Univention Bugzilla – Bug 11658
LDAP Filter / DN's aren't escaped in AD Connector
Last modified: 2019-03-19 15:58:54 CET
In AD kann man Gruppen mit Klammern setzen. Das unterstützen wir nicht, der Conenctor sollte aber eine sauberere Fehlermeldung liefern. Dazu muss mindestens dieser Suchfilter korrekt die Klammern setzen: unexpected Error during ad.resync_rejected Traceback (most recent call last): File "/usr/lib/python2.4/site-packages/univention/connector/ad/__init__.py", line 1511, in resync_rejected mapped_object = self._object_mapping(property_key,object) File "/usr/lib/python2.4/site-packages/univention/connector/__init__.py", line 1135, in _object_mapping object=function(self, object, dn_mapping_stored, isUCSobject=(object_type == 'ucs')) File "/usr/lib/python2.4/site-packages/univention/connector/ad/__init__.py", line 288, in group_dn_mapping return samaccountname_dn_mapping(connector, given_object, dn_mapping_stored, isUCSobject, 'group', u'cn', u'posixGroup', 'cn', u'group') File "/usr/lib/python2.4/site-packages/univention/connector/ad/__init__.py", line 253, in samaccountname_dn_mapping base=connector.lo.base, scope='sub', attr=['objectClass']) File "/usr/lib/python2.4/site-packages/univention/admin/uldap.py", line 296, in search raise univention.admin.uexceptions.ldapError, msg[0]['desc'] ldapError: Bad search filter
Diese Fehlermeldung ist so scheinbar nicht mehr relevant, wenn man manuell Gruppen mit Klammern erlaubt (siehe Bug #18296)
Das Problem tritt in anderer Form noch auf. Anlegen einer Gruppe "group()group" auf AD Seite führt zu folgendem Traceback im connector.log: (PROCESS): sync to ucs: [ group] [ add] cn=group()group,cn=users,dc=lwa,dc=dev 22.02.2013 11:28:17,324 LDAP (INFO ): sync_to_ucs: set position to cn=users,dc=lwa,dc=dev 22.02.2013 11:28:17,324 LDAP (INFO ): sync_to_ucs: remove cn=group()group,cn=users,dc=lwa,dc=dev from ucs group cache 22.02.2013 11:28:17,324 LDAP (INFO ): __set_values: set attribute, ucs_key: name - value: [u'group()group'] 22.02.2013 11:28:17,325 LDAP (INFO ): __set_values: module groups/group has custom attributes 22.02.2013 11:28:17,325 LDAP (INFO ): set key in ucs-object: name 22.02.2013 11:28:17,325 LDAP (INFO ): __set_values: no ldap_attribute defined in <univention.connector.attribute instance at 0x984f72c>, we unset the key description in the ucs-object 22.02.2013 11:28:17,373 LDAP (ERROR ): Unknown Exception during sync_to_ucs 22.02.2013 11:28:17,373 LDAP (ERROR ): Traceback (most recent call last): File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1233, in sync_to_ucs result = self.add_in_ucs(property_type, object, module, position) File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1101, in add_in_ucs return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position) File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 331, in create return self._create() File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 628, in _create al=self._ldap_addlist() File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 569, in _ldap_addlist raise univention.admin.uexceptions.groupNameAlreadyUsed, ': %s' % (name) groupNameAlreadyUsed: : group()group
*** Bug 42470 has been marked as a duplicate of this bug. ***
I remove the univentionstaff flag at this bug. The security impact of not escaping things is obvious and no secret. This bugs allows users with write-permissions to UDM objects to construct evil filters or move their objects into different subtrees.
I guess the code which is responsible for the traceback in Bug #42470 is to simply ignore invalid DN syntax (ldap.INVALID_DN_SYNTAX exception): services/univention-ad-connector/modules/univention/connector/__init__.py: 750 » def get_ucs_ldap_object(self, dn): 751 » » _d=ud.function('ldap.get_ucs_ldap_object') 752 753 » » if type(dn) == type(u''): 754 » » » searchdn = dn 755 » » else: 756 » » » searchdn = unicode(dn) 757 » » try: 758 » » » return self.lo.get(searchdn,required=1) 759 » » except ldap.NO_SUCH_OBJECT: 760 » » » return None 761 » » except ldap.INVALID_DN_SYNTAX: 762 » » » return None 763 » » except ldap.INVALID_SYNTAX: 764 » » » return None
Created attachment 8346 [details] Patch-series to fix LDAP (filter/DN) escaping in the adconnector The attached patch-series fixes the LDAP filter-expression/DN escaping in the ad-connector. It also cleans up LDAP operations in several places (in favour of functions from `univention.uldap`). All ad-connector tests running on a UCS master 4.1-4 connected to a Windows Server 2012 in sync mode are passing.
(In reply to Lukas Oyen from comment #6) > Created attachment 8346 [details] > Patch-series to fix LDAP (filter/DN) escaping in the adconnector > > The attached patch-series fixes the LDAP filter-expression/DN escaping in > the ad-connector. It also cleans up LDAP operations in several places (in > favour of functions from `univention.uldap`). > > All ad-connector tests running on a UCS master 4.1-4 connected to a Windows > Server 2012 in sync mode are passing. This does not regard the `mapping.py`. I will update it soon.
Created attachment 8374 [details] Patch-series to fix LDAP (filter/DN) escaping in the adconnector (updated) Updated the patch-series to also include the changes to the `mapping.py` file.
Created attachment 8392 [details] Patch-series to fix LDAP (filter/DN) escaping in the adconnector (updated) Updated patchset rebased on current 4.2-0 branch and with fixed indentation.
Committed in r81450-81459 (tests r81461-81466, advisory r81468).
*** Bug 31047 has been marked as a duplicate of this bug. ***
See also Bug #32086 comment 19.
*** Bug 45124 has been marked as a duplicate of this bug. ***
Committed the fix from bug #45124 as r81807.
hmm, svn r81452 makes behavior changes (See Bug #43420 comment 1). One of them at least is still wrong: modules/univention/connector/ad/__init__.py:» » » default_naming_context = self.lo_ad.getAttr('', 'defaultNamingContext') → I think a test case for this would be good, too.
(In reply to Florian Best from comment #15) > modules/univention/connector/ad/__init__.py:» » » > default_naming_context = self.lo_ad.getAttr('', 'defaultNamingContext') Fixed in r82202. Also fixed the issue from bug #18501 comment 17 in r82201. The issue was, that the `ignore_filter` for "user" was not correctly generated because of a typo. This resulted in "Administrator" beeing _wrongly_ synced.
Tests updated to also rename/move users/groups in r82211-r82215.
OK - ad group with parenthesis 25.10.2017 00:22:56,314 LDAP (PROCESS): sync to ucs: [ group] [ 25.10.2017 00:22:56,317 LDAP (ERROR ): InvalidSyntax: Name: Value may not contain other than numbers, letters and dots! (cn=g(100),cn=users,dc=four,dc=two) ... OK - code review OK - jenkins test OK - connector with old mapping OK - YAML
<http://errata.software-univention.de/ucs/4.2/205.html>