Univention Bugzilla – Bug 34420
Univention-directory-logger: undetectable base64 encoding
Last modified: 2016-10-26 17:09:00 CEST
base64 encoded attributes should be prefixed by "::" as in LDIF:

$ cat /var/log/univention/directory-logger.log
> DN: uid=z5kibcöa,cn=users,dc=phahn,dc=dev
...
> New values:
> uid: ejVraWJjw7Zh

$ base64 -d <<<ejVraWJjw7Zh
z5kibcöa
Ticket#2015061821000522

Reported again by customer and this is still the case for UCS 4. We should fix this as customers may use the logged LDIFs to restore LDAP objects that were mistakenly deleted. Without the "::" prefix the base64 encoded attributes will be written to LDAP as strings and that may (will) lead to encoding problems down the road.
Created attachment 8006 [details] Suggested patch for /usr/lib/univention-directory-listener/system/directory_logger.py to add the prefix
(In reply to Julius Hinrichs from comment #2)
> Created attachment 8006 [details]
> Suggested patch for
> /usr/lib/univention-directory-listener/system/directory_logger.py to add the
> prefix

The patch would write "foo::: bar" into the LDIF.
By the way: There are libs in Python to create LDIFs. Maybe that's better because they automatically handle this? (Not sure, I don't know the context of the listener).
(In reply to Florian Best from comment #3)
> (In reply to Julius Hinrichs from comment #2)
> > Created attachment 8006 [details]
> > Suggested patch for
> > /usr/lib/univention-directory-listener/system/directory_logger.py to add the
> > prefix
>
> The patch would write "foo::: bar" into the LDIF.

The patch would write "::foo: bar" instead of "foo:: bar".
Created attachment 8008 [details]
Updated patch for /usr/lib/univention-directory-listener/system/directory_logger.py

This should return the correct notation.
Your change calculates base64Filter(value) twice, I guess that can be coded more efficiently.
Created attachment 8044 [details]
Alternative solution

In this version the base64value is calculated only once.
Comment on attachment 8044 [details]
Alternative solution

If performance matters:

    def ldapEntry2string(entry):
        # base64Filter() runs once per value; '::' marks a value it changed
        return ''.join(
            '%s%s %s\n' % (key, ':' if base64value == value else '::', base64value)
            for key, valuelist in entry.iteritems()
            for value, base64value in ((value, base64Filter(value)) for value in valuelist)
        )
Created attachment 8089 [details]
base64 encoding

base64 detection is incomplete as well - stolen from python-ldap
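The two points raised in this thread, the "::" marker and complete detection of values that need base64, shown together as an added example (not the attached patch and not the project's code). It is written for Python 3, uses hypothetical function names, and takes the detection rule from the SAFE-STRING grammar in RFC 2849.

```python
import base64
import re

# RFC 2849 SAFE-STRING violations: unsafe first byte (NUL, LF, CR, space,
# ':' or '<'), any NUL/LF/CR or byte > 127 anywhere, or a trailing space.
UNSAFE = re.compile(rb'^[\x00\n\r :<]|[\x00\n\r\x80-\xff]|[ ]$')


def needs_base64(value: bytes) -> bool:
    return UNSAFE.search(value) is not None


def ldif_line(attr: str, value: bytes) -> str:
    """Render one attribute line: 'attr: v' if safe, else 'attr:: b64'."""
    if needs_base64(value):
        return '%s:: %s' % (attr, base64.b64encode(value).decode('ascii'))
    return '%s: %s' % (attr, value.decode('ascii'))


def parse_ldif_line(line: str):
    """Inverse of ldif_line(); what a restore from the log does per line."""
    attr, sep, rest = line.partition(':')
    if not sep:
        raise ValueError('not an attribute line: %r' % line)
    if rest.startswith(':'):  # '::' means the value is base64
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    return attr, rest.lstrip(' ').encode('utf-8')


def roundtrip(attr: str, value: bytes) -> bool:
    return parse_ldif_line(ldif_line(attr, value)) == (attr, value)


if __name__ == '__main__':
    uid = 'z5kibcöa'.encode('utf-8')  # value from the bug report
    print(ldif_line('uid', uid))
    # The line as logged before the fix (single colon) restores as the
    # literal base64 text, not the original uid:
    print(parse_ldif_line('uid: ejVraWJjw7Zh'))
    # Constructed edge cases that a "non-ASCII only" check would miss:
    for sample in (b'plain', b' leading', b'trailing ', b':colon', b'a\nb'):
        print(repr(sample), needs_base64(sample), roundtrip('x', sample))
```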
r73116 | Bug #34420 log: Fix base64 encoding

Package: univention-directory-logger
Version: 7.0.1-2.39.201610131121
Branch: ucs_4.1-0
Scope: errata4.1-3

r73131 | Bug #34420 log: Fix base64 encoding
r73141 | Bug #25404,Bug #34916,Bug #34420,Bug #42665: univention-directory-logger YAML

univention-directory-logger.yaml
Created attachment 8117 [details] 34420.diff b0275d1 Bug #34420 log: Fix base64 encoding
OK - base64 encoding
OK - ldif: '::' for base64 encoded attributes
OK - yaml
OK - merged to 4.2
<http://errata.software-univention.de/ucs/4.1/317.html>