Univention Bugzilla – Bug 54341
Radius Joinscript modifies wrong extended Attribute
Last modified: 2022-01-26 17:21:21 CET
The radius Joinscript services/univention-radius/80univention-radius.inst modifies the wrong LDAP extended attribute in lines 299 and following.

The bug probably only affects systems that were initially shipped with the Joinscript version 1, because the relevant section is only executed when updating from version 1 and not when installing version 2 or 3.

In line 300 it should be "networkAccessGroups" instead of "NetworkAccessComputers".

The reason is that lines 305 and following are equivalent to lines 242 and following instead of 205 and following.

Code:

200 » --set name='networkAccessComputers' \
205 » --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for this computer.' \
237 » --set name='networkAccessGroups' \
242 » --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for members of this group.' \
287 # update existing extended attributes created in version 1
288 if joinscript_check_specific_version_executed 1 ; then
289 » echo "Updating RADIUS extended attributes..."
290 » udm settings/extended_attribute modify "$@" \
291 » » --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
292 » » --set groupName="RADIUS supplicant" \
293 » » --set translationGroupName='"de_DE" "RADIUS-Supplicant"' \
294 » » --set translationGroupName='"fr_FR" "Demandeur RADIUS"' \
295 » » --set groupPosition=1 \
296 » » --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for this computer.' \
297 » » --set translationLongDescription='"de_DE" "Soll der Zugriff per RADIUS (z.B. über IEEE 802.1x) für diesen Computer erlaubt werden."' || exit "$?"
298 » » --set translationLongDescription='"fr_FR" "Autoriser l’accès via RADIUS (par exemple via IEEE 802.1x) pour cet ordinateur."' \
299 » udm settings/extended_attribute modify "$@" \
300 » » --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
301 » » --set groupName="RADIUS supplicant" \
302 » » --set translationGroupName='"de_DE" "RADIUS-Supplicant"' \
303 » » --set translationGroupName='"fr_FR" "Demandeur RADIUS"' \
304 » » --set groupPosition=1 \
305 » » --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for members of this group.' \
306 » » --set translationLongDescription='"de_DE" "Soll der Zugriff per RADIUS (z.B. über IEEE 802.1x) für Mitglieder dieser Gruppe erlaubt werden."' || exit "$?"
307 » » --set translationLongDescription='"fr_FR" "Autoriser l’accès via RADIUS (par exemple IEEE 802.1x) pour les membres de ce groupe."' \
308 fi

+++ This bug was initially created as a clone of Bug #25935 +++
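The mismatch reported above (an update call that targets one attribute's DN but carries the other attribute's description) can be caught mechanically. The following is an added example, not part of the report or of Univention's code: a small Python lint that compares each `modify` call against the `create` call for the same attribute. `SAMPLE` is constructed and condensed from the quoted lines; the `create` calls and the function names `parse_udm` and `mismatched_updates` are assumptions.

```python
import shlex

# Constructed sample, condensed from the join script lines quoted in the report;
# the two "create" calls are assumed from the quoted name/longDescription lines.
SAMPLE = r'''
udm settings/extended_attribute create "$@" \
    --set name='networkAccessComputers' \
    --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for this computer.'
udm settings/extended_attribute create "$@" \
    --set name='networkAccessGroups' \
    --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for members of this group.'
udm settings/extended_attribute modify "$@" \
    --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
    --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for this computer.'
udm settings/extended_attribute modify "$@" \
    --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
    --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for members of this group.'
'''

def parse_udm(script):
    """Yield (action, attribute name, longDescription) for each udm call."""
    for line in script.replace("\\\n", " ").splitlines():  # join continuations
        tok = shlex.split(line)
        if len(tok) < 3 or tok[:2] != ["udm", "settings/extended_attribute"]:
            continue
        name = desc = None
        for opt, val in zip(tok[3:], tok[4:]):  # (option, argument) pairs
            key, _, value = val.partition("=")
            if opt == "--dn":
                # attribute name is the first RDN value of the DN
                name = val.split(",")[0].partition("=")[2]
            elif opt == "--set" and key == "name":
                name = value
            elif opt == "--set" and key == "longDescription":
                desc = value
        yield tok[2], name, desc

def mismatched_updates(script):
    """Return (modified attribute, attribute the text was created for) pairs."""
    created, findings = {}, []
    for action, name, desc in parse_udm(script):
        if action == "create":
            created[name] = desc
        elif action == "modify" and desc and created.get(name, desc) != desc:
            owner = [n for n, d in created.items() if d == desc]
            findings.append((name, owner[0] if owner else None))
    return findings

if __name__ == "__main__":
    print(mismatched_updates(SAMPLE))
```
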
https://git.knut.univention.de/univention/ucs/-/merge_requests/253
[5.0-1] 44ab1ed4b9 doc[radius]: Update Debian packaging
 services/univention-radius/debian/control | 37 +++++++++++++++++++++--------
 services/univention-radius/debian/rules | 6 ++---
 .../univention-radius/usr/lib/univention-freeradius/setupCA.sh | 0
 3 files changed, 29 insertions(+), 14 deletions(-)

[5.0-1] f55f8a84ae style[radius]: shellcheck
 services/univention-radius/20univention-radius.uinst | 3 +++
 services/univention-radius/80univention-radius.inst | 15 +++++++--------
 services/univention-radius/debian/univention-radius.postinst | 1 +
 services/univention-radius/debian/univention-radius.postrm | 1 +
 services/univention-radius/usr/lib/univention-freeradius/setupCA.sh | 4 ++++
 .../usr/lib/univention-server/server_password_change.d/univention-radius | 3 +--
 6 files changed, 17 insertions(+), 10 deletions(-)

[5.0-1] f409e9f9d8 fix[radius]: networkAccessGroups in join script on update
 doc/errata/staging/univention-radius.yaml | 12 ++++++++++++
 services/univention-radius/80univention-radius.inst | 6 +++---
 services/univention-radius/debian/changelog | 6 ++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

[5.0-1] 660f345586 fix[radius]: Fortify SUID wrapper
 services/univention-radius/.gitignore | 1 +
 services/univention-radius/Makefile | 8 ++------
 services/univention-radius/debian/univention-radius.install | 1 +
 3 files changed, 4 insertions(+), 6 deletions(-)

[5.0-1] 92218123e3 style[radius]: Log formatting
 services/univention-radius/modules/univention/radius/networkaccess.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

[5.0-1] 8c524cd6d6 style[radius]: build_access_dict
 services/univention-radius/modules/univention/radius/networkaccess.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

[5.0-1] 2cae780b26 refactor[radius]: evaluate_ldap_network_access
 services/univention-radius/modules/univention/radius/networkaccess.py | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

[5.0-1] 85079fae5f refactor[radius]: decode_stationId
 services/univention-radius/modules/univention/radius/networkaccess.py | 2 +-
 services/univention-radius/modules/univention/radius/utils.py | 14 ++------------
 2 files changed, 3 insertions(+), 13 deletions(-)

[5.0-1] afaa1123b2 refactor[radius]: Drop duplicate UCR
 services/univention-radius/modules/univention/radius/networkaccess.py | 2 --
 1 file changed, 2 deletions(-)

[5.0-1] 898ef93222 doc[radius]: PEP-484 type annotations
 services/univention-radius/debian/control | 1 +
 services/univention-radius/listener/univention-radius.py | 8 +++++++-
 services/univention-radius/modules/univention/radius/networkaccess.py | 22 +++++++++++++++++++---
 services/univention-radius/modules/univention/radius/pyMsChapV2.py | 4 ++++
 services/univention-radius/modules/univention/radius/utils.py | 2 ++
 services/univention-radius/usr/bin/univention-radius-check-access | 1 +
 services/univention-radius/usr/bin/univention-radius-ntlm-auth | 1 +
 7 files changed, 35 insertions(+), 4 deletions(-)

[5.0-1] 688b9721ee test[radius]: Convert to unit test
 services/univention-radius/debian/control | 4 +++
 services/univention-radius/debian/rules | 1 +
 services/univention-radius/debian/ucslint.overrides | 4 +++
 services/univention-radius/modules/univention/__init__.py | 1 +
 .../modules/univention/radius/networkaccess.py | 24 ++-----------
 .../univention-radius/modules/univention/radius/pyMsChapV2.py | 31 ----------------
 services/univention-radius/modules/univention/radius/utils.py | 55 +++++++++++++++++++++++++++++
 services/univention-radius/pytest.ini | 7 ++++
 services/univention-radius/setup.py | 2 +-
 services/univention-radius/tests/test_mschapv2.py | 30 ++++++++++++++++
 ...
 11 files changed, 128 insertions(+), 54 deletions(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201201939
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] f834208713 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201201939
 doc/errata/staging/univention-radius.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
One of our diagnostic checks is currently failing:

###################### Start 31_file_permissions #######################
## Check failed: 31_file_permissions - Überprüfe Datei Berechtigungen ##
Datei '/etc/freeradius/ssl' hat den Besitzer 'freerad:freerad', während 'root:freerad' erwartet war.
####################### End 31_file_permissions ########################

I assume this change was made deliberately, so I would ask you to adjust the diagnostic check as well :)
(In reply to Julia Bremer from comment #3)
> One of our diagnostic checks is currently failing:
...
> Datei '/etc/freeradius/ssl' hat den Besitzer 'freerad:freerad', während
> 'root:freerad' erwartet war.
...
> I assume this change was made deliberately, so I would ask you to adjust the
> diagnostic check as well :)

The check was right and I broke it; thanks for the info.

Fixed:

[5.0-1] da497333c1 fix[radius]: /etc/freeradius/ssl permissions
 services/univention-radius/80univention-radius.inst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201210910
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] d4b119ea29 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201210910
 doc/errata/staging/univention-radius.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

OK: univention-run-diagnostic-checks -t 31_file_permissions --username Administrator --bindpwdfile <(echo univention)
OK: ucs-test -E dangerous -s radius -c -F raw
###################### Start 31_file_permissions #######################
## Check failed: 31_file_permissions - Überprüfe Datei Berechtigungen ##
Datei '/etc/freeradius/ssl' hat Datei-Modus 2775, 2755 war erwartet.
####################### End 31_file_permissions ########################

The diagnostic check is still unhappy (for another reason) since Friday.
(In reply to Julia Bremer from comment #5)
> ## Check failed: 31_file_permissions - Überprüfe Datei Berechtigungen ##
> Datei '/etc/freeradius/ssl' hat Datei-Modus 2775, 2755 war erwartet.

[5.0-1] 748fe8c920 fix[radius]: /etc/freeradius/ssl permissions 2
 services/univention-radius/80univention-radius.inst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201240936
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] b72b4918b5 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201240936
 doc/errata/staging/univention-radius.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

OK: univention-run-diagnostic-checks -t 31_file_permissions --username Administrator --bindpwdfile <(echo univention)
OK: ucs-test -E dangerous -s radius -c -F raw
[5.0-1] 899ec4f2b5 doc[radius]: Fix spelling mistakes
 services/univention-radius/80univention-radius.inst | 2 +-
 services/univention-radius/debian/control | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201251556
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] 85130afe00 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201251556
 doc/errata/staging/univention-radius.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
OK: text changes
OK: joinscript
OK: file permissions
OK: YAML
<https://errata.software-univention.de/#/?erratum=5.0x199>