Univention Bugzilla – Bug 37178
detection of users LDAP DN error prone
Last modified: 2015-01-22 11:54:34 CET
Currently this source code is used to detect the LDAP dn of the current logged in user in UMC: > self.lo, self.po = udm_uldap.getMachineConnection(ldap_master=False) > ldap_dn = self.lo.searchDn('(&(uid=%s)(objectClass=posixAccount))' % self.__username) This can fail in various ways. 1.) users without posix option will never have a LDAP dn, resulting in many various errors in UDM 2.) using ldap_master=False will prevent to find some DN's 3.) what if a LDAP timeout internally happens? Would this raise a exception? Or just return an empty list?
*** Bug 35280 has been marked as a duplicate of this bug. ***
I found another reason: If the join failed (univention-check-join-status returns often "Error: ldapsearch -x failed " the DN is also not detected, using UDM fails then.
* using the user "root" with assigned ACL's for the UDM module.
*** Bug 35348 has been marked as a duplicate of this bug. ***
Created attachment 6513 [details] python script to reproduce (In reply to Florian Best from comment #4) > *** Bug 35348 has been marked as a duplicate of this bug. *** Attached a python script which reproduces exactly the behavior.
The filter has been adapted to uid=%(escaped_username)s. If the LDAP DN could not be found a ERROR log output is done now (if the user is not root or __systemsetup__). In Bug #31828 the specific handling for the UDM module was implemented. I reproduced a LDAP timeout → Exception is raised. So the server would have been crashed. I wanted to user univention.admin.handlers.users.user.lookup_filter() for this, but this would prevent machine accounts to login into UMC. I guess we need this for the ipchange module. And maybe some useful purposes in the future. Fix: svn r56578 YAML: 2014-12-04-univention-management-console.yaml Package: univention-management-console (7.1.63-4) Downgradeable to UCS 3.2-4: yes, preferred. Reproducible: umc-acls allow -u root 'udm/*' Login in UMC as root, try to use the UDM module. Compare the log output in /var/log/univention/management-console-server.log for Administrator login and root login and a user without posix.
Works now. Fine error message is shown.
http://errata.univention.de/ucs/4.0/18.html
<http://errata.univention.de/ucs/4.0/44.html>