Bug 48533 - LDAP registered ACL files are not removed during univention-join/resync of listener module
Summary: LDAP registered ACL files are not removed during univention-join/resync of li...
Status: RESOLVED WONTFIX
Alias: None
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.4
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-25 12:19 CET by Sönke Schwardt-Krummrich
Modified: 2025-02-05 09:28 CET (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2019-01-25 12:19:54 CET 
When analysing bug 48530 I noticed that the listener module ldap_extension.py does not remove existing LDAP ACL files previously written to disk if a resync of the listener module has been triggered (e.g. during a rejoin).

If LDAP ACLs are removed from the LDAP while the listener of the DC Backup/DC Slave is not replicating and a rejoin is performed, the old ACLs remain active.

This could lead to failed.ldifs, information disclosure and other bizarre problems.
Comment 1 Jan-Luca Kiok univentionstaff 2025-02-05 09:28:44 CET 
This issue has been filed against UCS 4.4.

UCS 4.4 is out of maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide information on how this issue is affecting you.