Bug 37904 - It's not possible to search for GID number
It's not possible to search for GID number
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Groups
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.1-1-errata
Assigned To: Florian Best
Jürn Brodersen
:
: 29711 30190 (view as bug list)
Depends on:
Blocks: 42181 42387 42388
  Show dependency treegraph
 
Reported: 2015-03-02 07:44 CET by Moritz Muehlenhoff
Modified: 2016-09-14 12:40 CEST (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): External feedback, Usability
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2015-03-02 07:44:21 CET
Noted during a technical training: It's not possible to search by GID: 

- Open the "Groups" module in the UMC
- Select "Advanced Options" and the property "Group ID"
- Enter thr GID of an existing group (e.g. 5001 which is usually Domain Users")

-> No result in found.
Comment 1 Florian Best univentionstaff 2015-03-03 13:23:17 CET
univention-ldapsearch 'gidNumber=5001' → works
univention-ldapsearch 'gidNumber=*5001* → does not work

UMC puts every search value into '*' for each search string automatically.
Comment 2 Alexander Kläser univentionstaff 2015-03-04 10:57:22 CET
(In reply to Florian Best from comment #1)
> univention-ldapsearch 'gidNumber=5001' → works
> univention-ldapsearch 'gidNumber=*5001* → does not work
> 
> UMC puts every search value into '*' for each search string automatically.

It would be thus good to only search for '*...*' for specific attributes. Or could we defer it from the syntax type? The user's gidNumber is univention.admin.syntax.integer.
Comment 3 Florian Best univentionstaff 2015-03-25 13:06:02 CET
(In reply to Alexander Kläser from comment #2)
> > univention-ldapsearch 'gidNumber=5001' → works
> > univention-ldapsearch 'gidNumber=*5001* → does not work

> It would be thus good to only search for '*...*' for specific attributes. Or
> could we defer it from the syntax type? The user's gidNumber is
> univention.admin.syntax.integer.

Another idea would be to construct the search filter like this: '(|(gidNumber=5001)(gidNumber=*5001*)'
Comment 4 Alexander Kläser univentionstaff 2015-03-25 13:15:51 CET
(In reply to Florian Best from comment #3)
> Another idea would be to construct the search filter like this:
> '(|(gidNumber=5001)(gidNumber=*5001*)'

Ahh... nice idea :) . This could indeed help!
Comment 5 Florian Best univentionstaff 2015-05-08 17:23:34 CEST
*** Bug 30190 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2015-05-08 17:25:06 CEST
Bug #30533 suggests to allow quoted strings like "test" to not make a substring query. Ofc. this is not usable for the GID but could also be adjusted.
Comment 7 Dirk Wiesenthal univentionstaff 2016-02-19 20:35:34 CET
Whether *5001* finds 5001 or not is defined in the underlying LDAP schema. When known, it is possible to do a "smart search".

EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch

finds it

EQUALITY integerMatch

does not.

It may be difficult to read the schema (cn=schema or cn=config or something like that). I do not know whether we would need to adjust ACLs.

Although slapd.conf should include all of the definitions, too. And UMC-UDM is installed on DC Master / DC Backup only.

(In fact, I think it is cn=config XOR slapd.conf and we use the latter)
Comment 8 Florian Best univentionstaff 2016-03-04 15:25:41 CET
Adapted filter to search for:
'(|(gidNumber=5001)(gidNumber=*5001*)'

Another candidate is e.g. DHCP-Pool: Failover Peer.

You can find a lot more in:
rgrep caseIgnoreIA5Match /usr/share/univention-ldap/schema

univention-management-console-module-udm (6.0.11-8):
r67918 | Bug #37904: fix searching for caseIgnoreIA5Match values

univention-management-console-module-udm.yaml:
r67919 | YAML Bug #37904
Comment 9 Jürn Brodersen univentionstaff 2016-03-11 10:47:46 CET
Die Ausführung des Kommandos udm/query groups/group ist fehlgeschlagen:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/__init__.py", line 536, in _thread
    result = module.search(container, objectProperty, objectPropertyValue, superordinate, scope=scope, hidden=hidden)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 86, in _decorated
    return method(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 135, in _decorated
    result = func(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 471, in search
    result = self.module.lookup(None, ldap_connection, filter_s, base=container, superordinate=superordinate, scope=scope, sizelimit=sizelimit)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1098, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 359, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(&(!(univentionObjectFlag=hidden))(|(sambaRID=*)(=))))


How to reproduce:
- Open the "Groups" module in the UMC
- Select "Advanced Options" and the property "Relative ID"
- Search for '*' without the quotes
Comment 10 Florian Best univentionstaff 2016-03-11 12:19:13 CET
r68039 | Bug #37904: fix Bad search filter exception if searching for '*'
Comment 11 Jürn Brodersen univentionstaff 2016-03-11 15:53:38 CET
Changes: OK, search is working as expected.
YAML: OK. (Updated version r68041)

→ VERIFIED
Comment 12 Florian Best univentionstaff 2016-03-18 06:45:26 CET
<http://errata.software-univention.de/ucs/4.1/133.html>
Comment 13 Florian Best univentionstaff 2016-05-09 08:48:15 CEST
*** Bug 29711 has been marked as a duplicate of this bug. ***