Univention Bugzilla – Bug 48984
LDAP-ACLs deny access for Memberservers stored in a different container than cn=memberserver,cn=computers
Last modified: 2023-12-22 16:09:04 CET
How to reproduce: Create a new container underneath cn=computers and move the memberserver there. Set the UCR variable ldap/hostdn='cn=member,cn=memberserver2,cn=computers,dc=schein,dc=ig'. After that, it is not possible to install an app via the App Center; as the tracebacks below show, the LDAP add performed while registering the app is rejected with permissionDenied:
Interner Server-Fehler in "appcenter/docker/remote/progress".
Request: appcenter/docker/remote/progress

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/appcenter/__init__.py", line 371, in remote_progress
    return client.umc_command('appcenter/docker/progress', {'progress_id': remote_progress_id}).result
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 435, in umc_command
    return self.request('POST', 'command/%s' % (path,), data, headers)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 515, in request
    return self.send(request)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 544, in send
    raise HTTPError(request, response, self.hostname)
HTTPError: 591 on member (command/appcenter/docker/progress): {"status": 591, "message": "Interner Server-Fehler in \"appcenter/docker/progress\".", "traceback": "Interner Server-Fehler in \"appcenter/docker/progress\".\nRequest: appcenter/docker/progress\n\nTraceback 
(most recent call last):\n File \"/usr/lib/pymodules/python2.7/univention/management/console/base.py\", line 253, in execute\n function.__func__(self, request, *args, **kwargs)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 318, in _response\n result = _multi_response(self, request)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n return function(self, request)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 440, in _response\n return list(function(self, iterator, *nones))\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 286, in _fake_func\n yield function(self, *args)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/mixins.py\", line 149, in progress\n ret = progress_obj.poll()\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 309, in _thread\n result = _multi_response(self, request)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n return function(self, request)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 440, in _response\n return list(function(self, iterator, *nones))\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 286, in _fake_func\n yield function(self, *args)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/appcenter/__init__.py\", line 431, in invoke_docker\n result['success'] = action.call(app=app, username=self.username, password=self.password, **kwargs)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py\", line 220, in call\n return obj.call_with_namespace(namespace)\n File 
\"/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py\", line 226, in call_with_namespace\n result = self.main(namespace)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py\", line 73, in main\n return self.do_it(args)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/install_base.py\", line 109, in do_it\n self._do_it(app, args)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_install.py\", line 63, in _do_it\n ret = super(Install, self)._do_it(app, args)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py\", line 84, in _do_it\n self._register_app(app, args)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/actions/register.py\", line 418, in _register_app\n ldap_object = get_app_ldap_object(app, lo, pos, or_create=True)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 278, in get_app_ldap_object\n return ApplicationLDAPObject(app, lo, pos, or_create)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 178, in __init__\n self._reload(app, create_if_not_exists)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 193, in _reload\n self._create_obj(app)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 229, in _create_obj\n obj = create_object_if_not_exists('appcenter/app', self._lo, self._pos, **attrs)\n File \"/usr/lib/pymodules/python2.7/univention/appcenter/udm.py\", line 101, in create_object_if_not_exists\n obj.create()\n File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 539, in create\n dn = self._create(response=response, serverctrls=serverctrls)\n File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 1178, in _create\n self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)\n File \"/usr/lib/pymodules/python2.7/univention/admin/uldap.py\", line 787, in add\n raise 
univention.admin.uexceptions.permissionDenied\npermissionDenied", "location": "https://member/univention/command"} or via univention-app install guacamole Going to install Guacamole (0.9.13-univention14) Password for Administrator: Creating data directories for guacamole... Copying /var/cache/univention-appcenter/appcenter.software-univention.de/4.3/guacamole_20180525181438.schema Registering UCR for guacamole Marking guacamole=0.9.13-univention14 as installed File: /etc/univention/service.info/services/univention-appcenter.cfg File: /usr/share/univention-portal/apps.json Setting ports for apache proxy Multifile: /etc/apache2/sites-available/000-default.conf Multifile: /etc/apache2/sites-available/default-ssl.conf Going to remove Guacamole (0.9.13-univention14) No hostdn for guacamole found. Nothing to remove Configuring guacamole=0.9.13-univention14 File: /etc/univention/service.info/services/univention-appcenter.cfg Multifile: /etc/apache2/sites-available/000-default.conf Multifile: /etc/apache2/sites-available/default-ssl.conf File: /usr/share/univention-portal/apps.json Reloading apache2 configuration (via systemctl): apache2.service. 
