46089 – computerroom/room/acquire: ldapError: Insufficient access

Bug 46089 - computerroom/room/acquire: ldapError: Insufficient access

Summary: computerroom/room/acquire: ldapError: Insufficient access

Status:	CLOSED FIXED

Alias:	None

Product:	UCS
Classification:	Unclassified
Component:	UMC (Generic)
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal
Target Milestone:	UCS 4.4-0-errata
Assignee:	Jürn Brodersen
QA Contact:	Daniel Tröder

URL:
Keywords:

Depends on:
Blocks:	49447 50355
	Show dependency tree / graph

Reported:	2018-01-19 16:42 CET by Johannes Keiser
Modified:	2019-10-11 17:27 CEST (History)
CC List:	5 users (show)

See Also:	47926
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	4: Will affect most installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.343
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2019022121000561, 2019031221000264, 2018112921001076, 2018081421000146, 2018040621000267, 2018022721000463, 2018030721000383, 2018022121000367, 2018021521000593, 2018012521000549, 2018012521000405, 2018012421000631, 2018013121000448, 2018011721000493
Bug group (optional):	Error handling, External feedback
Customer ID:
Max CVSS v3 score:

Attachments
patch (1.66 KB, patch) 2019-03-29 16:56 CET, Florian Best	Details \| Diff
patch2 (2.76 KB, patch) 2019-04-12 18:28 CEST, Florian Best	Details \| Diff
Possible patch for python-ldap (1.11 KB, patch) 2019-05-10 13:14 CEST, Jürn Brodersen	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Keiser

2018-01-19 16:42:01 CET

Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6

Die Ausführung des Kommandos computerroom/room/acquire ist fehlgeschlagen:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/computerroom/__init__.py", line 325, in room_acquire
    room = ComputerRoom.from_dn(roomDN, None, ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/base.py", line 853, in from_dn
    udm_obj = udm_modules.lookup(cls._meta.udm_module, None, lo, filter=cls._meta.udm_filter, base=dn, scope='base', superordinate=superordinate)[0]
  File "%PY2.7%/univention/admin/modules.py", line 732, in lookup
    tmpres = module.lookup(co, lo, filter, base=base, superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit)
  File "%PY2.7%/univention/admin/handlers/groups/group.py", line 1063, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "%PY2.7%/univention/admin/uldap.py", line 437, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Role: domaincontroller_slave

Comment 1 Johannes Keiser

2018-02-15 17:15:57 CET

Reported again: Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6

Comment 2 Johannes Keiser

2018-02-16 11:57:48 CET

Reported again: Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6

Die Ausführung des Kommandos computerroom/schools ist fehlgeschlagen:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 390, in schools
    schools = School.from_binddn(ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/school.py", line 408, in from_binddn
    user_schools = lo.search(base=lo.binddn, scope='base', attr=['ucsschoolSchool'])[0][1].get('ucsschoolSchool', [])
  File "%PY2.7%/univention/admin/uldap.py", line 437, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access


Role: domaincontroller_slave

Comment 3 Johannes Keiser

2018-02-16 12:17:46 CET

Reported again: Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6

Comment 4 Johannes Keiser

2018-02-16 12:19:21 CET

Reported again: Version: 4.2-3 errata256 (Lesum) - UCS@school 4.2 v6

Comment 5 Johannes Keiser

2018-02-16 13:39:53 CET

Reported again: Version: 4.2-3 errata284 (Lesum) - UCS@school 4.2 v7

Comment 6 Daniel Tröder

2018-02-19 15:24:03 CET

Is the DN of the user doing the requests known?

Comment 7 Johannes Keiser

2018-03-15 14:19:10 CET

Reported again: Version: 4.2-3 errata284 (Lesum) - UCS@school 4.2 v7

Comment 8 Johannes Keiser

2018-03-29 19:52:54 CEST

Reported again: Version: 4.2-3 errata284 (Lesum) - UCS@school 4.2 v7

Comment 9 Johannes Keiser

2018-03-29 20:45:37 CEST

Reported again: Version: 4.2-3 errata284 (Lesum) - UCS@school 4.2 v7

Comment 10 Johannes Keiser

2018-04-13 11:51:27 CEST

Reported again: Version: 4.2-3 errata315 (Lesum) - UCS@school 4.2 v7

Comment 11 Johannes Keiser

2018-08-16 12:16:44 CEST

Reported again: Version: 4.3-1 errata163 (Neustadt) - UCS@school 4.3 v4

Interner Server-Fehler in "computerroom/schools".
Request: computerroom/schools

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 390, in schools
    schools = School.from_binddn(ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/school.py", line 426, in from_binddn
    user_schools = lo.search(base=lo.binddn, scope='base', attr=['ucsschoolSchool'])[0][1].get('ucsschoolSchool', [])
  File "%PY2.7%/univention/admin/uldap.py", line 710, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Role: domaincontroller_slave

Comment 12 Johannes Keiser

2018-12-19 15:23:01 CET

Reported again: Version: 4.3-2 errata270 (Neustadt) - UCS@school 4.3 v5
Traceback: Same as Comment 11

Comment 13 Johannes Keiser

2019-03-22 13:27:15 CET

Reported again: Version: 4.3-3 errata390 (Neustadt) - UCS@school 4.3 v6

Interner Server-Fehler in "computerroom/room/acquire".
Request: computerroom/room/acquire

