Univention Bugzilla – Bug 39878
ldap/acl/read/ips does not work
Last modified: 2023-03-25 06:51:54 CET
We should add some test cases.

+++ This bug was initially created as a clone of Bug #39877 +++

The fix for Bug #29482 seems to break the anonymous read via IP, for example:

ucr set ldap/acl/read/ips="127.0.0.1"

In my test setup this results in:
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
    by anonymous auth
    by * +0 break

access to *
    by set="user & [cn=Domain Admins,cn=groups,dc=deadlock44,dc=intranet]/uniqueMember*" write
    by users read
    by peername.ip=127.0.0.1 read
-------------------------------------------------------------------

An anonymous search via 127.0.0.1 is not possible. After removing the lines
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
    by anonymous auth
    by * +0 break
-------------------------------------------------------------------
it works again.

+++ This bug was initially created as a clone of Bug #29482 +++

With a Kerberos ticket as Administrator, I cannot perform LDAP operations as Administrator on a 3.0 / 3.1 system:

Administrator@master411:~$ kinit Administrator
Administrator@DEADLOCK41.LOCAL's Password:
Administrator@master411:~$ ldapadd -Y GSSAPI -f x
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=users2,dc=deadlock41,dc=local"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

Administrator@master411:~$ ldapsearch -Y GSSAPI uid=Administrator -LLL uid userPassword
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: uid=Administrator,cn=users,dc=deadlock41,dc=local
uid: Administrator

Administrator@master411:~$
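
Why the first "access to" block in the report above shadows the peername.ip clause, shown as an added example that is not part of the bug report and is not UCS or OpenLDAP code: a simplified Python model of slapd's first-match ACL evaluation. The function names and the "admins" / "ip:" who-tokens are made up for this sketch, and only the stop and break controls are modelled.

```python
# Simplified model of slapd ACL evaluation, constructed for illustration.
# Not slapd code: only the "stop" and "break" controls are modelled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# (attrs the directive applies to, or None for "*"; list of by-clauses)
# A clause is (who, level, control); level None stands for "+0".
FIRST = ({"entry", "uid"}, [("anonymous", "auth", "stop"),
                            ("*", None, "break")])
SECOND = (None, [("admins", "write", "stop"),        # stands in for set=...
                 ("users", "read", "stop"),
                 ("ip:127.0.0.1", "read", "stop")])  # peername.ip clause

def who_matches(who, client):
    if who == "*":
        return True
    if who == "anonymous":
        return client["dn"] is None
    if who == "users":
        return client["dn"] is not None
    if who == "admins":
        return client.get("admin", False)
    if who.startswith("ip:"):
        return client["ip"] == who[3:]
    return False

def granted_level(acl, attr, client):
    level = "none"
    for attrs, clauses in acl:
        if attrs is not None and attr not in attrs:
            continue                      # directive does not cover attr
        for who, new_level, control in clauses:
            if not who_matches(who, client):
                continue
            if new_level is not None:     # "+0" keeps the current level
                level = new_level
            if control == "stop":
                return level              # first match wins, evaluation ends
            break                         # "break": go on to next directive
        else:
            return "none"                 # implicit "by * none stop"
    return "none"                         # implicit "access to * by * none"

def can_read(acl, attr, client):
    return LEVELS.index(granted_level(acl, attr, client)) >= LEVELS.index("read")

ANON_LOCAL = {"dn": None, "ip": "127.0.0.1"}   # constructed sample client
if __name__ == "__main__":
    print(can_read([FIRST, SECOND], "entry", ANON_LOCAL))  # ACL as generated
    print(can_read([SECOND], "entry", ANON_LOCAL))         # first block removed
```

In the model the anonymous client from 127.0.0.1 stops at auth on the entry pseudo-attribute, and slapd only returns an entry in a search when the client has read access to entry.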
r66314 | Bug #39878 test: Test LDAP anonymous read
 tests/10_ldap/11anonymous

Package: ucs-test
Version: 6.0.28-4.1359.201512141330
Branch: ucs_4.1-0
Scope: errata4.1-0
The test case failed:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=slave/151/testReport/junit/10_ldap/11anonymous/test/

Is it still or again broken?

*** BEGIN *** ['/bin/bash', '11anonymous'] ***
*** 10_ldap/11anonymous *** Test that LDAP anonymous read works ***
*** START TIME: 2015-12-20 20:29:18 ***
Testing ldap/acl/read/anonymous=no ldap/acl/read/ips= ...
Setting ldap/acl/read/anonymous
Create ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication
Testing ldap/acl/read/anonymous=no ldap/acl/read/ips=127.0.0.1 ...
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication
error 2015-12-20 20:29:20 Failed anonymous read by IP
Testing ldap/acl/read/anonymous=yes ldap/acl/read/ips= ...
error 2015-12-20 20:29:20 **************** Test failed above this line (110) ****************
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication
error 2015-12-20 20:29:21 *** Check failed (110), but this might be caused by the error above ***
Unsetting ldap/acl/read/ips
Unsetting ldap/acl/read/ips
Unsetting ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/anonymous
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
*** END TIME: 2015-12-20 20:29:23 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:04.687187 ***
*** END *** 110 ***
r66510 | Bug #39878 test: Fix LDAP anonymous read
 Added explicit TCP port 7389 for OpenLDAP

Package: ucs-test
Version: 6.0.30-2.1370.201512211543
Branch: ucs_4.1-0
Scope: errata4.1-0
No separate QA is needed for this bug.