Bug 56903 - broken syntax of slapd.conf after a config change
Status: NEW
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
Reported: 2023-12-07 12:43 CET by Finn David
Modified: 2024-02-06 10:35 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?: Yes
Ticket number: 2023120521000092
Description Finn David univentionstaff 2023-12-07 12:43:53 CET
There was a failure of the LDAP server because slapd.conf was created “defective” after a config change. The problem was that there was a line break in the middle of a filter in slapd.conf. The last line of the filter was *just* the closing bracket. The following lines of the filter were all correctly indented with spaces, except the last line with the brackets.


```
# helpdesk access: grant access to specified groups for password reset
access to
    dn.sub="dc=univention,dc=intranet"
    filter="(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(|(uid=Administrator)(uid=B.surname)(uid=…
))"
```


Indenting with spaces is important, but parentheses behave differently:

```
    )))"
```
slapd starts

```
    ))"
```
slapd won't start

```
    )"
```
slapd starts
Comment 1 Finn David univentionstaff 2023-12-07 12:47:15 CET
```
ldap/server/type: master
ldap/acl/user/passwordreset/protected/uid: <empty>
ldap/acl/user/passwordreset/protected/gid: Domain Admins
ldap/acl/user/passwordreset/internal/groupmemberlist/.*: <empty>
ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins: Administrator,B.Nachname,D.Nachname,J.Nachname,a.>
ldap/acl/user/passwordreset/accesslist/groups/.*: <empty>
ldap/acl/user/passwordreset/accesslist/groups/dn: cn=User Password Admins,cn=groups,dc=univention,dc=intranet
ldap/acl/user/passwordreset/attributes: krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLast>
ldap/acl/nestedgroups: yes
ldap/base: dc=univention,dc=intranet
```
Comment 2 Finn David univentionstaff 2023-12-07 16:52:58 CET
Clarification from the customer on which config changes were made:

The ACLs on the helpdesk group are probably generated when a new user is added to the helpdesk group. With a certain length of the parameters, the template is implemented in the config file with broken syntax.
Comment 3 Arvid Requate univentionstaff 2023-12-08 12:38:55 CET
Looks like the slapd config parser has an issue, specifically with the ! operator:
This is triggering the issue:
```
    filter="(!(uid=Administrator)
    )"
```

While all of the following work:

Shifting the closing parenthesis, as the customer observed (nice catch!)
```
    filter="(!(uid=Administrator
    ))"
```
works ok and other operators don't seem to suffer from that issue either:
```
    filter="(&(uid=Administrator)
    )"
```
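
A pre-flight check for the pattern reported in this bug, as an added example that is not part of the report and is not Univention or OpenLDAP code: it flags `filter="..."` values in which a line break leaves whitespace between the operand of a `!` and the `)` that closes the `!`. The function names and the sample config are constructed for illustration, and the way continuation lines are joined (leading whitespace kept) is an assumption.

```python
import re

FILTER_RE = re.compile(r'filter="([^"]*)"')

# Constructed sample modelled on the snippets in this report (not customer data).
SAMPLE = '''\
access to
    dn.sub="dc=example,dc=test"
    filter="(&(objectClass=person)(!(|(uid=a)(uid=b))
    ))"
    by * none
access to
    dn.sub="dc=example,dc=test"
    filter="(&(objectClass=person)(!(|(uid=a)(uid=b)
    )))"
    by * none
'''

def logical_lines(text):
    """Join lines that start with whitespace onto the previous line.
    Assumption: the leading whitespace stays in the joined line."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and out:
            out[-1][1] += raw
        elif raw.strip():
            out.append([no, raw])
    return out

def not_close_gaps(flt):
    """Offsets where whitespace separates a '!' operand from the ')' closing the '!'."""
    stack, hits = [], []
    for i, c in enumerate(flt):
        if c == "(":
            nxt = flt[i + 1:i + 2]
            stack.append(nxt if nxt in ("&", "|", "!") else "item")
        elif c == ")":
            if stack:
                stack.pop()  # this ')' closes the innermost open group
            j = i + 1
            while j < len(flt) and flt[j].isspace():
                j += 1
            # whitespace run followed by ')' while the enclosing operator is '!'
            if j > i + 1 and flt[j:j + 1] == ")" and stack[-1:] == ["!"]:
                hits.append(i + 1)
    return hits

def scan(text):
    """Return (first line of the directive, offset in filter) for each finding."""
    return [(no, off)
            for no, line in logical_lines(text) if not line.lstrip().startswith("#")
            for m in FILTER_RE.finditer(line)
            for off in not_close_gaps(m.group(1))]
```

Running `scan()` over a freshly generated slapd.conf before restarting slapd reports the directive whose filter matches the failing layout; the second block in the sample, with the break one parenthesis earlier, is not reported.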