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/computerroom/__init__.py", line 325, in room_acquire
    room = ComputerRoom.from_dn(roomDN, None, ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/base.py", line 903, in from_dn
    udm_obj = udm_modules.lookup(cls._meta.udm_module, None, lo, filter=cls._meta.udm_filter, base=dn, scope='base', superordinate=superordinate)[0]
  File "%PY2.7%/univention/admin/modules.py", line 736, in lookup
    tmpres = module.lookup(co, lo, filter, base=base, superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit)
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 1576, in lookup
    for dn, attrs in lo.search(filter_str, base, scope, attr, unique, required, timeout, sizelimit):
  File "%PY2.7%/univention/admin/uldap.py", line 710, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Role: domaincontroller_slave

Comment 14 Johannes Keiser

2019-03-25 15:17:32 CET

Reported again: Version: 4.3-3 errata390 (Neustadt) - UCS@school 4.3 v6

Remark: w

Interner Server-Fehler in "computerroom/schools".
Request: computerroom/schools

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 145, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 390, in schools
    schools = School.from_binddn(ldap_user_read)
  File "%PY2.7%/ucsschool/lib/models/school.py", line 472, in from_binddn
    user_schools = lo.search(base=lo.binddn, scope='base', attr=['ucsschoolSchool'])[0][1].get('ucsschoolSchool', [])
  File "%PY2.7%/univention/admin/uldap.py", line 710, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Role: domaincontroller_slave

Comment 15 Michel Smidt 2019-03-25 16:45:12 CET

This bug should be fixed urgently from my point of view.

Comment 16 Florian Best

2019-03-29 16:56:22 CET

Created attachment 9946 [details]
patch

Comment 17 Florian Best

2019-03-29 17:09:12 CET

(In reply to Florian Best from comment #16)
> Created attachment 9946 [details]
> patch

Patch which can be used as hotfix for customers. For a patch in the product I have the wish to a idempotent behavior, i.e. instead of the "return" a "raise" should be done.

Comment 18 Florian Best

2019-04-12 17:29:17 CEST

It's reproducible by loggin via SAML, stop the ldap server, make a search and start the ldap server again.

I have another idea to fix this:
Wrap the uldap methods and apply the reconnection there. Then reconnecting works also for SAML (seems it doesn't work now?!) and it could also fix Bug #47926.

Comment 19 Florian Best

2019-04-12 18:28:37 CEST

Created attachment 9969 [details]
patch2

Patch for the alternative idea (branch fbest/46089-reset-cache-on-ldap-server-down).

Comment 20 Jürn Brodersen

2019-05-10 13:11:14 CEST

The problem was not limited to saml.

How to reproduce:
Open a computerroom
Open the change room menu
Stop slapd
Change the computerroom and wait for a ldap server down/timeout error
Start the ldap server again
Try changing the room again -> You should now get an "Insufficient access" exception.

Problem:
After the ldap error the ldapobject has not called bind but is initialized resulting in anonymize ldap calls.

[4.4-0 1d84181f91] Bug #46089: Fix "ldapError: Insufficient access" errors
[4.4-0 3560ac4c16] Bug #46089: yaml
Package: univention-management-console
Version: 11.0.4-16A~4.4.0.201905101258
Branch: ucs_4.4-0
Scope: errata4.4-0

Comment 21 Jürn Brodersen

2019-05-10 13:14:57 CEST

Created attachment 10021 [details]
Possible patch for python-ldap

As an alternative we could be able to patch python-ldap to ensure this situation doesn't happen in the first place.

Comment 22 Florian Best

2019-05-10 13:17:49 CEST

(In reply to Jürn Brodersen from comment #21)
> Created attachment 10021 [details]
> Possible patch for python-ldap
> 
> As an alternative we could be able to patch python-ldap to ensure this
> situation doesn't happen in the first place.
Would be nice to have a reproducer script which is only using pure python-ldap.

Comment 23 Florian Best

2019-05-10 13:25:24 CEST

1. The connection cache is now not invalidated on ldap.LDAPError but only by the wrapped udm_errors.ldapError. Shouldn't it be reset on both?

2. With the current changes, I think we should also remove the duplicated function call from the UDM module:

diff --git a/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py b/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py
index 3cccd87d4c..239eeae9f5 100644
--- a/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py
+++ b/management/univention-management-console-module-udm/umc/python/udm/udm_ldap.py
@@ -82,10 +82,7 @@ def LDAP_Connection(func):
        @functools.wraps(func)
        def _decorated(*args, **kwargs):
                method = user_connection(func, bind=__bind_function, write=True)
-               try:
-                       return method(*args, **kwargs)
-               except (LDAPError, udm_errors.ldapError):
-                       return method(*args, **kwargs)
+               return method(*args, **kwargs)
        return _decorated

Comment 24 Jürn Brodersen

2019-05-10 14:40:24 CEST

(In reply to Florian Best from comment #23)
> 1. The connection cache is now not invalidated on ldap.LDAPError but only by
> the wrapped udm_errors.ldapError. Shouldn't it be reset on both?

Yes thanks!

> 2. With the current changes, I think we should also remove the duplicated
> function call from the UDM module:

Probably, but I'm not quite sure. I think that should be handled in a separate bug.

[4.4-0 5cf86bd215] Bug #46089: except ldap.LDAPError as well as udm_errors
[4.4-0 66fb244df8] Bug #46089: yaml

Package: univention-management-console
Version: 11.0.4-16A~4.4.0.201905101433
Branch: ucs_4.4-0
Scope: errata4.4-0

Comment 25 Daniel Tröder

2019-05-10 15:35:40 CEST

OK: code change
OK: reproduced the error with u-m-c=11.0.4-2 and it is gone with 11.0.4-16
OK. advisory

Comment 26 Arvid Requate

2019-05-15 14:52:13 CEST

<http://errata.software-univention.de/ucs/4.4/104.html>