Bug 49041 - Cannot use wildcards in ignorelist because they get escaped in mapping.py
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 5.0
All Linux
Importance: P4 normal
Assigned To: Samba maintainers
Depends on: 11658
Reported: 2019-03-19 15:58 CET by Arvid Requate
Modified: 2021-03-02 21:16 CET
What kind of report is it?: Feature Request
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
best: Patch_Available+


Description Arvid Requate univentionstaff 2019-03-19 15:58:54 CET
In a customer scenario there is the requirement that the AD-Connector doesn't synchronize any groups that start with some common prefix. Now you would guess that this can be done simply by setting a wildcard filter like:

ucr set connector/s4/mapping/user/ignorelist="root,ucs-s4sync,gues*"

But since Bug #11658 has been fixed, this is not possible any longer, because it results in this ignore list in the mapping.py:

ignore_filter='(|(uid=root)(CN=root)(uid=ucs-s4sync)(CN=ucs-s4sync)(uid=gues\\2a)(CN=gues\\2a))',


IMHO we shouldn't escape the values of this variable.


+++ This bug was initially created as a clone of Bug #11658 +++
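
The escaping behaviour described in the report above, next to a variant that keeps `*` as a substring wildcard, as an added example (not the connector's code). The function names and the `allow_wildcards` switch are hypothetical, and the wildcard-only check is an assumption about what a deployment would want.

```python
# Added example; all names here are hypothetical, not the connector's API.
# RFC 4515 characters that must be escaped inside a filter assertion value
# ('*' is handled separately so it can optionally stay a wildcard).
_ESCAPES = {'\\': r'\5c', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_keep_wildcard(value):
    """Escape filter metacharacters but leave '*' as a substring wildcard."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def escape_all(value):
    """Full escaping: '*' is matched as a literal asterisk (backslash 2a)."""
    return escape_keep_wildcard(value).replace('*', r'\2a')


def build_ignore_filter(attrs, ignorelist, allow_wildcards=True):
    """Return '(|(attr=value)...)' for a comma-separated ignore list."""
    escape = escape_keep_wildcard if allow_wildcards else escape_all
    parts = []
    for raw in ignorelist.split(','):
        if not raw:
            continue
        if allow_wildcards and not raw.strip('*'):
            # A value of only '*' becomes a presence filter that matches
            # every object carrying the attribute, so refuse it.
            raise ValueError('wildcard-only ignore entry: %r' % raw)
        parts.extend('(%s=%s)' % (attr, escape(raw)) for attr in attrs)
    return '(|%s)' % ''.join(parts) if parts else ''
```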
Comment 1 Arvid Requate univentionstaff 2019-03-19 16:30:35 CET
If people want to ignore stuff like "group()group", it's their job to escape them properly (group\\28\\29group).
Comment 2 Florian Best univentionstaff 2021-03-02 21:16:12 CET
(In reply to Arvid Requate from comment #1)
> If people want to ignore stuff like "group()group", it's their job to escape
> them properly (group\\28\\29group).
I disagree: Administrators should not know anything about escaping because it's an implementation detail. If we would use the UCR variable also for comparing values it would fail with escaped values.

Instead we should explicitly allow wildcards by not escaping them.
A patch which does this is:

diff --git services/univention-ad-connector/modules/univention/connector/ad/mapping.py services/univention-ad-connector/modules/univention/connector/ad/mapping.py
index 120ae02917..a6e061474e 100644
--- services/univention-ad-connector/modules/univention/connector/ad/mapping.py
+++ services/univention-ad-connector/modules/univention/connector/ad/mapping.py
@@ -49,11 +49,11 @@ def ignore_filter_from_tmpl(template, ucr_key, default=''):
 
        >>> ignore_filter_from_tmpl('(cn={0!e})',
        ... 'connector/ad/mapping/nonexistend/ignorelist',
-       ... 'one,two,three')
-       '(|(cn=one)(cn=two)(cn=three))'
+       ... 'one,two,th(r)ee*')
+       '(|(cn=one)(cn=two)(cn=th\\28r\\29ee*))'
        """
        variables = [v for v in configRegistry.get(ucr_key, default).split(',') if v]
-       filter_parts = [format_escaped(template, v) for v in variables]
+       filter_parts = [format_escaped(template, v).replace('\\2a', '*') for v in variables]
        if filter_parts:
                return '(|{})'.format(''.join(filter_parts))
        return ''
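
Review bot: the .replace('\\2a', '*') on the filter_parts line runs over the whole formatted string, so every asterisk in a UCR value becomes a wildcard and there is no longer any way to ignore an object whose name contains a literal '*'; it would also rewrite a \2a that comes from the template text rather than from the value. An entry consisting only of '*' now yields (cn=*), which matches every object that has the attribute, so consider rejecting or at least logging wildcard-only entries before they reach the ignore filter. The doctest covers a trailing wildcard only; adding a case with a leading or embedded '*' and a note in the docstring that '*' is deliberately left unescaped would document the intended behaviour.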