Bug 42533 – Show a warning in UMC instead of traceback (udm/query) when ldap limits are met in object search

Bug 42533 - Show a warning in UMC instead of traceback (udm/query) when ldap limits are met in object search


Summary:	Show a warning in UMC instead of traceback (udm/query) when ldap limits are m...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC - Domain management (Generic)
Version:	UCS 3.3
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-0-errata
Assigned To:	Florian Best
QA Contact:	Richard Ulmer

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-09-29 12:21 CEST by Daniel Orrego
Modified:	2017-06-15 17:57 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	1: Nuisance – not a big deal but noticeable
User Pain:	0.006
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Flags:	best: Patch_Available+

Attachments
patch (1.57 KB, patch) 2017-01-05 14:48 CET, Florian Best	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Orrego

2016-09-29 12:21:37 CEST

(Initially for UCS 3.X)
A traceback is shown on 'LDAP_ConnectionError: Administrative limit exceeded' (See traceback below). UMC should instead show a warning message.

See also Bug 29500 and Bug 29670 (for 'Size limit exceeded')

This happens when the user(or its group) meets the defined limits in LDAP.
In this particular case the 'size.unchecked' because one of the attributes in the "Default properties" is not in the defined LDAP indices in a directory with millions of objects.

Here the management-console-module-udm.log:
----
28.09.16 18:11:50.432  MODULE      ( INFO    ) : Executing ['udm/query']
28.09.16 18:11:50.436  MODULE      ( INFO    ) : Using open LDAP connection for user uid=ucstestuser,cn=portal users,ou=test,dc=domain,dc=local
28.09.16 18:11:50.436  MODULE      ( INFO    ) : Using open LDAP connection for user uid=ucstestuser,cn=portal users,ou=test,dc=domain,dc=local
28.09.16 18:11:50.436  MODULE      ( INFO    ) : Searching for LDAP objects: container = cn=users,ou=test,dc=domain,dc=local, filter = (|(uid=id20160822090316808512)(firstname=id20160822090316808512)(cAttrOne=id20160822090316808512)(lastname=id20160822090316808512)(mailPrimaryAddress=id20160822090316808512)), superordinate = None
28.09.16 18:11:50.441  MODULE      ( INFO    ) : LDAP operation for user uid=ucstestuser,cn=portal users,ou=test,dc=domain,dc=local has failed
28.09.16 18:11:50.456  MODULE      ( INFO    ) : Searching for LDAP objects: container = cn=users,ou=test,dc=domain,dc=local, filter = (|(uid=id20160822090316808512)(firstname=id20160822090316808512)(cAttrOne=id20160822090316808512)(lastname=id20160822090316808512)(mailPrimaryAddress=id20160822090316808512)), superordinate = None
28.09.16 18:11:50.531  MODULE      ( PROCESS ) : An internal error occurred:   File "/usr/lib/pymodules/python2.6/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "/usr/lib/pymodules/python2.6/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/__init__.py", line 514, in _thread
    result = module.search( request.options.get( 'container' ), request.options[ 'objectProperty' ], request.options[ 'objectPropertyValue' ], superordinate, scope = request.options.get( 'scope'
, 'sub' ), hidden=request.options.get('hidden') )
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/udm_ldap.py", line 213, in wrapper_func
    raise LDAP_ConnectionError( str( e ) )

LDAP_ConnectionError: Administrative limit exceeded
----
* Warning: I tried to anonymize the log, so it may have unintentional syntax errors.

Comment 2 Florian Best

2016-09-29 12:52:39 CEST

The traceback after UCS 4.0-0-errata18 would be:

Execution of command 'udm/query groups/group' has failed:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/__init__.py", line 543, in _thread
    result = module.search(container, objectProperty, objectPropertyValue, superordinate, scope=scope, hidden=hidden)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 87, in _decorated
    return method(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 135, in _decorated
    result = func(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 472, in search
    result = self.module.lookup(None, ldap_connection, filter_s, base=container, superordinate=superordinate, scope=scope, sizelimit=sizelimit)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1047, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 339, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Administrative limit exceeded

Comment 3 Florian Best

2017-01-05 14:48:14 CET

Created attachment 8337 [details]
patch

The most simple solution seems to raise univention.admin.uexceptions.ldapSizelimitExceeded also in case of the ADMIN limits. This causes an error message like the following to be displayed:

"""
The query you have entered yields too many matching entries. Please narrow down your search by specifying more query parameters. The current size limit of %s can be configured with the UCR variable directory/manager/web/sizelimit.
"""

Comment 4 Stefan Gohmann

2017-04-20 11:05:20 CEST

Florian, can the patch simply applied?

Comment 5 Florian Best

2017-04-21 13:21:19 CEST

(In reply to Stefan Gohmann from comment #4)
> Florian, can the patch simply applied?
Yes, but as said this would display an error message which refers to the UCR variable "directory/manager/web/sizelimit" which is not effective here as the admin-size-limit is set in slapd.conf (server) and not in the client. At least the traceback is not shown.

Comment 6 Florian Best

2017-04-25 18:06:51 CEST

The patch has been applied. Additionally the error handling in the UDM module has been improved, otherwise the fix wouldn't work in the LDAP directory tree and show a traceback there. It can be simply tested by setting "ucr set ldap/sizelimit='10'".

univention-management-console-module-udm (7.0.9-16):
r78923 | Bug #42533: fix admin size limit reached error message

univention-management-console-module-udm.yaml:
r78925 | YAML Bug #42533

univention-directory-manager-modules (12.0.16-6):
r78924 | Bug #42533: fix admin size limit reached error message

univention-directory-manager-modules.yaml:
r78925 | YAML Bug #42533

Comment 7 Richard Ulmer

2017-05-16 14:52:22 CEST

I was not fully able to reproduce the bug. For example opening the users module with 11 existing users and ldap/sizelimit='10' I got no traceback, but the error message the fix in Comment #6 was supposed to introduce.

In the "LDAP directory" module however I got a traceback, which the fix removed. -> Verified

Comment 8 Janek Walkenhorst

2017-06-15 17:57:57 CEST

<http://errata.software-univention.de/ucs/4.2/39.html>
<http://errata.software-univention.de/ucs/4.2/41.html>