Univention Bugzilla – Bug 45134
univention-adsearch misparses multi-attribute filters
Last modified: 2017-11-01 13:49:24 CET
When using univention-adsearch with multiple filters like # univention-ldapsearch "(&(userCertificate=*)(objectClass=computer))" the used filter is '(&(userCertificate=*)(objectClass=computer' which is simply wrong and ends up in a TraceBack.
Workaround: write the following into line 201: filter = filter_tmp
# univention-adsearch "($(objectClass=computer)(!(userCertificate=*)))" Traceback (most recent call last): File "/usr/sbin/univention-adsearch", line 204, in <module> msgid = lo.search_ext(configRegistry['%s/ad/ldap/base' % CONFIGBASENAME],ldap.SCOPE_SUBTREE,filter.encode('utf8'),serverctrls=[lc1,lc2]) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 548, in search_ext timeout,sizelimit, File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call result = func(*args,**kwargs) ldap.FILTER_ERROR: {'desc': 'Bad search filter'}
I guess this should be fixed in UCS 4.0 as well as 4.1.
Created attachment 9091 [details] patch
Attached patch fixes this. The patch works for all filters like: ['objectSid=foo', '(&(objectType=computer)(objectsid=bar))', '(&(objectType=computer)(|(objectsid=bar)(objectSid=baz)))', 'foo=bar'] (In reply to Nico Stöckigt from comment #3) > I guess this should be fixed in UCS 4.0 as well as 4.1. No, UCS 4.0 is out of maintenance. New fixes which are not security relevant aren't fixed for UCS 4.1 anymore but only for UCS 4.2-1. A workaround is available by applying the attached patch to affected systems.
(In reply to Florian Best from comment #5) > Attached patch fixes this. The patch works for all filters like: > ['objectSid=foo', '(&(objectType=computer)(objectsid=bar))', > '(&(objectType=computer)(|(objectsid=bar)(objectSid=baz)))', 'foo=bar'] > > (In reply to Nico Stöckigt from comment #3) > > I guess this should be fixed in UCS 4.0 as well as 4.1. > No, UCS 4.0 is out of maintenance. New fixes which are not security relevant > aren't fixed for UCS 4.1 anymore but only for UCS 4.2-1. > A workaround is available by applying the attached patch to affected systems. I made a version typo, of course I meant it should be fixed in 4.2 and probably also in 4.1-4. btw. also negative filters are possible: "(&(objectType=computer)(!(badPasswordTime=0)))"
univention-ad-connector (11.0.6-21): r81929 | Bug #45134: use ucr.is_true() r81928 | Bug #45134: fix search filter in univention-adsearch univention-ad-connector.yaml: r81931 | YAML Bug #45134
(In reply to Florian Best from comment #7) > r81928 | Bug #45134: fix search filter in univention-adsearch ok: univention-adsearch "(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)" ok: univention-adsearch "(&(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)(!(lastLogoff=0)))" fail[1]: univention-adsearch "(objectsid=*)" fail[2]: univention-adsearch "(objectsid=S-1-5-21*)" fail[3]: univention-adsearch "(objectsid=\))" [1]: This is translated into `(objectSid=\01\05\00\00\00\00\00\05)`. The old behaviour produced several results. [2]: This should work, but fails with an error in `encode_object_sid_to_binary_ldapfilter()`. [3]: While not meaningful, I think this would break the regex. This results in a `ldap.FILTER_ERROR: {'desc': 'Bad search filter'}`, while the old behaviour was no results. Minor nitpick: I think the `objectsid_pattern.sub(..)` is rather unreadable. But I guess it is ok.
(In reply to Lukas Oyen from comment #8) > fail[1]: univention-adsearch "(objectsid=*)" > [1]: This is translated into `(objectSid=\01\05\00\00\00\00\00\05)`. The old > behaviour produced several results. No, the old behavior didn't produce any results. It encoded it wrong, too. I preserve this filter now. > fail[2]: univention-adsearch "(objectsid=S-1-5-21*)" > [2]: This should work, but fails with an error in > `encode_object_sid_to_binary_ldapfilter()`. The exception was the same before. Why should this work? I think there is no substring match rule for objectSid. I don't call encode_object_sid_to_binary_ldapfilter() anymore if the string contains a '*'. > fail[3]: univention-adsearch "(objectsid=\))" > [3]: While not meaningful, I think this would break the regex. This results > in a `ldap.FILTER_ERROR: {'desc': 'Bad search filter'}`, while the old > behaviour was no results. OK, using a positive lookbehind for this now. > Minor nitpick: I think the `objectsid_pattern.sub(..)` is rather unreadable. But I guess it is ok. I made it more readable. I added a doctest string which ensures that the values/filter are correct. univention-ad-connector (11.0.6-24): r82406 | Bug #45134: fix search filter replacing in univention-adsearch
(In reply to Florian Best from comment #9) > > fail[2]: univention-adsearch "(objectsid=S-1-5-21*)" > Why should this work? I think there is no substring match rule for objectSid. Right, let me rephrase that: There should not be a crude Python error. ok: univention-adsearch "(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)" ok: univention-adsearch "(&(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)(!(lastLogoff=0)))" ok: univention-adsearch "(objectsid=*)" ok: univention-adsearch "(objectsid=S-1-5-21*)" ok: univention-adsearch "(objectsid=\))" Changelog/YAML: Ok.
<http://errata.software-univention.de/ucs/4.2/205.html>