Univention Bugzilla – Full Text Bug Listing |
Summary: | (accidental) schema removal/upgrade may break (arbitrary) LDAP search - broken validation using slapschema | ||
---|---|---|---|
Product: | UCS | Reporter: | Philipp Hahn <hahn> |
Component: | LDAP | Assignee: | Jürn Brodersen <brodersen> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | normal | ||
Priority: | P3 | CC: | brodersen, damrose, gohmann, scheinig |
Version: | UCS 4.1 | ||
Target Milestone: | UCS 4.3-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=22112 https://forge.univention.org/bugzilla/show_bug.cgi?id=53455 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
User Pain: | 0.143 | Enterprise Customer affected?: | Yes |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2017102021000177 | Bug group (optional): | |
Max CVSS v3 score: | ||
Description
Philipp Hahn
2017-10-20 14:52:40 CEST
PS: I remember a related problem, where a customer disabled an OpenLDAP overlay module (memberof?), which provides an internal LDAP schema extension *when* enabled. After disabling the module, its LDAP attributes were still stored inside the MDB. Even after (temporarily) defining a custom schema extension re-using the same OID, deleting all references to that attribute, and removing the schema extension again, the MDB still contained a reference to the former attribute. Only after doing a full "slapcat | slapadd" dump/restore cycle was the attribute completely purged from the MDB file. OpenLDAP.org even states somewhere that "attribute removal" is not supported. So we should probably just prohibit schema removal.

If I understand the slapschema code correctly, the return code is the result from the last checked LDAP object? (Which might have no schema problem.) ldap_extension.py now checks the stdout as well.

Code review: OK
ucs-test: OK
Manual tests: OK
YAML: OK (fixed a typo: 36a2a720)
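The validation problem described in the comments above, as an added example written for this page (it is not UCS's ldap_extension.py nor OpenLDAP code): instead of trusting slapschema's exit status, which the report says can reflect only the last entry examined, the wrapper treats every entry slapschema reports on stdout as a failure. The `# Entry (<id>): "<dn>"` header line is assumed from the slapschema source; the wording of the lines that follow it varies between releases, so only that prefix is relied on. The `-F`/`-b` options are slapschema's own; the sample output and the attribute name in it are constructed, not captured from a real system.

```python
"""Added example: validate an LDAP schema change with slapschema without
trusting its exit status alone. Illustrative code for this bug report, not
the UCS fix."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# slapschema writes one block per entry that fails its schema check to its
# output (stdout unless -l is given). ASSUMPTION: the block starts with
#   # Entry (<id>): "<dn>"
# (prefix taken from slapschema.c); the detail lines after it differ between
# OpenLDAP releases, so the parser only keys on the header and keeps any
# following non-empty lines as free text.
ENTRY_RE = re.compile(r'^# Entry \((\d+)\): "(.*)"\s*$')


@dataclass
class Violation:
    entry_id: int
    dn: str
    details: List[str] = field(default_factory=list)


def parse_slapschema_output(text: str) -> List[Violation]:
    """Collect every entry slapschema complained about, in report order."""
    violations: List[Violation] = []
    current: Optional[Violation] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = Violation(int(m.group(1)), m.group(2))
            violations.append(current)
        elif current is not None and line.strip():
            # detail line belonging to the most recent entry header
            current.details.append(line.lstrip("# ").rstrip())
    return violations


def schema_is_consistent(returncode: int, stdout: str) -> bool:
    """A zero exit status is necessary but not sufficient: per the report it
    may only describe the last entry checked, so any reported entry on stdout
    also counts as a failure."""
    if returncode != 0:
        return False
    return not parse_slapschema_output(stdout)


def run_slapschema(config_dir: str = "/etc/ldap/slapd.d",
                   suffix: Optional[str] = None) -> Tuple[bool, List[Violation]]:
    """Run slapschema against the local database (needs read access to the
    config directory and the DB; normally run as root). stderr is not part
    of the verdict here because slapd backends may emit warnings on it;
    surface it to the operator separately if non-empty."""
    cmd = ["slapschema", "-F", config_dir]
    if suffix:
        cmd += ["-b", suffix]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.stderr.strip():
        print("slapschema stderr:", proc.stderr.strip())
    return (schema_is_consistent(proc.returncode, proc.stdout),
            parse_slapschema_output(proc.stdout))


# Constructed sample (not captured from a real system): one entry still carries
# an attribute whose schema definition was removed. If the tool's status came
# from a later, clean entry, a status-only check would accept this directory.
SAMPLE_OUTPUT = """\
# Entry (12): "uid=alice,cn=users,dc=example,dc=com"
# attribute 'univentionExampleRemoved' not allowed
"""


def demo() -> bool:
    """True when the sample is (correctly) rejected despite exit status 0."""
    consistent = schema_is_consistent(0, SAMPLE_OUTPUT)
    for v in parse_slapschema_output(SAMPLE_OUTPUT):
        print(f"entry {v.entry_id} {v.dn}: {'; '.join(v.details)}")
    return not consistent


if __name__ == "__main__":
    print("rejected" if demo() else "accepted")
```

Run it before committing a schema removal (or, following the first paragraph, refuse the removal outright); a directory that fails this check after a removal is the case where only a `slapcat | slapadd` cycle purged the stale attribute.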