Bug 11658 – LDAP Filter / DN's aren't escaped in AD Connector

Bug 11658 - LDAP Filter / DN's aren't escaped in AD Connector


Summary:	LDAP Filter / DN's aren't escaped in AD Connector

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	AD Connector
Version:	UCS 4.2
Hardware:	All Linux

Importance:	P4 normal (vote)
Target Milestone:	UCS 4.2-2-errata
Assigned To:	Lukas Oyen
QA Contact:	Felix Botner

URL:
Keywords:

Duplicates:	31047 42470 45124 (view as bug list)
Depends on:
Blocks:	49041 45011
	Show dependency tree / graph

Reported:	2008-07-29 09:44 CEST by Ingo Steuwer
Modified:	2019-03-19 15:58 CET (History)
CC List:	6 users (show)

See Also:	32086 40055 31047 38619
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Cleanup, External feedback, Security, Usability
Max CVSS v3 score:

Flags:	oyen: Patch_Available+

Attachments
Patch-series to fix LDAP (filter/DN) escaping in the adconnector (50.00 KB, application/x-tar) 2017-01-11 10:58 CET, Lukas Oyen	Details
Patch-series to fix LDAP (filter/DN) escaping in the adconnector (updated) (50.00 KB, application/x-tar) 2017-01-24 17:50 CET, Lukas Oyen	Details
Patch-series to fix LDAP (filter/DN) escaping in the adconnector (updated) (50.00 KB, application/x-tar) 2017-02-01 16:42 CET, Lukas Oyen	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ingo Steuwer

2008-07-29 09:44:10 CEST

In AD kann man Gruppen mit Klammern setzen. Das unterstützen wir nicht, der Conenctor sollte aber eine sauberere Fehlermeldung liefern. Dazu muss mindestens dieser Suchfilter korrekt die Klammern setzen:

unexpected Error during ad.resync_rejected
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/__init__.py", line 1511, in resync_rejected
    mapped_object = self._object_mapping(property_key,object)
  File "/usr/lib/python2.4/site-packages/univention/connector/__init__.py", line 1135, in _object_mapping
    object=function(self, object, dn_mapping_stored, isUCSobject=(object_type == 'ucs'))
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/__init__.py", line 288, in group_dn_mapping
    return samaccountname_dn_mapping(connector, given_object, dn_mapping_stored, isUCSobject, 'group', u'cn', u'posixGroup', 'cn', u'group')
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/__init__.py", line 253, in samaccountname_dn_mapping
    base=connector.lo.base, scope='sub', attr=['objectClass'])
  File "/usr/lib/python2.4/site-packages/univention/admin/uldap.py", line 296, in search
    raise univention.admin.uexceptions.ldapError, msg[0]['desc']
ldapError: Bad search filter

Comment 1 Ingo Steuwer

2010-04-30 14:16:52 CEST

Diese Fehlermeldung ist so scheinbar nicht mehr relevant, wenn man manuell Gruppen mit Klammern erlaubt (siehe Bug #18296)

Comment 2 Lukas Walter

2013-02-22 11:30:11 CET

Das Problem tritt in anderer Form noch auf.

Anlegen einer Gruppe "group()group" auf AD Seite führt zu folgendem Traceback im connector.log:

 (PROCESS): sync to ucs:   [         group] [       add] cn=group()group,cn=users,dc=lwa,dc=dev
22.02.2013 11:28:17,324 LDAP        (INFO   ): sync_to_ucs: set position to cn=users,dc=lwa,dc=dev
22.02.2013 11:28:17,324 LDAP        (INFO   ): sync_to_ucs: remove cn=group()group,cn=users,dc=lwa,dc=dev from ucs group cache
22.02.2013 11:28:17,324 LDAP        (INFO   ): __set_values: set attribute, ucs_key: name - value: [u'group()group']
22.02.2013 11:28:17,325 LDAP        (INFO   ): __set_values: module groups/group has custom attributes
22.02.2013 11:28:17,325 LDAP        (INFO   ): set key in ucs-object: name
22.02.2013 11:28:17,325 LDAP        (INFO   ): __set_values: no ldap_attribute defined in <univention.connector.attribute instance at 0x984f72c>, we unset the key description in the ucs-object
22.02.2013 11:28:17,373 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
22.02.2013 11:28:17,373 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1233, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1101, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 331, in create
    return self._create()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 628, in _create
    al=self._ldap_addlist()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 569, in _ldap_addlist
    raise univention.admin.uexceptions.groupNameAlreadyUsed, ': %s' % (name)
groupNameAlreadyUsed: : group()group

Comment 3 Florian Best

2016-09-28 18:11:26 CEST

*** Bug 42470 has been marked as a duplicate of this bug. ***

Comment 4 Florian Best

2016-09-28 18:14:39 CEST

I remove the univentionstaff flag at this bug.
The security impact of not escaping things is obvious and no secret.
This bugs allows users with write-permissions to UDM objects to construct evil filters or move their objects into different subtrees.

