Bug 40651

Summary: replace self.lo.search() with getAttr() or get (uldap) if the search is meant to return attributes for a specific object
Product: UCS Reporter: Felix Botner <botner>
Component: UDM (Generic)Assignee: Felix Botner <botner>
Status: CLOSED FIXED QA Contact: Florian Best <best>
Severity: normal    
Priority: P5 CC: best, gohmann, michelsmidt
Version: UCS 4.1   
Target Milestone: UCS 4.1-1-errata   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=40893
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:
Bug Depends on:    
Bug Blocks: 40652, 41518    
Attachments: udm.patch

Description Felix Botner univentionstaff 2016-02-12 16:40:39 CET 
Created attachment 7478 [details]
udm.patch

In setups with big databases and sldap size limits, creating a users fails:

udm users/user create ...
LDAP Error: Administrative limit exceeded


 uldap.search filter=(objectClass=*) base=cn=Domain Users,cn=groups,o=in8,o=orange scope=sub attr=['gidNumber'] unique=0 required=0 timeout=-1 sizelimit=0
12.02.16 15:49:51.490  ADMIN       ( ERROR   ) : Post-modify operation failed:   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 781, in _create
    self._ldap_post_create()

  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py", line 1887, in _ldap_post_create
    self.__primary_group()

  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py", line 1701, in __primary_group
    searchResult=self.lo.search(base=self['primaryGroup'], attr=['gidNumber'])

  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 355, in search
    raise univention.admin.uexceptions.ldapError, _err2str(msg)
12.02.16 15:50:42.808  ADMIN       ( ERROR   ) : Post-modify operation failed:   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 781, in _create
    self._ldap_post_create()

The problem is this:

 self.lo.search(base=self['primaryGroup'], attr=['sambaSID'])

This search uses the ldap filter filter=(objectClass=*). Seems that slapd applies the filter and than checks the limits (before filtering the search base).

The search works with a proper scope "scope=base" but we may better use uldap.get or uldap.getAttr instead.

Attached a patch that fixes this problem for "udm users/user create" (with scope=base). But there are much more of those searches in our udm handlers.
Comment 1 Felix Botner univentionstaff 2016-02-23 15:59:52 CET 
fixed, see Bug #40652

scope: ucs_4.1-0-errata4.1-1
src: univention-directory-manager-modules
fix: 11.0.2-16.1370.201602231548

lets wait for the ucs tests
Comment 2 Felix Botner univentionstaff 2016-02-25 13:25:50 CET 
fixed

scope: ucs_4.1-0-errata4.1-1
src: univention-directory-manager-modules
fix: 11.0.2-18.1373.201602251321
Comment 3 Florian Best univentionstaff 2016-02-29 13:32:55 CET 
OK: New search behavior: OK
Code-Review: OK
Error handling: OK
YAML: OK
Comment 4 Philipp Hahn univentionstaff 2016-03-18 15:04:54 CET 
<http://errata.software-univention.de/ucs/4.1/131.html>