Bug 32581 - Hook support for ldap-group-to-file.py
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2
Assigned To: Stefan Gohmann
QA Contact: Philipp Hahn
: interim-2
Depends on:
Blocks: 32683
Reported: 2013-09-13 09:04 CEST by Stefan Gohmann
Modified: 2013-11-19 06:42 CET (History)

ldap-group-to-file.py (4.83 KB, text/plain)
2013-09-24 11:58 CEST, Philipp Hahn

Description Stefan Gohmann univentionstaff 2013-09-13 09:04:18 CEST
We should add a simple hook mechanism for ldap-group-to-file.py. We often have the problem that we need all members of a group, including groups in groups.

With such a mechanism we could simply add a script which reads all group members with 'getent group grp'.
Comment 1 Stefan Gohmann univentionstaff 2013-09-13 09:04:42 CEST
Needed for Bug #29710
Comment 2 Stefan Gohmann univentionstaff 2013-09-13 16:31:32 CEST

root@master151:~# echo -e '#!/bin/sh\necho "TEST"' >/var/lib/ldap-group-to-file-hooks.d/test
root@master151:~# chmod +x /var/lib/ldap-group-to-file-hooks.d/test
root@master151:~# /usr/lib/univention-pam/ldap-group-to-file.py --verbose
Found 39 ldap groups
The file /var/lib/extrausers/group was created.
run-parts: executing /var/lib/ldap-group-to-file-hooks.d/admingrp-user-passwordreset
run-parts: executing /var/lib/ldap-group-to-file-hooks.d/test

Code: r43995
Test Case: r44042
Changelog: r44041
Comment 3 Philipp Hahn univentionstaff 2013-09-24 11:56:40 CEST
FAIL: r43995
+                       stdout_pipe = subprocess.PIPE
+                       stderr_pipe = subprocess.PIPE
+               p = subprocess.Popen(... stdout=stdout_pipe, stderr=stderr_pipe)
+               returncode = p.wait()
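Review bot: Where stdout_pipe and stderr_pipe are set to subprocess.PIPE and the process is then reaped with p.wait(), nothing ever reads the two pipes, so a hook that writes more output than the OS pipe buffer holds blocks on its write and wait() never returns. Open os.devnull and pass that handle as stdout/stderr, or replace p.wait() with p.communicate() if the output is actually needed.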


Either use os.path.devnull or communicate(); first one is preferred.

And please move the whole addition into a separate function and call it from the __main__ CLOB.

OK: Otherwise works as expected.
OK: ChangeLog

FYI: The recursion prevention looks fishy; see attached version for some cleanups.
Comment 4 Philipp Hahn univentionstaff 2013-09-24 11:58:56 CEST
Created attachment 5465

1. Use /dev/null instead of PIPE
2. Don't use deprecated string module
3. Split into smaller functions
4. Log to STDERR
5. Really prevent recursively double resolving the same group
Comment 5 Stefan Gohmann univentionstaff 2013-09-24 13:29:38 CEST
With r44423 I changed the code to use os.path.devnull and a separate function for the hook handling.

(In reply to Philipp Hahn from comment #3)
> FYI: The recursion prevention looks fishy; see attached version for some
> cleanups.

If we have a problem please create a new bug. I won't change it with this bug.
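The hook handling discussed in comments 3 and 5 (a separate function, output sent to os.devnull instead of subprocess.PIPE), as an added Python 3 example that is not the code from r43995 or r44423. It uses a pure-Python stand-in for run-parts so it runs anywhere; the function names, the demo hooks and the directory permission check are assumptions of this example.

```python
import os
import stat
import subprocess
import tempfile

def run_hooks(hook_dir, verbose=False):
    """Run each executable file in hook_dir in sorted order, as run-parts does.

    Returns {hook name: exit status}. Hypothetical helper, not the project's code.
    """
    results = {}
    if not os.path.isdir(hook_dir):
        return results
    # Added hardening (not from the bug): hooks run with the caller's
    # privileges, so refuse a directory that group or others can write to.
    if os.stat(hook_dir).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("%s is writable by group/others" % hook_dir)
    with open(os.devnull, "wb") as devnull:
        # With subprocess.PIPE and a bare wait(), a hook that writes more
        # than the pipe buffer blocks forever; /dev/null never fills up.
        sink = None if verbose else devnull
        for name in sorted(os.listdir(hook_dir)):
            path = os.path.join(hook_dir, name)
            if os.path.isfile(path) and os.access(path, os.X_OK):
                results[name] = subprocess.call([path], stdout=sink, stderr=sink)
    return results

def make_demo_hooks():
    """Build a constructed hook directory: noisy hook, failing hook, plain file."""
    hook_dir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    hooks = {
        "10-noisy": ("#!/bin/sh\nyes TEST | head -n 50000\n", 0o755),
        "20-fail": ("#!/bin/sh\nexit 3\n", 0o755),
        "README": ("not a hook\n", 0o644),  # not executable, so it is skipped
    }
    for name, (body, mode) in hooks.items():
        path = os.path.join(hook_dir, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return hook_dir

if __name__ == "__main__":
    print(run_hooks(make_demo_hooks()))
```

The noisy hook writes roughly 250 KB, which is more than a default Linux pipe buffer, so the same hook under PIPE plus wait() would hang.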
Comment 6 Philipp Hahn univentionstaff 2013-09-24 17:18:38 CEST
OK: r44423,44436
OK: /usr/lib/univention-pam/ldap-group-to-file.py --file /tmp/tmp
OK: /usr/lib/univention-pam/ldap-group-to-file.py --file /tmp/tmp --verbose
OK: 7.0.3-2.221.201309241707
Comment 7 Stefan Gohmann univentionstaff 2013-11-19 06:42:50 CET
UCS 3.2 has been released:

If this error occurs again, please use "Clone This Bug".