Univention Bugzilla – Bug 24457
Prevent deleting critical system objects
Last modified: 2019-01-03 07:19:58 CET
We should prevent the deletion of critical system objects, for example cn=default containers or various cn=univention objects, or cn=admin, uid=Administrator, etc. In AD there is the attribute isCriticalSystemObject for this purpose.
If necessary, it may also be required to introduce a property such as isSingleton for a UDM module, so that only one object of that type can exist.
This may also apply to UCR variables.
Additional keywords: critical system object
See also Bug 31042
*** Bug 31042 has been marked as a duplicate of this bug. ***
See also Bug 33568: Warning before removing dc master.
+1
*** Bug 40858 has been marked as a duplicate of this bug. ***
From Bug 40858:
> Bug 31167 / Bug 37654 introduced the objectFlag / univentionObjectFlag
> attribute supporting the values "hidden" and "functional". As originally
> proposed by Sönke, we should also support "system" and make UDM protect
> object attributed as such to avoid accidental deletion or renaming.
>
> Bug 32871 added the "hidden" flag to a couple of builtin user and group
> accounts.
>
> For example for the krbtgt account (Bug 40763) and the dns-service accounts
> the write protection would be useful. The S4-Connector could possibly map
> this attribute value to the attribute isCriticalSystemObject: TRUE which is
> used in Active Directory.
*** Bug 33568 has been marked as a duplicate of this bug. ***
Seen at Ticket #2018061121000851:

  udm users/user modify --dn "uid=dns-$(hostname),cn=users,$(ucr get ldap/base)" \
    --set username=newname

After that dynamic DNS updates are impossible and the "newname" account owns the service principal.
I suggest to set the "hidden" flag on all user accounts that are only used internally, like:
- dns-<hostname>
- http-proxy-<hostname>
- krbtgt
Yes, Bug 40763 is connected via "see also".
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on the 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
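Added example, not part of the bug thread and not Univention code: a sketch of the protection discussed above, auditing internal accounts for missing univentionObjectFlag values and refusing removal or a uid change on objects flagged "system". The "system" value is only proposed in this bug; the entries, the base DN dc=example,dc=test, the host name dc1 and the function names are constructed or hypothetical.

```python
import fnmatch

# Constructed sample entries (assumption: flattened uid / univentionObjectFlag values).
BASE = "cn=users,dc=example,dc=test"
SAMPLE_ENTRIES = [
    {"dn": f"uid=dns-dc1,{BASE}", "uid": "dns-dc1", "univentionObjectFlag": ["hidden"]},
    {"dn": f"uid=http-proxy-dc1,{BASE}", "uid": "http-proxy-dc1", "univentionObjectFlag": []},
    {"dn": f"uid=krbtgt,{BASE}", "uid": "krbtgt", "univentionObjectFlag": ["hidden", "system"]},
    {"dn": f"uid=alice,{BASE}", "uid": "alice", "univentionObjectFlag": []},
]

# Internal account names listed in the thread, as glob patterns.
INTERNAL_PATTERNS = ("dns-*", "http-proxy-*", "krbtgt")


def is_internal(entry):
    """True if the uid matches one of the internal-account patterns."""
    return any(fnmatch.fnmatchcase(entry["uid"], p) for p in INTERNAL_PATTERNS)


def audit(entries):
    """Return {dn: [missing flags]} for internal accounts lacking 'hidden' or 'system'."""
    findings = {}
    for entry in entries:
        if not is_internal(entry):
            continue
        flags = entry.get("univentionObjectFlag", [])
        missing = [f for f in ("hidden", "system") if f not in flags]
        if missing:
            findings[entry["dn"]] = missing
    return findings


def guard(entry, operation, changes=None):
    """Hypothetical pre-operation check: block remove and uid rename on 'system' objects."""
    if "system" not in entry.get("univentionObjectFlag", []):
        return True  # unprotected object: the operation goes through
    new_uid = (changes or {}).get("uid", entry["uid"])
    if operation == "remove" or (operation == "modify" and new_uid != entry["uid"]):
        raise PermissionError(f"{entry['dn']} is flagged 'system': {operation} refused")
    return True


if __name__ == "__main__":
    for dn, missing in audit(SAMPLE_ENTRIES).items():
        print(f"{dn}: missing {', '.join(missing)}")
```

With only "hidden" set, as on the constructed dns-dc1 entry, the guard still lets the rename from the ticket through; it is refused only once the entry carries "system".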