Description Julia Bremer 2023-08-22 22:09:56 CEST

In a customer environment, a custom listener module went "rogue" and added the objectClass nextcloudGroup to many objects, including umc policies.

Due to this, the portal sometimes but not always couldn't find modules for the users to show. 
This is due to the uldap.py function getPolicies assuming that only a certain set of objectclasses are on each policy and that there is only one additional one that defines the kind of policy it is, e.g umcPolicy
If there are more than one, it chooses sometimes one objectclass as the defining key in the result, or the other one.
This is the guilty code from /usr/lib/python3/dist-packages/univention/uldap.py


626  	        try:
627  	            classes = set(pattrs['objectClass']) - {b'top', b'univentionPolicy', b'univentionObject'}
628  ->	            ptype = classes.pop().decode('utf-8')
629  	        except KeyError:
630  	            return

This can be reproduced by adding any objectClass to e.g cn=default-umc-all and then running 

from univention.admin.uldap import getMachineConnection, getAdminConnection
lo, pos = getMachineConnection(ldap_master=False)
lo.getPolicies("cn=Domain Admins,cn=groups," + lo.base, policies=[], attrs={}, result={}, fixedattrs={})


I am not sure if this can/should be fixed somehow, but at least something should be logged if is more than one objectClass in "classes", because this was pretty hard to debug.