Univention Bugzilla – Bug 41835
Improve univention-s4search to also work for normal users
Last modified: 2019-01-03 07:23:08 CET
Created attachment 7824 [details]
univention-s4search

Currently univention-s4search doesn't work for users:

arequate@master:~$ /usr/sbin/univention-s4search
/usr/sbin/univention-s4search: 30: /usr/sbin/univention-s4search: univention-config-registry: not found
Failed to connect to ldap URL 'ldaps://' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://' with backend 'ldaps': (null)
Failed to connect to ldaps:// - (null)

The attached version of that script
a) works for normal users
b) works with an existing kerberos ticket
c) is ugly shell code, especially the option parsing

Maybe we should rewrite this in Python some day. If we do so, the Python code should be able to output a shell line that can be used to debug the search with exactly the given parameters, in case the s4search itself fails.
Created attachment 7993 [details]
univention-s4search python version

Attached you'll find a python version of `univention-s4search`. This version also fixes bug 34156. It differs in some regards from the original version and in some regards from the attached version from Arvid.

Differences to the original:
1) Works for normal users.
2) Will append `--kerberos=no` to the arguments if no credentials were given and the user did not supply a value for `-k/--kerberos`.
3) Will no longer accept `-k/--kerberos`, `-A/--authentication-file`, `-P/--password`, `-U/--user` or `--simple-bind-dn` without an additional value as valid credentials.

Differences to Arvid's version:
4) The same as 3), with the addition that `-U/--user` with the suffix `%<password>` is also counted as valid credentials (in addition to a given account).
5) `-k/--kerberos` with a value of `no` is no longer accepted as valid credentials.
6) Whenever a user is prompted for a password, a username will be shown.

Two additional thoughts:
a) There is no handling of `--no-pass` in either version.
b) Passing credentials as command-line arguments is inherently unsafe. These should be passed via stdin. But that would inhibit the output of a standalone ldbsearch debug command in case of secrets.ldb lookup.
> a) There is no handling of `--no-pass` in either version.

That's ok.
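As an added illustration (not the attached script and not Univention's code), this is how the credential rules in points 2 to 6 of the comment introducing the Python version can be implemented, together with the masked ldbsearch debug line the first comment asked for. The option names are those of ldbsearch; treating the next word that does not start with `-` as an option's value is a simplifying assumption of this example.

```python
import shlex
from dataclasses import dataclass, field

# ldbsearch credential options; short spellings are normalised to the long one.
SHORT = {"-k": "--kerberos", "-A": "--authentication-file", "-P": "--password", "-U": "--user"}
CRED_OPTS = set(SHORT.values()) | {"--simple-bind-dn"}

@dataclass
class CredInfo:
    has_credentials: bool = False  # an option from points 3-5 carried a usable value
    kerberos_given: bool = False   # the caller supplied a value for -k/--kerberos
    username: str = ""             # shown when prompting for a password (point 6)
    argv: list = field(default_factory=list)      # arguments to hand to ldbsearch
    redacted: list = field(default_factory=list)  # the same, password material masked

def scan_args(args: list) -> CredInfo:
    """Classify wrapper arguments following points 2 to 6 of the comment above."""
    info, i = CredInfo(), 0
    while i < len(args):
        arg = args[i]
        opt, has_eq, value = arg.partition("=")  # non-options are rebuilt losslessly below
        name = SHORT.get(opt, opt)
        # Assumption: for a credential option, a following word not starting with '-' is its value.
        separate = (name in CRED_OPTS and not has_eq and i + 1 < len(args)
                    and not args[i + 1].startswith("-"))
        if separate:
            i += 1
            value = args[i]
        masked = value
        if name == "--kerberos":
            info.kerberos_given = bool(value)
            info.has_credentials |= bool(value) and value.lower() != "no"  # point 5
        elif name in CRED_OPTS and value:    # points 3 and 4: a bare option is no credential
            info.has_credentials = True
        if name == "--user" and value:       # "user" or "user%password"
            info.username = value.partition("%")[0]
            masked = info.username + ("%***" if "%" in value else "")
        elif name == "--password" and value:
            masked = "***"
        info.argv += [opt, value] if separate else [arg]
        info.redacted += [opt, masked] if separate else [opt + ("=" + masked if has_eq else "")]
        i += 1
    if not info.has_credentials and not info.kerberos_given:
        info.argv.append("--kerberos=no")    # point 2
        info.redacted.append("--kerberos=no")
    return info

def debug_command(info: CredInfo) -> str:
    """Shell line that reproduces the search (comment 1's wish), passwords masked."""
    return shlex.join(["ldbsearch"] + info.redacted)
```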
Feedback from Support: It would be cool to make univention-s4search also search below the cn=configuration branch by default (but not under cn=schema).
Created attachment 8305 [details] Updated Python univention-s4search which includes CN=Configuration
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.