Bug 37178
| Summary: | detection of users LDAP DN error prone | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Florian Best <best> |
| Component: | UMC (Generic) | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Dirk Wiesenthal <wiesenthal> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann, walkenhorst |
| Version: | UCS 4.0 | ||
| Target Milestone: | UCS 4.0-0-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Attachments: | python script to reproduce | ||
*** Bug 35280 has been marked as a duplicate of this bug. *** I found another reason: If the join failed (univention-check-join-status returns often "Error: ldapsearch -x failed " the DN is also not detected, using UDM fails then. * using the user "root" with assigned ACL's for the UDM module. *** Bug 35348 has been marked as a duplicate of this bug. *** Created attachment 6513 [details] python script to reproduce (In reply to Florian Best from comment #4) > *** Bug 35348 has been marked as a duplicate of this bug. *** Attached a python script which reproduces exactly the behavior. The filter has been adapted to uid=%(escaped_username)s. If the LDAP DN could not be found a ERROR log output is done now (if the user is not root or __systemsetup__). In Bug #31828 the specific handling for the UDM module was implemented. I reproduced a LDAP timeout → Exception is raised. So the server would have been crashed. I wanted to user univention.admin.handlers.users.user.lookup_filter() for this, but this would prevent machine accounts to login into UMC. I guess we need this for the ipchange module. And maybe some useful purposes in the future. Fix: svn r56578 YAML: 2014-12-04-univention-management-console.yaml Package: univention-management-console (7.1.63-4) Downgradeable to UCS 3.2-4: yes, preferred. Reproducible: umc-acls allow -u root 'udm/*' Login in UMC as root, try to use the UDM module. Compare the log output in /var/log/univention/management-console-server.log for Administrator login and root login and a user without posix. Works now. Fine error message is shown. |
Currently this source code is used to detect the LDAP dn of the current logged in user in UMC: > self.lo, self.po = udm_uldap.getMachineConnection(ldap_master=False) > ldap_dn = self.lo.searchDn('(&(uid=%s)(objectClass=posixAccount))' % self.__username) This can fail in various ways. 1.) users without posix option will never have a LDAP dn, resulting in many various errors in UDM 2.) using ldap_master=False will prevent to find some DN's 3.) what if a LDAP timeout internally happens? Would this raise a exception? Or just return an empty list?