Search LDAP binddn done Running 03univention-directory-listener.inst skipped (already executed) Running 04univention-ldap-client.inst skipped (already executed) Running 08univention-apache.inst skipped (already executed) Running 11univention-pam.inst skipped (already executed) Running 18python-univention-directory-manager.inst skipped (already executed) Running 20univention-directory-policy.inst skipped (already executed) Running 20univention-join.inst skipped (already executed) Running 26univention-nagios-common.inst skipped (already executed) Running 30univention-appcenter.inst skipped (already executed) Running 30univention-nagios-client.inst skipped (already executed) Running 33univention-portal.inst skipped (already executed) Running 34univention-management-console-server.inst skipped (already executed) Running 35univention-appcenter-docker.inst skipped (already executed) Running 35univention-management-console-module-appcenter.inst skipped (already executed) Running 35univention-management-console-module-diagnostic.inst skipped (already executed) Running 35univention-management-console-module-join.inst skipped (already executed) Running 35univention-management-console-module-lib.inst skipped (already executed) Running 35univention-management-console-module-mrtg.inst skipped (already executed) Running 35univention-management-console-module-quota.inst skipped (already executed) Running 35univention-management-console-module-reboot.inst skipped (already executed) Running 35univention-management-console-module-services.inst skipped (already executed) Running 35univention-management-console-module-setup.inst skipped (already executed) Running 35univention-management-console-module-sysinfo.inst skipped (already executed) Running 35univention-management-console-module-top.inst skipped (already executed) Running 35univention-management-console-module-ucr.inst skipped (already executed) Running 35univention-management-console-module-updater.inst skipped (already 
executed) Running 36univention-management-console-module-apps.inst skipped (already executed) Running 81univention-nfs-server.inst skipped (already executed) Running 92univention-management-console-web-server.inst skipped (already executed) Running 98univention-pkgdb-tools.inst skipped (already executed) Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace result = self.main(namespace) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 73, in main return self.do_it(args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install_base.py", line 109, in do_it self._do_it(app, args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_install.py", line 63, in _do_it ret = super(Install, self)._do_it(app, args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 84, in _do_it self._register_app(app, args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/register.py", line 418, in _register_app ldap_object = get_app_ldap_object(app, lo, pos, or_create=True) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 278, in get_app_ldap_object return ApplicationLDAPObject(app, lo, pos, or_create) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 178, in __init__ self._reload(app, create_if_not_exists) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 193, in _reload self._create_obj(app) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 229, in _create_obj obj = create_object_if_not_exists('appcenter/app', self._lo, self._pos, **attrs) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 101, in create_object_if_not_exists obj.create() File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 539, in create dn = self._create(response=response, 
serverctrls=serverctrls) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1178, in _create self.lo.add(self.dn, al, serverctrls=serverctrls, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 787, in add raise univention.admin.uexceptions.permissionDenied permissionDenied Traceback (most recent call last): File "/usr/bin/univention-app", line 91, in <module> main() File "/usr/bin/univention-app", line 78, in main ret = args.func(args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace result = self.main(namespace) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 73, in main return self.do_it(args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install_base.py", line 109, in do_it self._do_it(app, args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_install.py", line 63, in _do_it ret = super(Install, self)._do_it(app, args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/install.py", line 84, in _do_it self._register_app(app, args) File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/register.py", line 418, in _register_app ldap_object = get_app_ldap_object(app, lo, pos, or_create=True) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 278, in get_app_ldap_object return ApplicationLDAPObject(app, lo, pos, or_create) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 178, in __init__ self._reload(app, create_if_not_exists) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 193, in _reload self._create_obj(app) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 229, in _create_obj obj = create_object_if_not_exists('appcenter/app', self._lo, self._pos, **attrs) File "/usr/lib/pymodules/python2.7/univention/appcenter/udm.py", line 101, in create_object_if_not_exists 
obj.create() File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 539, in create dn = self._create(response=response, serverctrls=serverctrls) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1178, in _create self.lo.add(self.dn, al, serverctrls=serverctrls, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 787, in add raise univention.admin.uexceptions.permissionDenied univention.admin.uexceptions.permissionDenied
I raised the "affected feeling" value, because customers cannot install apps on such servers. The problem still occurs with UCS 4.4.
