Univention Bugzilla – Bug 53553
UDM filters search for "&(|(cn=*)(description=*b'')))" containing bytestrings
Last modified: 2024-02-23 13:43:37 CET
There are bytestrings in the log output of the LDAP filters generated by UDM: ``` import univention.management.console.log, sys, univention.admin from ucsschool.lib.models.computer import SchoolComputer lo, po = univention.admin.uldap.getMachineConnection() univention.management.console.log.log_init('/dev/stdout', 99) SchoolComputer.get_all(lo, 'DEMOSCHOOL', '(&(|(name=*)(description=*)))') ``` → ``` LDAP ( INFO ) : uldap.search filter=(&(objectClass=univentionHost)(objectClass=univentionClient)(!(objectClass=posixAccount))(&(objectClass=ucsschoolComputer)(&(|(cn=*b'')(description=*b''))))) base=cn=comp uters,ou=DEMOSCHOOL,l=school,l=dev scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0 … LDAP ( INFO ) : uldap.search filter=(&(objectClass=sambaSamAccount)(sambaAcctFlags=[I ])(&(objectClass=ucsschoolComputer)(&(|(cn=*)(description=*b''))))) base=cn=computers,ou=DEMOSCHOOL,l=school,l= dev scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0 … ``` Debugging session: Create a breakpoint at the place where the log message is created: ``` diff --git base/univention-python/modules/uldap.py base/univention-python/modules/uldap.py index 8d20eb2ad6..12b397826a 100644 --- base/univention-python/modules/uldap.py +++ base/univention-python/modules/uldap.py @@ -499,6 +499,8 @@ class access(object): """ univention.debug.debug(univention.debug.LDAP, univention.debug.INFO, 'uldap.search filter=%s base=%s scope=%s attr=%s unique=%d required=%d timeout=%d sizelimit=%d' % ( filter, base, scope, attr, unique, required, timeout, sizelimit)) + if "b''" in str(filter): + breakpoint() if not base: base = self.base ``` `scp base/univention-python/modules/uldap.py 10.200.XX.XX:/usr/lib/python3/dist-packages/univention/uldap.py` ``` # python3 repr.py (Pdb) bt /root/repr.py(5)<module>() -> SchoolComputer.get_all(lo, 'DEMOSCHOOL', '(&(|(name=*)(description=*)))') /usr/lib/python3/dist-packages/ucsschool/lib/models/base.py(991)get_all() -> for udm_obj in cls.lookup(lo, school, complete_filter, superordinate=superordinate): /usr/lib/python3/dist-packages/ucsschool/lib/models/computer.py(233)lookup() -> return super(SchoolComputer, cls).lookup(lo, school, school_computer_filter, superordinate) /usr/lib/python3/dist-packages/ucsschool/lib/models/base.py(1009)lookup() -> superordinate=superordinate, /usr/lib/python3/dist-packages/univention/admin/modules.py(953)lookup() -> tmpres = module.lookup(co, lo, filter, base=base, superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit) /usr/lib/python3/dist-packages/univention/admin/handlers/computers/computer.py(133)lookup() -> res.extend(computer.lookup(co, lo, filter_s, base, superordinate, scope, unique, required, timeout, sizelimit)) /usr/lib/python3/dist-packages/univention/admin/handlers/computers/ipmanagedclient.py(261)lookup() -> for dn, attrs in lo.search(str(filter), base, scope, [], unique, required, timeout, sizelimit, serverctrls, response): /usr/lib/python3/dist-packages/univention/admin/uldap.py(669)search() -> return self.lo.search(filter, base, scope, attr, unique, required, timeout, sizelimit, serverctrls=serverctrls, response=response) /usr/lib/python3/dist-packages/univention/uldap.py(208)_decorated() -> return func(self, *args, **kwargs) > /usr/lib/python3/dist-packages/univention/uldap.py(505)search() -> if not base: (Pdb) up (Pdb) up (Pdb) up > /usr/lib/python3/dist-packages/univention/admin/handlers/computers/ipmanagedclient.py(261)lookup() (Pdb) filter conjunction('&', [expression('objectClass', 'univentionHost', '='), expression('objectClass', 'univentionClient', '='), conjunction('!', [expression('objectClass', 'posixAccount', '=')]), conjunction('&', [expression('objectClass', 'ucsschoolComputer', '='), conjunction('&', [conjunction('|', [expression('cn', b'', '=*'), expression('description', b'', '=*')])])])]) (Pdb) up > /usr/lib/python3/dist-packages/univention/admin/handlers/computers/computer.py(133)lookup() (Pdb) filter_s conjunction('&', [expression('objectClass', 