Univention Bugzilla – Bug 55128
UDM should not allow multiple spaces in properties that define LDAP DNs
Last modified: 2022-08-23 21:05:54 CEST
This is a spin-off of Bug #55117 where I found that python-ldap and at least the OpenLDAP client tools show a peculiar behavior with DNs containing spaces. See Bug 55117 Comment 2. In a customer environment we now found a case where there are two child containers with a name that only differs in spaces (and both have different entryuuid values). From my intuition I thought that that is perfectly fine. But when I discovered that Samba compresses multiple spaces between words in attribute values into single spaces, I asked myself how python-ldap and ldapsearch/ldapadd would behave (and indeed the slapd itself).

```
>>> import ldap
>>> lo = ldap.initialize("ldaps://primary20.ucs50domain.net:7636")
>>> lo.simple_bind_s("uid=Administrator,cn=users,dc=ucs50domain,dc=net", "univention")
(97, [], 1, [])
>>> lo.search_s(base='cn="Domain Admins" ,cn=groups ,dc=ucs50domain,dc= net', scope=ldap.SCOPE_BASE)
[('cn=Domain Admins,cn=groups,dc=ucs50domain,dc=net', {'univentionObjectType': [b'groups/group'], 'univentionGroupType': [b'-2147483646'], 'cn': [b'Domain Admins'], 'sambaSID': [b'S-1-5-21-3845704857-3224404521-1219090489-512'], 'sambaGroupType': [b'2'], 'gidNumber': [b'5000'], 'memberUid': [b'Administrator'], 'uniqueMember': [b'uid=Administrator,cn=users,dc=ucs50domain,dc=net'], 'univentionPolicyReference': [b'cn=default-umc-all,cn=UMC,cn=policies,dc=ucs50domain,dc=net'], 'objectClass': [b'top', b'univentionObject', b'sambaGroupMapping', b'univentionGroup', b'posixGroup', b'univentionPolicyReference'], 'description': [b'Designated administrators of the domain']})]
```

Interesting...
But at least adding yet another "Domain Admins" is rejected by slapd (as seen in the server trace logs):

```
ldapadd -ZZ -D uid=Administrator,cn=users,dc=ucs50domain,dc=net -w univention <<%EOF
dn: cn="Domain Admins",cn=groups,dc=ucs50domain,dc=net
univentionObjectType: groups/group
cn: Domain Admins
gidNumber: 550001
memberUid: Guest
uniqueMember: uid=Guest,cn=users,dc=ucs50domain,dc=net
objectClass: univentionObject
objectClass: univentionGroup
objectClass: posixGroup
description: Whitespace shadow administrators of the domain
%EOF
adding new entry "cn="Domain Admins",cn=groups,dc=ucs50domain,dc=net"
ldap_add: Already exists (68)
```

Same with udm/python-ldap:

```
root@primary20:~# udm groups/group create --position "cn=groups,dc=ucs50domain,dc=net" --set name="Domain Admins" --set users="uid=Guest,cn=users,dc=ucs50domain,dc=net"
E: Object exists: (group) Domain Admins
```

But creating an object with spaces works:

```
root@primary20:~# udm groups/group create --position "cn=groups,dc=ucs50domain,dc=net" --set name="Whitespace Admins" --set users="uid=Guest,cn=users,dc=ucs50domain,dc=net"
Object created: cn=Whitespace Admins,cn=groups,dc=ucs50domain,dc=net
```

Now, if a customer renames the group, there will be problems:

```
root@primary20:~# ldapmodrdn -ZZ -D uid=Administrator,cn=users,dc=ucs50domain,dc=net -w univention -r 'cn=Whitespace Admins,cn=groups,dc=ucs50domain,dc=net' cn='Whitespace Admins'
root@primary20:~# univention-ldapsearch -LLL cn="Whitespace Admins" cn
dn: cn=Whitespace Admins,cn=groups,dc=ucs50domain,dc=net
cn: Whitespace Admins
root@primary20:~# univention-s4search cn="Whitespace Admins" cn
# record 1
dn: CN=Whitespace Admins,CN=Groups,DC=ucs50domain,DC=net
cn: Whitespace Admins
```

Now, maybe this is just a Samba/AD problem, but at least be warned that there may be dragons in OpenLDAP/UDM too.
Ah, I misread the output in the support session (grr teamviewer): The names of the two sister containers actually did differ in more than just spacing, it was also `- Tech` vs `Technik`. So I close this bug, but it's still good to have the strange LDAP behavior noted here.
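The transcript above shows two different things happening with spaces. Spaces around `=` and `,` and the RFC 2253 double quotes in `cn="Domain Admins" ,cn=groups ,dc= net` are DN syntax, not part of the value, so slapd resolves that string to the existing `cn=Domain Admins,...` entry and rejects a second add of it. Spaces inside a value (`Whitespace Admins`) are part of the value, and whether two values that differ only in the number of inner spaces denote the same entry then depends on the consumer (the report says Samba folds them). The following is an added example written for this page, not code from UDM, python-ldap or OpenLDAP: a small RFC 4514 DN parser that makes the first distinction explicit, a space-folding comparison that models the second, and `value_space_issues`, a hypothetical validator of the kind the bug title asks UDM to apply to properties that end up in an RDN. All DNs and group names in it are constructed.

```python
"""Added example for Bug 55128; not UDM, python-ldap or slapd code.
parse_dn/normalize_dn implement RFC 4514 DN syntax; collides_after_space_folding
models a space-folding consumer; value_space_issues is a hypothetical check."""
import re
from typing import List, Tuple

RDN = List[Tuple[str, str]]  # one RDN as a sorted list of (type, value) pairs
_SPECIAL = set(',+"\\<>;')   # characters that must be escaped inside a DN value


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` unless it is backslash-escaped or inside a quoted value."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(raw: str) -> str:
    """Decode `\\XX` hex pairs (one byte each) and `\\c` escapes; result is UTF-8."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16))
                i += 3
                continue
            buf.extend(raw[i + 1].encode("utf-8"))
            i += 2
            continue
        buf.extend(raw[i].encode("utf-8"))
        i += 1
    return buf.decode("utf-8")


def _escape(value: str) -> str:
    """Inverse of _unescape: escape specials, leading/trailing space, leading '#'."""
    out = []
    for i, ch in enumerate(value):
        edge = i == 0 or i == len(value) - 1
        if ch in _SPECIAL or (ch == " " and edge) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string. Spaces around '=', ',' and '+' and RFC 2253-style double
    quotes are syntax, not value, so `cn="Domain Admins" ,dc= net` and
    `cn=Domain Admins,dc=net` parse identically. Spaces *inside* a value are kept."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            if "=" not in ava_text:
                raise ValueError(f"no '=' in AVA {ava_text!r}")
            atype, raw = ava_text.split("=", 1)
            raw = raw.lstrip(" ")
            while raw.endswith(" ") and not raw.endswith("\\ "):
                raw = raw[:-1]  # drop trailing spaces unless escaped
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = raw[1:-1]  # legacy quoting: quotes are delimiters, not content
            avas.append((atype.strip().lower(), _unescape(raw)))
        rdns.append(sorted(avas))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical string form: lower-case types, no insignificant spaces, no quotes.
    Value case is kept; value matching is the attribute's matching rule's job."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in parse_dn(dn))


def collides_after_space_folding(dn_a: str, dn_b: str) -> bool:
    """Would a consumer that folds runs of spaces and ignores case (the behaviour the
    report describes for Samba; modelled on RFC 4518 insignificant-space handling
    for caseIgnoreMatch) see these two DNs as the same entry?"""
    def fold(dn: str) -> List[RDN]:
        return [sorted((t, re.sub(r" +", " ", v).strip(" ").casefold()) for t, v in rdn)
                for rdn in parse_dn(dn)]
    return fold(dn_a) == fold(dn_b)


def value_space_issues(value: str) -> List[str]:
    """Hypothetical UDM-side check for a property that ends up in an RDN: report
    whitespace that different LDAP consumers are likely to treat differently."""
    issues = []
    if value != value.strip(" "):
        issues.append("leading or trailing space")
    if "  " in value:
        issues.append("consecutive spaces")
    if re.search(r"[\t\r\n]", value):
        issues.append("tab or newline")
    return issues


if __name__ == "__main__":
    # The DN from the python-ldap transcript, and the DN slapd answered with.
    odd = 'cn="Domain Admins" ,cn=groups ,dc=ucs50domain,dc= net'
    print(normalize_dn(odd))  # cn=Domain Admins,cn=groups,dc=ucs50domain,dc=net
    # Two constructed group names that differ only in an inner double space.
    a, b = "Whitespace  Admins", "Whitespace Admins"
    print(parse_dn(f"cn={a},dc=example") != parse_dn(f"cn={b},dc=example"))  # True
    print(collides_after_space_folding(f"cn={a},dc=example", f"cn={b},dc=example"))  # True
    print(value_space_issues(a))  # ['consecutive spaces']
```

The two comparisons are deliberately separate: `parse_dn` equality is what the DN syntax alone guarantees, while `collides_after_space_folding` is only a model of one consumer's matching and says nothing about what slapd's own normalizer for a given attribute does. Rejecting values with consecutive, leading or trailing spaces at the UDM layer, as `value_space_issues` does, sidesteps the question of which behaviour is "right" by never creating names that only a space-folding rule can tell apart.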