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Still relevant
Another customer affected 2023101221000181 UCS: 5.0-5 errata838 while installing the app "samba-memberserver" Traceback (most recent call last): File "/usr/bin/univention-app", line 101, in <module> main() File "/usr/bin/univention-app", line 88, in main ret = action(args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/__init__.py", line 194, in call_with_namespace result = self.main(namespace) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install.py", line 94, in main return self.do_it(args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install_base.py", line 171, in do_it success = self.do_it_once(app, args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install.py", line 210, in do_it_once return super(Install, self).do_it_once(app, args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install_base.py", line 216, in do_it_once self._do_it(app, args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/docker_install.py", line 74, in _do_it ret = super(Install, self)._do_it(app, args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install.py", line 117, in _do_it self._register_app(app, args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/register.py", line 444, in _register_app ldap_object = get_app_ldap_object(app, lo, pos, or_create=True) File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 274, in get_app_ldap_object return ApplicationLDAPObject(app, lo, pos, or_create) File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 180, in __init__ self._reload(app, create_if_not_exists) File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 196, in _reload self._create_obj(app) File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 199, in _create_obj create_recursive_container(self._container, self._lo, self._pos) File 
"/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 286, in create_recursive_container create_object_if_not_exists(module, lo, pos, name=name) File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 102, in create_object_if_not_exists obj.create() File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 557, in create dn = self._create(response=response, serverctrls=serverctrls) File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1304, in _create six.reraise(exc[0], exc[1], exc[2]) File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1286, in _create self.lo.add(self.dn, al, serverctrls=serverctrls, response=response) File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 767, in add raise univention.admin.uexceptions.permissionDenied() univention.admin.uexceptions.permissionDenied: Zugriff verweigert.
Another customer affected 2023122221000149 UCS: 5.0-6 errata904 During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/univention/appcenter/actions/__init__.py", line 194, in call_with_namespace result = self.main(namespace) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install.py", line 94, in main return self.do_it(args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install_base.py", line 171, in do_it success = self.do_it_once(app, args) File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install.py", line 210, in do_it_once return super(Install, self).do_it_once(app, args) | File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install_base.py", line 216, in do_it_once | self._do_it(app, args) | File "/usr/lib/python3/dist-packages/univention/appcenter/actions/docker_install.py", line 74, in _do_it | ret = super(Install, self)._do_it(app, args) | File "/usr/lib/python3/dist-packages/univention/appcenter/actions/install.py", line 117, in _do_it | self._register_app(app, args) | File "/usr/lib/python3/dist-packages/univention/appcenter/actions/register.py", line 444, in _register_app | ldap_object = get_app_ldap_object(app, lo, pos, or_create=True) | File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 274, in get_app_ldap_object | return ApplicationLDAPObject(app, lo, pos, or_create) | File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 180, in __init__ | self._reload(app, create_if_not_exists) | File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 196, in _reload | self._create_obj(app) | File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 225, in _create_obj | obj = create_object_if_not_exists('appcenter/app', self._lo, self._pos, **attrs) | File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 102, in 
create_object_if_not_exists | obj.create() | File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 557, in create | dn = self._create(response=response, serverctrls=serverctrls) | File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1304, in _create | six.reraise(exc[0], exc[1], exc[2]) | File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise | raise value | File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1286, in _create | self.lo.add(self.dn, al, serverctrls=serverctrls, response=response) | File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 767, in add | raise univention.admin.uexceptions.permissionDenied() | univention.admin.uexceptions.permissionDenied: Zugriff verweigert.