Bug 54744 - slapd fails if lines in slapd.conf are too long
Summary: slapd fails if lines in slapd.conf are too long
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 5.0-1-errata
Assignee: Arvid Requate
QA Contact: Julia Bremer
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks: 54790
Reported: 2022-05-12 13:18 CEST by Lukas Zumvorde
Modified: 2022-05-23 13:35 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Large environments
Customer ID: 02149
Max CVSS v3 score:


Attachments
Patch to the template file to split long ACL line (2.15 KB, patch)
2022-05-12 13:18 CEST, Lukas Zumvorde

Description Lukas Zumvorde univentionstaff 2022-05-12 13:18:14 CEST
Created attachment 10951 [details]
Patch to the template file to split long ACL line

When using the package univention-admingrp-user-passwordreset and having a lot of entries in the UCR variables
ldap/acl/user/passwordreset/protected/uid
ldap/acl/user/passwordreset/protected/gid
the filter in one of the ACLs can get too long. slapd's limit of 2048 bytes in a line of its config can be reached. This will result in slapd failing to start. Long lines can be split though.

From the slapd.conf manpage
> If a line begins with white space, it is considered a
> continuation of the previous line. No physical line should be
> over 2000 bytes long

This line break can not be placed at any place in the filter statement of an ACL though. The attached patch is my suggestion for a fix for this issue on this one specific ACL. A general solution would be better though.


PS: The customer Dataport (phoenix project) is impacted by this issue.
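
A pre-flight check for the failure described in this report, as an added example that is not part of the original report or of the Univention fix: it flags every physical line of a slapd.conf that exceeds the 2000-byte figure from the quoted manpage text and names the directive it belongs to, following the continuation-line rule. The function names and the sample ACL are constructed for illustration.

```python
# Added example: pre-flight check for over-long physical lines in slapd.conf.
import sys

MAX_PHYSICAL_BYTES = 2000  # figure from the manpage text quoted in the report


def overlong_lines(conf, limit=MAX_PHYSICAL_BYTES):
    """Return (line_no, byte_len, directive_line_no) per physical line over limit.

    Lengths are counted in bytes, without the line terminator. A physical line
    that begins with white space continues the previous line, so
    directive_line_no is where the enclosing logical line starts.
    """
    findings = []
    start = None
    for line_no, raw in enumerate(conf.split(b"\n"), start=1):
        raw = raw.rstrip(b"\r")
        if start is None or raw[:1] not in (b" ", b"\t"):
            start = line_no
        if len(raw) > limit:
            findings.append((line_no, len(raw), start))
    return findings


def sample_conf(entries):
    """Constructed sample (not the UCS template): one ACL with a long filter."""
    clauses = "".join("(uid=protected-user-%04d)" % i for i in range(entries))
    return "\n".join([
        "# constructed sample",
        'access to filter="(|%s)" attrs=userPassword' % clauses,
        "    by self write",
        "    by * none",
        "",
    ]).encode("utf-8")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = sample_conf(100)
    hits = overlong_lines(data)
    for line_no, size, start in hits:
        print("line %d: %d bytes (directive starts at line %d)" % (line_no, size, start))
    sys.exit(1 if hits else 0)
```

Run against the generated configuration before restarting slapd; a non-zero exit status means at least one physical line is over the limit.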
Comment 1 Arvid Requate univentionstaff 2022-05-18 10:50:30 CEST
de58a8999c | Avoid slapd not starting due to exceeding line length
1504f0f79c | merge arequate/54744-slapd-line-too-long
2bc3998666 | Advisory update
Comment 2 Julia Bremer univentionstaff 2022-05-18 15:36:01 CEST
OK: install
OK: upgrade
OK: lines are split correctly
OK: No behavioral changes
OK: Tests

Verified