Univention Bugzilla – Bug 54987
Cannot unmap binary data from LDAP in UDM
Last modified: 2022-10-12 17:49:31 CEST
With UCS 4.4 the Cool Solution univention-usercert works well. It cannot be migrated to UCS 5.0 because the unmapping of binary data from LDAP would not work. The UDM mapping also defines the encoding for each property, but this cannot be specified for extended attributes.

Gitlab: https://git.knut.univention.de/univention/prof-services/cool-solutions/-/tree/ucs-5.0/master/univention-usercert
Issue in Gitlab: https://git.knut.univention.de/univention/prof-services/cool-solutions/-/issues/

  File "/usr/lib/python3/dist-packages/notifier/threads.py", line 80, in _run
    result = self._function()
  File "/usr/lib/python3/dist-packages/notifier/__init__.py", line 105, in __call__
    return self._function(*tmp, **self._kwargs)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/__init__.py", line 521, in _get
    obj = module.get(ldap_dn)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 730, in get
    UDM_Error(exc).reraise()
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 365, in reraise
    six.reraise(self.__class__, self, self.exc_info[2])
  File "/usr/lib/python3/dist-packages/six.py", line 692, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 718, in get
    obj = self.module.object(None, ldap_connection, None, ldap_dn, superordinate, attributes=attributes)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/computers/__base.py", line 68, in __init__
    univention.admin.handlers.simpleComputer.__init__(self, co, lo, position, dn, superordinate, attributes)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1860, in __init__
    simpleLdap.__init__(self, co, lo, position, dn, superordinate, attributes)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 226, in __init__
    oldinfo = self.mapping.unmapValues(self.oldattr)
  File "/usr/lib/python3/dist-packages/univention/admin/mapping.py", line 601, in unmapValues
    info = mapDict(self, oldattr)
  File "/usr/lib/python3/dist-packages/univention/admin/mapping.py", line 663, in mapDict
    v = mapping.unmapValue(key, value)
  File "/usr/lib/python3/dist-packages/univention/admin/mapping.py", line 595, in unmapValue
    raise univention.admin.uexceptions.valueInvalidSyntax(_('Invalid encoding for %s %r %r') % (unmap_name, value, encoding))
univention.management.console.modules.udm.udm_ldap.UDM_Error: Invalid syntax. Invalid encoding for userCertificate;binary [b'0\x82\x04\xfa0\x82\x03\xe2\xa0 … …'] 'UTF-8'
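
The failure in the traceback above, reproduced as an added example (not UDM code and not part of the original report): a DER certificate read from LDAP is decoded with a default text encoding unless the attribute carries its own encoding. The function names, the `ENCODINGS` table and the `"base64"` marker are assumptions made for illustration; the sample bytes are the prefix quoted in the error message.

```python
import base64

# First bytes of the certificate as quoted in the traceback (rest elided there).
DER_PREFIX = b"0\x82\x04\xfa0\x82\x03\xe2\xa0"

# Hypothetical per-attribute encoding table. "base64" marks a binary
# attribute whose bytes must never be decoded as text.
ENCODINGS = {"userCertificate;binary": "base64"}
DEFAULT_ENCODING = "UTF-8"


class InvalidEncoding(ValueError):
    """Raised when an LDAP value does not fit the attribute's text encoding."""


def unmap_value(attr, values, encodings=None):
    """Convert raw LDAP byte values into strings for the property layer."""
    encoding = (encodings or {}).get(attr, DEFAULT_ENCODING)
    result = []
    for raw in values:
        if encoding == "base64":
            # Binary attribute: represent the bytes losslessly as ASCII text.
            result.append(base64.b64encode(raw).decode("ascii"))
            continue
        try:
            result.append(raw.decode(encoding))
        except UnicodeDecodeError as exc:
            # 0x82 directly after the ASCII byte 0x30 is not a valid UTF-8 start byte.
            raise InvalidEncoding(
                f"Invalid encoding for {attr} {encoding!r}: {exc.reason}"
            ) from exc
    return result


def map_value(attr, values, encodings=None):
    """Inverse of unmap_value: turn property strings back into LDAP bytes."""
    encoding = (encodings or {}).get(attr, DEFAULT_ENCODING)
    if encoding == "base64":
        return [base64.b64decode(v, validate=True) for v in values]
    return [v.encode(encoding) for v in values]


if __name__ == "__main__":
    print(unmap_value("userCertificate;binary", [DER_PREFIX], ENCODINGS))
    try:
        unmap_value("userCertificate;binary", [DER_PREFIX])  # no encoding known
    except InvalidEncoding as err:
        print("fails as in the report:", err)
```
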
In Bug #43129 I wrote:
(In reply to Florian Best from comment #26)
> (In reply to Florian Best from comment #12)
> > Created attachment 9246 [details]
> > patch for configurable mapping/unmapping
> >
> > (In reply to Sönke Schwardt-Krummrich from comment #11)
> > > (In reply to Florian Best from comment #10)
> > > > udm settings/extended_attribute modify --dn "$DN" --set mapMethod=mapMyDate
> > > > --set unmapMethod=unmapMyDate.
> > > >
> > > > What do you think?
> > >
> > > This only works flawlessly if mapping.d/* files are also registered in LDAP.
> > Okay, I added the LDAP registration part to the patch.
>
> We could need this patch for the userCertificate cool solution problem in
> UCS 5.0 in
> https://git.knut.univention.de/univention/prof-services/cool-solutions/-/issues/2.

We have to conceptually think about if we really want something like this!
Especially I dislike adding another "hook" directory for defining mapping functions.
Maybe a workaround with the syntax class would be possible as well. Or just making pre-defined mapping functions configurable.
I had a review on this with djokic@univention.de

* the cool solution tries to access the userCertificate attribute of user and computer objects
* 1. assumption is: it works with users because userCertificate is part of the product scope for users, but fails with computer objects because it is an extended attribute created by the cool solution
* 2. assumption is: there is no other binary attribute needed by the cool solution

To avoid a complex new API (hook or whatever) for extended attributes I propose to add the userCertificate attribute to computer objects with the same functionality as for user objects.
(In reply to Ingo Steuwer from comment #2)
> I had a review on this with djokic@univention.de
>
> * the cool solution tries to access the userCertificate attribute of user
> and computer objects
> * 1. assumption is: it works with users because userCertificate is part of
> the product scope for users, but fails with computer objects because it is
> an extended attribute created by the cool solution

yes, users/user provides already all necessary information which are required in the cool solution.
It is missing at least for computers/windows and users/ldap.

> * 2. assumption is: there is no other binary attribute needed by the cool
> solution

yes

> To avoid a complex new API (hook or whatever) for extended attributes I
> propose to add the userCertificate attribute to computer objects with the
> same functionality as for user objects.

great!

MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/454
The PKI integration has been added for users/ldap and computers/* in the above MR.
users/ldap and computers/* have been adjusted to provide userCertificate properties.

test: pytest-3 -s -l -vv 59_udm/61_test_udm_users_unittests.py -k test_unmap_user_certificate

A new module univention.admin.certificate has been added. In the past adding new modules caused tracebacks in the UDL modules. Maybe we should restart UDL and UDM REST API during the package upgrade. Let's see what the tests report tomorrow.

univention-directory-manager-modules.yaml
20fc8446a34f | Bug #54987: add pki/userCertificate to users/ldap and computers/

univention-directory-manager-modules (15.0.13-9)
c52aaf092a7a | style[udm]: add trailing commata to property definitions
20fc8446a34f | Bug #54987: add pki/userCertificate to users/ldap and computers/

ucs-test (10.0.7-26)
20fc8446a34f | Bug #54987: add pki/userCertificate to users/ldap and computers/
OK: (un)setting computers/* certificates via udm/umc
OK: (un)setting users/ldap certificates via udm/umc
OK: unmapping shown in udm
OK: unmapping shown in umc
OK: Upgrade
OK: domain where some machines are upgraded and some aren't
OK: Code review
OK: Jenkins
OK: YAML
Verified

Regarding the cool solution usercert: This feature makes a lot of the custom code obsolete, the cool solution source code has to be updated to use the now builtin attributes and be functional.
<https://errata.software-univention.de/#/?erratum=5.0x456>