Bug 44032 - 10univention-ldap-server.inst does univention-ldapsearch without correct credentials
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.2
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks:
Reported: 2017-03-22 18:29 CET by Janek Walkenhorst
Modified: 2020-07-03 20:52 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Janek Walkenhorst univentionstaff 2017-03-22 18:29:01 CET
10univention-ldap-server.inst contains

	S4_DCS="$(univention-ldapsearch "(&(objectclass=univentionDomainController)(univentionService=Samba 4))" cn | sed -n 's/^cn: \(.*\)/\1/p')"

which is not using the correct credentials to talk to the LDAP server, like every other command does, e.g.:
		/usr/share/univention-admin-tools/univention-dnsedit "$@" --ignore-exists \

This leads to the error message: "No such file or directory" in:

Configure /usr/lib/univention-install/10univention-ldap-server.inst
2017-03-22 16:07:04.383094416+01:00 (in joinscript_init)
/etc/machine.secret: No such file or directory
Adding SRV record "ldap tcp 0 100 7389 ucs-5995.orga.intranet." to zone orga.intranet...
done
Adding ZONE record "root@orga.intranet. 1 28800 10800 604800 108001 ucs-5995.orga.intranet." to zone 10.200.12...
Object created: cn=ucs-5995,cn=dc,cn=computers,dc=orga,dc=intranet

and probably breaks the "if"-condition
Comment 1 Florian Best univentionstaff 2017-03-23 19:43:59 CET
svn r72057 changed "univention-ldapsearch -x" to "univention-ldapsearch" but this is not the cause, right?
Comment 2 Janek Walkenhorst univentionstaff 2017-03-24 10:41:05 CET
(In reply to Florian Best from comment #1)
> svn r72057 changed "univention-ldapsearch -x" to "univention-ldapsearch" but
> this is not the cause, right?
no, it is that it is not using the correct credentials to talk to the LDAP server, like every other command does, e.g.:
 […] "$@" […]
Comment 3 Florian Best univentionstaff 2017-03-24 11:01:09 CET
What about those then?:

$ grep univention-ldapsearch $(find -name '*.inst') | grep -v -e '$@' -e '-y'
./base/univention-heimdal/15univention-heimdal-kdc.inst:samba4dcs=$(univention-ldapsearch -LLL "(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn | sed -ne 's|^cn: ||p')
./mail/univention-mail-cyrus-murder/81univention-mail-cyrus-murder.inst:        murders=$(univention-ldapsearch  univentionService="Cyrus Murder" uid | grep ^uid:| awk {'print $2'})
./management/univention-appcenter/30univention-appcenter.inst:  univention-ldapsearch -LLL -o ldif-wrap=no -b cn=Subschema -s base attributeTypes | grep -Fq "NAME 'univentionAppID'"
./nagios/univention-nagios-ad-connector/31univention-nagios-ad-connector.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-virtualization/31univention-nagios-libvirtd-kvm.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-virtualization/31univention-nagios-libvirtd-xen.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-virtualization/31univention-nagios-uvmmd.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-s4-connector/31univention-nagios-s4-connector.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-samba/31univention-nagios-samba.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./services/univention-dansguardian/79univention-dansguardian.inst:      if ! univention-ldapsearch -LLL -s base -b "cn=UNIVENTION_DANSGUARDIAN,cn=nagios,$ldap_base" dn 2>/dev/null >/dev/null ; then
./services/univention-dansguardian/79univention-dansguardian.inst:              if [ "$(univention-ldapsearch -LLL -b "$ldap_hostdn" univentionNagiosEnabled | sed -ne 's/univentionNagiosEnabled: //p')" = "1" ] ; then
./services/univention-dhcp/25univention-dhcp.inst:if [ 2 -ne "$(univention-ldapsearch -LLL -b 'cn=Subschema' -s base objectClasses | ldapsearch-wrapper | egrep -c "objectClasses: \( [0-9.]+ NAME '(dhcpTSigKey|dhcpFailOverPeer)'")" ]
./services/univention-dhcp/25univention-dhcp.inst:      count="$(univention-ldapsearch -LLL -b "$ldap_base" "(objectClass=univentionDhcpSubnet)" dn | grep -c ^dn)"
./services/univention-dhcp/25univention-dhcp.inst:              data="$(univention-ldapsearch -LLL -o ldif-wrap=no -s base -b "$dn")" || continue
./services/univention-dhcp/25univention-dhcp.inst:      if ! univention-ldapsearch -LLL -b "$SERVICE" "(&(objectClass=univentionDhcpSubnet)(cn=$network))" dn | grep ^dn
./services/univention-pkgdb/50univention-pkgdb.inst:if [ -z "$(univention-ldapsearch -LLL relativeDomainName=_pkgdb._tcp relativeDomainName)" ]; then
./services/univention-printserver/79univention-printserver.inst:done < <(univention-ldapsearch -LLL "(&(univentionPrinterUseClientDriver=*)(univentionPrinterSpoolHost=$(hostname -f)))" dn | ldapsearch-wrapper | sed -n 's/dn: //p')
./services/univention-printserver/79univention-printserver.inst:        if ! univention-ldapsearch -s base -b "cn=UNIVENTION_CUPS,cn=nagios,$ldap_base" dn 2>/dev/null >/dev/null ; then
./services/univention-printserver/79univention-printserver.inst:                if [ "$(univention-ldapsearch -b "$ldap_hostdn" univentionNagiosEnabled | sed -ne 's/univentionNagiosEnabled: //p')" = "1" ] ; then
./services/univention-samba4/96univention-samba4.inst:          IPs=$(univention-ldapsearch "(&(relativeDomainname=$hostname)(zoneName=$domainname))" aRecord aAAARecord \
./services/univention-samba4/96univention-samba4.inst:  s4connector_dc_candidates=$(univention-ldapsearch "(&(univentionService=S4 Connector)(objectClass=univentionDomainController))" cn | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p')
./services/univention-samba4/96univention-samba4.inst:  if univention-ldapsearch -LLL univentionservice=UCS@school dn | grep -q ^dn; then
./services/univention-samba4/96univention-samba4.inst:  group_dn="$(univention-ldapsearch "(&(objectClass=univentionGroup)(cn=$name))" | ldapsearch-wrapper | sed -ne 's|dn: ||p')"
./services/univention-samba4/96univention-samba4.inst:  group_dn="$(univention-ldapsearch "(&(objectClass=univentionGroup)(cn=$name)(!(univentionGroupType=-2147483643)))" | ldapsearch-wrapper | sed -ne 's|dn: ||p')"
./services/univention-samba4/96univention-samba4.inst:          if univention-ldapsearch sambaSID='S-1-5-9' cn | ldapsearch-wrapper | grep -q '^cn:'; then
./services/univention-squid-kerberos/98univention-squid-samba4.inst:if ! univention-ldapsearch -LLL "(univentionService=S4 Connector)" dn | grep -q ^dn:; then
Comment 4 Florian Best univentionstaff 2017-03-24 11:32:21 CET
The machine.secret is created some lines below. That's why this fails but the ones from below in comment #3 don't.

univention-ldap (13.0.6-1):
r78255 | Bug #44032: add missing "$@" for univention-ldapsearch in joinscript
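A fail-closed guard for the situation described in the description and comment #4, as an added example that is not part of the UCS joinscript: the query is refused while /etc/machine.secret is missing or empty, and an empty result aborts instead of silently passing the "if"-condition. The helper names (require_machine_secret, extract_cn, find_s4_dcs) and the LDIF sample are constructed; univention-ldapsearch itself is not called so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the UCS sources. Demonstrates running the
# joinscript's cn extraction only when the machine credentials exist.

# Return 0 only if the machine secret exists and is non-empty. Without it
# the real query would run unauthenticated and yield an empty S4_DCS.
require_machine_secret() {
	secret="${1:-/etc/machine.secret}"
	if [ ! -s "$secret" ]; then
		echo "E: $secret missing or empty; refusing to query LDAP unauthenticated" >&2
		return 1
	fi
	return 0
}

# Same sed pipeline the joinscript uses to pull cn values out of LDIF.
extract_cn() {
	sed -n 's/^cn: \(.*\)/\1/p'
}

# Constructed LDIF resembling the output of the Samba 4 DC search.
SAMPLE_LDIF='dn: cn=dc1,cn=dc,cn=computers,dc=example,dc=test
cn: dc1

dn: cn=dc2,cn=dc,cn=computers,dc=example,dc=test
cn: dc2
'

# Guarded lookup: credentials must be present, and an empty result is an
# error rather than a silently empty variable.
find_s4_dcs() {
	secret="$1"
	require_machine_secret "$secret" || return 1
	dcs="$(printf '%s' "$SAMPLE_LDIF" | extract_cn)"
	[ -n "$dcs" ] || { echo "E: no Samba 4 DCs found" >&2; return 2; }
	printf '%s\n' "$dcs"
}
```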
Comment 5 Florian Best univentionstaff 2017-03-24 11:44:26 CET
Added a changelog entry in the OpenLDAP section:

changelog-4.2-0.xml:
r78258 | Changelog Bug #44032
Comment 6 Florian Best univentionstaff 2017-03-24 12:03:21 CET
univention-ldapsearch doesn't support the arguments from "$@"! Revert everything:
Reset TM as this is also the case in UCS 4.1-4.

changelog-4.2-0.xml:
r78262 | Revert "Changelog Bug #44032"

univention-ldap (13.0.6-2):
r78263 | Revert "Bug #44032: add missing "$@" for univention-ldapsearch in joinscript"
Comment 7 Ingo Steuwer univentionstaff 2020-07-03 20:52:02 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.