Univention Bugzilla – Bug 46089
computerroom/room/acquire: ldapError: Insufficient access
Last modified: 2019-10-11 17:27:24 CEST
Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6
Die Ausführung des Kommandos computerroom/room/acquire ist fehlgeschlagen:
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/computerroom/__init__.py", line 325, in room_acquire
    room = ComputerRoom.from_dn(roomDN, None, ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/base.py", line 853, in from_dn
    udm_obj = udm_modules.lookup(cls._meta.udm_module, None, lo, filter=cls._meta.udm_filter, base=dn, scope='base', superordinate=superordinate)[0]
  File "%PY2.7%/univention/admin/modules.py", line 732, in lookup
    tmpres = module.lookup(co, lo, filter, base=base, superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit)
  File "%PY2.7%/univention/admin/handlers/groups/group.py", line 1063, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "%PY2.7%/univention/admin/uldap.py", line 437, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
Role: domaincontroller_slave
Reported again: Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6
Reported again: Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6
Die Ausführung des Kommandos computerroom/schools ist fehlgeschlagen:
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 390, in schools
    schools = School.from_binddn(ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/school.py", line 408, in from_binddn
    user_schools = lo.search(base=lo.binddn, scope='base', attr=['ucsschoolSchool'])[0][1].get('ucsschoolSchool', [])
  File "%PY2.7%/univention/admin/uldap.py", line 437, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
Role: domaincontroller_slave
Reported again: Version: 4.2-3 errata284 (Lesum) - UCS@school 4.2 v7
Is the DN of the user doing the requests known?
Reported again: Version: 4.2-3 errata315 (Lesum) - UCS@school 4.2 v7
Reported again: Version: 4.3-1 errata163 (Neustadt) - UCS@school 4.3 v4
Interner Server-Fehler in "computerroom/schools".
Request: computerroom/schools
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 390, in schools
    schools = School.from_binddn(ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/school.py", line 426, in from_binddn
    user_schools = lo.search(base=lo.binddn, scope='base', attr=['ucsschoolSchool'])[0][1].get('ucsschoolSchool', [])
  File "%PY2.7%/univention/admin/uldap.py", line 710, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
Role: domaincontroller_slave
Reported again: Version: 4.3-2 errata270 (Neustadt) - UCS@school 4.3 v5
Traceback: Same as Comment 11
Reported again: Version: 4.3-3 errata390 (Neustadt) - UCS@school 4.3 v6
Interner Server-Fehler in "computerroom/room/acquire".
Request: computerroom/room/acquire
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/computerroom/__init__.py", line 325, in room_acquire
    room = ComputerRoom.from_dn(roomDN, None, ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/base.py", line 903, in from_dn
    udm_obj = udm_modules.lookup(cls._meta.udm_module, None, lo, filter=cls._meta.udm_filter, base=dn, scope='base', superordinate=superordinate)[0]
  File "%PY2.7%/univention/admin/modules.py", line 736, in lookup
    tmpres = module.lookup(co, lo, filter, base=base, superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit)
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 1576, in lookup
    for dn, attrs in lo.search(filter_str, base, scope, attr, unique, required, timeout, sizelimit):
  File "%PY2.7%/univention/admin/uldap.py", line 710, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
Role: domaincontroller_slave
Reported again: Version: 4.3-3 errata390 (Neustadt) - UCS@school 4.3 v6
Remark: w
Interner Server-Fehler in "computerroom/schools".
Request: computerroom/schools
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 390, in schools
    schools = School.from_binddn(ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/school.py", line 472, in from_binddn
    user_schools = lo.search(base=lo.binddn, scope='base', attr=['ucsschoolSchool'])[0][1].get('ucsschoolSchool', [])
  File "%PY2.7%/univention/admin/uldap.py", line 710, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
Role: domaincontroller_slave
This bug should be fixed urgently from my point of view.
Created attachment 9946 [details] patch
(In reply to Florian Best from comment #16)
> Created attachment 9946 [details]
> patch

Patch which can be used as hotfix for customers. For a patch in the product I would like an idempotent behavior, i.e. instead of the "return" a "raise" should be done.
It's reproducible by logging in via SAML, stopping the ldap server, making a search and starting the ldap server again.

I have another idea to fix this: Wrap the uldap methods and apply the reconnection there. Then reconnecting works also for SAML (seems it doesn't work now?!) and it could also fix Bug #47926.
Created attachment 9969 [details]
patch2

Patch for the alternative idea (branch fbest/46089-reset-cache-on-ldap-server-down).
The problem was not limited to saml.

How to reproduce:
Open a computerroom
Open the change room menu
Stop slapd
Change the computerroom and wait for a ldap server down/timeout error
Start the ldap server again
Try changing the room again -> You should now get an "Insufficient access" exception.

Problem: After the ldap error the ldapobject has not called bind but is initialized, resulting in anonymous ldap calls.

[4.4-0 1d84181f91] Bug #46089: Fix "ldapError: Insufficient access" errors
[4.4-0 3560ac4c16] Bug #46089: yaml

Package: univention-management-console
Version: 11.0.4-16A~4.4.0.201905101258
Branch: ucs_4.4-0
Scope: errata4.4-0
Created attachment 10021 [details]
Possible patch for python-ldap

As an alternative we could be able to patch python-ldap to ensure this situation doesn't happen in the first place.
(In reply to Jürn Brodersen from comment #21)
> Created attachment 10021 [details]
> Possible patch for python-ldap
>
> As an alternative we could be able to patch python-ldap to ensure this
> situation doesn't happen in the first place.

Would be nice to have a reproducer script which is only using pure python-ldap.
1. The connection cache is now not invalidated on ldap.LDAPError but only by the wrapped udm_errors.ldapError. Shouldn't it be reset on both?

2. With the current changes, I think we should also remove the duplicated function call from the UDM module:

diff --git a/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py b/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py index 3cccd87d4c..239eeae9f5 100644 --- a/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py +++ b/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py @@ -82,10 +82,7 @@ def LDAP_Connection(func): @functools.wraps(func) def _decorated(*args, **kwargs): method = user_connection(func, bind=__bind_function, write=True) - try: - return method(*args, **kwargs) - except (LDAPError, udm_errors.ldapError): - return method(*args, **kwargs) + return method(*args, **kwargs) return _decorated
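Review bot: dropping the try/except retry in `_decorated` is only correct if `user_connection` itself now evicts the cached connection and re-binds on `LDAPError` and `udm_errors.ldapError`; otherwise the first UMC request after an slapd restart surfaces the error to the user instead of being retried once. The removed block also re-executed the wrapped request on any LDAP error, on a `write=True` connection, which is exactly the non-idempotent "return instead of raise" behaviour objected to earlier in this bug, so the direction is right; please name the uldap-wrapper reconnect change this depends on in the commit message so the two do not land separately.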
(In reply to Florian Best from comment #23)
> 1. The connection cache is now not invalidated on ldap.LDAPError but only by
> the wrapped udm_errors.ldapError. Shouldn't it be reset on both?

Yes thanks!

> 2. With the current changes, I think we should also remove the duplicated
> function call from the UDM module:

Probably, but I'm not quite sure. I think that should be handled in a separate bug.

[4.4-0 5cf86bd215] Bug #46089: except ldap.LDAPError as well as udm_errors
[4.4-0 66fb244df8] Bug #46089: yaml

Package: univention-management-console
Version: 11.0.4-16A~4.4.0.201905101433
Branch: ucs_4.4-0
Scope: errata4.4-0
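The failure mode described in the reproduction steps above (a cached LDAP object that survives an slapd outage, is reused without a bind, and from then on sends every request anonymously, which the directory answers with "Insufficient access") and the review question of which exception types must evict the cache can be modelled without a directory server. The following is an added example written for this page, not code from Univention, UMC, UDM or python-ldap: FakeLDAPServer, FakeLDAPObject, ConnectionCache, the exception classes, the DNs and the directory entry are all constructed stand-ins that mimic only the behaviour relevant here.

```python
"""Added example, not Univention code: a model of the cached-connection bug
from Bug #46089 and of the fix (evict the cache on the wrapped UDM error AND
on the raw python-ldap error). All classes below are constructed stand-ins."""


class LDAPError(Exception):
    """Stand-in for ldap.LDAPError, the python-ldap base exception."""


class ServerDown(LDAPError):
    """Stand-in for ldap.SERVER_DOWN."""


class InsufficientAccess(LDAPError):
    """Stand-in for ldap.INSUFFICIENT_ACCESS."""


class UdmLdapError(Exception):
    """Stand-in for univention.admin.uexceptions.ldapError (UDM's wrapped error)."""


class FakeLDAPServer:
    """Constructed directory: one entry, readable only by a bound user."""

    def __init__(self):
        self.up = True
        self.entries = {"cn=room1,ou=school1,dc=example,dc=com": {"cn": [b"room1"]}}

    def stop(self):
        self.up = False

    def start(self):
        self.up = True


class FakeLDAPObject:
    """Models the root cause from the report: after a failed call the object
    still exists and is initialised, but no bind is in place any more, so all
    later requests go out anonymously."""

    def __init__(self, server):
        self.server = server
        self.binddn = None  # None means anonymous

    def simple_bind_s(self, binddn, password):
        if not self.server.up:
            raise ServerDown("Can't contact LDAP server")
        self.binddn = binddn

    def search_s(self, base):
        if not self.server.up:
            self.binddn = None  # connection dropped: the bind is gone with it
            raise ServerDown("Can't contact LDAP server")
        if self.binddn is None:
            raise InsufficientAccess("Insufficient access")
        return self.server.entries[base]


def udm_search(lo, base):
    """UDM-style wrapper: converts the python-ldap error into the UDM error."""
    try:
        return lo.search_s(base)
    except LDAPError as exc:
        raise UdmLdapError(str(exc))


def raw_search(lo, base):
    """Direct python-ldap call that is not wrapped by UDM (review point 1)."""
    return lo.search_s(base)


class ConnectionCache:
    """Per-user connection cache. `reset_on` lists the exception types that
    evict the cached object so that the next call creates and binds a new one."""

    def __init__(self, server, binddn, password, reset_on):
        self.server, self.binddn, self.password = server, binddn, password
        self.reset_on = tuple(reset_on)
        self._cache = {}

    def get(self, key):
        lo = self._cache.get(key)
        if lo is None:
            lo = FakeLDAPObject(self.server)
            lo.simple_bind_s(self.binddn, self.password)
            self._cache[key] = lo
        return lo

    def call(self, key, func, *args):
        try:
            return func(self.get(key), *args)
        except self.reset_on:
            self._cache.pop(key, None)  # evict: next get() binds again
            raise


def scenario(reset_on, search=udm_search):
    """Replays the reproduction: request works, slapd stopped, request fails,
    slapd started, request again. Returns what the user would see."""
    server = FakeLDAPServer()
    base = "cn=room1,ou=school1,dc=example,dc=com"
    cache = ConnectionCache(server, "uid=teacher1,ou=school1,dc=example,dc=com", "secret", reset_on)
    seen = []
    cache.call("teacher1", search, base)  # first request succeeds
    server.stop()
    try:
        cache.call("teacher1", search, base)
    except (LDAPError, UdmLdapError) as exc:
        seen.append(type(exc).__name__)  # the expected "server down" error
    server.start()
    try:
        cache.call("teacher1", search, base)
        seen.append("ok")
    except (LDAPError, UdmLdapError) as exc:
        seen.append(str(exc))  # the bug: "Insufficient access"
    return seen


if __name__ == "__main__":
    print("no invalidation:         ", scenario(()))
    print("reset on UDM error only: ", scenario((UdmLdapError,), raw_search))
    print("reset on both:           ", scenario((LDAPError, UdmLdapError), raw_search))
```

Running it shows the three cases side by side: with no invalidation the request after the restart fails with the reported "Insufficient access"; evicting only on the wrapped UDM error fixes the UDM path but a direct python-ldap call still leaves the dead object in the cache; evicting on both error types makes the request after the restart succeed, which is the point of review question 1 above.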
OK: code change
OK: reproduced the error with u-m-c=11.0.4-2 and it is gone with 11.0.4-16
OK: advisory
<http://errata.software-univention.de/ucs/4.4/104.html>