Bug 38663

Summary:	requiredObjectClass not evaluated in getPolicies() python lib
Product:	UCS	Reporter:	Florian Best <best>
Component:	UMC - Policies	Assignee:	Florian Best <best>
Status:	CLOSED FIXED	QA Contact:	Philipp Hahn <hahn>
Severity:	normal
Priority:	P5	CC:	gohmann, klaeser, walkenhorst
Version:	UCS 4.0
Target Milestone:	UCS 4.0-2-errata
Hardware:	Other
OS:	Linux
What kind of report is it?:	---	What type of bug is this?:	---
Who will be affected by this bug?:	---	How will those affected feel about the bug?:	---
User Pain:		Enterprise Customer affected?:
School Customer affected?:		ISV affected?:
Waiting Support:		Flags outvoted (downgraded) after PO Review:
Ticket number:		Bug group (optional):
Max CVSS v3 score:
Bug Depends on:	36256
Bug Blocks:	38712

Description Florian Best

2015-06-08 15:52:37 CEST

The requiredObjectClass and prohibitedObjectClasses attributes of a policy aren't evaluated in the python implementation of the policy-result in uldap:access.getPolicies().

This is currently not used very widely. It resulted in errors when displaying the policy result in UMC and the following modules are using it:
* UMC-ACL evaluation
 → univention-management-console/src/univention/management/console/acl.py
* univention-python/modules/password.py
* univention-directory-reports/modules/univention/directory/reports/admin.py
* univention-printquota/univention-printquota-setuser
* univention-s4-connector/modules/univention/s4connector/s4/password.py

The C implementation of the policy-result also uses strcmp() to compare the object classes. This is wrong as object classes are case insensitive.

Comment 1 Florian Best

2015-06-08 15:56:40 CEST

(In reply to Florian Best from comment #0)
> The C implementation of the policy-result also uses strcmp() to compare the
> object classes. This is wrong as object classes are case insensitive.
This applies also to fixedAttributes and emptyAttributes.

Comment 2 Florian Best

2015-06-08 16:40:54 CEST

univention-policy (6.0.2-8):
r61121 | Bug #38663: case insensitive comparision

univention-python (8.0.3-5):
r61122 | Bug #38663: getPolicies: evaluate requiredObjectClass and prohibitedObjectClasses

Comment 3 Alexander Kläser

2015-06-09 11:00:00 CEST

Do we already have bugs for corresponding test cases? I think this would be very helpful for us.

Comment 4 Philipp Hahn

2015-06-16 16:53:01 CEST

(In reply to Alexander Kläser from comment #3)
> Do we already have bugs for corresponding test cases? I think this would be
> very helpful for us.

r61276 | Bug #38663 ucs-test: UDM CLI tests
 ucs-test/tests/59_udm/
  01_requiredObjectClasses
  02_prohibitedObjectClasses
  03_ldapFilter
  04_fixedAttributes
  05_emptyAttributes

Package: ucs-test
Version: 5.0.148-18.1062.201506161256
Branch: ucs_4.0-0
Scope: errata4.0-2

(In reply to Florian Best from comment #2)
> univention-policy (6.0.2-8):
> r61121 | Bug #38663: case insensitive comparision

OK

> univention-python (8.0.3-5):
> r61122 | Bug #38663: getPolicies: evaluate requiredObjectClass and
> prohibitedObjectClasses

FIXED → Bug #38712

OK: apt-get install python-univention
OK: 2015-06-05-univention-python.yaml
OK: errata-announce -V 2015-06-05-univention-python.yaml

TODO: UMC Policy is currently broken

Comment 5 Philipp Hahn

2015-06-18 14:27:54 CEST

(In reply to Philipp Hahn from comment #4)
> TODO: UMC Policy is currently broken

FIXED: r61344 → Bug #36256

Comment 6 Janek Walkenhorst

2015-07-03 14:09:43 CEST

<http://errata.univention.de/ucs/4.0/221.html>

Comment 7 Janek Walkenhorst

2015-07-03 14:10:55 CEST

<http://errata.univention.de/ucs/4.0/222.html>