Comment 5 Florian Best

2016-09-28 18:19:03 CEST

I guess the code which is responsible for the traceback in Bug #42470 is to simply ignore invalid DN syntax (ldap.INVALID_DN_SYNTAX exception):

services/univention-ad-connector/modules/univention/connector/__init__.py:
 750 »   def get_ucs_ldap_object(self, dn):
 751 »   »   _d=ud.function('ldap.get_ucs_ldap_object')
 752 
 753 »   »   if type(dn) == type(u''):
 754 »   »   »   searchdn = dn
 755 »   »   else:
 756 »   »   »   searchdn = unicode(dn)
 757 »   »   try:
 758 »   »   »   return self.lo.get(searchdn,required=1)
 759 »   »   except ldap.NO_SUCH_OBJECT:
 760 »   »   »   return None
 761 »   »   except ldap.INVALID_DN_SYNTAX:
 762 »   »   »   return None
 763 »   »   except ldap.INVALID_SYNTAX:
 764 »   »   »   return None

Comment 6 Lukas Oyen

2017-01-11 10:58:20 CET

Created attachment 8346 [details]
Patch-series to fix LDAP (filter/DN) escaping in the adconnector

The attached patch-series fixes the LDAP filter-expression/DN escaping in the ad-connector. It also cleans up LDAP operations in several places (in favour of functions from `univention.uldap`).

All ad-connector tests running on a UCS master 4.1-4 connected to a Windows Server 2012 in sync mode are passing.

Comment 7 Lukas Oyen

2017-01-24 11:51:10 CET

(In reply to Lukas Oyen from comment #6)
> Created attachment 8346 [details]
> Patch-series to fix LDAP (filter/DN) escaping in the adconnector
> 
> The attached patch-series fixes the LDAP filter-expression/DN escaping in
> the ad-connector. It also cleans up LDAP operations in several places (in
> favour of functions from `univention.uldap`).
> 
> All ad-connector tests running on a UCS master 4.1-4 connected to a Windows
> Server 2012 in sync mode are passing.

This does not regard the `mapping.py`. I will update it soon.

Comment 8 Lukas Oyen

2017-01-24 17:50:34 CET

Created attachment 8374 [details]
Patch-series to fix LDAP (filter/DN) escaping in the adconnector (updated)

Updated the patch-series to also include the changes to the `mapping.py` file.

Comment 9 Lukas Oyen

2017-02-01 16:42:05 CET

Created attachment 8392 [details]
Patch-series to fix LDAP (filter/DN) escaping in the adconnector (updated)

Updated patchset rebased on current 4.2-0 branch and with fixed indentation.

Comment 10 Lukas Oyen

2017-07-27 14:42:28 CEST

Committed in r81450-81459 (tests r81461-81466, advisory r81468).

Comment 11 Florian Best

2017-07-27 16:11:56 CEST

*** Bug 31047 has been marked as a duplicate of this bug. ***

Comment 12 Florian Best

2017-08-03 17:51:33 CEST

See also Bug #32086 comment 19.

Comment 13 Florian Best

2017-08-04 15:43:50 CEST

*** Bug 45124 has been marked as a duplicate of this bug. ***

Comment 14 Lukas Oyen

2017-08-07 08:54:16 CEST

Committed the fix from bug #45124 as r81807.

Comment 15 Florian Best

2017-08-15 16:11:31 CEST

hmm, svn r81452 makes behavior changes (See Bug #43420 comment 1). One of them at least is still wrong:

modules/univention/connector/ad/__init__.py:»   »   »   default_naming_context = self.lo_ad.getAttr('', 'defaultNamingContext')

→ I think a test case for this would be good, too.

Comment 16 Lukas Oyen

2017-08-16 17:15:03 CEST

(In reply to Florian Best from comment #15)
> modules/univention/connector/ad/__init__.py:»   »   »  
> default_naming_context = self.lo_ad.getAttr('', 'defaultNamingContext')

Fixed in r82202.

Also fixed the issue from bug #18501 comment 17 in r82201.

The issue was, that the `ignore_filter` for "user" was not correctly generated because of a typo. This resulted in "Administrator" beeing _wrongly_ synced.

Comment 17 Lukas Oyen

2017-08-16 17:24:51 CEST

Tests updated to also rename/move users/groups in r82211-r82215.

Comment 18 Felix Botner

2017-10-26 10:35:04 CEST

OK - ad group with parenthesis 

25.10.2017 00:22:56,314 LDAP        (PROCESS): sync to ucs:   [         group] [       
25.10.2017 00:22:56,317 LDAP        (ERROR  ): InvalidSyntax: Name: Value may not contain other than numbers, letters and dots! (cn=g(100),cn=users,dc=four,dc=two)
...

OK - code review
OK - jenkins test
OK - connector with old mapping
OK - YAML

Comment 19 Arvid Requate

2017-11-01 13:49:16 CET

<http://errata.software-univention.de/ucs/4.2/205.html>