Univention Bugzilla – Bug 28645
LDAP filter of the faillog listener module matches all objects
Last modified: 2021-05-25 15:57:58 CEST
The LDAP filter filter='objectClass=shadowAccount' declared in the faillog listener module does not seem to take effect: in the listener code, the call cache_entry_ldap_filter_match(handler->filters, dn, &entry); always returns 1 for the 'faillog' handler in the test, e.g. also for DNS entries. With filter='(objectClass=shadowAccount)', however, the filter works.
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2. As such, this bug is moved to the new target milestone.
Also see Bug #28646, which is for fixing the filter evaluation code in the Listener. I don't close this bug as a duplicate of it, as this bug is specific for the faillog listener module.
This issue has been filed against UCS 2.2. UCS 2.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug". In this case please provide detailed information on how this issue is affecting you.
[feature/ucs5] e8e843b336 Bug #28645 PAM: Fix LDAP filter syntax
 base/univention-pam/debian/changelog | 6 ++++++
 base/univention-pam/faillog.py       | 2 +-
 doc/changelog/changelog-5.0-0.xml    | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
REOPEN: it must also match for the object classes 'sambaSamAccount', 'krb5Principal', 'krb5KDCEntry' because it uses users.user.unmapLocked(). (Maybe this is also a wrong function since UCS 4.3.) Fixed a typo in the changelog entry: - Fix LDAP filter syntax in &ucsUDL; module <filename>failllog.py</filename> (<u:bug>28645</u:bug>) + Fix LDAP filter syntax in &ucsUDL; module <filename>faillog.py</filename> (<u:bug>28645</u:bug>)
(In reply to Florian Best from comment #5)
> REOPEN:
> it must also match for the object classes 'sambaSamAccount',
> 'krb5Principal', 'krb5KDCEntry' because it uses users.user.unmapLocked().
> (Maybe this is also a wrong function since UCS 4.3.)

As discussed with Arvid: The original module intended to work with shadow accounts. As we no longer separate between POSIX / Samba / Kerberos accounts this would only be relevant for legacy accounts, where only some of those types were used.

The called functions

unmapLocked()
+- isSambaLocked() # optional
|  +- sambaSamAccount.sambaAcctFlags
+- isKerberosLocked() # optional
|  +- krb5KDCEntry.krb5KDCFlags
+- isLDAPLocked() # commented out
   +- ppolicy.pwdAccountLockedTime

So strictly speaking the module is triggered by *optional* attributes from Samba and krb5 to change a *required* attribute of Shadow. So the filter might look strange, but is otherwise correct.
Then it's okay for me. I already did the tests.
UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html
If this error occurs again, please use "Clone This Bug".
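The failure mode from the original report, as an added example that is not part of the bug thread or Univention's code: a simplified RFC 4515 syntax check that flags listener-module filter declarations missing the enclosing parentheses. The function names and the sample module headers are constructed for illustration, and the grammar is a subset (value escaping is not checked).

```python
import re

# Simplified RFC 4515 item: attribute, operator, value without raw parentheses.
_ITEM = re.compile(r"[A-Za-z0-9.;:-]+?(?:=|~=|>=|<=)[^()]*")

def _parse(s, i):
    """Parse one '(' filtercomp ')' at s[i]; return the index after it, or -1."""
    if i >= len(s) or s[i] != "(":
        return -1  # a bare 'attr=value' is rejected here
    i += 1
    if i < len(s) and s[i] in "&|":  # and/or: one or more sub-filters
        i, count = i + 1, 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            if i < 0:
                return -1
            count += 1
        if count == 0:
            return -1
    elif i < len(s) and s[i] == "!":  # not: exactly one sub-filter
        i = _parse(s, i + 1)
        if i < 0:
            return -1
    else:
        m = _ITEM.match(s, i)
        if not m:
            return -1
        i = m.end()
    return i + 1 if i < len(s) and s[i] == ")" else -1

def is_valid_filter(s):
    """True only if the whole string is a single parenthesised filter."""
    return _parse(s, 0) == len(s)

def audit_module_source(source):
    """Return filters declared as `filter = '...'` that fail the check."""
    declared = re.findall(r"""^filter\s*=\s*(['"])(.*?)\1""", source, re.M)
    return [f for _quote, f in declared if not is_valid_filter(f)]

# Constructed module headers; only the two filter strings come from the report.
BEFORE = "name = 'faillog'\nfilter = 'objectClass=shadowAccount'\n"
AFTER = "name = 'faillog'\nfilter = '(objectClass=shadowAccount)'\n"

if __name__ == "__main__":
    print("before fix:", audit_module_source(BEFORE))
    print("after fix: ", audit_module_source(AFTER))
```

Run over a directory of listener modules, a check like this catches the unparenthesised form before a handler is deployed with a filter that does not restrict it.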