Univention Bugzilla – Bug 50625
Interner Server-Error in "schoolusers/query (student)".
Last modified: 2021-11-19 13:32:23 CET
Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 358, in __error_handling six.reraise(etype, exc, etraceback) File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 261, in execute function._func_(self, request, *args, **kwargs) File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 123, in wrapper_func return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolusers/_init_.py", line 91, in query attr=['givenName', 'sn', 'shadowLastChange', 'shadowMax', 'uid']) File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line 261, in _users_ldap ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr) File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 757, in search raise univention.admin.uexceptions.noObject(_err2str(msg)) noObject: No such object We had this issue in an earlier UCSSchool Version, there it was this file: /usr/share/pyshared/ucsschool/lib/schoolldap.py The customer has students in two different classes without putting them in the corresponding groups for multiple school users. Therefor the module cannot be used anymore.
My understand here is that the issue is based on inconsistencies in the user information (user is member of a class group of a school the user is not assigned to). Therefore I assume that this occures not that often.
Unfortunately it appears in just one customer environment "quite" often so it continuously generates support tickets. I patched this now 4th time and I am tired doing it. For the customer it would be great, and for me too, if just the traceback shows which user causes and also blocks opening the module. The patch I applied was just a try/ except block around "ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr)" Now the code changed and the patch does not work anymore. :-/
So patch still seem to work if I patch the right file. --- /usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py.orig-support 2020-06-25 10:43:27.318997444 +0200 +++ /usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py 2020-06-25 10:46:05.341899641 +0200 @@ -258,7 +258,11 @@ '&', [parse(subfilter) for subfilter in search_filter_list] ))) - ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr) + try: + ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr) + except Exception: + raise Exception(userdn) if len(ldap_objs) == 1: users.append(ldap_objs[0]) # else:
To make this clear, the important part for me (support) and for the customer is still showing the traceback but with the user who causes the problem. The customer can remove the user himself and gets everything to work again. It is just supporting the customer, helping himself! Feel free to clone this issue in a separate bug, just adding the user in the traceback, as the patch does.
As an alternative you could write a script which identifies broken user objects and removes them. And as far as I looked at the code, such script already exists?: /usr/share/univention-directory-manager-tools/proof_uniqueMembers The patch - as is - will probably not added to the product. So can you tell if this only happens for a specific teacher/admin? Is there a specific group/class which is selected, where this regulary happens? Which one?
Better readable traceback: Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 358, in __error_handling six.reraise(etype, exc, etraceback) File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 261, in execute function._func_(self, request, *args, **kwargs) File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 123, in wrapper_func return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolusers/_init_.py", line 91, in query attr=['givenName', 'sn', 'shadowLastChange', 'shadowMax', 'uid']) File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line 261, in _users_ldap ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr) File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 757, in search raise univention.admin.uexceptions.noObject(_err2str(msg)) noObject: No such object FYI: you want this patch! (/usr/lib/python2.7/dist-packages/univention/admin/uldap.py) diff --git a/management/univention-directory-manager-modules/modules/univention/admin/uldap.py b/management/univention-directory-manager-modules/modules/univention/admin/uldap.py index e6846d09de..1ad355fcca 100644 --- a/management/univention-directory-manager-modules/modules/univention/admin/uldap.py +++ b/management/univention-directory-manager-modules/modules/univention/admin/uldap.py @@ -668,7 +668,7 @@ class access(object): try: return self.lo.search(filter, base, scope, attr, unique, required, timeout, sizelimit, serverctrls=serverctrls, response=response) except ldap.NO_SUCH_OBJECT as msg: - raise univention.admin.uexceptions.noObject(_err2str(msg)) + raise univention.admin.uexceptions.noObject('%s: %s' % (_err2str(msg), base)) except ldap.INAPPROPRIATE_MATCHING as msg: raise univention.admin.uexceptions.insufficientInformation(_err2str(msg)) except (ldap.TIMEOUT, ldap.TIMELIMIT_EXCEEDED) as msg:
