Univention Bugzilla – Bug 34092
UCS in Active Directory domain: Show attributes as readonly
Last modified: 2017-10-18 15:07:58 CEST
+++ This bug was initially created as a clone of Bug #34091 +++

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules' property descriptions should be extended, for example with "readonly_when_synced: True" (default is False).
r47792: Add readonly_when_synced property description
r47793: evaluate readonly_when_synced (when univentionObjectFlag == synced)
r47806: evaluate readonly_when_synced in UDM handler modules
r47821: only restrict properties synced from AD on object modification
TODO: The current implementation does not restrict specific options or policies. Easy would be to restrict policies and options in general.
TODO: Restrict also moving of objects (this already happens in the frontend).
TODO: Which attributes should be "readonly_when_synced"? All handlers/modules should be adapted with that property description.
> TODO: Restrict also moving of objects (This already happens in the frontend).
→ done
TODO: removal should also be restricted.
(In reply to Florian Best from comment #4)
> TODO: removal should also be restricted.
* r48013 restrict removal of synced objects
* r48048 prevent removal and moving of objects also in navigation flavor

(In reply to Florian Best from comment #2)
> TODO: The current implementation does not restrict specific options or
> policies. Easy would be to restrict policies and options in general.
→ Nothing done, as discussed.

> TODO: Which attributes should be "readonly_when_synced"? All
> handlers/modules should be adapted with that property description.
→ r48014 add readonly_when_synced flags to handler modules (OX properties haven't been touched. Properties have been taken from branches/ucs-3.2/component/ucs-in-ad-domain/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping)

Other commits:
* r48032 inverse boolean logic
* r48049 workaround for users/user module: check valueMayChange also in _modify()
To enable the possibility to change synced objects: univention.admin.handlers.disable_ad_restrictions(disable=False)
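A simplified, self-contained model of the check described in comments #0 to #6 (added here as an illustration; it is not UDM's or the connector's own code). Property names follow the AD mapping quoted in comment #18; the class and function names and the `AD_RESTRICTIONS_ENABLED` switch standing in for `univention.admin.handlers.disable_ad_restrictions()` are assumptions of this example.

```python
from dataclasses import dataclass

# Stand-in for the handlers' global toggle (comment #6); hypothetical name.
AD_RESTRICTIONS_ENABLED = True
# The restrictions only apply when ad/member == true (comment #11).
AD_MEMBER = True


@dataclass
class Property:
    """Minimal model of a UDM property description (hypothetical class)."""
    readonly_when_synced: bool = False


# Constructed subset of a computer handler's property descriptions; the
# flagged ones are the attributes the AD connector maps (comment #18).
COMPUTER_PROPERTIES = {
    'name': Property(readonly_when_synced=True),
    'description': Property(readonly_when_synced=True),
    'operatingSystem': Property(readonly_when_synced=True),
    'operatingSystemVersion': Property(readonly_when_synced=True),
    'mac': Property(),  # not in the AD mapping, stays writable
}


def is_synced(ldap_attrs):
    """Object is marked as synced via univentionObjectFlag: synced."""
    return 'synced' in ldap_attrs.get('univentionObjectFlag', [])


def restrictions_active(ldap_attrs):
    return AD_MEMBER and AD_RESTRICTIONS_ENABLED and is_synced(ldap_attrs)


def blocked_changes(ldap_attrs, properties, old_values, new_values):
    """Return the read-only properties whose value would actually change.

    Only real value changes count (valueMayChange semantics, comment #5):
    re-saving an unchanged value on a synced object is still allowed.
    """
    if not restrictions_active(ldap_attrs):
        return []
    return sorted(
        name for name, new in new_values.items()
        if properties.get(name, Property()).readonly_when_synced
        and old_values.get(name) != new
    )


def may_move_or_remove(ldap_attrs):
    """Move and remove are refused entirely for synced objects (comment #5)."""
    return not restrictions_active(ldap_attrs)
```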
Please merge the changes to UCS 3.2-2. It should be released as erratum.
Package: univention-management-console-module-udm
Version: 4.0.97-25.449.201407031234
Scope: errata3.2-2

Package: univention-directory-manager-modules
Version: 9.0.76-9.1208.201407021701
Scope: errata3.2-2

YAML: updated
Changes merged into 4.0 branch
The password attribute of the user is not readonly. It looks like r48069 has not been merged.
(In reply to Stefan Gohmann from comment #9)
> The password attribute of the user is not readonly. It looks like r48069 has
> not been merged.
Yes, r48069 had a typo in the bug number (34902 instead of 34092). Merged svn48069 and svn48073 into 3.2-2 and 4.0-0. YAML adapted.
QA: all restrictions must of course only occur when ad/member==true.
univention-lib (3.0.26-49)
* admember.py: add dns/dns to show/adnotification UCR variables (Bug #34092)
Fields are not read-only in multi-edit. If one of the objects is synced, all (relevant) fields need to be read-only.

Moving a container in navigation gives a rather good error message. Deleting a container, though, gives an untranslated cryptic message.
The MultiObjectWidgets are not read-only (the backend prevents saving, though): Have a look at a group's users or nested groups.
(In reply to Dirk Wiesenthal from comment #14)
> The MultiObjectWidgets are not read-only (the backend prevents saving,
> though): Have a look at a group's users or nested groups.
Also the user's "Samba logon hours" widget.
Can you recheck: 3/5 of a user's account deactivation attributes are editable. Multiple samba options, too (like samba privileges).
I have:

    dn: cn=WIN7PRO,cn=computers,dc=deadlock16,dc=local
    ...
    univentionObjectFlag: synced

But I do not see any attributes marked read-only? I can even change the name.
(In reply to Dirk Wiesenthal from comment #17)
> I have:
>
>     dn: cn=WIN7PRO,cn=computers,dc=deadlock16,dc=local
>     ...
>     univentionObjectFlag: synced
>
> But I do not see any attributes marked read-only? I can even change the name.

These attributes are synced by the connector:

    'cn': univention.connector.attribute(
        ucs_attribute='name',
        ldap_attribute='cn',
        con_attribute='cn',
    ),
    'samAccountName': univention.connector.attribute(
        ldap_attribute='uid',
        con_attribute='sAMAccountName',
    ),
    'description': univention.connector.attribute(
        ucs_attribute='description',
        ldap_attribute='description',
        con_attribute='description',
    ),
    'operatingSystem': univention.connector.attribute(
        ucs_attribute='operatingSystem',
        ldap_attribute='univentionOperatingSystem',
        con_attribute='operatingSystem',
    ),
    'operatingSystemVersion': univention.connector.attribute(
        ucs_attribute='operatingSystemVersion',
        ldap_attribute='univentionOperatingSystemVersion',
        con_attribute='operatingSystemVersion',
    ),
(In reply to Florian Best from comment #12)
> univention-lib (3.0.26-49)
> * admember.py: add dns/dns to show/adnotification UCR variables (Bug #34092)
Is there anything synced from AD? Or is this just for a warning message? The default DNS objects are kept and can be edited/deleted etc.
(In reply to Dirk Wiesenthal from comment #19)
> (In reply to Florian Best from comment #12)
> > univention-lib (3.0.26-49)
> > * admember.py: add dns/dns to show/adnotification UCR variables (Bug #34092)
>
> Is there anything synced from AD? Or is this just for a warning message? The
> default DNS objects are kept and can be edited/deleted etc.
Currently we don't sync the DNS settings between UCS and AD. By default all UCS systems use the AD DNS.
(In reply to Dirk Wiesenthal from comment #16)
> Can you recheck: 3/5 of a user's account deactivation attributes are
> editable. Multiple samba options, too (like samba privileges).
These are currently not synced but maybe it makes sense to disable these attributes as well. I would suggest these:
- Windows home drive
- Windows home path
- Samba privileges
- Permitted times for Windows logins
- All "Windows Terminal Server" attributes
(In reply to Dirk Wiesenthal from comment #13)
> Fields are not read-only in multi-edit. One object of them is synced => all
> (relevant) fields need to be read-only.
>
> Moving a container in navigation gives a rather good error message. Deleting
> a container though gives an untranslated cryptic message.
It is impossible to move and remove those objects via UMC. How did you do that? Error messages are:

    # udm container/cn move --dn cn=test,dc=system,dc=setup --position cn=users,dc=system,dc=setup
    Objects from Active Directory can not be moved.

    # udm container/cn remove --dn cn=test,dc=system,dc=setup
    This operation is not allowed on this object: Objects from Active Directory can not be removed.
* fixed multi edit mode
* these error messages are OK (on CLI); univentionObjectFlag==synced was missing in e.g. cn=users and was fixed in svn52368 by Stefan
* MultiObjectSelect → Bug #35519

TODO: set readonly_when_synced to synced attributes.
(In reply to Stefan Gohmann from comment #21)
> (In reply to Dirk Wiesenthal from comment #16)
> > Can you recheck: 3/5 of a user's account deactivation attributes are
> > editable. Multiple samba options, too (like samba privileges).
>
> These are currently not synced but maybe it makes sense to disable these
> attributes as well. I would suggest these:
>
> - Windows home drive
> - Windows home path
> - Samba privileges
> - Permitted times for Windows logins
> - All "Windows Terminal Server" attributes
This has not been done, or am I mistaken?
(In reply to Dirk Wiesenthal from comment #24)
> (In reply to Stefan Gohmann from comment #21)
> > (In reply to Dirk Wiesenthal from comment #16)
> > > Can you recheck: 3/5 of a user's account deactivation attributes are
> > > editable. Multiple samba options, too (like samba privileges).
> >
> > These are currently not synced but maybe it makes sense to disable these
> > attributes as well. I would suggest these:
> >
> > - Windows home drive
> > - Windows home path
> > - Samba privileges
> > - Permitted times for Windows logins
> > - All "Windows Terminal Server" attributes
Fixed with r52416.

It seems to be not possible to show "Permitted times for Windows logins" as read only: Bug #35529
(In reply to Stefan Gohmann from comment #25)
> > > - Windows home drive
> > > - Windows home path
> > > - Samba privileges
> > > - Permitted times for Windows logins
> > > - All "Windows Terminal Server" attributes
>
> fixed with r52416
>
> It seems to be not possible to show "Permitted times for Windows logins" as
> read only: Bug #35529
And the Windows Terminal Server attributes can't be set to read only due to Bug #35530: r52417
Set more Windows attributes read-only: r52419
Ok, works. Minor adaptions. YAML: Ok.
http://errata.univention.de/ucs/3.2/169.html
http://errata.univention.de/ucs/3.2/170.html