Univention Bugzilla – Bug 53044
Group membership validation should be case-insensitive
Last modified: 2021-07-01 12:26:48 CEST
The validation code in the ucsschool.lib checks the group membership for users. It calculates the expected group name from the schools the user is a member of. Then it checks the user's group membership. It does not, however, do that case-insensitively.

A customer with old OUs found the problem: https://help.univention.com/t/fehler-beim-ucs-school-consistency-check/17638

All DN comparisons must be case-insensitive.
I implemented a fix in

[twenzel/4.4/53044_case_insensitive_validation] ca9b7e227 Bug #53044: make validation case insensitive (part 2)
[twenzel/4.4/53044_case_insensitive_validation] 516fc5fce Bug #53044: make validation case insensitive (part 1)

with new tests.

Since the consistency script and the school object validation, which is executed when creating/modifying/listing school objects, do not share the code, this had to be modified in consistency.py & validation.py.

Remark: Since the validation of groups, roles (& schools) is case insensitive, the logging e.g. in /var/log/univention/management-console-module-schoolwizards.log will be, too.
Please (manually) build an environment like the customer in the above forum post has and check that there are no errors.
→ Uppercase OU name
→ Rename Domain Users $OU group to have a lower case OU-part.

The 'ucsschoolRole' attribute is case-insensitive. Please adapt the validation code to ignore the case in comparisons.
As discussed, this has already been implemented and tested as requested in comment 2 → resolve
QA suggestions were implemented in

[twenzel/4.4/53044_case_insensitive_validation] 931851b95 fixup! fixup! Bug #53044: make validation case insensitive (part 1)
[twenzel/4.4/53044_case_insensitive_validation] 728f1b4a0 fixup! fixup! Bug #53044: make validation case insensitive (part 2)
[twenzel/4.4/53044_case_insensitive_validation] 7412e889e fixup! Bug #53044: make validation case insensitive (part 1)
[twenzel/4.4/53044_case_insensitive_validation] dff941cf8 fixup! Bug #53044: make validation case insensitive (part 2)

Tests were passing on my machine.
# /usr/share/ucs-school-import/scripts/create_ou TestOU01

# univention-ldapsearch -LLL uid=studentou1 ucsschoolSchool memberOf
dn: uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr
ucsschoolSchool: TestOU01
memberOf: cn=Domain Users TestOU01,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=TestOU01-Klasse1A,cn=klassen,cn=schueler,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=schueler-TestOU01,cn=groups,ou=TestOU01,dc=uni,dc=dtr

# rename groups

# univention-ldapsearch -LLL uid=studentou1 ucsschoolSchool memberOf
dn: uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr
ucsschoolSchool: TestOU01
memberOf: cn=Domain Users testou01,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=testou01-klasse1a,cn=klassen,cn=schueler,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=schueler-testou01,cn=groups,ou=TestOU01,dc=uni,dc=dtr

import logging
import univention.admin.uldap
from ucsschool.lib.models.users import Student
from ucsschool.lib.models.validator import validate

logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger()
lo, po = univention.admin.uldap.getAdminConnection()
user = Student.from_dn("uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr", "TestOU01", lo)
user_udm = user.get_udm_object(lo)

print(user_udm["school"])
['TestOU01']  # <== correct OU
validate(user_udm, logger)
# no error

user_udm["school"] = ["DEMOSCHOOL"]  # <== wrong OU
validate(user_udm, logger)
# lots of errors

user_udm["school"] = ["testou01"]  # <== lower case OU
validate(user_udm, logger)
# no error

----------------------------

# /usr/share/ucs-school-umc-diagnostic/scripts/ucs-school-object-consistency --user_dn uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr
# no error (expect unrelated ones, see bug #53211)
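The behaviour tested above, as an added example that is not code from ucsschool.lib: a stand-alone DN normalizer and membership check run over the post-rename `memberOf` values. The group naming pattern in `expected_groups` and the helper names are assumptions derived from the ldapsearch output in this comment.

```python
import re

def split_rdns(dn):
    """Split a DN on unescaped commas; backslash escapes stay with their RDN."""
    return re.findall(r"(?:\\.|[^,\\])+", dn)

def normalize_dn(dn):
    """Comparison form: folded case, trimmed, inner whitespace collapsed.
    Only valid for caseIgnoreMatch attributes such as cn, ou, dc and uid."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        value = " ".join(value.split()).casefold()
        parts.append("%s=%s" % (attr.strip().lower(), value))
    return ",".join(parts)

def expected_groups(schools, base="dc=uni,dc=dtr"):
    """Assumed naming pattern, taken from the memberOf output quoted above."""
    dns = []
    for ou in schools:
        dns.append("cn=Domain Users %s,cn=groups,ou=%s,%s" % (ou, ou, base))
        dns.append("cn=schueler-%s,cn=groups,ou=%s,%s" % (ou, ou, base))
    return dns

def missing_groups(schools, member_of, normalize=normalize_dn):
    """Return the expected group DNs the user is not a member of."""
    have = {normalize(dn) for dn in member_of}
    return [dn for dn in expected_groups(schools) if normalize(dn) not in have]

# Constructed sample: the memberOf values after the group rename shown above.
MEMBER_OF = [
    "cn=Domain Users testou01,cn=groups,ou=TestOU01,dc=uni,dc=dtr",
    "cn=testou01-klasse1a,cn=klassen,cn=schueler,cn=groups,ou=TestOU01,dc=uni,dc=dtr",
    "cn=schueler-testou01,cn=groups,ou=TestOU01,dc=uni,dc=dtr",
]

if __name__ == "__main__":
    # Byte-wise comparison (normalize=str) reproduces the false "missing groups".
    print("case-sensitive:", missing_groups(["TestOU01"], MEMBER_OF, normalize=str))
    print("normalized:    ", missing_groups(["TestOU01"], MEMBER_OF))
    # A genuinely wrong OU must still be reported after normalization.
    print("wrong OU:      ", missing_groups(["DEMOSCHOOL"], MEMBER_OF))
```

Normalizing both sides removes the false positives for `TestOU01` and `testou01` while the `DEMOSCHOOL` case still reports its missing groups.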
Please squash, merge, build, advisory.
Squashed, merged & built in

[4.4] 27781a43a Bug #53044: update advisory
[4.4] 348be00bc Bug #53044: add changelog & advisory
[4.4] 4df3b61e7 Bug #53044: make validation case insensitive

Package: ucs-school-lib
Version: 12.2.24A~4.4.0.202105041013
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-test-ucsschool
Version: 6.0.219A~4.4.0.202105041015
Branch: ucs_4.4-0
Scope: ucs-school-4.4
OK: merge and build
OK: tests succeed on single- and multi-master & replication node
    (Small improvement: [4.4 addca13af] Bug #53055: fix and improve test case id output)
OK: advisory
Errata updates for UCS@school 4.4 v9 have been released. https://docs.software-univention.de/changelog-ucsschool-4.4v9-de.html If this error occurs again, please clone this bug.
QA:

- udm users/user modify --dn "uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=baach-multi,dc=intranet" --set ucsschoolRole="student:school:demoschool"
- rename group in UMC: Domain Users DEMOSCHOOL -> Domain Users demoschool
- GET in kelvin on demo_student
- Errors in /var/log/univention/ucsschool-kelvin-rest-api/http.log:

    2021-06-28 11:00:46 ERROR d4ce64d9-ba5a-420f-bc1e-1c8bc84e15db UCS@school Object uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=baach-multi,dc=intranet with options {'ucsschoolAdministrator': False, 'ucsschoolExam': False, 'ucsschoolTeacher': False, 'ucsschoolStudent': True, 'ucsschoolStaff': False, 'pki': False} has validation errors:
    - is missing roles ['student:school:DEMOSCHOOL']
    - is missing groups at positions ['cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,dc=baach-multi,dc=intranet']
    - is not part of schools: ['demoschool'].

- synced in new code, restarted kelvin
- GET in kelvin on demo_student: no_errors

=> Ok, ready to merge and build
Merged with

[feature/kelvin] 24d5add72 Bug #53044: Merge branch 'twenzel/kelvin/53044_case_insensitive_validation' into feature/kelvin
[feature/kelvin] eb796082a Bug #53044: case insensitive validation

and built with ucsschool-kelvin-rest-api=1.4.4
Did final test as follows

# get to primary:
ssh uv11r

ucr set repository/app_center/server=appcenter-test.software-univention.de
ucr set appcenter/index/verify=false
ucr set update/secure_apt=no
univention-app update
univention-app remove ucsschool-kelvin-rest-api
univention-app install ucsschool-kelvin-rest-api
univention-app info
# confirm new version

udm users/user modify --dn "uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=baach-multi,dc=intranet" --set ucsschoolRole="student:school:demoschool"
# rename group in UMC: Domain Users DEMOSCHOOL -> Domain Users demoschool
tail -f /var/log/univention/ucsschool-kelvin-rest-api/http.log
# GET in kelvin openapi interface on demo_student
# confirm no errors in http.log

# Automated test
univention-app shell ucsschool-kelvin-rest-api
cd ucs-school-lib/modules/ucsschool/lib/tests/
pytest test_validation_*
# All tests run through

# => OK
The app ucsschool-kelvin-rest-api 1.4.4 has been released