Bug 47237 - [4.2] LDAP connection cache doesn't handle credentials change
Status: CLOSED FIXED
Alias: None
Product: UCS@school
Classification: Unclassified
Component: HTTP-API (Kelvin)
Version: UCS@school 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.2 v10
Assignee: Daniel Tröder
QA Contact: Ole Schwiegert
URL:
Keywords:
Depends on: 54135 47236
Blocks:
Reported: 2018-06-22 13:12 CEST by Daniel Tröder
Modified: 2021-11-24 13:13 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018062221000376
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Description Daniel Tröder univentionstaff 2018-06-22 13:12:08 CEST
+++ This bug was initially created as a clone of Bug #47236 +++

Admin and machine connections are cached in ucsschool/importer/utils/ldap_connection.py. When the machine account's credentials change, uldap tries to reconnect using the old credentials.

Invalidate the connection caches when the password files change.
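
The invalidation requested in this description, sketched as an added example (not code from ucs-school-import or from anyone in this thread): a cache that fingerprints the password file and binds again when the file changes. The class name, the `connect` factory and the temporary secret file are assumptions made for the illustration.

```python
import os
import tempfile
from typing import Any, Callable, List, Optional, Tuple


class SecretAwareConnectionCache:
    """Cache one connection; reconnect when the password file changes."""

    def __init__(self, secret_path: str, connect: Callable[[str], Any]) -> None:
        self._secret_path = secret_path
        self._connect = connect  # hypothetical factory: password -> connection
        self._conn: Optional[Any] = None
        self._fingerprint: Optional[Tuple[int, int, int]] = None

    def _current_fingerprint(self) -> Tuple[int, int, int]:
        # The inode catches an atomic replace (write temp file, then rename);
        # mtime_ns and size catch an in-place rewrite.
        st = os.stat(self._secret_path)
        return (st.st_ino, st.st_mtime_ns, st.st_size)

    def get(self) -> Any:
        fingerprint = self._current_fingerprint()
        if self._conn is None or fingerprint != self._fingerprint:
            with open(self._secret_path, encoding="utf-8") as fh:
                password = fh.read().strip()
            self._conn = self._connect(password)
            # If the file changed between stat and read, the next get()
            # sees a new fingerprint and simply binds once more.
            self._fingerprint = fingerprint
        return self._conn


def demo() -> List[str]:
    """Constructed scenario: rotate the password file, record each bind."""
    binds: List[str] = []

    def fake_connect(password: str) -> dict:  # stands in for an LDAP bind
        binds.append(password)
        return {"bound_with": password}

    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "machine.secret")  # constructed path
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("old-pw\n")
        cache = SecretAwareConnectionCache(secret, fake_connect)
        first = cache.get()
        assert cache.get() is first  # unchanged file: cached connection reused
        with open(secret + ".new", "w", encoding="utf-8") as fh:
            fh.write("new-password\n")
        os.replace(secret + ".new", secret)  # atomic password rotation
        cache.get()  # fingerprint differs, so the cache binds again
    return binds
```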
Comment 1 Daniel Tröder univentionstaff 2018-06-28 09:28:28 CEST
Gunicorn is now restarted when the machine account password changes.
Cache refresh inside the running Python instance (to not restart it) is not required, as the process does not perform any critical operation. The import is run within Celery instances.

[4.2] 1de022965 Bug #47237: restart Gunicorn when machine account password changes
[4.2] 5189484c9 Bug #47237: advisory

ucs-school-import (15.0.3-59)
Comment 2 Ole Schwiegert univentionstaff 2018-06-29 09:58:02 CEST
Changelog: OK
Advisory: OK
Gunicorn restarts after machine password change: REOP

The script /usr/lib/univention-server/server_password_change.d/gunicorn_ucs-school-import does not get executed since it is missing the executable bit.

After chmod +x /usr/lib/univention-server/server_password_change.d/gunicorn_ucs-school-import it works as intended.
Comment 3 Daniel Tröder univentionstaff 2018-06-29 13:20:45 CEST
[4.2] 8e35cf945 Bug #47237: add missing executable flag to machine account change script
[4.2] 418c8ba9c Bug #47237: advisory update
Comment 4 Ole Schwiegert univentionstaff 2018-06-29 14:28:26 CEST
Changelog: OK
Advisory: OK
Gunicorn restarts after machine password change: OK
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-07-04 18:07:46 CEST
UCS@school 4.2 v10 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.2v10-de.html

If this error occurs again, please clone this bug.