Bug 48990 - 4.3: Could not get groups for u'Administrator': ldapError: Insufficient access
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Portal
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-3-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
Depends on: 48943
Blocks:
Reported: 2019-03-14 12:34 CET by Florian Best
Modified: 2019-04-10 14:35 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019030521000572, 2019031321000959, 2019032021000258
Bug group (optional): Error handling, External feedback, Workaround is available
Max CVSS v3 score:
best: Patch_Available+


Description Florian Best univentionstaff 2019-03-14 12:34:22 CET
Bug for UCS 4.3:

+++ This bug was initially created as a clone of Bug #48943 +++

In a school environment the following traceback happens when accessing the portal:

08.03.19 13:10:07.792 MAIN ( ERROR ) : Could not get groups for u'Administrator': Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-web-server", line 380, in get_user_groups
    user_dn = lo.searchDn(ldap.filter.filter_format('(&(uid=%s)(objectClass=person))', (self.username,)))[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 750, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Afaik this happens on a DC Master. Memberoverlay is activated.
Is something wrong with the LDAP ACLs for DCs in UCS@school?
Comment 1 Florian Best univentionstaff 2019-03-20 09:35:34 CET
See also Bug #49011 for an adjustment of server-password-change so that it does a UMC reload (which would then be able to re-establish the LDAP connection with the new credentials).
But I think this is not necessary if we change from univention.admin.uldap to univention.management.console.ldap.
Comment 2 Christina Scheinig univentionstaff 2019-03-28 19:32:25 CET
Two of the customers have already asked for the fix.
Comment 3 Florian Best univentionstaff 2019-03-29 08:13:40 CET
I created an untested patch in fbest/48990-fix-reloading-machine-connection:
https://github.com/univention/univention-corporate-server/commit/7047dd45f697e21702cc90d09a33043243af9bb8
Comment 4 Florian Best univentionstaff 2019-04-02 08:29:06 CEST
Ok, the patch works.
It uses univention.management.console.ldap with write=False to connect to the local LDAP server.

I applied the patch with one additional change: The LDAP credential cache is now also reset on a "service univention-management-console-web-server reload".

univention-management-console (10.0.6-21)
1aa4a2b45f5b | Bug #48990: Merge branch 'fbest/48990-fix-reloading-machine-connection' into 4.3-3

univention-management-console.yaml
1aa4a2b45f5b | Bug #48990: Merge branch 'fbest/48990-fix-reloading-machine-connection' into 4.3-3
Comment 5 Dirk Wiesenthal univentionstaff 2019-04-09 15:58:49 CEST
OK, works as expected.
Comment 6 Erik Damrose univentionstaff 2019-04-10 14:35:29 CEST
<http://errata.software-univention.de/ucs/4.3/475.html>