Comment 1 Florian Best 2015-12-01 18:22:09 CET

Having such an object in the LDAP (e.g. because that name was synched from AD to LDAP) causes also that the self-service cannot be used anymore:

Execution of command 'passwordreset/get_reset_methods' has failed: Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 283, in execute function(self, request) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 120, in _decorated return func(self, *args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 190, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 347, in get_reset_methods blacklisted = self.is_blacklisted(username) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 460, in is_blacklisted groups_dns.extend(self.get_nested_groups(group_dn)) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 496, in get_nested_groups group = self.get_udm_group(groupdn) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 562, in get_udm_group group = self.groupmod.lookup(self.config, self.lo, filter_s=gidf, base=base)[0] File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1100, in lookup for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit): File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 359, in search raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter)) ldapError: Bad search filter: (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=Foo-Gruppe (BAR)))

Comment 2 Florian Best 2015-12-01 18:29:34 CET

Oh no, this is a bug in the self service module itself.

Comment 3 Florian Best 2015-12-02 15:58:22 CET

Created attachment 7342 [details]
patch

The functions univention.admin.parentDn and univention.admin.explodeDn should also use the official functions from the ldap library.

Comment 5 Florian Best 2015-12-08 11:02:21 CET

Reported again, 4.0-4 errata363 (Walle)

Remark:
Hallo, Aufgrund diesen Fehler kann ich die Gruppe weder bearbeiten, noch umbennen oder löschen. Es klappt nicht über die management oberfläche und auch nicht über ssh.

Können Sie mir da weiterhelfen?

Comment 7 Florian Best 2016-06-23 19:58:45 CEST

All broken LDAP filter escaping in univention-directory-manager-modules has been fixed.

univention-directory-manager-modules (11.0.3-17):
r70589 | Bug #40129: escape ldap filters

Comment 8 Florian Best 2016-06-27 17:59:02 CEST

univention-python (9.0.1-4):
r70653 | Bug #40129: use official python-LDAP utilities

univention-directory-manager-modules.yaml:
r70599 | YAML Bug #41580, Bug #40041, Bug #40129, Bug #38110, Bug #40422

univention-directory-manager-modules (11.0.3-21):
r70620 | Bug #40129: fix filter formatting for multivalue fields
→ use only the first value of that multivalue, should be fixed correctly by Bug #7430

univention-python.yaml:
r70654 | YAML Bug #40129

Comment 9 Florian Best 2016-06-30 18:13:53 CEST

Found some more:

univention-directory-manager-modules (11.0.3-25):
r70751 | Bug #40129: more LDAP filter escaping

Comment 10 Philipp Hahn 2016-07-01 08:20:28 CEST

This seems to have broken the last Jenkins run: +280 failures like
<http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/66_udm-computers/01_all_roles_removal/test/>

Comment 11 Florian Best 2016-07-01 13:25:42 CEST

*** Bug 41111 has been marked as a duplicate of this bug. ***

Comment 12 Florian Best 2016-07-01 14:35:48 CEST

(In reply to Philipp Hahn from comment #10)
> This seems to have broken the last Jenkins run: +280 failures like
> <http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/
> AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/
> testReport/66_udm-computers/01_all_roles_removal/test/>

univention-directory-manager-modules (11.0.3-28):
r70768 | Bug #40129: fixup svn r70751

Comment 13 Florian Best 2016-07-04 15:06:13 CEST

Reported again, 4.1-2 errata206 (Vahr)

Remark: Gave OU a name with brackets in UMC.  Appeared to work on creation and moving a computer object into it.  However, subsequent renaming in Active directory computers and users exposed a problem with sync to openldap.  Subsequent attempts to rename, move computer object and delete OU all give the below search filter error.  Assume it's failing on brackets in the name.

Execution of command 'udm/nav/object/query navigation' has failed:

Traceback (most recent call last):
  File "%PY2.7%/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "%PY2.7%/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "%PY2.7%/univention/management/console/modules/udm/__init__.py", line 1035, in _thread
    for module, obj in list_objects(container, object_type=object_type):
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 1074, in list_objects
    yield (module, module.get(dn))
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 87, in _decorated
    return method(*args, **kwargs)
  File "%PY2.7%/univention/management/console/ldap.py", line 135, in _decorated
    result = func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 507, in get
    obj.open()
  File "%PY2.7%/univention/admin/handlers/computers/windows.py", line 395, in open
    univention.admin.handlers.simpleComputer.open( self )
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 1273, in open
    result=self.lo.search(base=self.lo.base, filter=searchFilter, attr=['dn'])
  File "%PY2.7%/univention/admin/uldap.py", line 363, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(objectclass=univentionGroup)(uniqueMember=cn=***,ou=Laptops \\(roaming\\),dc=***,dc=com,dc=au))

Comment 14 Stefan Gohmann 2016-07-06 10:00:04 CEST

Very good.

Code review: OK
         r70653 → OK
         r70589 → OK
         r70620 → OK
         r70751 → OK
         r70768 → OK

YAML: OK (minor adjustment r70835)

Tests: OK

Comment 15 Janek Walkenhorst 2016-07-07 14:31:28 CEST

<http://errata.software-univention.de/ucs/4.1/207.html>
<http://errata.software-univention.de/ucs/4.1/208.html>

Comment 16 Florian Best 2016-07-15 14:57:36 CEST

*** Bug 10687 has been marked as a duplicate of this bug. ***

Comment 17 Florian Best 2016-07-19 18:13:22 CEST

Reported again, 4.1-2 errata206 (Vahr)

Comment 18 Philipp Hahn 2016-07-20 10:35:26 CEST

*** Bug 34522 has been marked as a duplicate of this bug. ***

Comment 19 Florian Best 2016-09-15 13:47:02 CEST

*** Bug 34432 has been marked as a duplicate of this bug. ***