Univention Bugzilla – Bug 48530
In some cases LDAP ACLs are not active on DC backup and DC slave
Last modified: 2019-03-07 15:08:01 CET
TL;DR: When a DC Backup/DC Slave is joined for the first time, LDAP ACLs already registered in LDAP are ignored (not written to disk and therefore not included in the slapd). This leads to failed.ldifs at least in UCS@school environments and a possible information disclosure.

Scenario: LDAP ACLs are registered and activated on the DC Master (here UCS@school-ACLs). If a DC Backup is now installed and joined into the domain for the first time, it ignores the LDAP ACL objects in LDAP.

/var/log/univention/join.log:24.01.19 15:40:43.170 LISTENER ( WARN ) : initializing module ldap_extension
/var/log/univention/join.log:24.01.19 15:40:43.183 LISTENER ( PROCESS ) : ldap_extension: ignore first appearance of cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.660 LISTENER ( PROCESS ) : ldap_extension: ignore first appearance of cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.661 LISTENER ( PROCESS ) : ldap_extension: ignore first appearance of cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.661 LISTENER ( WARN ) : finished initializing module ldap_extension with rv=0

The "not yet activated" is NOT correct, because the value "TRUE" is stored in the attribute "univentionLDAPACLActive" of the LDAP ACL objects. However, this is not specifically checked in the Listener module ldap_extension. Instead, LDAP ACL objects that have just been created (new, but not old) are ignored. This also applies to LDAP ACL objects that were created and activated during a replication interruption! LDAP schema objects are (contrary to the first assumption) not affected by the problem.
DC backup/slave systems that have correct ACLs and are about to rejoin are not affected, because the ACL files created by the listener module are *not* removed during resync/initialisation of the listener module. In this case this behaviour is very good and prevents more harm, but in some other corner cases it will produce other problems (DC backup is offline, ACLs get removed in LDAP, DC backup is rejoined → old ACLs are still active but should not be). → Bug 48533
The defective query in the listener module ldap_extension was corrected. LDAP ACL objects that were newly created from the listener module's point of view and are already active are now handled and no longer ignored. To avoid missing LDAP ACLs on the DC backup systems, the update to version 14.0.2-35 of univention-ldap-server triggers a resync of the listener module ldap_extension. A jitter of 15 seconds is used to prevent all LDAP servers from failing at the same time if the update is started simultaneously on the systems (e.g. via cron). The resync is not executed on DC Master and member server systems because the ACLs are either already active or are not used there. In univention-ldap-server the versioned dependency on python-univention-lib was updated. The latter package contains the adapted code part of the listener module.

c8a47ddc38 Bug #48530: update advisories
7cd0a1cb5f Bug #48530: Merge branch 'sschwardt/48530/4.3/ldap_acl_registration' into 4.3-3
d15258ccf0 Bug #48530: add/update advisories
a399e31822 Bug #48530: add changelog entry
b222cb63f2 Bug #48530: resync listener module ldap_extension only during update
e35dc8ad9b Bug #48530: add dependency to fixed version of python-univention-lib
1373608548 Bug #48530: add changelog entry
d5c09115dd Bug #48530: only skip object if univentionLDAPACLActive is not "TRUE"

Package: univention-ldap
Version: 14.0.2-35A~4.3.0.201901251325
Branch: ucs_4.3-0
Scope: errata4.3-3

Package: univention-lib
Version: 7.0.0-21A~4.3.0.201901251325
Branch: ucs_4.3-0
Scope: errata4.3-3
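The decision the fix changes, modelled as an added example (this is not Univention's listener code): the UCS listener calls a module's handler with the object's attributes before (old) and after (new) a change, values as lists. The buggy variant treats every first appearance (new present, old empty) as "not yet activated"; the corrected variant skips an object only while univentionLDAPACLActive is not "TRUE", which is exactly the case of a first join or resync, where every object is a first appearance. The helper names, the attribute layout and the third sample object (cn=99notyetactive) are constructed for this example; the other two DNs are taken from the report.

```python
"""Skip-or-handle decision of the ldap_extension listener module for LDAP ACL
objects, before and after the Bug 48530 fix. Reconstructed for illustration;
the real module additionally writes the ACL file, runs slaptest and restarts
slapd, none of which is modelled here."""

ACTIVE_ATTR = "univentionLDAPACLActive"


def _first_value(obj, attr):
    """Return the first value of an attribute as str, or None if unset.
    Listener values may arrive as str or bytes depending on the UCS version."""
    values = obj.get(attr) or []
    if not values:
        return None
    value = values[0]
    return value.decode("utf-8") if isinstance(value, bytes) else value


def is_active(obj):
    """True when the ACL object has been activated on the DC Master."""
    return _first_value(obj, ACTIVE_ATTR) == "TRUE"


def should_skip_before_fix(new, old):
    """Buggy behaviour: a first appearance is ignored unconditionally, so an
    already active ACL object never reaches disk on a freshly joined backup."""
    if new and not old:
        return True, "ignore first appearance, not yet activated"
    if new and not is_active(new):
        return True, "ignore, not yet activated"
    return False, "handle"   # modification, or removal (new == {})


def should_skip_after_fix(new, old):
    """Corrected behaviour: only the activation flag decides. A first appearance
    of an active object (initial join, or creation while replication was
    interrupted) is handled like any other change."""
    if new and not is_active(new):
        return True, "ignore, not yet activated"
    return False, "handle"


def simulate_first_join(objects, fixed):
    """On a first join or listener resync every object arrives with old == {}.
    Return (DNs whose ACL would be written, DNs that would be dropped)."""
    decide = should_skip_after_fix if fixed else should_skip_before_fix
    written, dropped = [], []
    for dn, attrs in objects:
        skip, _reason = decide(attrs, {})
        (dropped if skip else written).append(dn)
    return written, dropped


# Constructed sample objects as the listener would pass them.
SAMPLE_OBJECTS = [
    ("cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local",
     {"cn": ["65ucsschool"], ACTIVE_ATTR: ["TRUE"]}),
    ("cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local",
     {"cn": ["61ucsschool_presettings"], ACTIVE_ATTR: [b"TRUE"]}),
    ("cn=99notyetactive,cn=ldapacl,cn=univention,dc=nstx,dc=local",   # constructed
     {"cn": ["99notyetactive"], ACTIVE_ATTR: ["FALSE"]}),
]

if __name__ == "__main__":
    for fixed in (False, True):
        written, dropped = simulate_first_join(SAMPLE_OBJECTS, fixed)
        print("fixed" if fixed else "buggy", "written:", written, "dropped:", dropped)
```

Run as-is, the buggy variant drops all three objects on a first join, the fixed variant writes the two active ones and still skips the inactive one; removals (new empty) are handled by both variants.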
merged to UCS 4.4:

Package: univention-ldap
Version: 15.0.0-5A~4.4.0.201901251351
Branch: ucs_4.4-0
Scope:

Package: univention-lib
Version: 8.0.0-3A~4.4.0.201901251351
Branch: ucs_4.4-0
Scope:

da972f95cd Bug #48530: add/update advisories
a92dcd9b9c Bug #48530: add changelog entry
515c43817d Bug #48530: resync listener module ldap_extension only during update
b113a3d110 Bug #48530: add dependency to fixed version of python-univention-lib
167de04450 Bug #48530: add changelog entry
8eaae40806 Bug #48530: only skip object if univentionLDAPACLActive is not "TRUE"
Jenkins tests for UCS 4.3-3 look good. Tested update/rejoin on DC backup and DC slave:

25.01.19 09:55:31.937 LISTENER ( WARN ) : initializing module ldap_extension
25.01.19 09:55:32.908 LISTENER ( PROCESS ) : ldap_extension: cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.411 LISTENER ( PROCESS ) : ldap_extension: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.898 LISTENER ( PROCESS ) : ldap_extension: cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:35.406 LISTENER ( WARN ) : finished initializing module ldap_extension with rv=0

→ RESOLVED
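A check for systems that may already be affected, added here as an example and not part of the bug report or of UCS: the two log formats quoted in this bug (the "ignore first appearance of ..., not yet activated" line of the unpatched module and the "... active? ['TRUE']" line of the fixed one) are distinctive enough to scan join.log or listener.log for ACL objects that were dropped on a first join and never handled afterwards. A non-empty result on a DC backup or slave means the ACLs named are not on disk and the resync triggered by the errata update is still outstanding. The sample log text is constructed from the lines quoted above; the regular expressions and function names are this example's own.

```python
import re

# Constructed excerpt: the lines the report quotes from join.log on an
# unpatched DC backup. The "/var/log/univention/join.log:" prefix from grep
# is kept on purpose; the scanner uses re.search so it works with or without it.
BEFORE_FIX_LOG = """\
/var/log/univention/join.log:24.01.19 15:40:43.170 LISTENER ( WARN ) : initializing module ldap_extension
/var/log/univention/join.log:24.01.19 15:40:43.183 LISTENER ( PROCESS ) : ldap_extension: ignore first appearance of cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.660 LISTENER ( PROCESS ) : ldap_extension: ignore first appearance of cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.661 LISTENER ( PROCESS ) : ldap_extension: ignore first appearance of cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local, not yet activated
/var/log/univention/join.log:24.01.19 15:40:45.661 LISTENER ( WARN ) : finished initializing module ldap_extension with rv=0
"""

# Constructed excerpt: the same join after the fix, as quoted in the report.
AFTER_FIX_LOG = """\
25.01.19 09:55:31.937 LISTENER ( WARN ) : initializing module ldap_extension
25.01.19 09:55:32.908 LISTENER ( PROCESS ) : ldap_extension: cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.411 LISTENER ( PROCESS ) : ldap_extension: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.898 LISTENER ( PROCESS ) : ldap_extension: cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:35.406 LISTENER ( WARN ) : finished initializing module ldap_extension with rv=0
"""

# Unpatched module: the DN sits between the fixed prefix and ", not yet activated".
IGNORED_RE = re.compile(
    r"ldap_extension: ignore first appearance of (?P<dn>.+?), not yet activated\s*$")
# Fixed module: the DN is followed by the activation flag it read from LDAP.
HANDLED_RE = re.compile(
    r"ldap_extension: (?P<dn>cn=\S+) active\? \['TRUE'\]\s*$")


def scan_join_log(text):
    """Collect ACL object DNs that were ignored on first appearance and DNs
    that the fixed module reported as active and handled."""
    ignored, handled = [], []
    for line in text.splitlines():
        match = IGNORED_RE.search(line)
        if match:
            ignored.append(match.group("dn"))
            continue
        match = HANDLED_RE.search(line)
        if match:
            handled.append(match.group("dn"))
    return {"ignored": ignored, "handled": handled}


def missing_acls(text):
    """DNs ignored on first appearance and not handled later in the same log,
    in order of first occurrence and without duplicates. Each entry is an ACL
    that the listener never wrote to disk on this system."""
    result = scan_join_log(text)
    handled = set(result["handled"])
    missing = []
    for dn in result["ignored"]:
        if dn not in handled and dn not in missing:
            missing.append(dn)
    return missing


if __name__ == "__main__":
    # On a real system read /var/log/univention/join.log instead of the sample.
    print("before fix:", missing_acls(BEFORE_FIX_LOG))
    print("after fix: ", missing_acls(AFTER_FIX_LOG))
```

Concatenating the log before and after the update (or the join.log of a rejoined system) gives an empty result once every previously ignored DN shows up as handled, which is the same condition the "active? ['TRUE']" lines above demonstrate.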
What I tested:
Updated package on master -> OK
Updated package on backup -> Installed acl on master -> OK
Installed acl on master -> Join Backup -> Updated package on backup -> OK
Install acl on master -> Updated package on UNJOINED backup -> join -> OK
Schoolslave -> OK (ACLs are installed after a read STOP acl, which is intended)
Rejoin schoolslave -> OK
YAML -> OK
Merge to 4.4 -> OK
<http://errata.software-univention.de/ucs/4.3/424.html>
<http://errata.software-univention.de/ucs/4.3/426.html>