Univention Bugzilla – Bug 36255
LDAP filter for policies
Last modified: 2015-07-03 14:10:51 CEST
It should be possible to specify an LDAP filter for policies that restricts the scope of the policy to objects that match the given LDAP filter. E.g. a policy that matches all domaincontroller slaves with Samba 4 would be achieved by setting the LDAP filter "(&(univentionService=Samba 4)(univentionServerRole=slave))".

Required steps:
- new LDAP attribute at policy objects for a free text LDAP filter
- patch for univention-policy-result to evaluate the LDAP filter (note: maybe easy to implement by merging the LDAP filter with the "required objectclass" code)
- new widget at policy objects for the free text LDAP filter (UMC in tab "Advanced settings" → group "Object")
- new UDM_Syntax for LDAP-Filter (syntax.py) (only simple syntax check, no additional tests; if one wants to break it he/she should be able to do so ;-)
Move to UCS 4.0-2-errata. Once it has been fixed for UCS 4, we should check a backport to UCS 3.2.
Created attachment 6931 [details]
patch

Got a working patch.

(In reply to Sönke Schwardt-Krummrich from comment #0)
> Required steps:
> - new LDAP attribute at policy objects for a free text LDAP filter
Added, I named it "ldapFilter" → OK?

> - patch for univention-policy-result to evaluate the LDAP filter
> (note: maybe easy to implement by merging the LDAP filter with the
> "required objectclass" code)
Hmm, afaics it is not that easy, as it seems a new search is required to evaluate the search filter. I could merge the (objectClass=...) and (!(objectClass=...)) parts into the search filter.

> - new widget at policy objects for the free text LDAP filter (UMC in tab
> "Advanced settings" → group "Object")
Yes, just using "TextBox" I would suggest?!

> - new UDM_Syntax for LDAP-Filter (syntax.py)
> (only simple syntax check, no additional tests; if one wants to break it
> he/she should be able to do so ;-)
Hmm... It wouldn't be nice if the filter contains a null-byte. Can we prevent this via the schema?
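As an added illustration of the two points discussed above (a policy's free-text ldapFilter deciding which objects the policy applies to, and the null-byte concern for the syntax check), here is a small Python evaluator for the RFC 4515 filter subset &, |, !, equality and presence. It is example code written for this page, not the univention-policy or UDM implementation; objects are modelled as plain dicts and the sample values are constructed.

```python
"""Added example (not Univention code): evaluate a policy's free-text ldapFilter
against an object, RFC 4515 subset (&, |, !, equality, presence); obj = {attr: [values]}."""
import re

PRINTABLE = re.compile(r'^[\x20-\x7e]+$')  # rejects NUL and other control bytes

def parse(flt):
    """Parse a filter string into a nested tuple tree; ValueError on bad input."""
    if not PRINTABLE.match(flt):  # the null-byte concern raised in the thread
        raise ValueError('filter contains non-printable bytes')
    node, rest = _parse(flt)
    if rest:
        raise ValueError('trailing data after filter: %r' % rest)
    return node

def _parse(s):
    if not s.startswith('('):
        raise ValueError('expected "(" before %r' % s[:10])
    s = s[1:]
    if s[:1] in ('&', '|', '!'):  # list operators; '!' takes exactly one child
        op, s, kids = s[0], s[1:], []
        while s.startswith('('):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(')') or not kids or (op == '!' and len(kids) != 1):
            raise ValueError('malformed %r list' % op)
        return (op, kids), s[1:]
    end = s.find(')')
    if end < 0 or '=' not in s[:end]:  # e.g. a truncated '(objectClass='
        raise ValueError('bad simple item: %r' % s[:end])
    attr, value = s[:end].split('=', 1)
    return ('=', attr, value), s[end + 1:]

def matches(node, obj):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    if node[0] in ('&', '|'):
        return (all if node[0] == '&' else any)(matches(k, obj) for k in node[1])
    if node[0] == '!':
        return not matches(node[1][0], obj)
    attr, want = node[1].lower(), node[2].lower()
    have = [v.lower() for k, vs in obj.items() if k.lower() == attr for v in vs]
    return bool(have) if want == '*' else want in have

def policy_applies(ldap_filter, obj):
    """An empty ldapFilter keeps the old behaviour: the policy is unrestricted."""
    return not ldap_filter or matches(parse(ldap_filter), obj)

# Constructed sample: the filter from the bug report against a Samba 4 slave
POLICY_FILTER = '(&(univentionService=Samba 4)(univentionServerRole=slave))'
SAMBA_SLAVE = {'univentionService': ['Samba 4', 'LDAP'], 'univentionServerRole': ['slave']}
```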
Is it OK to add a dependency on univention-ldap-config in libunivention-policy0?

Before I commit every policy handler module now, are the following strings OK?

short_description=_('LDAP filter')
long_description=_('A LDAP search filter string which defines the objects this policy is applied to.')
(In reply to Florian Best from comment #3)
> Is it OK to add a dependency on univention-ldap-config in
> libunivention-policy0 ?
I think you have to check for dependency loops. Why do you need it?

> Before I commit every policy handler module now, are the following strings
> OK?
>
> short_description=_('LDAP filter')
> long_description=_('A LDAP search filter string which defines the objects
> this policy is applied to.')
An alternative long description: "This policy applies only to objects which matches this LDAP filter."
(In reply to Stefan Gohmann from comment #4)
> (In reply to Florian Best from comment #3)
> > Is it OK to add a dependency on univention-ldap-config in
> > libunivention-policy0 ?
>
> I think you have to check for dependency loops. Why do you need it?
Because the policy schema must contain the "ldapFilter" attribute, otherwise the C functions will segfault when trying to access that attribute.

> "This policy applies only to objects which matches this LDAP filter."
Yes, thank you.
(In reply to Florian Best from comment #5)
> (In reply to Stefan Gohmann from comment #4)
> > (In reply to Florian Best from comment #3)
> > > Is it OK to add a dependency on univention-ldap-config in
> > > libunivention-policy0 ?
> >
> > I think you have to check for dependency loops. Why do you need it?
> Because the policy schema must contain the "ldapFilter" attribute otherwise
> the C functions will segfault when trying to access that attribute.
Hmm, I cannot reproduce the segfault (development version?!), so I reverted the dependency in svn r61121.
univention-ldap (11.0.12-7):
r61079 | Bug #36255: add attribute ldapFilter to policy schema

univention-policy (6.0.2-8):
r61081 | Bug #36255: fix version in debian/changelog
r61080 | Bug #36255: evaluate attribute "ldapFilter" of policies

univention-directory-manager-modules (10.0.29-51):
r61125 | Bug #36255: add ldapFilter property to all policy handlers

univention-python (8.0.3-5):
r61085 | Bug #36255: getPolicies: evaluate ldapFilter
Do we already have bugs for corresponding test cases? I think this would be very helpful for us.
(In reply to Florian Best from comment #7)
> univention-ldap (11.0.12-7):
> r61079 | Bug #36255: add attribute ldapFilter to policy schema
OK

> univention-policy (6.0.2-8):
> r61081 | Bug #36255: fix version in debian/changelog
> r61080 | Bug #36255: evaluate attribute "ldapFilter" of policies
OK

> univention-directory-manager-modules (10.0.29-51):
> r61125 | Bug #36255: add ldapFilter property to all policy handlers
OK?

> univention-python (8.0.3-5):
> r61085 | Bug #36255: getPolicies: evaluate ldapFilter
FIXED → Bug #38712

TODO: UMC Policy is currently broken

(In reply to Alexander Kläser from comment #8)
> Do we already have bugs for corresponding test cases? I think this would be
> very helpful for us.
r61276 | Bug #38663 ucs-test: UDM CLI tests
ucs-test/tests/59_udm/
  01_requiredObjectClasses
  02_prohibitedObjectClasses
  03_ldapFilter
  04_fixedAttributes
  05_emptyAttributes

Package: ucs-test
Version: 5.0.148-18.1062.201506161256
Branch: ucs_4.0-0
Scope: errata4.0-2
(In reply to Philipp Hahn from comment #9)
> (In reply to Florian Best from comment #7)
> > univention-directory-manager-modules (10.0.29-51):
> > r61125 | Bug #36255: add ldapFilter property to all policy handlers
> OK?
OK: grep -L '\<ldapFilter\>' handlers/policies/*.py
FYI: handlers/legacy/policies/*.py were NOT modified.

> TODO: UMC Policy is currently broken
FIXED: r61344 → Bug #36256

OK: udm policies/dhcp_routing create --set name=test --set ldapFilter='(objectClass='

REOPEN: Missing ListToString for multivalue=False attribute; fix at end:

patch --dry-run /usr/share/pyshared/univention/admincli/admin.py <<__DIFF__
0a1
> #!/usr/bin/python2.7
1142a1144
> print value
1260a1263,1267
>
>
> if __name__ == '__main__':
> import sys
> print '\n'.join(doit(sys.argv))
__DIFF__
chmod +x /usr/share/pyshared/univention/admincli/admin.py
/usr/share/pyshared/univention/admincli/admin.py udm policies/dhcp_routing create --set name=broken --set ldapFilter='(objectClass=*)'
/usr/share/pyshared/univention/admincli/admin.py policies/dhcp_routing list
#
#
# default-settings
# default-settings
# ['(objectClass=*)']
# ['(objectClass=*)']
# Traceback (most recent call last):
#   File "/usr/share/pyshared/univention/admincli/admin.py", line 1269, in <module>
#     print '\n'.join(doit(sys.argv))
#   File "/usr/share/pyshared/univention/admincli/admin.py", line 394, in doit
#     out=_doit(arglist)
#   File "/usr/share/pyshared/univention/admincli/admin.py", line 1148, in _doit
#     out.append(' %s: %s' % (_2utf8(key), _2utf8(s2)))
#   File "/usr/share/pyshared/univention/admincli/admin.py", line 250, in _2utf8
#     return text.decode( 'iso-8859-1' )
# AttributeError: 'list' object has no attribute 'decode'

sed -i -e '/mapping.register(.ldapFilter/s/)/, None, univention.admin.mapping.ListToString)' /usr/share/pyshared/univention/admin/handlers/policies/*.py
* The legacy-policy modules have been adapted, too.
* The listToString mapping is applied for all ldapFilter properties.
* The complete code for policy {mapping,layout,properties} has been moved into one base python module (this allows in future to easily adapt the helpstrings for fixed/emptyAttributes without changing every file).

Fix: svn r61372
(In reply to Florian Best from comment #11)
> * The legacy-policy modules have been adapted, too.
OK:
# dpkg-query -W python-univention-directory-manager-legacy-ucd-tcs
10.0.29-53.1317.201506182015
# udm modules | grep policies/ | grep -cv /policy
27
# udm modules | grep policies/ | xargs -n1 udm | grep -c "ldapFilter"
27
...

> * The listToString mapping is applied for all ldapFilter properties
OK: udm policies/dhcp_routing list

> * The complete code for policy {mapping,layout,properties} has been moved
> into one base python module (this allows in future to easily adapt the
> helpstrings for fixed/emptyAttributes without changing every file).
OK

> Fix: svn r61372
OK

FIXED: 2015-05-28-univention-directory-manager-modules.yaml → r61377
The new python file causes problems during dist-upgrade.
(In reply to Florian Best from comment #13)
> The new python file causes problems during dist-upgrade.
Fixed in 10.0.29-55.1319.201506241654. It works when one sets the symlink in the preinst. (svn r61458, 61460)
OK: r61458 r61460

FAIL: <http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-2/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/50/testReport/01_base/99check_log_files/test/>
>[2015-06-29 18:17:39.173062]Errors found in '/var/log/univention/listener.log':
>[2015-06-29 18:17:39.173094]
>[2015-06-29 18:17:39.173148] E: listener.log:10, 29.06.15 17:58:14.191 ADMIN ( ERROR ) : admin.modules.update: attribute "module" is missing in module 'univention.admin.handlers.policies.base'
>[2015-06-29 18:17:39.173206] E: listener.log:36, 29.06.15 17:58:37.606 ADMIN ( ERROR ) : admin.modules.update: attribute "module" is missing in module 'univention.admin.handlers.policies.base'
>[2015-06-29 18:17:39.173259] E: listener.log:53, 29.06.15 17:58:37.660 ADMIN ( ERROR ) : admin.modules.update: attribute "module" is missing in module 'univention.admin.handlers.policies.base'

Perhaps move the file "base.py" outside the directory "handlers/" (as who-knows-what walks those directories), or update the method "update()" to skip it?
(In reply to Philipp Hahn from comment #15)
> Perhaps move the file "base.py" outside the directory "handlers/" (as
> who-knows-what walks those directories), or update the method "update()" to
> skip it?
Moved outside into univention.admin.policy.
OK: r61599 r61602 r61603 r61604
OK: python -c 'import univention.debug as ud;ud.init("/dev/stderr",1,1);from univention.admin.modules import update;update()'
OK: udm modules
OK: udm policies/dhcp_routing
OK: ucs-test -E dangerous -s udm
OK: 2015-05-28-univention-directory-manager-modules.yaml
OK: errata-announce -V 2015-05-28-univention-directory-manager-modules.yaml
I've merged the 2015-06-05-univention-ldap.yaml file into the existing YAML file 2015-05-19-univention-ldap.yaml.
<http://errata.univention.de/ucs/4.0/216.html>
<http://errata.univention.de/ucs/4.0/221.html>
<http://errata.univention.de/ucs/4.0/217.html>
<http://errata.univention.de/ucs/4.0/222.html>