Bug 55480 - Unhandled univention.admin.uexceptions.permissionDenied on ldap.INSUFFICIENT_ACCESS for method service-specific-password
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2022-12-08 10:53 CET by Carlos García-Mauriño
Modified: 2022-12-08 10:54 CET


Description Carlos García-Mauriño univentionstaff 2022-12-08 10:53:04 CET
I accidentally called service-specific-password from the UDM REST API of a backup node and got this unhandled exception. Probably because the backup cannot write to LDAP.

```
08.12.22 08:55:08       ERROR      (    20302) : Uncaught exception a9acd43d-c: POST /udm/users/user/uid=admin,cn=lehrer,cn=users,ou=school1,dc=school,dc=test/service-specific-password (0.0.0.0)
    HTTPServerRequest(protocol='http', host='backup1.school.test', method='POST', uri='/udm/users/user/uid=admin,cn=lehrer,cn=users,ou=school1,dc=school,dc=test/service-specific-password', version='HTTP/1.1', remote_ip='0.0.0.0')
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 806, in modify
        return self.lo.modify(dn, changes, serverctrls=serverctrls, response=response, rename_callback=rename_callback)
      File "/usr/lib/python3/dist-packages/univention/uldap.py", line 208, in _decorated
        return func(self, *args, **kwargs)
      File "/usr/lib/python3/dist-packages/univention/uldap.py", line 754, in modify
        self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
      File "/usr/lib/python3/dist-packages/univention/uldap.py", line 208, in _decorated
        return func(self, *args, **kwargs)
      File "/usr/lib/python3/dist-packages/univention/uldap.py", line 813, in modify_ext_s
        rtype, rdata, rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1253, in modify_ext_s
        return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
        return func(self,*args,**kwargs)
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 602, in modify_ext_s
        resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
        resp_ctrl_classes=resp_ctrl_classes
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
        ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
        reraise(exc_type, exc_value, exc_traceback)
      File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
        raise exc_value
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
        result = func(*args,**kwargs)
    ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/tornado/web.py", line 1592, in _execute
        result = yield result
      File "/usr/lib/python3/dist-packages/tornado/gen.py", line 1133, in run
        value = future.result()
      File "/usr/lib/python3/dist-packages/univention/admin/rest/module.py", line 4032, in post
        await self.pool_submit(obj.modify)
      File "/usr/lib/python3/dist-packages/tornado/gen.py", line 1141, in run
        yielded = self.gen.throw(*exc_info)
      File "/usr/lib/python3/dist-packages/univention/admin/rest/module.py", line 370, in pool_submit
        return (yield future)
      File "/usr/lib/python3/dist-packages/tornado/gen.py", line 1133, in run
        value = future.result()
      File "/usr/lib/python3.7/concurrent/futures/_base.py", line 425, in result
        return self.__get_result()
      File "/usr/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
        raise self._exception
      File "/usr/lib/python3.7/concurrent/futures/thread.py", line 57, in run
        result = self.fn(*self.args, **self.kwargs)
      File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1273, in modify
        return super(object, self).modify(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 650, in modify
        dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
      File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1366, in _modify
        self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response, rename_callback=wouldRename.on_rename)
      File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 812, in modify
        raise univention.admin.uexceptions.permissionDenied()
    univention.admin.uexceptions.permissionDenied
```
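
A triage helper for this log format, as an added example that is not part of the original report or of UCS: it extracts the request and the chained exception names from "Uncaught exception" records, so that denied LDAP writes which escaped the REST handler can be found in a log file. The sample input is abridged from the traceback above; the function name and the result field names are assumptions.

```python
import re

# Abridged from the traceback in this report (most frames omitted).
SAMPLE_LOG = """\
08.12.22 08:55:08       ERROR      (    20302) : Uncaught exception a9acd43d-c: POST /udm/users/user/uid=admin,cn=lehrer,cn=users,ou=school1,dc=school,dc=test/service-specific-password (0.0.0.0)
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
        result = func(*args,**kwargs)
    ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 812, in modify
        raise univention.admin.uexceptions.permissionDenied()
    univention.admin.uexceptions.permissionDenied
"""

HEADER = re.compile(
    r"^(?P<ts>\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d)\s+ERROR\s+\(\s*(?P<pid>\d+)\) : "
    r"Uncaught exception (?P<id>\S+): (?P<method>[A-Z]+) (?P<uri>\S+) \((?P<ip>[^)]*)\)$")
# Exception summary lines sit at exactly four spaces: "name" or "name: message"
EXC = re.compile(r"^ {4}(?P<name>[A-Za-z_][\w.]*)(?::\s*(?P<msg>.*))?$")

def parse_uncaught(log_text):
    """Return one dict per 'Uncaught exception' record: request fields plus exception chain."""
    records, current = [], None
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:
            current = {**head.groupdict(), "chain": []}
            records.append(current)
        elif not line.strip():
            continue  # blank lines separate chained tracebacks
        elif not line.startswith(" "):
            current = None  # an unindented line starts an unrelated log entry
        elif current is not None:
            exc = EXC.match(line)
            if exc:
                current["chain"].append(exc.group("name"))
    for rec in records:
        chain = rec["chain"]
        rec["root_cause"] = chain[0] if chain else None
        rec["raised"] = chain[-1] if chain else None
        # True when an access-control denial escaped the handler as an uncaught exception
        rec["unhandled_denial"] = any(
            n == "ldap.INSUFFICIENT_ACCESS" or n.endswith(".permissionDenied") for n in chain)
    return records
```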