Bug 48943 - Could not get groups for u'Administrator': ldapError: Insufficient access
Could not get groups for u'Administrator': ldapError: Insufficient access
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Portal
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.4-0-errata
Assigned To: Florian Best
Johannes Keiser
:
Depends on:
Blocks: 48990
  Show dependency treegraph
 
Reported: 2019-03-11 10:14 CET by Florian Best
Modified: 2019-03-27 13:29 CET (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2019030521000572, 2019031321000959
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2019-03-11 10:14:44 CET
In a school environment the following traceback happens when accessing the portal:

08.03.19 13:10:07.792 MAIN ( ERROR ) : Could not get groups for u'Administrator': Traceback (most recent call last):
File "/usr/sbin/univention-management-console-web-server", line 380, in get_user_groups
user_dn = lo.searchDn(ldap.filter.filter_format('(&(uid=%s)(objectClass=person))', (self.username,)))[0]
File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 750, in searchDn
raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Afaik this happens on a DC Master. Memberoverlay is activated.
Is something wrong with the LDAP ACL's for DC's in UCS@school?
Comment 1 Florian Best univentionstaff 2019-03-11 10:20:04 CET
This causes that the entries on the portal are not correctly displayed/filtered.

Afaics, we can remove this code completely because in UCS 4.4 there is a service which does the filtering instead of the javascript frontend.
Comment 2 Florian Best univentionstaff 2019-03-11 10:28:21 CET
Patch for code removal in branch fbest/48943-portal-user-groups-filtering.
Comment 3 Florian Best univentionstaff 2019-03-13 13:50:58 CET
From the server logs I can see a server password change:

Starting server password change (Sat Mar  2 01:00:11 CET 2019)
Proceeding with regular server password change scheduled for today

From the logs I can also see that since then no UMC-Webserver restart was made, which would have fixed the problem.

Grrr…
I added extra for this univention.management.console.ldap but again the univention.admin.uldap.getMachineConnection was used during implementation.
Comment 4 Christina Scheinig univentionstaff 2019-03-13 16:09:24 CET
The web-server restart fixed the problem.
Comment 5 Florian Best univentionstaff 2019-03-14 08:04:58 CET
univention-portal (3.0.1-21)
cd54e7195cf4 | Bug #48943: remove obsolete code

univention-management-console (11.0.4-6)
cd54e7195cf4 | Bug #48943: remove obsolete code
Comment 6 Christina Scheinig univentionstaff 2019-03-14 10:40:51 CET
(In reply to Florian Best from comment #3)
> From the server logs I can see a server password change:
> 
> Starting server password change (Sat Mar  2 01:00:11 CET 2019)
> Proceeding with regular server password change scheduled for today
> 
> From the logs I can also see that since then no UMC-Webserver restart was
> made, which would have fixed the problem.
> 
> Grrr…
> I added extra for this univention.management.console.ldap but again the
> univention.admin.uldap.getMachineConnection was used during implementation.

So does this mean, the problem will happen again after a server password change?
Comment 7 Florian Best univentionstaff 2019-03-14 10:41:50 CET
(In reply to Christina Scheinig from comment #6)
> So does this mean, the problem will happen again after a server password
> change?
Yes!
Comment 8 Christina Scheinig univentionstaff 2019-03-14 12:27:06 CET
(In reply to Florian Best from comment #7)
> (In reply to Christina Scheinig from comment #6)
> > So does this mean, the problem will happen again after a server password
> > change?
> Yes!

Do we have an other Bug for this problem? Otherwise we would need a fix for 4.3-3, too
A customer already asked
Comment 9 Johannes Keiser univentionstaff 2019-03-14 18:37:37 CET
OK: removed code was not used
OK: portal entries still filtered due to portal server
OK: YAML
-> verified