(In reply to Florian Best from comment #7) > Better readable traceback: > > Traceback (most recent call last): > File > "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", > line 358, in __error_handling > six.reraise(etype, exc, etraceback) > File > "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", > line 261, in execute > function._func_(self, request, *args, **kwargs) > File > "/usr/lib/python2.7/dist-packages/univention/management/console/modules/ > decorators.py", line 181, in _response > return function(self, request) > File > "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", > line 123, in wrapper_func > return func(*args, **kwargs) > File > "/usr/lib/pymodules/python2.7/univention/management/console/modules/ > schoolusers/_init_.py", line 91, in query > attr=['givenName', 'sn', 'shadowLastChange', 'shadowMax', 'uid']) > File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line > 261, in _users_ldap > ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr) > File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line > 757, in search > raise univention.admin.uexceptions.noObject(_err2str(msg)) > noObject: No such object > > FYI: you want this patch! > > (/usr/lib/python2.7/dist-packages/univention/admin/uldap.py) > diff --git > a/management/univention-directory-manager-modules/modules/univention/admin/ > uldap.py > b/management/univention-directory-manager-modules/modules/univention/admin/ > uldap.py > index e6846d09de..1ad355fcca 100644 > --- > a/management/univention-directory-manager-modules/modules/univention/admin/ > uldap.py > +++ > b/management/univention-directory-manager-modules/modules/univention/admin/ > uldap.py > @@ -668,7 +668,7 @@ class access(object): > try: > return self.lo.search(filter, base, scope, attr, > unique, required, timeout, sizelimit, serverctrls=serverctrls, > response=response) > except ldap.NO_SUCH_OBJECT as msg: > - raise > univention.admin.uexceptions.noObject(_err2str(msg)) > + raise univention.admin.uexceptions.noObject('%s: %s' > % (_err2str(msg), base)) > except ldap.INAPPROPRIATE_MATCHING as msg: > raise > univention.admin.uexceptions.insufficientInformation(_err2str(msg)) > except (ldap.TIMEOUT, ldap.TIMELIMIT_EXCEEDED) as msg: I really appreciate your suggestions! But I need a quick fix, showing the username for the customer. I don't really know what he is doing and why, but this helps and satisfies him at the moment. Or there is no traceback anymore and everything works fine WITH his misconfiguration.
I tried to reproduce the problem by creating a user who is part of schoolA-class and schoolB-class, but not in schoolB, which led to Warnings in the diagnose module (904). I was still able to open the school users module and did not get any traceback. Could you provide more information about the broken user/ groups, e.g. `udm users/user list --filter "uid=brokenuser"` or example-ldifs? Thanks in advance! UCS: 4.4-4 errata652 Installed: cups=2.2.1 samba4=4.10 squid=3.5 ucsschool=4.4 v5
I implemented the patch and wrote a help article on how an ucs@school user should look like https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630 [twenzel/50625_include_username_in_log] 26e3acd9b Bug #50625: Patch QA -> try to raise an error, which will lead to an error in the umc school users module.
To reproduce the error do the following: udm groups/group modify --dn "cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=realm1,dc=intranet" --append users="uid=nemo,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=realm1,dc=intranet" Object modified: cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=realm1,dc=intranet After that run: umc-command -U Administrator -P univention schoolusers/query -e -o "{'class':'cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=realm1,dc=intranet', 'pattern':'', 'school':'DEMOSCHOOL'}" ---> 22.07.20 12:41:59.009 DEBUG_INIT Response: COMMAND data length : 1508 message length: 1432 --- ARGUMENTS: schoolusers/query MIMETYPE : application/json STATUS : 591 MESSAGE : Interner Server-Fehler in "schoolusers/query". ERROR : {u'traceback': u'Traceback (most recent call last):\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 359, in __error_handling\n six.reraise(etype, exc, etraceback)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 262, in execute\n function.__func__(self, request, *args, **kwargs)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response\n return function(self, request)\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 123, in wrapper_func\n return func(*args, **kwargs)\n File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolusers/__init__.py", line 91, in query\n attr=[\'givenName\', \'sn\', \'shadowLastChange\', \'shadowMax\', \'uid\'])\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line 261, in _users_ldap\n ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr)\n File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 757, in search\n raise univention.admin.uexceptions.noObject(_err2str(msg))\nnoObject: No such object\n', u'command': u'schoolusers/query'} RESULT : {u'status': 591, u'headers': {u'Vary': u'Content-Language', u'Content-Language': u'de-DE'}, u'message': u'Interner Server-Fehler in "schoolusers/query".', u'result': None, u'error': {u'traceback': u'Traceback (most recent call last):\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 359, in __error_handling\n six.reraise(etype, exc, etraceback)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 262, in execute\n function.__func__(self, request, *args, **kwargs)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response\n return function(self, request)\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 123, in wrapper_func\n return func(*args, **kwargs)\n File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolusers/__init__.py", line 91, in query\n attr=[\'givenName\', \'sn\', \'shadowLastChange\', \'shadowMax\', \'uid\'])\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line 261, in _users_ldap\n ldap_objs = ldap_connection.search(search_filter, base=userdn, attr=attr)\n File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 757, in search\n raise univention.admin.uexceptions.noObject(_err2str(msg))\nnoObject: No such object\n', u'command': u'schoolusers/query'}} The affected code runs only if the query contains a 'class'/group to search in. The code occurs, because the group contains users that do not exist or might not accessible to the caller due to LDAP restrictions and faulty configured users with multiple schools as mentioned before. After applying the patch, the following error is thrown in the UMC: Interner Server-Fehler in "schoolusers/query (student)". Request: schoolusers/query (student) Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 359, in __error_handling six.reraise(etype, exc, etraceback) File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 262, in execute function.