Bug 54395 - Service Specific Password (Radius): Add univentionRadiusPassword attribute
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 5.0
Other Linux
P5 normal
UCS 5.0-1-errata
Assigned To: Dirk Wiesenthal
Julia Bremer
Reported: 2022-01-31 02:36 CET by Dirk Wiesenthal
Modified: 2022-03-23 14:14 CET
What kind of report is it?: Feature Request
Description Dirk Wiesenthal univentionstaff 2022-01-31 02:36:16 CET
New attribute for users: univentionRadiusPassword

ACLs: Nobody may write; hosts may read.
Comment 1 Florian Best univentionstaff 2022-03-16 09:46:57 CET
Jenkins shows:

Traceback (most recent call last):
  File "/usr/share/ucs-test/45_radius/12_acls_service_specific_password.py", line 75, in test_acl_admin_may_write
    lo.modify(dn, (('univentionRadiusPassword', b'', ssp[1]),))
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 814, in modify
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
univention.admin.uexceptions.ldapError: Inappropriate matching: modify/add: univentionRadiusPassword: no equality matching rule


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 803, in modify
    return self.lo.modify(dn, changes, serverctrls=serverctrls, response=response, rename_callback=rename_callback)                                                                                                
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 208, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 754, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 208, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 813, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1253, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 602, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)                                                                                                         
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_MATCHING: {'desc': 'Inappropriate matching', 'info': 'modify/add: univentionRadiusPassword: no equality matching rule'}
Comment 2 Florian Best univentionstaff 2022-03-16 10:47:15 CET
I give you a hint:

base/univention-python/modules/uldap.py in access:modify() has 3 ways to specify the LDAP operation which is used ;-) One (Two) does not need an equality matching rule.

>>> lo.modify(dn, [('univentionRadiusPassword', [b''], [b'asdf'])])
#ml=[(2, 'univentionRadiusPassword', [b'asdf'])]
>>> lo.getAttr(dn, 'univentionRadiusPassword')
[b'asdf']

>>> lo.modify(dn, [('univentionRadiusPassword', [b'asdf'], [b'foobar'])])
#ml=[(2, 'univentionRadiusPassword', [b'foobar'])]
>>> lo.getAttr(dn, 'univentionRadiusPassword')
[b'foobar']

>>> lo.modify(dn, [('univentionRadiusPassword', [b'foobar'], [b''])])
#ml=[(2, 'univentionRadiusPassword', [b''])]
>>> lo.getAttr(dn, 'univentionRadiusPassword')
[b'']
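
The following is an added example, not part of the comment above and not Univention's uldap code. It contrasts a value-wise delete/add modlist with the single replace operation (code 2, as in the `#ml=` lines) against a simplified mock server. `NO_EQUALITY`, `MockDirectory`, `diff_modlist` and `replace_modlist` are hypothetical names, and the mock's rejection rule is an assumption modelled on the error in Comment 1.

```python
# Added illustration with constructed names; this is not Univention's uldap code.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # LDAP modify operation codes (RFC 4511)
# Assumption: attribute types whose schema definition has no EQUALITY rule.
NO_EQUALITY = {"univentionRadiusPassword"}


class InappropriateMatching(Exception):
    """Stand-in for ldap.INAPPROPRIATE_MATCHING."""


def diff_modlist(attr, old, new):
    """Value-wise change: delete the old values, then add the new ones."""
    ml = [(MOD_DELETE, attr, old)] if old else []
    return ml + ([(MOD_ADD, attr, new)] if new else [])


def replace_modlist(attr, old, new):
    """One MOD_REPLACE when the server cannot compare values of attr."""
    if attr in NO_EQUALITY:
        return [(MOD_REPLACE, attr, new)]
    return diff_modlist(attr, old, new)


class MockDirectory:
    """Simplified server model: value-wise add/delete needs an EQUALITY rule."""

    def __init__(self):
        self.entry = {}

    def modify(self, modlist):
        for op, attr, values in modlist:
            current = self.entry.get(attr, [])
            if op == MOD_REPLACE:  # whole-attribute overwrite, nothing compared
                current = list(values)
            elif attr in NO_EQUALITY:
                kind = "add" if op == MOD_ADD else "delete"
                raise InappropriateMatching(
                    f"modify/{kind}: {attr}: no equality matching rule")
            elif op == MOD_ADD:
                current = current + [v for v in values if v not in current]
            else:
                current = [v for v in current if v not in values]
            self.entry[attr] = current
        return self.entry
```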
Comment 3 Dirk Wiesenthal univentionstaff 2022-03-22 15:54:47 CET
Package: univention-ldap
Version: 16.0.7-18A~5.0.0.202203181059
Branch: ucs_5.0-0
Scope: errata5.0-1
Comment 4 Julia Bremer univentionstaff 2022-03-22 16:13:48 CET
univentionRadiusPassword only readable by computer objects (and Domain Admins) on primary/backup and replica: OK
Only Admins can write: OK
Schema: OK
No equalityMatchingRule: OK

Tests: OK
Verified