'ucsschoolComputer', '='), conjunction('&', [conjunction('|', [expression('name', '', '=*'), expression('description', '', '=*')])])]) ``` > /usr/lib/python3/dist-packages/univention/admin/handlers/computers/computer.py(133)lookup() → still fixed > /usr/lib/python3/dist-packages/univention/admin/handlers/computers/ipmanagedclient.py(261)lookup() → broken → so, between those two stack frame the transformation broke it. now code review what happens there. ``` (Pdb) list 251 246 def lookup(co, lo, filter_s, base='', superordinate=None, scope='sub', unique=False, required=False, timeout=-1, sizelimit=0, serverctrls=None, response=None): 247 res = [] 248 filter_s = univention.admin.filter.replace_fqdn_filter(filter_s) 249 filter_s = univention.admin.handlers.dns.alias.lookup_alias_filter(lo, filter_s) 250 filter = univention.admin.filter.conjunction('&', [ 251 univention.admin.filter.expression('objectClass', 'univentionHost'), 252 univention.admin.filter.expression('objectClass', 'univentionClient'), 253 univention.admin.filter.conjunction('!', [univention.admin.filter.expression('objectClass', 'posixAccount')]), 254 ]) 255 256 if filter_s: (Pdb) 257 filter_p = univention.admin.filter.parse(filter_s) 258 univention.admin.filter.walk(filter_p, rewrite, arg=mapping) 259 filter.expressions.append(filter_p) 260 261 -> for dn, attrs in lo.search(str(filter), base, scope, [], unique, required, timeout, sizelimit, serverctrls, response): 262 res.append(object(co, lo, None, dn, attributes=attrs)) 263 return res ``` Now we define a breakpoint at the very top of the lookup() function and step through it: ``` (Pdb) filter_p conjunction('&', [expression('objectClass', 'ucsschoolComputer', '='), conjunction('&', [conjunction('|', [expression('name', '', '=*'), expression('description', '', '=*')])])]) (Pdb) n … (Pdb) n -> filter.expressions.append(filter_p) (Pdb) filter_p conjunction('&', [expression('objectClass', 'ucsschoolComputer', '='), conjunction('&', [conjunction('|', [expression('cn', b'', '=*'), expression('description', b'', '=*')])])]) (Pdb) list 13 ]) 14 15 if filter_s: 16 filter_p = univention.admin.filter.parse(filter_s) 17 univention.admin.filter.walk(filter_p, rewrite, arg=mapping) 18 -> filter.expressions.append(filter_p) 19 20 print(str(filter)) ``` So now we know, that `univention.admin.filter.walk(filter_p, rewrite, arg=mapping)` breaks it. Further debugging where it breaks: ``` from univention.admin.filter import conjunction, expression import univention.admin from univention.admin.handlers.computers.ipmanagedclient import mapping lo, po = univention.admin.uldap.getMachineConnection() filter_s = conjunction('&', [expression('objectClass', 'ucsschoolComputer', '='), conjunction('&', [conjunction('|', [expression('name', '', '=*'), expression('description', '', '=*')])])]) # extracted code print(repr(filter_s)) exp = filter_s.expressions[-1].expressions[-1].expressions[-1] univention.admin.mapping.mapRewrite(exp, mapping) print(repr(filter_s)) # the cause in mapRewrite() print(mapping.mapValue('description', 'x')) ``` The following patch fixes this: ``` diff --git management/univention-directory-manager-modules/modules/univention/admin/mapping.py management/univention-directory-manager-modules/modules/univention/admin/mapping.py index 0b9580fe78..3c575728a7 100644 --- management/univention-directory-manager-modules/modules/univention/admin/mapping.py +++ management/univention-directory-manager-modules/modules/univention/admin/mapping.py @@ -767,7 +767,7 @@ def mapRewrite(filter, mapping): if not mapping.shouldMap(key): return k = mapping.mapName(key) - v = mapping.mapValue(key, filter.value) + v = mapping.mapValueDecoded(key, filter.value) except KeyError: return if k: ```
Affected are search filters which use the UDM property name and not an LDAP attribute name (e.g. username=foo instead of uid=foo).
Fixed in: univention-directory-manager-modules.yaml 660322806fa3 | Bug #53553: fix broken LDAP filter generation containing bytestring-representations univention-directory-manager-modules (15.0.11-10) 660322806fa3 | Bug #53553: fix broken LDAP filter generation containing bytestring-representations
Tested by trying to recreate the problem. -> output is fixed Code reviewd -> OK
<https://errata.software-univention.de/#/?erratum=5.0x61>