Univention Bugzilla – Bug 57267
Mechanism to track CRUD operations in OpenLDAP with attribute level detail
Last modified: 2024-06-13 12:31:41 CEST
To be able to propagate IAM operations on the level of UDM object changes, we want to make use of slapd-sock as overlay module to collect the details of LDAP CRUD operations in as much detail as required to reconstruct UDM object state on a per-change granularity to provision other UCS components in a similar way to what listener modules do today.

https://www.openldap.org/software/man.cgi?query=slapd-sock

The resulting data should be consumable by an extended version of https://pypi.org/project/slapdsock/

So we need to
1. patch slapd-sock to support "sockresps extendedresult" which should return an LDIF of each change (similar to what slapo-auditlog does) including LDAP response controls
2. adjust the UCR template for slapd.conf to configure slapd-sock (aka back_sock)
3. adjust univention-python uldap.py to pass serverctrls also for delete and modrdn
4. adjust UDM-modules + UDM-REST-API to request object attributes via Pre+PostReadControl

The behavior shall be configurable with some kind of feature-flag (e.g. UCRVs) and not be activated by default in UCS 5.0-x.

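The following is an added example, not code from Univention or from the slapdsock project: a sketch of how a consumer could turn the pre-read and post-read snapshots requested in step 4 into an attribute-level change record. The function names, the record layout and the sample entries are assumptions; per RFC 4527 a pre-read snapshot does not exist for an add and a post-read snapshot does not exist for a delete, which is why the controls also have to be passed on delete and modrdn (step 3).

```python
# Added illustration (hypothetical helper names). Attribute values are bytes,
# in the form python-ldap returns them.

def _normalize(entry):
    """Lower-case attribute names (they are case-insensitive); values as sets."""
    return {a.lower(): set(v) for a, v in (entry or {}).items() if v}


def describe_change(pre_dn, pre_entry, post_dn, post_entry):
    """Return the operation type and per-attribute added/removed values.

    pre_entry is None for an add (no pre-read is possible),
    post_entry is None for a delete (no post-read is possible).
    """
    if pre_entry is None and post_entry is None:
        raise ValueError("need at least one snapshot")
    if pre_entry is None:
        op = "add"
    elif post_entry is None:
        op = "delete"
    elif pre_dn.lower() != post_dn.lower():  # simplification: no full DN normalization
        op = "modrdn"
    else:
        op = "modify"
    old, new = _normalize(pre_entry), _normalize(post_entry)
    changes = {}
    for attr in sorted(old.keys() | new.keys()):
        removed = sorted(old.get(attr, set()) - new.get(attr, set()))
        added = sorted(new.get(attr, set()) - old.get(attr, set()))
        if removed or added:
            changes[attr] = {"removed": removed, "added": added}
    return {"op": op, "old_dn": pre_dn, "new_dn": post_dn, "changes": changes}


# Constructed sample snapshots (not taken from a real directory).
DN = "uid=alice,cn=users,dc=example,dc=org"
PRE = {"uid": [b"alice"], "mail": [b"alice@old.example"],
       "memberOf": [b"cn=g1,dc=example,dc=org", b"cn=g2,dc=example,dc=org"]}
POST = {"uid": [b"alice"], "mail": [b"alice@new.example"],
        "memberOf": [b"cn=g2,dc=example,dc=org"]}

if __name__ == "__main__":
    print(describe_change(DN, PRE, DN, POST))   # modify
    print(describe_change(DN, PRE, None, None))  # delete
```
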
442ae085b | team-souvap issue#414: enhance back-sock as future alternative to translog
e7cf57478 | Assign bug

Package: openldap
Version: 2.4.47+dfsg-3+deb10u7A~5.0.7.202405171616
Branch: 5.0-0
Scope: errata5.0-7

Package cherry-picked via repo-ng into scope ucs5.0-8 and rebuilt:
a9dbb239c | patch merged by repo-ng

Package: openldap
Version: 2.4.47+dfsg-3+deb10u7A~5.0.0.202406061255
Branch: ucs_5.0-0-ucs5.0-8
Scope: ucs5.0-8

Merged feature branch into ucs repo branch 5.0-8:
0793620861 | Support configuring the LDAP overlay slapd-sock
c5e73ed80b | Make uldap delete pass serverctrls too
afa37c1c27 | Feature flag: prepostread
2c44c7facf | Advisories
4d67ce5000 | Adjust slapd version in pre-depends
2e189935ac | register UCRV for subfile
978cff3ea3 | Advisory update
69a84bbdc5 | Adjust slapd-sock path for better isolation in k8s
56d5eb8f8e | Merge errata advisory content into release changelog
10edcc1e46 | Fix general spelling issues in release changelog
be519756d7 | Remove obsolete entry from release changelog

Package: univention-python
Version: 13.0.7-3
Branch: 5.0-0
Scope: ucs5.0-8

Package: univention-ldap
Version: 16.0.16-2
Branch: 5.0-0
Scope: ucs5.0-8

Package: openldap
Version: 2.4.47+dfsg-3+deb10u7A~5.0.0.202406061255
Branch: ucs_5.0-0-ucs5.0-8
Scope: ucs5.0-8

not sure what happened here, but the version number is broken, should be ..5.0-8...

apt-get -s install univention-ldap-server
 univention-ldap-server : PreDepends: slapd (>= 2.4.47+dfsg-3+deb10u7A~5.0.7.202405171616) but 2.4.47+dfsg-3+deb10u7A~5.0.1.202205211909 is to be installed

apt-cache policy slapd
slapd:
  Installed: (none)
  Candidate: 2.4.47+dfsg-3+deb10u7A~5.0.1.202205211909
  Version table:
     2.4.47+dfsg-3+deb10u7A~5.0.1.202205211909 500
        500 file:/var/cache/univention-system-setup/packages ./ Packages
        500 http://updates-test.knut.univention.de ucs508/main amd64 Packages

we have 2.4.47+dfsg-3+deb10u7A~5.0.1.202205211909 from the previous releases and this version is higher than 2.4.47+dfsg-3+deb10u7A~5.0.0.202406061255

fixed by re-building the package with

build-package-ng -r 5.0-0 -s ucs5.0-8 openldap

Successful build
Package: openldap
Version: 2.4.47+dfsg-3+deb10u7A~5.0.8.202406071017
Branch: 5.0-0
Scope: ucs5.0-8
User: fbotner

cherry-picked, adjusted and built for 5.1-0 and 5.2-0:

ucs-patches:
b6f8dc9e5 | copy patch to 5.1-0 and 5.2-0

Package: openldap
Version: 2.4.57+dfsg-3+deb11u1A~5.1.0.202406101647
Branch: ucs_5.1-0

ucs 5.1-0:
506b410e51 | Support configuring the LDAP overlay slapd-sock
822938eb6f | Make uldap delete pass serverctrls too
039bca6b74 | Feature flag: prepostread
316073cda3 | Adjust slapd version in pre-depends
49e5c210a1 | register UCRV for subfile
9700873cd3 | Adjust slapd-sock path for better isolation in k8s

Package: univention-python
Version: 14.0.9
Branch: ucs_5.1-0

Package: univention-ldap
Version: 17.0.9
Branch: 5.1-0

ucs-patches:
b2dec1dd0 | Adjust patch to upstream version

Package: openldap
Version: 2.5.13+dfsg-5A~5.2.0.202406101745
Branch: ucs_5.2-0

ucs 5.2-0:
041c5d7c78 | Support configuring the LDAP overlay slapd-sock
aa2ca49711 | Make uldap delete pass serverctrls too
b416c3273e | Feature flag: prepostread
7677af83c2 | Adjust slapd version in pre-depends
12c7d07d3c | register UCRV for subfile
cd02d09ac3 | Adjust slapd-sock path for better isolation in k8s

Package: univention-python
Version: 15.0.4
Branch: ucs_5.2-0

Package: univention-ldap
Version: 18.0.10
Branch: ucs_5.2-0

UCS 5.0-8 has been released: https://docs.software-univention.de/release-notes/5.0-8/en/ If this error occurs again, please use the 'Clone This Bug' option.