Bug 48990 - 4.3: Could not get groups for u'Administrator': ldapError: Insufficient access
4.3: Could not get groups for u'Administrator': ldapError: Insufficient access
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Portal
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-3-errata
Assigned To: Florian Best
Dirk Wiesenthal
:
Depends on: 48943
Blocks:
  Show dependency treegraph
 
Reported: 2019-03-14 12:34 CET by Florian Best
Modified: 2019-04-10 14:35 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Ticket number: 2019030521000572, 2019031321000959, 2019032021000258
Bug group (optional): Error handling, External feedback, Workaround is available
Max CVSS v3 score:
best: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2019-03-14 12:34:22 CET
Bug for UCS 4.3:

+++ This bug was initially created as a clone of Bug #48943 +++

In a school environment the following traceback happens when accessing the portal:

08.03.19 13:10:07.792 MAIN ( ERROR ) : Could not get groups for u'Administrator': Traceback (most recent call last):
File "/usr/sbin/univention-management-console-web-server", line 380, in get_user_groups
user_dn = lo.searchDn(ldap.filter.filter_format('(&(uid=%s)(objectClass=person))', (self.username,)))[0]
File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 750, in searchDn
raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Afaik this happens on a DC Master. Memberoverlay is activated.
Is something wrong with the LDAP ACL's for DC's in UCS@school?
Comment 1 Florian Best univentionstaff 2019-03-20 09:35:34 CET
See also Bug #49011 for an adjustment of server-password-change, that it does a UMC-reload (which would be capable then to re-establish the LDAP connection with the new credentials).
But I think this is not necessary if we change from univention.admin.uldap to univention.management.console.ldap.
Comment 2 Christina Scheinig univentionstaff 2019-03-28 19:32:25 CET
Two of the customer already asked for the fix.
Comment 3 Florian Best univentionstaff 2019-03-29 08:13:40 CET
I created a untested patch in fbest/48990-fix-reloading-machine-connection:
https://github.com/univention/univention-corporate-server/commit/7047dd45f697e21702cc90d09a33043243af9bb8
Comment 4 Florian Best univentionstaff 2019-04-02 08:29:06 CEST
Ok, the patch works.
It uses the univention.managment.console.ldap with write=False to connect to the local ldap server.

I applied the patch with one additional change: The LDAP credential cache is now also reset on a "service univention-management-console-web-server reload".

univention-management-console (10.0.6-21)
1aa4a2b45f5b | Bug #48990: Merge branch 'fbest/48990-fix-reloading-machine-connection' into 4.3-3

univention-management-console.yaml
1aa4a2b45f5b | Bug #48990: Merge branch 'fbest/48990-fix-reloading-machine-connection' into 4.3-3
Comment 5 Dirk Wiesenthal univentionstaff 2019-04-09 15:58:49 CEST
OK, works as expected.
Comment 6 Erik Damrose univentionstaff 2019-04-10 14:35:29 CEST
<http://errata.software-univention.de/ucs/4.3/475.html>