Univention Bugzilla – Bug 30222
Quoting bug in univention-run-join-scripts when joining with minor-privileged user
Last modified: 2020-07-06 19:08:41 CEST
When running univention-run-join-scripts a cosmetic error occurs:
    Search LDAP binddn bash: -c: Zeile 0: Syntaxfehler beim unerwarteten Wort `('
    bash: -c: Zeile 0: `ldapsearch -x LLL -H ldapi:/// (&(uid=joinuser-28g03)(objectClass=person)) dn'
    done
Join succeeds anyway as the specific buggy univention-ssh call is not going to succeed anyway in this specific case.
Created attachment 5028 [details] patch for univention-run-join-scripts
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
There is a Customer ID set so I set the flag "Enterprise Customer affected".
(In reply to Arvid Requate from comment #1)
> Created attachment 5028 [details]
> patch for univention-run-join-scripts
the patch is empty :-/
Still relevant?
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
(In reply to Florian Best from comment #4)
> (In reply to Arvid Requate from comment #1)
> > Created attachment 5028 [details]
> > patch for univention-run-join-scripts
>
> the patch is empty :-/
>
> Still relevant?
I think the problem was already fixed with git:2c5ed2d12af by inserting "--no-split" for "univention-ssh":
76 -»··»···binddn="$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \ 77 -»··»···»···ldapsearch -x LLL -H ldapi:/// "(&(uid=$DCACCOUNT)(objectClass=person))" dn | ldapsearch-decode64 | sed -ne 's|^dn: | |p;s|^DN: ||p')" 78 +»··»···binddn=($(univention-ssh --no-split "$DCPWD" "$DCACCOUNT"@"$ldap_master" \ 79 +»··»···»···ldapsearch -x -LLL -H ldapi:/// "'(&(uid=$DCACCOUNT)(objectClass=person))'" dn | 80 +»··»···»···ldapsearch-wrapper | 81 +»··»···»···ldapsearch-decode64 | 82 +»··»···»···sed -ne 's|^dn: ||p'))
Without that the code would go through two rounds of shell-eval, which removes too many quotes and then leads to the original problem, where code is executed on the server.
Another problem here is that this is shell code, which lacks proper escaping functions for LDAP filters.
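Review bot: On the added ldapsearch line (79), $DCACCOUNT is still interpolated unescaped into both the single-quoted remote argument and the LDAP filter "'(&(uid=$DCACCOUNT)(objectClass=person))'". A single quote in the account name ends the quoting on the remote side, and filter metacharacters such as *, (, ) or \ change what the search matches. Validate the account name against the allowed character set, or escape it for the filter and quote it for the remote shell before building the command. Two smaller points: binddn=($(...)) on line 78 is an unquoted command substitution, so a DN containing spaces is split into several array elements, and the new sed expression on line 82 no longer strips the "DN: " prefix that the removed line 77 also matched.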
*** This bug has been marked as a duplicate of bug 32005 ***
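The two problems named in the last comment (quotes lost over two rounds of shell evaluation, and no LDAP filter escaping in shell) can be reproduced and handled locally, as in this added example, which is not code from UCS. The helper names are hypothetical, the account names are constructed sample input, and shell_round simulates one round of evaluation with sh -c instead of calling univention-ssh.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of UCS.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash is replaced first so later escapes are not re-escaped.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Quote a string so it survives exactly one round of shell evaluation.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Simulate one round of shell evaluation, as a remote shell does with
# the command string it receives. Returns non-zero on a syntax error.
shell_round() {
    sh -c "printf '%s' $1" 2>/dev/null
}

# Build the filter used on this page for a given account name.
build_filter() {
    printf '(&(uid=%s)(objectClass=person))' "$(ldap_escape_filter "$1")"
}

# Demo with constructed input (account name taken from the bug report).
filter="$(build_filter 'joinuser-28g03')"
once="$(sh_quote "$filter")"
twice="$(sh_quote "$once")"
shell_round "$filter" >/dev/null || printf '%s\n' "unquoted: shell syntax error"
printf 'one round:  %s\n' "$(shell_round "$once")"
printf 'two rounds: %s\n' "$(shell_round "$(shell_round "$twice")")"
```

Each round of evaluation needs its own sh_quote layer: a filter quoted once passes one round intact and fails with the syntax error from the report on the second.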