LDAP user sync incorrectly proceeds when LDAP list or search fails

Bug #1607669 reported by Ghada El-Zoghbi on 2016-07-29
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | | Medium | Ghada El-Zoghbi |
15.04 | | Medium | Unassigned |
15.10 | | Medium | Unassigned |
16.04 | | Medium | Unassigned |
16.10 | | Medium | Ghada El-Zoghbi |

Bug Description

Mahara: 16.04
DB: Postgres
OS: Linux

The LDAP user sync is incorrectly continuing when the search in the context fails to contact the server.

The following error is generated in the cron.log file:

Jul 29 00:01:05 server mahara-site: [WAR] 29 (auth/ldap/lib.php:937) ldap_list(): Search: Can't contact LDAP server
Jul 29 00:01:05 server mahara-site: Call stack (most recent first):
Jul 29 00:01:05 server mahara-site: * log_message("ldap_list(): Search: Can't contact LDAP server", 8, true, true, "/var/www/mahara-site/auth/ldap/lib.php", 937) at /var/www/mahara-site/lib/errors.php:489
Jul 29 00:01:05 server mahara-site: * error(2, "ldap_list(): Search: Can't contact LDAP server", "/var/www/mahara-site/auth/ldap/lib.php", 937, array(size 11)) at Unknown:0
Jul 29 00:01:05 server mahara-site: * ldap_list(resource(#87), "ou=people,o=ldapserver.xxx", "(uid=*)", array(size 5)) at /var/www/mahara-site/auth/ldap/lib.php:937
Jul 29 00:01:05 server mahara-site: * AuthLdap->ldap_get_users_scalable("auth_ldap_extusers_temp", "extusername", "") at /var/www/mahara-site/auth/ldap/lib.php:1121
Jul 29 00:01:05 server mahara-site: * AuthLdap->sync_users() at /var/www/mahara-site/auth/ldap/lib.php:1614
Jul 29 00:01:05 server mahara-site: * PluginAuthLdap::auth_ldap_sync_cron() at Unknown:0
Jul 29 00:01:05 server mahara-site: * call_user_func_array(array(size 2), array(size 0)) at /var/www/mahara-site/lib/mahara.php:1714
Jul 29 00:01:05 server mahara-site: * call_static_method("PluginAuthLdap", "auth_ldap_sync_cron") at /var/www/mahara-site/lib/cron.php:89

It then proceeds to sync the users:

Jul 29 00:01:05 server mahara-site: [WAR] 29 (auth/ldap/lib.php:940) ldap_first_entry() expects parameter 2 to be resource, boolean given
Jul 29 00:01:05 server mahara-site: Call stack (most recent first):
Jul 29 00:01:05 server mahara-site: * log_message("ldap_first_entry() expects parameter 2 to be resou...", 8, true, true, "/var/www/mahara-site/auth/ldap/lib.php", 940) at /var/www/mahara-site/lib/errors.php:489
Jul 29 00:01:05 server mahara-site: * error(2, "ldap_first_entry() expects parameter 2 to be resou...", "/var/www/mahara-site/auth/ldap/lib.php", 940, array(size 12)) at Unknown:0
Jul 29 00:01:05 server mahara-site: * ldap_first_entry(resource(#87), false) at /var/www/mahara-site/auth/ldap/lib.php:940
Jul 29 00:01:05 server mahara-site: * AuthLdap->ldap_get_users_scalable("auth_ldap_extusers_temp", "extusername", "") at /var/www/mahara-site/auth/ldap/lib.php:1121
Jul 29 00:01:05 server mahara-site: * AuthLdap->sync_users() at /var/www/mahara-site/auth/ldap/lib.php:1614
Jul 29 00:01:05 server mahara-site: * PluginAuthLdap::auth_ldap_sync_cron() at Unknown:0
Jul 29 00:01:05 server mahara-site: * call_user_func_array(array(size 2), array(size 0)) at /var/www/mahara-site/lib/mahara.php:1714
Jul 29 00:01:05 server mahara-site: * call_static_method("PluginAuthLdap", "auth_ldap_sync_cron") at /var/www/mahara-site/lib/cron.php:89
Jul 29 00:01:05 server mahara-site:
Jul 29 00:01:05 server mahara-site: [WAR] 29 (auth/ldap/lib.php:971) ldap_free_result() expects parameter 1 to be resource, boolean given
Jul 29 00:01:05 server mahara-site: Call stack (most recent first):
Jul 29 00:01:05 server mahara-site: * log_message("ldap_free_result() expects parameter 1 to be resou...", 8, true, true, "/var/www/mahara-site/auth/ldap/lib.php", 971) at /var/www/mahara-site/lib/errors.php:489
Jul 29 00:01:05 server mahara-site: * error(2, "ldap_free_result() expects parameter 1 to be resou...", "/var/www/mahara-site/auth/ldap/lib.php", 971, array(size 13)) at Unknown:0
Jul 29 00:01:05 server mahara-site: * ldap_free_result(false) at /var/www/mahara-site/auth/ldap/lib.php:971
Jul 29 00:01:05 server mahara-site: * AuthLdap->ldap_get_users_scalable("auth_ldap_extusers_temp", "extusername", "") at /var/www/mahara-site/auth/ldap/lib.php:1121
Jul 29 00:01:05 server mahara-site: * AuthLdap->sync_users() at /var/www/mahara-site/auth/ldap/lib.php:1614
Jul 29 00:01:05 server mahara-site: * PluginAuthLdap::auth_ldap_sync_cron() at Unknown:0
Jul 29 00:01:05 server mahara-site: * call_user_func_array(array(size 2), array(size 0)) at /var/www/mahara-site/lib/mahara.php:1714
Jul 29 00:01:05 server mahara-site: * call_static_method("PluginAuthLdap", "auth_ldap_sync_cron") at /var/www/mahara-site/lib/cron.php:89
Jul 29 00:01:05 server mahara-site:
Jul 29 00:01:05 server mahara-site: [INF] 29 (auth/ldap/lib.php:1122) LDAP users found : 0
Jul 29 00:01:05 server mahara-site: [INF] 29 (auth/ldap/lib.php:1169) 0 users known to Mahara
Jul 29 00:01:05 server mahara-site: [INF] 29 (auth/ldap/lib.php:1232) 45161 users no longer in LDAP

Because we've set the sync to suspend users, all LDAP users are then suspended.

Changed in mahara:
assignee: nobody → Ghada El-Zoghbi (ghada-z)
Changed in mahara:
importance: Undecided → Medium
status: New → Confirmed
milestone: none → 16.10.0

Reviewed: https://reviews.mahara.org/6758
Committed: https://git.mahara.org/mahara/mahara/commit/1daee33a1ef67a0e0fc0599c67de08896408519e
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit 1daee33a1ef67a0e0fc0599c67de08896408519e
Author: Ghada El-Zoghbi <email address hidden>
Date: Fri Jul 29 18:40:35 2016 +1000

bug#1607669: Validate the results of ldap_search() and ldap_list() when syncing users.

When retrieving data from the LDAP server, check the results retrieved from
ldap_search() and ldap_list(). If there is an error, do not continue.

Otherwise, the sync_users() will assume that zero users were retrieved
from LDAP. It will then delete or suspend users when
'If a user is no longer present in LDAP' is set to either suspend
users or delete them.

behatnotneeded

Change-Id: Ib57901c61f769d96720cf932d2e0d7f643853a56
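
The failure mode reported above and the check the commit message describes, as an added example that is not Mahara's code: a failed directory call must abort the sync, while a successful search that returns nothing is still a valid result. All function and class names are hypothetical and the sample data is constructed.

```php
<?php
// Added example, not Mahara's code; all function and class names are hypothetical.
class LdapSyncAborted extends RuntimeException {}

// Real-directory fetch (needs the PHP ldap extension; not called by the demo below).
// A failed ldap_list() raises instead of looking like an empty directory.
function fetch_usernames($conn, string $context, string $filter, string $attr): array {
    $result = ldap_list($conn, $context, $filter, [$attr]);
    if ($result === false) {
        throw new LdapSyncAborted('ldap_list failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    ldap_free_result($result);
    if ($entries === false) {
        throw new LdapSyncAborted('could not read entries: ' . ldap_error($conn));
    }
    $names = [];
    $key = strtolower($attr); // ldap_get_entries() lowercases attribute names
    for ($i = 0; $i < $entries['count']; $i++) {
        if (isset($entries[$i][$key][0])) {
            $names[] = $entries[$i][$key][0];
        }
    }
    return $names;
}

// Decide which locally known users are gone from the directory.
// $fetch must return an array of usernames or throw; the exception propagates,
// so the caller changes no accounts when the directory was unreachable.
function users_no_longer_in_ldap(callable $fetch, array $known): array {
    return array_values(array_diff($known, $fetch()));
}

// Constructed sample data and fetchers standing in for the directory.
$known   = ['alice', 'bob', 'carol'];
$healthy = fn() => ['alice', 'carol'];
$emptyOu = fn() => [];   // search succeeded, the context really is empty
$outage  = function () { throw new LdapSyncAborted("Can't contact LDAP server"); };

foreach (['healthy' => $healthy, 'empty' => $emptyOu, 'outage' => $outage] as $label => $fetch) {
    try {
        $gone = users_no_longer_in_ldap($fetch, $known);
        echo "$label: suspend " . json_encode($gone) . "\n";
    } catch (LdapSyncAborted $e) {
        echo "$label: sync aborted, no accounts changed ({$e->getMessage()})\n";
    }
}
```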

Mahara Bot (dev-mahara) wrote :

Patch for "15.10_STABLE" branch: https://reviews.mahara.org/6763

Mahara Bot (dev-mahara) wrote :

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/6764

Reviewed: https://reviews.mahara.org/6762
Committed: https://git.mahara.org/mahara/mahara/commit/b4298f9b4fc6edcb90c9914c6ad4af370b56a1a7
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit b4298f9b4fc6edcb90c9914c6ad4af370b56a1a7
Author: Ghada El-Zoghbi <email address hidden>
Date: Fri Jul 29 18:40:35 2016 +1000

bug#1607669: Validate the results of ldap_search() and ldap_list() when syncing users.

When retrieving data from the LDAP server, check the results retrieved from
ldap_search() and ldap_list(). If there is an error, do not continue.

Otherwise, the sync_users() will assume that zero users were retrieved
from LDAP. It will then delete or suspend users when
'If a user is no longer present in LDAP' is set to either suspend
users or delete them.

behatnotneeded

Change-Id: Ib57901c61f769d96720cf932d2e0d7f643853a56
(cherry picked from commit 1daee33a1ef67a0e0fc0599c67de08896408519e)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6763
Committed: https://git.mahara.org/mahara/mahara/commit/533d0f93cb126f3a496dd0df30fc640a71a3fdc2
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 533d0f93cb126f3a496dd0df30fc640a71a3fdc2
Author: Ghada El-Zoghbi <email address hidden>
Date: Fri Jul 29 18:40:35 2016 +1000

bug#1607669: Validate the results of ldap_search() and ldap_list() when syncing users.

When retrieving data from the LDAP server, check the results retrieved from
ldap_search() and ldap_list(). If there is an error, do not continue.

Otherwise, the sync_users() will assume that zero users were retrieved
from LDAP. It will then delete or suspend users when
'If a user is no longer present in LDAP' is set to either suspend
users or delete them.

behatnotneeded

Change-Id: Ib57901c61f769d96720cf932d2e0d7f643853a56
(cherry picked from commit 1daee33a1ef67a0e0fc0599c67de08896408519e)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6764
Committed: https://git.mahara.org/mahara/mahara/commit/fb75f13988a5ac28b3373c8f3eed76d041c8a597
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit fb75f13988a5ac28b3373c8f3eed76d041c8a597
Author: Ghada El-Zoghbi <email address hidden>
Date: Fri Jul 29 18:40:35 2016 +1000

bug#1607669: Validate the results of ldap_search() and ldap_list() when syncing users.

When retrieving data from the LDAP server, check the results retrieved from
ldap_search() and ldap_list(). If there is an error, do not continue.

Otherwise, the sync_users() will assume that zero users were retrieved
from LDAP. It will then delete or suspend users when
'If a user is no longer present in LDAP' is set to either suspend
users or delete them.

behatnotneeded

Change-Id: Ib57901c61f769d96720cf932d2e0d7f643853a56
(cherry picked from commit 1daee33a1ef67a0e0fc0599c67de08896408519e)

Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
milestone: 16.10.0 → none
status: Fix Committed → Fix Released