Bug 48533

Summary: LDAP registered ACL files are not removed during univention-join/resync of listener module
Product: UCS Reporter: Sönke Schwardt-Krummrich <schwardt>
Component: LDAPAssignee: UCS maintainers <ucs-maintainers>
Status: NEW --- QA Contact: UCS maintainers <ucs-maintainers>
Severity: normal    
Priority: P5    
Version: UCS 4.4   
Target Milestone: ---   
Hardware: Other   
OS: Linux   
What kind of report is it?: Bug Report What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086 Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score:

Description Sönke Schwardt-Krummrich univentionstaff 2019-01-25 12:19:54 CET 
When analysing bug 48530 I noticed that the listener module ldap_extension.py does not remove existing LDAP ACL files previously written to disk if a resync of the listener module has been triggered (e.g. during a rejoin).

If LDAP ACLs are removed from the LDAP while the listener of the DC Backup/DC Slave is not replicating and a rejoin is performed, the old ACLs remain active.

This could lead to failed.ldifs, information disclosure and other bizarre problems.