Bug 40651 - replace self.lo.search() with getAttr() or get (uldap) if the search is meant to return attributes for a specific object
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-1-errata
Assigned To: Felix Botner
Florian Best
Blocks: 40652 41518
Reported: 2016-02-12 16:40 CET by Felix Botner
Modified: 2016-06-10 07:23 CEST (History)

Attachments
udm.patch (2.25 KB, patch)
2016-02-12 16:40 CET, Felix Botner

Description Felix Botner univentionstaff 2016-02-12 16:40:39 CET
Created attachment 7478 [details]
udm.patch

In setups with big databases and slapd size limits, creating a user fails:

udm users/user create ...
LDAP Error: Administrative limit exceeded


 uldap.search filter=(objectClass=*) base=cn=Domain Users,cn=groups,o=in8,o=orange scope=sub attr=['gidNumber'] unique=0 required=0 timeout=-1 sizelimit=0
12.02.16 15:49:51.490  ADMIN       ( ERROR   ) : Post-modify operation failed:   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 781, in _create
    self._ldap_post_create()

  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py", line 1887, in _ldap_post_create
    self.__primary_group()

  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py", line 1701, in __primary_group
    searchResult=self.lo.search(base=self['primaryGroup'], attr=['gidNumber'])

  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 355, in search
    raise univention.admin.uexceptions.ldapError, _err2str(msg)
12.02.16 15:50:42.808  ADMIN       ( ERROR   ) : Post-modify operation failed:   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 781, in _create
    self._ldap_post_create()

The problem is this:

 self.lo.search(base=self['primaryGroup'], attr=['sambaSID'])

This search uses the LDAP filter filter=(objectClass=*). It seems that slapd applies the filter and then checks the limits (before filtering the search base).

The search works with a proper scope "scope=base" but we may better use uldap.get or uldap.getAttr instead.

Attached a patch that fixes this problem for "udm users/user create" (with scope=base). But there are many more of those searches in our udm handlers.
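
One way to locate the remaining calls of this kind in handler code, as an added example that is not part of the original report or of UDM. The sample source is constructed and the function name is hypothetical; the check flags keyword-only .lo.search() calls that pass base but neither filter nor scope, which according to the uldap.search log line above run with filter=(objectClass=*) and scope=sub.

```python
import ast

# Constructed sample in the style of a UDM handler (not the project's source).
SAMPLE = '''
class Handler:
    def primary_group(self):
        res = self.lo.search(base=self['primaryGroup'], attr=['gidNumber'])
        sid = self.lo.search(base=self['primaryGroup'], attr=['sambaSID'])
        ok = self.lo.search(base=self['primaryGroup'], scope='base', attr=['gidNumber'])
        users = self.lo.search(filter='(uid=*)', base=self.position, attr=['uid'])
        gid = self.lo.getAttr(self['primaryGroup'], 'gidNumber')
'''


def find_object_lookups_via_search(source, filename="<sample>"):
    """Return sorted (line, snippet) pairs for <x>.lo.search() calls that name
    a base but leave filter and scope at their defaults, so a lookup of one
    object is sent as a subtree search."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only calls of the form <something>.lo.search(...)
        if not (isinstance(func, ast.Attribute) and func.attr == "search"):
            continue
        if not (isinstance(func.value, ast.Attribute) and func.value.attr == "lo"):
            continue
        # Positional arguments are skipped: this sketch only understands the
        # keyword style used in the report's traceback.
        if node.args:
            continue
        keywords = {kw.arg for kw in node.keywords if kw.arg}
        if "base" in keywords and not ({"filter", "scope"} & keywords):
            findings.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(findings)


if __name__ == "__main__":
    for line, snippet in find_object_lookups_via_search(SAMPLE):
        print("line %d: %s" % (line, snippet))
```

Each hit is a candidate for scope=base, uldap.get or uldap.getAttr and still needs a manual look, since a call may really intend a subtree search below the base.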
Comment 1 Felix Botner univentionstaff 2016-02-23 15:59:52 CET
fixed, see Bug #40652

scope: ucs_4.1-0-errata4.1-1
src: univention-directory-manager-modules
fix: 11.0.2-16.1370.201602231548

let's wait for the ucs tests
Comment 2 Felix Botner univentionstaff 2016-02-25 13:25:50 CET
fixed

scope: ucs_4.1-0-errata4.1-1
src: univention-directory-manager-modules
fix: 11.0.2-18.1373.201602251321
Comment 3 Florian Best univentionstaff 2016-02-29 13:32:55 CET
OK: New search behavior: OK
Code-Review: OK
Error handling: OK
YAML: OK
Comment 4 Philipp Hahn univentionstaff 2016-03-18 15:04:54 CET
<http://errata.software-univention.de/ucs/4.1/131.html>