Univention Bugzilla – Bug 40129
LDAP filter escaping incomplete
Last modified: 2016-09-26 13:30:54 CEST
Having such an object in the LDAP (e.g. because that name was synced from AD to LDAP) also means that the self-service cannot be used anymore:

Execution of command 'passwordreset/get_reset_methods' has failed:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 283, in execute
    function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 120, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 190, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 347, in get_reset_methods
    blacklisted = self.is_blacklisted(username)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 460, in is_blacklisted
    groups_dns.extend(self.get_nested_groups(group_dn))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 496, in get_nested_groups
    group = self.get_udm_group(groupdn)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 562, in get_udm_group
    group = self.groupmod.lookup(self.config, self.lo, filter_s=gidf, base=base)[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1100, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 359, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=Foo-Gruppe (BAR)))
Oh no, this is a bug in the self service module itself.
Created attachment 7342
patch

The functions univention.admin.parentDn and univention.admin.explodeDn should also use the official functions from the ldap library.
Reported again, 4.0-4 errata363 (Walle)
Remark: Hello, because of this error I can neither edit, rename nor delete the group. It works neither via the management interface nor via ssh. Can you help me with this?
All broken LDAP filter escaping in univention-directory-manager-modules has been fixed.

univention-directory-manager-modules (11.0.3-17):
r70589 | Bug #40129: escape ldap filters
univention-python (9.0.1-4):
r70653 | Bug #40129: use official python-LDAP utilities

univention-directory-manager-modules.yaml:
r70599 | YAML Bug #41580, Bug #40041, Bug #40129, Bug #38110, Bug #40422

univention-directory-manager-modules (11.0.3-21):
r70620 | Bug #40129: fix filter formatting for multivalue fields → use only the first value of that multivalue, should be fixed correctly by Bug #7430

univention-python.yaml:
r70654 | YAML Bug #40129
Found some more:

univention-directory-manager-modules (11.0.3-25):
r70751 | Bug #40129: more LDAP filter escaping
This seems to have broken the last Jenkins run: +280 failures like <http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/66_udm-computers/01_all_roles_removal/test/>
*** Bug 41111 has been marked as a duplicate of this bug. ***
(In reply to Philipp Hahn from comment #10)
> This seems to have broken the last Jenkins run: +280 failures like
> <http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/66_udm-computers/01_all_roles_removal/test/>

univention-directory-manager-modules (11.0.3-28):
r70768 | Bug #40129: fixup svn r70751
Reported again, 4.1-2 errata206 (Vahr)
Remark: Gave OU a name with brackets in UMC. Appeared to work on creation and moving a computer object into it. However, subsequent renaming in Active directory computers and users exposed a problem with sync to openldap. Subsequent attempts to rename, move computer object and delete OU all give the below search filter error. Assume it's failing on brackets in the name.

Execution of command 'udm/nav/object/query navigation' has failed:

Traceback (most recent call last):
  File "%PY2.7%/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "%PY2.7%/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "%PY2.7%/univention/management/console/modules/udm/__init__.py", line 1035, in _thread
    for module, obj in list_objects(container, object_type=object_type):
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 1074, in list_objects
    yield (module, module.get(dn))
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 87, in _decorated
    return method(*args, **kwargs)
  File "%PY2.7%/univention/management/console/ldap.py", line 135, in _decorated
    result = func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 507, in get
    obj.open()
  File "%PY2.7%/univention/admin/handlers/computers/windows.py", line 395, in open
    univention.admin.handlers.simpleComputer.open( self )
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 1273, in open
    result=self.lo.search(base=self.lo.base, filter=searchFilter, attr=['dn'])
  File "%PY2.7%/univention/admin/uldap.py", line 363, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(objectclass=univentionGroup)(uniqueMember=cn=***,ou=Laptops \\(roaming\\),dc=***,dc=com,dc=au))
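Added example, not part of the bug report and not Univention's code: it reproduces why the two filters in the tracebacks above are rejected and how RFC 4515 value escaping repairs them. The names `escape_filter_value` and `is_valid_filter` are hypothetical, the syntax check is deliberately minimal, and the member DN is constructed; python-ldap's `ldap.filter.escape_filter_chars` and `ldap.filter.filter_format` apply the same escaping.

```python
import re

# RFC 4515: these characters must appear as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# attr, operator, then a value made of plain characters or \XX escapes only.
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*(=|~=|>=|<=)([^\\()\x00]|\\[0-9A-Fa-f]{2})*")

# Filter templates taken from the two tracebacks on this page.
GROUP_BY_CN = "(&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=%s))"
GROUP_BY_MEMBER = "(&(objectclass=univentionGroup)(uniqueMember=%s))"

def escape_filter_value(value):
    """Escape one assertion value (hypothetical helper, RFC 4515 mapping)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def is_valid_filter(text):
    """Minimal RFC 4515 syntax check covering and/or/not and simple items."""
    def parse(pos):
        # Parse one "(...)" filter at pos; return the index after it, or -1.
        if not text.startswith("(", pos):
            return -1
        pos += 1
        if text[pos:pos + 1] in ("&", "|", "!"):
            negation = text[pos] == "!"
            pos += 1
            count = 0
            while text.startswith("(", pos):
                pos = parse(pos)
                if pos < 0:
                    return -1
                count += 1
            if count == 0 or (negation and count != 1):
                return -1
        else:
            # A simple item runs to the first ")"; a raw ")" in the value ends it early.
            end = text.find(")", pos)
            if end < 0 or not _ITEM.fullmatch(text[pos:end]):
                return -1
            pos = end
        return pos + 1 if text.startswith(")", pos) else -1
    return parse(0) == len(text)

# Constructed inputs: the group name from the first traceback, and a made-up DN
# whose OU carries backslash-escaped brackets like the second one.
GROUP_NAME = "Foo-Gruppe (BAR)"
MEMBER_DN = "cn=pc01,ou=Laptops \\(roaming\\),dc=example,dc=com"

if __name__ == "__main__":
    for template, value in ((GROUP_BY_CN, GROUP_NAME), (GROUP_BY_MEMBER, MEMBER_DN)):
        for candidate in (template % value, template % escape_filter_value(value)):
            print(is_valid_filter(candidate), candidate)
```

DN escaping and filter escaping are separate layers: a DN that is already backslash-escaped still has to be filter-escaped (backslash becomes `\5c`) before it is placed in a `uniqueMember=` assertion.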
Very good.

Code review: OK
r70653 → OK
r70589 → OK
r70620 → OK
r70751 → OK
r70768 → OK
YAML: OK (minor adjustment r70835)
Tests: OK
<http://errata.software-univention.de/ucs/4.1/207.html> <http://errata.software-univention.de/ucs/4.1/208.html>
*** Bug 10687 has been marked as a duplicate of this bug. ***
Reported again, 4.1-2 errata206 (Vahr)
*** Bug 34522 has been marked as a duplicate of this bug. ***
*** Bug 34432 has been marked as a duplicate of this bug. ***