
udm container/cn create --position "cn=a\,b,$LB" --set name='x,y'
udm container/cn modify --dn "cn=a\,b,$LB" --set name='p,q'
# 4.1: LDAP Error: Invalid DN syntax: invalid new RDN
# 4.2: Object modified: cn=p\,q,dc=phahn-dev,dc=intranet

OK:
LB=$(ucr get ldap/base)
udm container/cn create --set name='a,b'
udm container/cn create --position "cn=a\,b,$LB" --set name='x,y'
udm container/cn modify --dn "cn=a\,b,$LB" --set name='A,B'


OK: please fix those too: r76143 r76144
$ git grep -n "[Dd][Nn].*\.find([\"'],[\"'])"
management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py:412:              
                                        raise univention.admin.uexceptions.invalidOperation(_('Unable to move object %(name)s (%(type)s) in subtree, trying to revert changes.') % {'name': subolddn[:subolddn.find(',')], 'type': univention.admin.modules.identifyOne(subolddn, suboldattrs)})
management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py:456:              
                                raise univention.admin.uexceptions.invalidOperation(_('Unable to move object %(name)s (%(type)s) in subtree, trying to revert changes.') % {'name': subolddn[:subolddn.find(',')], 'type': univention.admin.modules.identifyOne(subolddn, suboldattrs)})
management/univention-directory-manager-modules/modules/univention/admin/handlers/groups/group.py:818:          # newuids = map(lambda x: x[x.find('=') + 1: x.find(',')], newmembers)

Comment 6 Stefan Gohmann

2017-04-04 18:30:01 CEST

UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".