jirutka/ssh-ldap-pubkey

1.3.1 breaks listing keys

cmclaughlin opened this issue · 11 comments

# ssh-ldap-pubkey list -u cmclaughlin
dc=XXXmyorgXXX,dc=com 2 (&((objectclass=posixAccount))(uid=cmclaughlin))
Traceback (most recent call last):
  File "/usr/local/bin/ssh-ldap-pubkey", line 144, in <module>
    main(**kwargs)
  File "/usr/local/bin/ssh-ldap-pubkey", line 126, in main
    keys = ldapssh.find_pubkeys(login)
  File "/usr/local/lib/python2.7/site-packages/ssh_ldap_pubkey/__init__.py", line 209, in find_pubkeys
    return self._find_pubkeys(self.find_dn_by_login(login))
  File "/usr/local/lib/python2.7/site-packages/ssh_ldap_pubkey/__init__.py", line 241, in find_dn_by_login
    result = self._conn.search_s(conf.base, conf.scope, filter_s, ['dn'])
  File "/usr/local/lib64/python2.7/site-packages/ldap/ldapobject.py", line 854, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/local/lib64/python2.7/site-packages/ldap/ldapobject.py", line 847, in search_ext_s
    msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  File "/usr/local/lib64/python2.7/site-packages/ldap/ldapobject.py", line 843, in search_ext
    timeout,sizelimit,
  File "/usr/local/lib64/python2.7/site-packages/ldap/ldapobject.py", line 331, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/local/lib64/python2.7/site-packages/ldap/ldapobject.py", line 315, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {u'info': 'Resource temporarily unavailable', 'errno': 11, 'desc': u'Bad search filter'}

Downgrading to 1.3.0 made the problem go away.

Thanks

Our cat /etc/ldap.conf

...
pam_filter objectClass=person
pam_login_attribute sAMAccountName
...

Execution & Error:

ssh-ldap-pubkey list -u USERNAME


Traceback (most recent call last):
  File "/usr/local/bin/ssh-ldap-pubkey", line 144, in <module>
    main(**kwargs)
  File "/usr/local/bin/ssh-ldap-pubkey", line 126, in main
    keys = ldapssh.find_pubkeys(login)
  File "/usr/local/lib/python3.6/dist-packages/ssh_ldap_pubkey/__init__.py", line 209, in find_pubkeys
    return self._find_pubkeys(self.find_dn_by_login(login))
  File "/usr/local/lib/python3.6/dist-packages/ssh_ldap_pubkey/__init__.py", line 240, in find_dn_by_login
    result = self._conn.search_s(conf.base, conf.scope, filter_s, ['dn'])
  File "/usr/local/lib/python3.6/dist-packages/ldap/ldapobject.py", line 854, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/local/lib/python3.6/dist-packages/ldap/ldapobject.py", line 847, in search_ext_s
    msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  File "/usr/local/lib/python3.6/dist-packages/ldap/ldapobject.py", line 843, in search_ext
    timeout,sizelimit,
  File "/usr/local/lib/python3.6/dist-packages/ldap/ldapobject.py", line 331, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/local/lib/python3.6/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/local/lib/python3.6/dist-packages/ldap/ldapobject.py", line 315, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}

Reason it fails is due to objectClass=person getting double wrapped.

(&((objectClass=person))(sAMAccountName=USERNAME))

Downgrading to 1.3.0 worked for us as well

same problem, downgrade to 1.3.0 fixed it
pip uninstall ssh-ldap-pubkey
pip install -I ssh-ldap-pubkey==1.3.0

Just chiming in with a "me too". Downgrading fixed our issues.

Same issue here
Downgraded to 1.3.0

Just got hit by this, and I believe the problem is here. This line checks to see if there are parens around the filter term, and will add them if they are missing. The problem is the next formatting adds a second level of parens, which I'm guessing was the mistake, since there is a comment directly above this section that states:

# RFC4515 requires filters to be wrapped with parenthesis '(' and ')'.
# Over-wrapped filters are invalid! e.g. '((uid=x))'

I believe the fix is changing line 238 from:

filter_s = "(&(%s)(%s=%s))" % (filter_s, conf.login_attr, login)

to:

filter_s = "(&%s(%s=%s))" % (filter_s, conf.login_attr, login)
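
The double wrapping diagnosed in the comment above, reproduced as an added example (not ssh-ldap-pubkey's own code): it builds the filter the 1.3.1 way and the proposed way, and checks both against a simplified subset of the RFC 4515 grammar. All function names are hypothetical, and escaping the login value goes beyond what the thread discusses.

```python
import re

# Simplified RFC 4515 item: attribute, operator, value without raw parentheses.
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*[~<>]?=[^()]*")

def _parse(s, i):
    """Parse one '(...)' filter at index i; return the index after it, or -1."""
    if i >= len(s) or s[i] != "(":
        return -1
    i += 1
    if i < len(s) and s[i] in "&|!":
        negation, i, count = s[i] == "!", i + 1, 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            if i < 0:
                return -1
            count += 1
        if count == 0 or (negation and count != 1):
            return -1
    else:
        m = _ITEM.match(s, i)  # fails on '((...', i.e. an over-wrapped filter
        if not m:
            return -1
        i = m.end()
    return i + 1 if i < len(s) and s[i] == ")" else -1

def is_valid_filter(s):
    """True if s is exactly one well-formed filter under the simplified grammar."""
    return _parse(s, 0) == len(s)

def wrap(f):
    """Add parentheses only when the configured filter lacks them."""
    f = f.strip()
    return f if f.startswith("(") and f.endswith(")") else "(%s)" % f

def escape_value(v):
    """Escape RFC 4515 special characters in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in v)

def compose_1_3_1(pam_filter, attr, login):
    # Behaviour described in the thread: wrap, then add a second pair.
    return "(&(%s)(%s=%s))" % (wrap(pam_filter), attr, login)

def compose_fixed(pam_filter, attr, login):
    # Proposed fix: the already-wrapped filter is inserted as is.
    return "(&%s(%s=%s))" % (wrap(pam_filter), attr, escape_value(login))
```
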

I too faced the same error and had to downgrade ssh-ldap-pubkey to 1.3.0

Downgrading fixed this problem

@jirutka Yes, same for me, downgrading and it just worked.

The error I got was:

$ ssh-ldap-pubkey list
Traceback (most recent call last):
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/bin/ssh-ldap-pubkey", line 144, in <module>
    main(**kwargs)
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/bin/ssh-ldap-pubkey", line 126, in main
    keys = ldapssh.find_pubkeys(login)
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ssh_ldap_pubkey/__init__.py", line 209, in find_pubkeys
    return self._find_pubkeys(self.find_dn_by_login(login))
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ssh_ldap_pubkey/__init__.py", line 240, in find_dn_by_login
    result = self._conn.search_s(conf.base, conf.scope, filter_s, ['dn'])
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ldap/ldapobject.py", line 854, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ldap/ldapobject.py", line 847, in search_ext_s
    msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ldap/ldapobject.py", line 843, in search_ext
    timeout,sizelimit,
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ldap/ldapobject.py", line 331, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/Users/stephen/projects/ssh-ldap-pubkey/env/lib/python3.7/site-packages/ldap/ldapobject.py", line 315, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}

I’m very sorry for such a long response time. I have some problem with GitHub email notifications, they somehow don’t work for my own repositories. So I’ve noticed this issue just now by accident.

Is it being fixed?

Yes, it should be, in 1.3.2.

Thank you! Will try