Bug 41518 – replace self.lo.search() with getAttr() or get (uldap) if the search is meant to return attributes for a specific object

Bug 41518 - replace self.lo.search() with getAttr() or get (uldap) if the search is meant to return attributes for a specific object


Summary:	replace self.lo.search() with getAttr() or get (uldap) if the search is meant...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UDM (Generic)
Version:	UCS 3.3
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 3.3-0-errata
Assigned To:	Stefan Gohmann
QA Contact:	Felix Botner

URL:
Keywords:

Depends on:	40651 40652
Blocks:
	Show dependency tree / graph

Reported:	2016-06-10 07:23 CEST by Stefan Gohmann
Modified:	2016-09-29 17:30 CEST (History)
CC List:	6 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.206
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Gohmann

2016-06-10 07:23:47 CEST

Needs to be merged to UCS 3.3.

+++ This bug was initially created as a clone of Bug #40652 +++

(Clone for UCS 3.2)

+++ This bug was initially created as a clone of Bug #40651 +++

In setups with big databases and sldap size limits, creating a users fails:

udm users/user create ...
LDAP Error: Administrative limit exceeded


 uldap.search filter=(objectClass=*) base=cn=Domain Users,cn=groups,o=in8,o=orange scope=sub attr=['gidNumber'] unique=0 required=0 timeout=-1 sizelimit=0
12.02.16 15:49:51.490  ADMIN       ( ERROR   ) : Post-modify operation failed:   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 781, in _create
    self._ldap_post_create()

  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py", line 1887, in _ldap_post_create
    self.__primary_group()

  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py", line 1701, in __primary_group
    searchResult=self.lo.search(base=self['primaryGroup'], attr=['gidNumber'])

  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 355, in search
    raise univention.admin.uexceptions.ldapError, _err2str(msg)
12.02.16 15:50:42.808  ADMIN       ( ERROR   ) : Post-modify operation failed:   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 781, in _create
    self._ldap_post_create()

The problem is this:

 self.lo.search(base=self['primaryGroup'], attr=['sambaSID'])

This search uses the ldap filter filter=(objectClass=*). Seems that slapd applies the filter and than checks the limits (before filtering the search base).

The search works with a proper scope "scope=base" but we may better use uldap.get or uldap.getAttr instead.

Attached a patch that fixes this problem for "udm users/user create" (with scope=base). But there are much more of those searches in our udm handlers.

Comment 1 Stefan Gohmann

2016-06-10 07:47:17 CEST

Merged r67641 and r67688.

YAML file: r70060

I've created a new bug for the generic check of scopes: Bug #41519.

Comment 2 Felix Botner

2016-06-15 10:56:26 CEST

OK - changes merged
OK - udm
OK - YAML

OK - 9.0.76-143~ucs3.3.1397.201606100742

Comment 3 Janek Walkenhorst

2016-06-15 12:09:15 CEST

<http://errata.software-univention.de/ucs/3.3/3.html>