Bug 48082 - univention-adsearch displays binary code resulting in unreadable screen
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Duplicates: 43319
Depends on:
Blocks:
Reported: 2018-10-30 12:56 CET by Christian Völker
Modified: 2019-03-30 08:32 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018102921000284
Bug group (optional):
Max CVSS v3 score:


Attachments
b64.diff (945 bytes, patch)
2018-11-22 18:00 CET, Arvid Requate

Description Christian Völker univentionstaff 2018-10-30 12:56:37 CET
univention-adsearch seems to decode items incorrectly:

root@ucs:/etc/univention/ssl/ucsCA/crl# univention-adsearch cn=username
[...]
linuxobjectClass: organizationalPerson

objectClass: user

msExchUserAccountControl: 0

userCert*▒H▒▒te: 0▒▒0▒▒▒xt0▒▒=▒
Comment 2 Arvid Requate univentionstaff 2018-10-30 13:55:08 CET
univention-adsearch should use ldif.LDIFWriter for output with a suitable list of base64_attrs. Alternatively it should be re-implemented as just a wrapper of ldapsearch (or ldbsearch, like univention-s4search), which would simultaneously fix Bug 43319, Bug 43189, Bug 35504.
Comment 3 Arvid Requate univentionstaff 2018-10-30 14:00:08 CET
Affected attributes reported:

msExchMailboxSecurityDescriptor msExchSafeSendersHash userCert thumbnailPhoto logonHours msExchMailboxGuid

See also the list in the encode_s4_object method of the S4-Connector.
Comment 4 Felix Botner univentionstaff 2018-11-08 13:35:29 CET
*** Bug 43319 has been marked as a duplicate of this bug. ***
Comment 5 Felix Botner univentionstaff 2018-11-08 15:04:23 CET
The small step for now, no ldbsearch: there is too much going on with SSL/Kerberos authentication in univention-adsearch, which I don't want to mess with right now.

Fixed now by base64-encoding every non-printable attribute. Also, I removed the replace_filter function; it seems to make no difference.

488212ced044ca5bb6278750bc724dba88f9efb2 - univention-ad-connector
252e48eeb342ebe7960b2537c41f849539f8578b - yaml
Comment 6 Arvid Requate univentionstaff 2018-11-21 19:34:48 CET
Ok, much better. There are still corner cases of attributes with Active Directory attributeSyntax 2.5.5.10 (octetstring), which are 8bit and may or may not be printable. The ldapsearch source code seems to check the values for printability and encode accordingly:

========================================================================
#
# univention-adsearch
# filter: (|(auditingPolicy=*)(dnsRecord=*))
#

DN: DC=w2k8r2d2ar,DC=net
auditingPolicy: ^@^A

DN: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ag^Lroot-servers^Cnet^@
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ab^Lroot-servers^Cnet^@
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ae^Lroot-servers^Cnet^@
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ad^Lroot-servers^Cnet^@

DN: DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxwdbDQ==

DN: DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwMvmCg==

DN: DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxwkOyQ==

DN: DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwHAkBA==
========================================================================

Strangely, some dnsRecord entries are encoded, others not.

Doing the same with ldapsearch returns all values base64-encoded:

ldapsearch -H ldap://10.200.8.126 -D Administrator@W2K8R2D2AR.NET \
           -w Univention.1 -b DC=w2k8r2d2ar,DC=net \
           '(|(auditingPolicy=*)(dnsRecord=*))' auditingPolicy dnsRecord
Comment 7 Felix Botner univentionstaff 2018-11-22 11:43:26 CET
Added special (base64 encode) handling for dnsRecord and auditingPolicy.

We should definitely switch to ldbsearch, but I think we need a minor update for that.
Comment 8 Arvid Requate univentionstaff 2018-11-22 18:00:27 CET
Created attachment 9752
b64.diff

I think we need to output the base64-encoded values with "::", see attached patch.
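
The printability check and "::" marker discussed in comments 6 and 8, as an added example that is not part of the original thread or of the univention-adsearch code. It follows the RFC 2849 SAFE-STRING rules and, as a choice made for this example, also base64-encodes every byte outside printable ASCII; the function names and sample values are constructed.

```python
import base64


def needs_base64(value: bytes) -> bool:
    """True if value must not be written as a plain LDIF value.

    RFC 2849 forbids NUL, CR, LF and bytes > 127 in a SAFE-STRING and
    restricts the first character. This example is stricter: any byte
    outside 0x20-0x7e forces base64, so no control character reaches
    the terminal.
    """
    if not value:
        return False
    if value[0] in b" :<":   # not a SAFE-INIT-CHAR
        return True
    if value[-1] == 0x20:    # a trailing space would be lost on re-read
        return True
    return any(b < 0x20 or b > 0x7E for b in value)


def ldif_attr_lines(attr: str, values) -> list:
    """Render values as 'attr: text' or 'attr:: base64' lines."""
    lines = []
    for value in values:
        if needs_base64(value):
            encoded = base64.b64encode(value).decode("ascii")
            lines.append("%s:: %s" % (attr, encoded))
        else:
            lines.append("%s: %s" % (attr, value.decode("ascii")))
    return lines


def parse_ldif_line(line: str):
    """Inverse of ldif_attr_lines for a single unfolded line."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # '::' marks a base64 value
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.lstrip(" ").encode("ascii")


# Constructed sample: a binary value and a text value that happens to
# look like base64. Only the '::' marker tells them apart.
SAMPLE = [("auditingPolicy", [b"\x00\x01"]), ("description", [b"AAE="])]

if __name__ == "__main__":
    for name, vals in SAMPLE:
        for out in ldif_attr_lines(name, vals):
            print(out)
```

With a single colon both sample values would print as "AAE=", and a consumer could not tell which one to decode.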
Comment 9 Felix Botner univentionstaff 2018-11-22 18:26:50 CET
fixed
Comment 10 Arvid Requate univentionstaff 2018-11-26 17:20:54 CET
Verified:

* univention-adsearch output is UTF-8 (verified by running "file" on it)
* decoding works: univention-adsearch | ldapsearch-wrapper | ldapsearch-decode64
* objectGUID is now displayed properly
* Advisory: Ok
Comment 11 Arvid Requate univentionstaff 2018-12-05 17:25:36 CET
<http://errata.software-univention.de/ucs/4.3/354.html>