Bug 50474 - 'CR/LF' in CN breaks Replication
Status: NEW
Product: UCS
Classification: Unclassified
Component: Notifier (univention-directory-notifier)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Duplicates: 51826
Reported: 2019-11-08 12:42 CET by Nico Stöckigt
Modified: 2021-07-05 13:07 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?: Yes
Ticket number: 2019110821000613
Bug group (optional): Security


Description Nico Stöckigt univentionstaff 2019-11-08 12:42:45 CET
Environment: UCS 4.4-2 e333 with ad-connector

A 'CR/LF' in the 'CN' of an Object causes the Listener/Notifier-Replication to stall due to an invalid Translog/Transaction entry. The ad-connector should reject such values.
Comment 1 Ingo Steuwer univentionstaff 2019-11-18 16:02:26 CET
As linebreak characters follow the LDAP standards the replication has to support them. This needs to be fixed in listener/notifier.
Comment 2 Florian Best univentionstaff 2019-12-02 17:23:50 CET
This probably only happens for objects where the CN is part of the DN?
So a newline-carriagereturn in the DN causes the error?
Comment 4 Sven Anders 2019-12-03 08:24:59 CET
Yes, it was in the DN. In our case, it was an object in

cn=temporary,cn=univention,dc=domain,dc=de

Sorry, I do not remember which one. And we did not notice it in our ticket.
Comment 5 Florian Best univentionstaff 2020-08-17 14:11:47 CEST
*** Bug 51826 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2020-08-25 19:04:13 CEST
Maybe we can write the DN as base64 into /var/lib/univention-ldap/notify/transaction.
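
Added illustration, not part of the bug thread and not Univention code: a line-oriented transaction log written with a raw DN containing CR/LF, next to the base64 variant proposed in comment 6. The record layout `<id> <dn> <command>`, the command letters and the sample DNs are assumptions constructed for this sketch.

```python
import base64

# Assumed record layout for illustration: "<id> <dn> <command>", one per line.
# A simplified stand-in, not the notifier's real on-disk format.
COMMANDS = {"a", "m", "d", "r"}  # assumed command letters

# Constructed sample entries; entry 2 carries CR/LF inside the CN of its DN.
ENTRIES = [
    (1, "cn=alice,cn=users,dc=domain,dc=de", "a"),
    (2, "cn=foo\r\nbar,cn=temporary,cn=univention,dc=domain,dc=de", "m"),
    (3, "cn=bob,cn=users,dc=domain,dc=de", "m"),
]

def write_raw(entries):
    """Serialize with the DN written verbatim (the failing case)."""
    return "".join(f"{tid} {dn} {cmd}\n" for tid, dn, cmd in entries)

def write_b64(entries):
    """Serialize with the DN base64-encoded, so it cannot contain LF or space."""
    return "".join(
        f"{tid} {base64.b64encode(dn.encode('utf-8')).decode('ascii')} {cmd}\n"
        for tid, dn, cmd in entries
    )

def parse(text, b64=False):
    """Parse line by line; return (records, rejected_lines)."""
    records, rejected = [], []
    for line in text.split("\n"):
        if not line:
            continue
        tid, _, rest = line.partition(" ")   # id is the first field
        dn, _, cmd = rest.rpartition(" ")    # command is the last field
        if not tid.isdigit() or not dn or cmd not in COMMANDS:
            rejected.append(line)            # invalid entry: a reader stalls here
            continue
        if b64:
            dn = base64.b64decode(dn, validate=True).decode("utf-8")
        records.append((int(tid), dn, cmd))
    return records, rejected

if __name__ == "__main__":
    for label, text, flag in (("raw", write_raw(ENTRIES), False),
                              ("base64", write_b64(ENTRIES), True)):
        recs, bad = parse(text, b64=flag)
        print(f"{label}: {len(recs)} records parsed, {len(bad)} invalid lines")
        for line in bad:
            print("  invalid:", repr(line))
```

With the raw DN, transaction 2 is split into two lines that both fail validation and the change is lost to the reader; with base64 all three entries round-trip, including the embedded CR/LF.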