Bug 48984 - LDAP-ACLs deny access for Memberservers stored in a different container than cn=memberserver,cn=computers
Status: NEW
Product: UCS
Classification: Unclassified
Component: App Center
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Assigned To: App Center maintainers
Reported: 2019-03-13 14:14 CET by Christina Scheinig
Modified: 2019-05-22 15:16 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2019031121000775, 2019052121000574
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2019-03-13 14:14:38 CET
How to reproduce:
Make a new container underneath cn=computers and move the memberserver there.
Set the ucrv ldap/hostdn='cn=member,cn=memberserver2,cn=computers,dc=schein,dc=ig'

After that, it is not possible to install an app via appcenter:
Interner Server-Fehler in "appcenter/docker/remote/progress".
Request: appcenter/docker/remote/progress

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/appcenter/__init__.py", line 371, in remote_progress
    return client.umc_command('appcenter/docker/progress', {'progress_id': remote_progress_id}).result
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 435, in umc_command
    return self.request('POST', 'command/%s' % (path,), data, headers)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 515, in request
    return self.send(request)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 544, in send
    raise HTTPError(request, response, self.hostname)
HTTPError: 591 on member (command/appcenter/docker/progress): {"status": 591, "message": "Interner Server-Fehler in \"appcenter/docker/progress\".", "traceback": "Interner Server-Fehler in \"appcenter/docker/progress\".\nRequest: appcenter/docker/progress\n\nTraceback (most recent call last):\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/base.py\", line 253, in execute\n    function.__func__(self, request, *args, **kwargs)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 318, in _response\n    result = _multi_response(self, request)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n    return function(self, request)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 440, in _response\n    return list(function(self, iterator, *nones))\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 286, in _fake_func\n    yield function(self, *args)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/mixins.py\", line 149, in progress\n    ret = progress_obj.poll()\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 309, in _thread\n    result = _multi_response(self, request)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n    return function(self, request)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 440, in _response\n    return list(function(self, iterator, *nones))\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 286, in _fake_func\n    yield function(self, *args)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/appcenter/__init__.py\", line 431, in invoke_docker\n    
result['success'] = action.call(app=app, username=self.username, password=self.password, **kwargs)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py\", line 220, in call\n    return obj.call_with_namespace(namespace)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py\", line 226, in call_with_namespace\n    result = self.main(namespace)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py\", line 73, in main\n    return self.do_it(args)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/install_base.py\", line 109, in do_it\n    self._do_it(app, args)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_install.py\", line 63, in _do_it\n    ret = super(Install, self)._do_it(app, args)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py\", line 84, in _do_it\n    self._register_app(app, args)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/register.py\", line 418, in _register_app\n    ldap_object = get_app_ldap_object(app, lo, pos, or_create=True)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 278, in get_app_ldap_object\n    return ApplicationLDAPObject(app, lo, pos, or_create)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 178, in __init__\n    self._reload(app, create_if_not_exists)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 193, in _reload\n    self._create_obj(app)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 229, in _create_obj\n    obj = create_object_if_not_exists('appcenter/app', self._lo, self._pos, **attrs)\n  File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 101, in create_object_if_not_exists\n    obj.create()\n  File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 539, in create\n    dn = 
self._create(response=response, serverctrls=serverctrls)\n  File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 1178, in _create\n    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)\n  File \"/usr/lib/pymodules/python2.7/univention/admin/uldap.py\", line 787, in add\n    raise univention.admin.uexceptions.permissionDenied\npermissionDenied", "location": "https://member/univention/command"}

or via univention-app install guacamole:
Going to install Guacamole (0.9.13-univention14)
Password for Administrator:
Creating data directories for guacamole...
Copying /var/cache/univention-appcenter/appcenter.software-univention.de/4.3/guacamole_20180525181438.schema
Registering UCR for guacamole
Marking guacamole=0.9.13-univention14 as installed
File: /etc/univention/service.info/services/univention-appcenter.cfg
File: /usr/share/univention-portal/apps.json
Setting ports for apache proxy
Multifile: /etc/apache2/sites-available/000-default.conf
Multifile: /etc/apache2/sites-available/default-ssl.conf
Going to remove Guacamole (0.9.13-univention14)
No hostdn for guacamole found. Nothing to remove
Configuring guacamole=0.9.13-univention14
File: /etc/univention/service.info/services/univention-appcenter.cfg
Multifile: /etc/apache2/sites-available/000-default.conf
Multifile: /etc/apache2/sites-available/default-ssl.conf
File: /usr/share/univention-portal/apps.json
Reloading apache2 configuration (via systemctl): apache2.service.
Search LDAP binddn  done
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 33univention-portal.inst skipped (already executed)
Running 34univention-management-console-server.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-appcenter.inst skipped (already executed)
Running 35univention-management-console-module-diagnostic.inst skipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-mrtg.inst skipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.inst skipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.inst skipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-updater.inst skipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 98univention-pkgdb-tools.inst skipped (already executed)

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 73, in main
    return self.do_it(args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install_base.py", line 109, in do_it
    self._do_it(app, args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_install.py", line 63, in _do_it
    ret = super(Install, self)._do_it(app, args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 84, in _do_it
    self._register_app(app, args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/register.py", line 418, in _register_app
    ldap_object = get_app_ldap_object(app, lo, pos, or_create=True)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 278, in get_app_ldap_object
    return ApplicationLDAPObject(app, lo, pos, or_create)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 178, in __init__
    self._reload(app, create_if_not_exists)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 193, in _reload
    self._create_obj(app)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 229, in _create_obj
    obj = create_object_if_not_exists('appcenter/app', self._lo, self._pos, **attrs)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 101, in create_object_if_not_exists
    obj.create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 539, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1178, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 787, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
Traceback (most recent call last):
  File "/usr/bin/univention-app", line 91, in <module>
    main()
  File "/usr/bin/univention-app", line 78, in main
    ret = args.func(args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 73, in main
    return self.do_it(args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install_base.py", line 109, in do_it
    self._do_it(app, args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_install.py", line 63, in _do_it
    ret = super(Install, self)._do_it(app, args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 84, in _do_it
    self._register_app(app, args)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/register.py", line 418, in _register_app
    ldap_object = get_app_ldap_object(app, lo, pos, or_create=True)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 278, in get_app_ldap_object
    return ApplicationLDAPObject(app, lo, pos, or_create)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 178, in __init__
    self._reload(app, create_if_not_exists)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 193, in _reload
    self._create_obj(app)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 229, in _create_obj
    obj = create_object_if_not_exists('appcenter/app', self._lo, self._pos, **attrs)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 101, in create_object_if_not_exists
    obj.create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 539, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1178, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 787, in add
    raise univention.admin.uexceptions.permissionDenied
univention.admin.uexceptions.permissionDenied
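
A pre-install check for the condition in this report, added here as an example and not part of the original report or of Univention's code: it parses a host DN and reports whether the account sits in the container named in the bug title. The function names, the status strings and the rule that the host must be a direct child of that container are assumptions; `ldap_base` is taken to be the dc= suffix of the reported DN.

```python
# Added example, not Univention code. Assumption: member server host accounts
# are only covered by the ACLs when they sit directly in EXPECTED_CONTAINER.
EXPECTED_CONTAINER = "cn=memberserver,cn=computers"


def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            current += ch
            escaped = True
        elif ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    normalised = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        # cn and dc compare case-insensitively; padding around "=" and "," is ignored
        normalised.append(attr.strip().lower() + "=" + value.strip().lower())
    return normalised


def check_host_container(hostdn, ldap_base):
    """Return (status, parent_dn) for a host DN relative to the LDAP base."""
    host, base = split_dn(hostdn), split_dn(ldap_base)
    parent = host[1:]
    if len(host) <= len(base) or host[-len(base):] != base:
        return ("outside-base", ",".join(parent))
    if parent == split_dn(EXPECTED_CONTAINER) + base:
        return ("ok", ",".join(parent))
    return ("unexpected-container", ",".join(parent))


if __name__ == "__main__":
    # hostdn is the value from the report; the base is the dc= suffix of that DN.
    reported = "cn=member,cn=memberserver2,cn=computers,dc=schein,dc=ig"
    print(check_host_container(reported, "dc=schein,dc=ig"))
```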
Comment 1 Christina Scheinig univentionstaff 2019-05-22 15:16:42 CEST
I increased the affected feeling, because the customers cannot install apps on such servers.

It still happens with UCS 4.4.