__func__(self, request, *args, **kwargs) File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 123, in wrapper_func return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolusers/__init__.py", line 91, in query attr=['givenName', 'sn', 'shadowLastChange', 'shadowMax', 'uid']) File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line 318, in _users_ldap "For more information visit https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630".format(userdn)) noObject: User with DN: uid=nemo,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=realm1,dc=intranet is broken.Please make sure to add the user to it's mandatory school-groups.For more information visit https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630 I would change the error message to contain the group_dn something more general, like User with DN: $DN was not found in the group $CLASS_DN. Please make sure it is a valid UCS@school user and is member of all necessary groups. For more information visit https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630 After that you can squash+merge+build
@christina: We just extended the message in the traceback now. If you feel that this type of exception should be caught in the UMC and displayed with a more user friendly message please clone this bug and send a feature request to Michel.
- Changed the message - fixup, merged to 4.4 & build -> set to RESOLVED [4.4] 10812a5cb Bug #50625: yaml version [4.4] 6f312d74b Bug #50625: Changelog and yaml [4.4] 2fd60035a Bug #50625: Raise error with user and group dn for broken school groups in umc Package: ucs-school-lib Version: 12.1.15A~4.4.0.202007221326 Branch: ucs_4.4-0 Scope: ucs-school-4.4
Implemented changes: OK root@dc0:~# umc-command -U Administrator -P univention schoolusers/query -e -o "{'class':'cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=realm1,dc=intranet', 'pattern':'', 'school':'DEMOSCHOOL'}" 23.07.20 08:27:15.567 DEBUG_INIT Response: COMMAND data length : 1784 message length: 1708 --- ARGUMENTS: schoolusers/query MIMETYPE : application/json STATUS : 591 MESSAGE : Interner Server-Fehler in "schoolusers/query". ERROR : {u'traceback': u'Traceback (most recent call last):\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 359, in __error_handling\n six.reraise(etype, exc, etraceback)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 262, in execute\n function.__func__(self, request, *args, **kwargs)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response\n return function(self, request)\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 141, in wrapper_func\n return func(*args, **kwargs)\n File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolusers/__init__.py", line 91, in query\n attr=[\'givenName\', \'sn\', \'shadowLastChange\', \'shadowMax\', \'uid\'])\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line 318, in _users_ldap\n " For more information visit https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630".format(userdn, group))\nnoObject: User with DN: uid=nemo,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=realm1,dc=intranet was not found in the group cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=realm1,dc=intranet. Please make sure it is a valid UCS@school user and is member of all necessary groups. For more information visit https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630\n', u'command': u'schoolusers/query'} RESULT : {u'status': 591, u'headers': {u'Vary': u'Content-Language', u'Content-Language': u'de-DE'}, u'message': u'Interner Server-Fehler in "schoolusers/query".', u'result': None, u'error': {u'traceback': u'Traceback (most recent call last):\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 359, in __error_handling\n six.reraise(etype, exc, etraceback)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 262, in execute\n function.__func__(self, request, *args, **kwargs)\n File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response\n return function(self, request)\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 141, in wrapper_func\n return func(*args, **kwargs)\n File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolusers/__init__.py", line 91, in query\n attr=[\'givenName\', \'sn\', \'shadowLastChange\', \'shadowMax\', \'uid\'])\n File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_base.py", line 318, in _users_ldap\n " For more information visit https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630".format(userdn, group))\nnoObject: User with DN: uid=nemo,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=realm1,dc=intranet was not found in the group cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=realm1,dc=intranet. Please make sure it is a valid UCS@school user and is member of all necessary groups. For more information visit https://help.univention.com/t/how-an-ucs-school-user-should-look-like/15630\n', u'command': u'schoolusers/query'}} Changelog&Advisory: OK The traceback shows more useful information now.
UCS@school 4.4 v5 has been released (errata update to the release). http://docs.software-univention.de/changelog-ucsschool-4.4v5-de.html#changelog:ucsschool:2020-07-30 If this error occurs again, please clone this bug.