Bug 48990

Summary: 4.3: Could not get groups for u'Administrator': ldapError: Insufficient access
Product: UCS
Reporter: Florian Best <best>
Component: Portal
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Dirk Wiesenthal <wiesenthal>
Severity: normal
Priority: P5
CC: scheinig, wiesenthal
Version: UCS 4.3
Flags: best: Patch_Available+
Target Milestone: UCS 4.3-3-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=49011
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019030521000572, 2019031321000959, 2019032021000258
Bug group (optional): Error handling, External feedback, Workaround is available
Max CVSS v3 score:
Bug Depends on: 48943
Bug Blocks:

Description Florian Best univentionstaff 2019-03-14 12:34:22 CET
Bug for UCS 4.3:

+++ This bug was initially created as a clone of Bug #48943 +++

In a school environment the following traceback happens when accessing the portal:

08.03.19 13:10:07.792 MAIN ( ERROR ) : Could not get groups for u'Administrator': Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-web-server", line 380, in get_user_groups
    user_dn = lo.searchDn(ldap.filter.filter_format('(&(uid=%s)(objectClass=person))', (self.username,)))[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 750, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Afaik this happens on a DC Master. Memberoverlay is activated.
Is something wrong with the LDAP ACLs for DCs in UCS@school?
Comment 1 Florian Best univentionstaff 2019-03-20 09:35:34 CET
See also Bug #49011 for an adjustment of server-password-change so that it does a UMC reload (which would then be able to re-establish the LDAP connection with the new credentials).
But I think this is not necessary if we change from univention.admin.uldap to univention.management.console.ldap.
Comment 2 Christina Scheinig univentionstaff 2019-03-28 19:32:25 CET
Two of the customers have already asked for the fix.
Comment 3 Florian Best univentionstaff 2019-03-29 08:13:40 CET
I created an untested patch in fbest/48990-fix-reloading-machine-connection:
https://github.com/univention/univention-corporate-server/commit/7047dd45f697e21702cc90d09a33043243af9bb8
Comment 4 Florian Best univentionstaff 2019-04-02 08:29:06 CEST
Ok, the patch works.
It uses univention.management.console.ldap with write=False to connect to the local LDAP server.

I applied the patch with one additional change: The LDAP credential cache is now also reset on a "service univention-management-console-web-server reload".

univention-management-console (10.0.6-21)
1aa4a2b45f5b | Bug #48990: Merge branch 'fbest/48990-fix-reloading-machine-connection' into 4.3-3

univention-management-console.yaml
1aa4a2b45f5b | Bug #48990: Merge branch 'fbest/48990-fix-reloading-machine-connection' into 4.3-3
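The failure mode behind this bug (a cached machine-credential LDAP connection that keeps the old password after server-password-change and then fails with "Insufficient access") and the fix of dropping the cache on reload, as an added Python illustration that is not Univention's code: the directory, the secret file and the cache class are constructed stand-ins, not univention.management.console.ldap or the UMC web server.

```python
import signal
import tempfile


class InsufficientAccess(Exception):
    """Stands in for the ldapError('Insufficient access') from the traceback above."""


class FakeDirectory:
    """Constructed stand-in for the local LDAP server; it accepts only the current machine password."""

    def __init__(self, password):
        self.password = password

    def search_dn(self, password, ldap_filter):
        # A bind with the rotated (old) password no longer grants read access.
        if password != self.password:
            raise InsufficientAccess("Insufficient access")
        return ["uid=Administrator,cn=users,dc=example,dc=org"]  # constructed DN


class MachineConnectionCache:
    """Caches the credential read from the machine secret file, like the web server's cached connection."""

    def __init__(self, secret_path, directory):
        self.secret_path = secret_path
        self.directory = directory
        self._password = None  # cached credential; it survives a rotation of secret_path

    def reset(self, *_signal_args):
        # Reload hook (SIGHUP): drop the cached credential so the next call re-reads the file.
        self._password = None

    def search_dn(self, ldap_filter):
        if self._password is None:
            with open(self.secret_path) as fh:
                self._password = fh.read().strip()
        return self.directory.search_dn(self._password, ldap_filter)


def install_reload_handler(cache):
    signal.signal(signal.SIGHUP, cache.reset)  # "service ... reload" delivers SIGHUP


def simulate_password_rotation():
    """Returns (stale_error_seen, recovered_after_reset) for one rotation of the machine secret."""
    with tempfile.NamedTemporaryFile("w", suffix=".secret", delete=False) as fh:
        fh.write("old-secret\n")
    directory = FakeDirectory("old-secret")
    cache = MachineConnectionCache(fh.name, directory)
    ldap_filter = "(&(uid=Administrator)(objectClass=person))"
    cache.search_dn(ldap_filter)  # warm the cache with the old credential
    with open(fh.name, "w") as out:  # server-password-change rotates the secret
        out.write("new-secret\n")
    directory.password = "new-secret"
    try:
        cache.search_dn(ldap_filter)
        stale_error = False
    except InsufficientAccess:
        stale_error = True  # the bug: cached old password, "Insufficient access"
    cache.reset()  # what the reload now triggers
    return stale_error, cache.search_dn(ldap_filter) != []
```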
Comment 5 Dirk Wiesenthal univentionstaff 2019-04-09 15:58:49 CEST
OK, works as expected.
Comment 6 Erik Damrose univentionstaff 2019-04-10 14:35:29 CEST
<http://errata.software-univention.de/ucs/4.3/475.html>