Univention Bugzilla – Bug 35109
CSV-Import unusable for non-Domain Admins
Last modified: 2023-06-12 15:39:50 CEST
If a user who is not a member of the group Domain Admins tries to use the wizard, write access is denied. This is because the user's account is used to access the LDAP. The important use case of allowing a non-admin user to import user accounts is therefore not given.
By default, the "wizards" are only available to Domain Admins. The LDAP ACLs do not permit the creation/deletion of users or classes by school admins. The wizards now use the LDAP connection of the UMC user to modify LDAP objects. Before UCS@school 3.2 R2, the import scripts were called by the UMC module, which used cn=admin for LDAP access.
Possible fix: always use a cn=admin connection
→ this will only work on the DC master (as before)
→ the access control is done via UMC ACLs
Side note: this also affects the CSVImport-Module and should be fixed there in the same way.
Please also consider Bug #35110. May be fixed with the same LDAP ACLs.
Please check if the CSV import module is installed only on a UCS master. If this is the case, it would be best if cn=admin is used for the LDAP connection.
*** Bug 41388 has been marked as a duplicate of this bug. ***
Added tags from #41388.
This issue has been filed against UCS@school 3. The maintenance with bug and security fixes for the last UCS@school version for UCS 3.x (→ UCS@school 3.2) has ended on Dec 31, 2016. Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.