Bug 48530 - In some cases LDAP ACLs are not active on DC backup and DC slave
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 major
Target Milestone: UCS 4.3-3-errata
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Jürn Brodersen
Depends on:
Blocks:
Reported: 2019-01-24 17:40 CET by Sönke Schwardt-Krummrich
Modified: 2019-03-07 15:08 CET (History)
CC: 6 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.640
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2019-01-24 17:40:27 CET
TL;DR:
When a DC Backup/DC Slave is joined for the first time, LDAP ACLs already registered in LDAP are ignored (not written to disk and therefore not included in the slapd). This leads to failed.ldifs at least in UCS@school environments and a possible information disclosure.

Scenario:
LDAP ACLs are registered and activated on the DC Master (here UCS@school-ACLs). If a DC Backup is now installed and joined into the domain for the first time, it ignores the LDAP ACL objects in LDAP. 

/var/log/univention/join.log:24.01.19 15:40:43.170  LISTENER    ( WARN    ) : initializing module ldap_extension
/var/log/univention/join.log:24.01.19 15:40:43.183  LISTENER    ( PROCESS ) : ldap_extension: ignore first appearance of cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.660  LISTENER    ( PROCESS ) : ldap_extension: ignore first appearance of cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.661  LISTENER    ( PROCESS ) : ldap_extension: ignore first appearance of cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.661  LISTENER    ( WARN    ) : finished initializing module ldap_extension with rv=0


The "not yet activated" is NOT correct, because the value "TRUE" is stored in the attribute "univentionLDAPACLActive" of the LDAP ACL objects. However, this is not specifically checked in the Listener module ldap_extension. Instead, LDAP ACL objects that have just been created (not old and new) are ignored. This also applies to LDAP ACL objects that were created and activated during a replication interruption!

LDAP schema objects are (contrary to first assumption) not affected by the problem.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2019-01-25 12:20:09 CET
DC backup/slave systems that have correct ACLs and are about to rejoin are not affected, because the ACL files created by the listener module are *not* removed during resync/initialisation of the listener module. In this case, this behaviour is very good and prevents more harm, but in some other corner cases this will produce other problems (DC backup is offline, ACLs get removed in LDAP, DC backup is rejoined → old ACLs are still active but should not be).
→ Bug 48533
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2019-01-25 13:28:35 CET
The defective query in the listener module ldap_extension was corrected. LDAP ACL objects that were newly created from the listener module's point of view and are already active are now handled and no longer ignored.
To avoid missing LDAP ACLs on the DC backup systems, the update to version 14.0.2-35 of univention-ldap-server triggers a resync of the listener module ldap_extension. A jitter of 15 seconds is used to prevent all LDAP servers from failing at the same time if the update is started simultaneously on the systems (e.g. via cron). The resync is not executed on DC Master and member server systems because the ACLs are either already active or are not used there.
In univention-ldap-server the versioned dependency was updated to python-univention-lib. The latter package contains the adapted code part of the listener module.

c8a47ddc38 Bug #48530: update advisories
7cd0a1cb5f Bug #48530: Merge branch 'sschwardt/48530/4.3/ldap_acl_registration' into 4.3-3
d15258ccf0 Bug #48530: add/update advisories
a399e31822 Bug #48530: add changelog entry
b222cb63f2 Bug #48530: resync listener module ldap_extension only during update
e35dc8ad9b Bug #48530: add dependency to fixed version of python-univention-lib
1373608548 Bug #48530: add changelog entry
d5c09115dd Bug #48530: only skip object if univentionLDAPACLActive is not "TRUE"

Package: univention-ldap
Version: 14.0.2-35A~4.3.0.201901251325
Branch: ucs_4.3-0
Scope: errata4.3-3

Package: univention-lib
Version: 7.0.0-21A~4.3.0.201901251325
Branch: ucs_4.3-0
Scope: errata4.3-3
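The skip decision described in the report (an ACL object that the listener sees for the first time, with no `old` entry, is treated as "not yet activated" regardless of `univentionLDAPACLActive`) and the correction summarised in Comment 2 (skip only when that attribute is not TRUE), as an added Python illustration. This is not code from UCS or from the python-univention-lib listener module: the python-ldap style entry layout, the names `skip_buggy`, `skip_fixed` and `run_handler`, the event replay, and the sample DNs under dc=example,dc=test are all constructed here, and the real module's file writing and other code paths are not reproduced.

```python
"""Added example modelling the ldap_extension skip rule before and after the fix.

Entries use the python-ldap convention (attribute name -> list of bytes).
The event replay stands in for the listener's initial sync on a freshly
joined DC Backup; it is a constructed stand-in, not the real listener API.
"""

ACTIVE_ATTR = "univentionLDAPACLActive"


def is_active(entry):
    """True when univentionLDAPACLActive is exactly TRUE (LDAP boolean syntax)."""
    return entry.get(ACTIVE_ATTR, []) == [b"TRUE"]


def skip_buggy(old, new):
    """Pre-fix rule as the report describes it: a first appearance (no 'old')
    is always skipped as 'not yet activated', whatever the active flag says."""
    return bool(new) and not old


def skip_fixed(old, new):
    """Corrected rule (commit 'only skip object if univentionLDAPACLActive is
    not TRUE'): a first appearance is skipped only when the object is inactive."""
    return bool(new) and not old and not is_active(new)


def run_handler(events, skip_rule):
    """Replay (dn, old, new) events through a listener-like handler.

    Returns (set of ACL DNs that would be written to disk, list of log lines).
    """
    written = set()
    log = []
    for dn, old, new in events:
        if not new:  # deletion: nothing to write (simplified for the example)
            written.discard(dn)
            continue
        if skip_rule(old, new):
            log.append("ignore first appearance of %s, not yet activated" % dn)
            continue
        flag = [v.decode() for v in new.get(ACTIVE_ATTR, [])]
        log.append("%s active? %r" % (dn, flag))
        if is_active(new):
            written.add(dn)
    return written, log


# Constructed events: what a newly joined DC Backup sees during listener
# initialisation. The ACL objects already exist and are active on the DC
# Master, but from the backup's point of view they are new (empty 'old').
BASE = "cn=ldapacl,cn=univention,dc=example,dc=test"
INITIAL_SYNC = [
    ("cn=65ucsschool,%s" % BASE, {},
     {"cn": [b"65ucsschool"], ACTIVE_ATTR: [b"TRUE"]}),
    ("cn=61ucsschool_presettings,%s" % BASE, {},
     {"cn": [b"61ucsschool_presettings"], ACTIVE_ATTR: [b"TRUE"]}),
    # A genuinely not-yet-activated ACL object: both rules must skip it.
    ("cn=99pending,%s" % BASE, {},
     {"cn": [b"99pending"], ACTIVE_ATTR: [b"FALSE"]}),
]


def compare():
    """Run the same initial sync under both rules and return the written sets."""
    buggy, _ = run_handler(INITIAL_SYNC, skip_buggy)
    fixed, _ = run_handler(INITIAL_SYNC, skip_fixed)
    return buggy, fixed


if __name__ == "__main__":
    buggy, fixed = compare()
    print("pre-fix  ACLs written:", sorted(buggy))  # empty: every object skipped
    print("post-fix ACLs written:", sorted(fixed))  # the two active ACLs only
```

The pre-fix rule writes nothing, which matches the "ignore first appearance ... not yet activated" lines in the join.log quoted in the description; the corrected rule logs the active flag it checked (as in Comment 4) and writes only the objects whose flag is TRUE, so an inactive object is still left alone.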
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2019-01-25 13:53:28 CET
merged to UCS 4.4:

Package: univention-ldap
Version: 15.0.0-5A~4.4.0.201901251351
Branch: ucs_4.4-0
Scope:

Package: univention-lib
Version: 8.0.0-3A~4.4.0.201901251351
Branch: ucs_4.4-0
Scope:

da972f95cd Bug #48530: add/update advisories
a92dcd9b9c Bug #48530: add changelog entry
515c43817d Bug #48530: resync listener module ldap_extension only during update
b113a3d110 Bug #48530: add dependency to fixed version of python-univention-lib
167de04450 Bug #48530: add changelog entry
8eaae40806 Bug #48530: only skip object if univentionLDAPACLActive is not "TRUE"
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2019-01-28 11:31:43 CET
Jenkins tests for UCS 4.3-3 look good. 
Tested update/rejoin on DC backup and DC slave:
25.01.19 09:55:31.937  LISTENER    ( WARN    ) : initializing module ldap_extension
25.01.19 09:55:32.908  LISTENER    ( PROCESS ) : ldap_extension: cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.411  LISTENER    ( PROCESS ) : ldap_extension: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.898  LISTENER    ( PROCESS ) : ldap_extension: cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:35.406  LISTENER    ( WARN    ) : finished initializing module ldap_extension with rv=0


→ RESOLVED
Comment 5 Jürn Brodersen univentionstaff 2019-02-05 13:56:24 CET
What I tested:
Updated package on master -> OK
Updated package on backup -> Installed acl on master -> OK
Installed acl on master -> Join Backup -> Updated package on backup -> OK
Install acl on master -> Updated package on UNJOINED backup -> join -> OK
Schoolslave -> OK (ACLs are installed after a read STOP acl, which is intended)
Rejoin schoolslave -> OK

YAML  -> OK
Merge to 4.4 -> OK