Bug 37178 - detection of users LDAP DN error prone
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.0
Other Linux
P5 normal
UCS 4.0-0-errata
Assigned To: Florian Best
Dirk Wiesenthal
Duplicates: 35348
Reported: 2014-12-04 13:45 CET by Florian Best
Modified: 2015-01-22 11:54 CET (History)

Attachments
python script to reproduce (313 bytes, text/x-python)
2014-12-08 18:04 CET, Florian Best
Description Florian Best univentionstaff 2014-12-04 13:45:14 CET
Currently this source code is used to detect the LDAP DN of the currently logged-in user in UMC:
> self.lo, self.po = udm_uldap.getMachineConnection(ldap_master=False)
> ldap_dn = self.lo.searchDn('(&(uid=%s)(objectClass=posixAccount))' % self.__username)

This can fail in various ways:
1.) users without the posix option will never have an LDAP DN, resulting in various errors in UDM
2.) using ldap_master=False will prevent some DNs from being found
3.) what if an LDAP timeout happens internally? Would this raise an exception, or just return an empty list?
Comment 1 Florian Best univentionstaff 2014-12-04 16:58:30 CET
*** Bug 35280 has been marked as a duplicate of this bug. ***
Comment 2 Florian Best univentionstaff 2014-12-08 13:22:34 CET
I found another reason:
If the join failed (univention-check-join-status often returns "Error: ldapsearch -x failed"), the DN is also not detected, and using UDM then fails.
Comment 3 Florian Best univentionstaff 2014-12-08 13:56:11 CET
* using the user "root" with assigned ACLs for the UDM module.
Comment 4 Florian Best univentionstaff 2014-12-08 17:55:31 CET
*** Bug 35348 has been marked as a duplicate of this bug. ***
Comment 5 Florian Best univentionstaff 2014-12-08 18:04:51 CET
Created attachment 6513 [details]
python script to reproduce

(In reply to Florian Best from comment #4)
> *** Bug 35348 has been marked as a duplicate of this bug. ***
Attached is a Python script which reproduces the behaviour exactly.
Comment 6 Florian Best univentionstaff 2014-12-09 13:28:29 CET
The filter has been adapted to uid=%(escaped_username)s.
If the LDAP DN cannot be found, an ERROR log message is now written (if the user is not root or __systemsetup__).
In Bug #31828 the specific handling for the UDM module was implemented.

I reproduced an LDAP timeout: an exception is raised, so the server would have crashed.

I wanted to use univention.admin.handlers.users.user.lookup_filter() for this, but this would prevent machine accounts from logging in to UMC. I guess we need this for the ipchange module, and maybe for some useful purposes in the future.

Fix: svn r56578
YAML: 2014-12-04-univention-management-console.yaml
Package: univention-management-console (7.1.63-4)
Downgradeable to UCS 3.2-4: yes, preferred.
Reproducible:
umc-acls allow -u root 'udm/*'
Log in to UMC as root and try to use the UDM module. Compare the log output in /var/log/univention/management-console-server.log for an Administrator login, a root login and a user without posix.
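As an added example (not UMC's own code and not the script attached to this bug), a hardened form of the lookup discussed in the description and in comment 6: the username is RFC 4515-escaped before it is placed in the filter, the posixAccount restriction is dropped so users without the posix option still resolve, and an LDAP error or an empty or ambiguous result becomes a logged None instead of an exception that takes the server down. The search itself is passed in as a callable so the script runs offline; fake_search_dn, timing_out_search_dn and the directory entries are constructed stand-ins, not uldap APIs.

```python
import logging
import re

log = logging.getLogger("umc.userdn")

# RFC 4515 value escaping (what ldap.filter.escape_filter_chars does); without
# it a username such as "*" turns "(uid=%s)" into a filter matching every user.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_chars(value):
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def user_filter(username):
    # No posixAccount clause: users without the posix option must resolve too.
    return "(uid=%s)" % escape_filter_chars(username)

def lookup_user_dn(username, search_dn):
    """Return the user's DN or None.  search_dn(filter) -> list of DNs, e.g. a
    uldap connection's searchDn.  LDAP errors (timeout, failed join) and empty
    or ambiguous results are logged and yield None instead of crashing."""
    try:
        dns = search_dn(user_filter(username))
    except Exception as exc:  # python-ldap raises ldap.TIMEOUT, ldap.SERVER_DOWN, ...
        log.error("LDAP DN lookup for %r failed: %s", username, exc)
        return None
    if len(dns) != 1:
        log.error("LDAP DN lookup for %r returned %d entries", username, len(dns))
        return None
    return dns[0]

# Constructed in-memory directory standing in for the LDAP server (uid -> DN);
# "nonposix" is a user without the posix option.
_DIRECTORY = {
    "Administrator": "uid=Administrator,cn=users,dc=example,dc=com",
    "nonposix": "uid=nonposix,cn=users,dc=example,dc=com",
}

def _unescape(part):  # '\\xx' -> the literal character
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)

def fake_search_dn(ldap_filter):
    """Minimal (uid=...) evaluator over _DIRECTORY with '*' as a wildcard."""
    value = re.fullmatch(r"\(uid=(.*)\)", ldap_filter).group(1)
    pattern = re.compile(".*".join(re.escape(_unescape(p)) for p in value.split("*")))
    return [dn for uid, dn in _DIRECTORY.items() if pattern.fullmatch(uid)]

def timing_out_search_dn(ldap_filter):  # stands in for a connection raising ldap.TIMEOUT
    raise TimeoutError("LDAP server did not answer")
```

With the unescaped "(uid=%s)" filter a username of "*" matches both directory entries; with the escaped filter it matches nothing and the lookup logs and returns None.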
Comment 7 Dirk Wiesenthal univentionstaff 2015-01-07 17:59:17 CET
Works now. A fine error message is shown.
Comment 8 Janek Walkenhorst univentionstaff 2015-01-08 13:59:12 CET
http://errata.univention.de/ucs/4.0/18.html
Comment 9 Janek Walkenhorst univentionstaff 2015-01-22 11:54:34 CET
<http://errata.univention.de/ucs/4.0/44.html>