Univention Bugzilla – Full Text Bug Listing

| Summary: | univention-adsearch misparses multi-attribute filters | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Nico Stöckigt <stoeckigt> |
| Component: | AD Connector | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Lukas Oyen <oyen> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, gohmann, grandjean, requate, stephan.hendl |
| Version: | UCS 4.1 | Flags: | best: Patch_Available+ |
| Target Milestone: | UCS 4.2-2-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | http://forge.univention.org/bugzilla/show_bug.cgi?id=43319, http://forge.univention.org/bugzilla/show_bug.cgi?id=43189 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
| Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
| User Pain: | 0.046 | Enterprise Customer affected?: | Yes |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2017080321000614 | Bug group (optional): | Workaround is available |
| Max CVSS v3 score: | | | |
| Attachments: | patch | | |
Description
Nico Stöckigt
2017-08-04 11:10:08 CEST
Workaround: write the following into line 201: `filter = filter_tmp`

```
# univention-adsearch "($(objectClass=computer)(!(userCertificate=*)))"
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 204, in <module>
    msgid = lo.search_ext(configRegistry['%s/ad/ldap/base' % CONFIGBASENAME],ldap.SCOPE_SUBTREE,filter.encode('utf8'),serverctrls=[lc1,lc2])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 548, in search_ext
    timeout,sizelimit,
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}
```

I guess this should be fixed in UCS 4.0 as well as 4.1.

Created attachment 9091 [details]
patch

Attached patch fixes this. The patch works for all filters like: ['objectSid=foo', '(&(objectType=computer)(objectsid=bar))', '(&(objectType=computer)(|(objectsid=bar)(objectSid=baz)))', 'foo=bar']

(In reply to Nico Stöckigt from comment #3)
> I guess this should be fixed in UCS 4.0 as well as 4.1.

No, UCS 4.0 is out of maintenance. New fixes which are not security relevant aren't fixed for UCS 4.1 anymore but only for UCS 4.2-1.
A workaround is available by applying the attached patch to affected systems.

(In reply to Florian Best from comment #5)
> Attached patch fixes this. The patch works for all filters like:
> ['objectSid=foo', '(&(objectType=computer)(objectsid=bar))',
> '(&(objectType=computer)(|(objectsid=bar)(objectSid=baz)))', 'foo=bar']
>
> (In reply to Nico Stöckigt from comment #3)
> > I guess this should be fixed in UCS 4.0 as well as 4.1.
> No, UCS 4.0 is out of maintenance. New fixes which are not security relevant
> aren't fixed for UCS 4.1 anymore but only for UCS 4.2-1.
> A workaround is available by applying the attached patch to affected systems.

I made a version typo, of course I meant it should be fixed in 4.2 and probably also in 4.1-4.

btw. also negative filters are possible: "(&(objectType=computer)(!(badPasswordTime=0)))"

univention-ad-connector (11.0.6-21):
r81929 | Bug #45134: use ucr.is_true()
r81928 | Bug #45134: fix search filter in univention-adsearch

univention-ad-connector.yaml:
r81931 | YAML Bug #45134

(In reply to Florian Best from comment #7)
> r81928 | Bug #45134: fix search filter in univention-adsearch

ok: univention-adsearch "(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)"
ok: univention-adsearch "(&(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)(!(lastLogoff=0)))"
fail[1]: univention-adsearch "(objectsid=*)"
fail[2]: univention-adsearch "(objectsid=S-1-5-21*)"
fail[3]: univention-adsearch "(objectsid=\))"

[1]: This is translated into `(objectSid=\01\05\00\00\00\00\00\05)`. The old behaviour produced several results.
[2]: This should work, but fails with an error in `encode_object_sid_to_binary_ldapfilter()`.
[3]: While not meaningful, I think this would break the regex. This results in a `ldap.FILTER_ERROR: {'desc': 'Bad search filter'}`, while the old behaviour was no results.

Minor nitpick: I think the `objectsid_pattern.sub(..)` is rather unreadable. But I guess it is ok.

(In reply to Lukas Oyen from comment #8)
> fail[1]: univention-adsearch "(objectsid=*)"
> [1]: This is translated into `(objectSid=\01\05\00\00\00\00\00\05)`. The old
> behaviour produced several results.

No, the old behavior didn't produce any results. It encoded it wrong, too. I preserve this filter now.

> fail[2]: univention-adsearch "(objectsid=S-1-5-21*)"
> [2]: This should work, but fails with an error in
> `encode_object_sid_to_binary_ldapfilter()`.

The exception was the same before. Why should this work? I think there is no substring match rule for objectSid. I don't call encode_object_sid_to_binary_ldapfilter() anymore if the string contains a '*'.

> fail[3]: univention-adsearch "(objectsid=\))"
> [3]: While not meaningful, I think this would break the regex. This results
> in a `ldap.FILTER_ERROR: {'desc': 'Bad search filter'}`, while the old
> behaviour was no results.

OK, using a positive lookbehind for this now.

> Minor nitpick: I think the `objectsid_pattern.sub(..)` is rather unreadable. But I guess it is ok.

I made it more readable. I added a doctest string which ensures that the values/filter are correct.

univention-ad-connector (11.0.6-24):
r82406 | Bug #45134: fix search filter replacing in univention-adsearch

(In reply to Florian Best from comment #9)
> > fail[2]: univention-adsearch "(objectsid=S-1-5-21*)"
> Why should this work? I think there is no substring match rule for objectSid.

Right, let me rephrase that: There should not be a crude Python error.

ok: univention-adsearch "(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)"
ok: univention-adsearch "(&(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)(!(lastLogoff=0)))"
ok: univention-adsearch "(objectsid=*)"
ok: univention-adsearch "(objectsid=S-1-5-21*)"
ok: univention-adsearch "(objectsid=\))"

Changelog/YAML: Ok.