Problem:
The tool univention-export-anonymized-ldap fails with a KeyError when exporting an LDAP database containing entries missing the optional attribute krb5PrincipalName. This causes the script to terminate prematurely, resulting in an incomplete export and leftover temporary files. This occurs because the script does not check whether the krb5PrincipalName attribute is present in each LDAP entry before trying to process it.
Temporary files such as /tmp/tmpxxxx.ldif are also not deleted in the event of a crash, which may leave sensitive data on disk.
Product Version:
- UCS 5.2-x
Description:
When executing the anonymization script on a UCS 5.2-x system, the following error occurs. To reproduce it, run the following command on a UCS 5.2-x system:
/usr/bin/univention-export-anonymized-ldap --i-understand -o /root/univention-support/LDAP_copy_anonymized
Tracebacks:
Exporting LDAP database...
... saved online data at /tmp/tmpnlux1_01.ldif
... writing anonymized data to /root/univention-support/LDAP_copy_anonymized.ldif
Traceback (most recent call last):
File "/usr/bin/univention-export-anonymized-ldap", line 185, in <module>
main()
File "/usr/bin/univention-export-anonymized-ldap", line 180, in main
anonymize(ldap_database, output_file=_args.output)
File "/usr/bin/univention-export-anonymized-ldap", line 83, in anonymize
entry["krb5PrincipalName"] = [new_cn + b"@" + old.split(b"@")[1] for old in entry["krb5PrincipalName"]]
KeyError: 'krb5PrincipalName'
or
Exporting LDAP database...
The first database does not allow slapcat; using the first available one (2)
... saved online data at /tmp/tmpvo7r1_77.ldif
... writing anonymized data to /root/univention-support/LDAP_copy_anonymized_66659.ldif
Traceback (most recent call last):
File "/usr/bin/univention-export-anonymized-ldap", line 185, in <module>
main()
File "/usr/bin/univention-export-anonymized-ldap", line 180, in main
anonymize(ldap_database, output_file=_args.output)
File "/usr/bin/univention-export-anonymized-ldap", line 126, in anonymize
entry["krb5PrincipalName"] = [b"host/" + new_cn + b"." + entry.get("associatedDomain", [b"ucs.test"])[0] + b"@" + old.split(b"@")[1] for old in entry["krb5PrincipalName"]]
~~~~~^^^^^^^^^^^^^^^^^^^^^
KeyError: 'krb5PrincipalName'
If any LDAP entry lacks the krb5PrincipalName attribute, the script crashes with a traceback and does not finish processing.
Root Cause:
The script incorrectly assumes the presence of the krb5PrincipalName attribute without verifying it exists in the LDAP entries.
Solution:
A patch has been provided that checks for the presence of the krb5PrincipalName attribute before attempting to modify it.
- Patch file: Attachment 11330 (also available directly in the Bug Report)
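As an added illustration that is neither the tool's code nor the attached patch: the unchecked rewrite of krb5PrincipalName next to a checked one, and a temporary-file cleanup in a finally block so a crash cannot leave the raw dump on disk. It assumes entries are dicts mapping attribute name to a list of byte values (as the traceback suggests) and uses constructed sample entries.

```python
import os
import tempfile

# Constructed sample entries, shaped like the dicts the script iterates over
# (attribute name -> list of byte values). The second one has no
# krb5PrincipalName, which is exactly what triggers the KeyError.
SAMPLE_ENTRIES = [
    {"cn": [b"alice"], "krb5PrincipalName": [b"alice@EXAMPLE.TEST"]},
    {"cn": [b"svc-backup"]},
    {"cn": [b"host-1"], "krb5PrincipalName": [b"host/host-1.example.test@EXAMPLE.TEST"]},
]

def anonymize_principal_unchecked(entry, new_cn):
    """Mirrors the failing line: indexes the attribute without checking it exists."""
    entry["krb5PrincipalName"] = [new_cn + b"@" + old.split(b"@")[1]
                                  for old in entry["krb5PrincipalName"]]
    return entry

def anonymize_principal(entry, new_cn):
    """Checked form: rewrite only when the attribute is present; keep the realm."""
    principals = entry.get("krb5PrincipalName")
    if principals:
        entry["krb5PrincipalName"] = [new_cn + b"@" + old.split(b"@", 1)[1]
                                      for old in principals]
    return entry

def to_ldif(entries):
    """Minimal LDIF serialisation of attribute -> [bytes] dicts (no base64 handling)."""
    lines = []
    for entry in entries:
        for attr, values in entry.items():
            lines.extend(attr.encode() + b": " + value for value in values)
        lines.append(b"")
    return b"\n".join(lines)

def export_with_cleanup(entries, output_path, anonymizer=anonymize_principal):
    """Dump entries to a temporary .ldif, write the anonymized copy, and remove the
    dump in a finally block. Returns the temporary path so the caller can verify."""
    fd, tmp_path = tempfile.mkstemp(suffix=".ldif")
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(to_ldif(entries))  # raw, sensitive dump
        anonymized = [anonymizer(dict(e), b"user%d" % i) for i, e in enumerate(entries)]
        with open(output_path, "wb") as out:
            out.write(to_ldif(anonymized))
    finally:
        if os.path.exists(tmp_path):  # runs on success and on any exception
            os.remove(tmp_path)
    return tmp_path
```

Only krb5PrincipalName is rewritten here; the real tool also replaces cn, mail addresses and other attributes.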
How to Apply the Patch
Follow these steps to apply the patch:
- Download the patch:
  wget https://forge.univention.org/bugzilla/attachment.cgi?id=11330 -O NEW-univention-export-anonymized-ldap_patch.diff
- Back up the original script:
  cp /usr/bin/univention-export-anonymized-ldap /usr/bin/univention-export-anonymized-ldap.bak
- Make the patch file executable:
  chmod +x NEW-univention-export-anonymized-ldap_patch.diff
- Install the patch utility if it is not already available:
  apt install patch
- Apply the patch:
  patch /usr/bin/univention-export-anonymized-ldap NEW-univention-export-anonymized-ldap_patch.diff
Output:
patching file /usr/bin/univention-export-anonymized-ldap
Final Result
After applying the patch, the tool should work as expected:
/usr/bin/univention-export-anonymized-ldap --i-understand -o /root/univention-support/univention-export-anon/LDAP_copy_anonymized
Exporting LDAP database...
... saved online data at /tmp/tmprpoy8yg3.ldif
... writing anonymized data to /root/univention-support/univention-export-anon/LDAP_copy_anonymized.ldif
We anonymized or removed what we considered worthy. Usernames, birthdays, mail addresses, etc. Please note that there may be remnants of technical data, e.g., server names, DNS data, etc. Also, maybe some user data that needed protection was saved in attributes we did not consider or we did not know of (objects can be extended by Apps, ...). Please check the file before sending somewhere: /root/univention-support/univention-export-anon/LDAP_copy_anonymized.ldif
... and removed online data again /tmp/tmprpoy8yg3.ldif