Bug 35109 - CSV-Import unusable for non-Domain Admins
Status: CLOSED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: UMC - CSV Import
Version: UCS@school 3.2 R2
Hardware: Other Linux
Importance: P5 enhancement
Assigned To: UCS@school maintainers
Duplicates: 41388
Depends on:
Blocks: 35110 44641 44642
Reported: 2014-06-12 17:13 CEST by Jan Christoph Ebersbach
Modified: 2023-06-12 15:39 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
School Customer affected?: Yes
Bug group (optional): Forked for project, Roadmap discussion
Description Jan Christoph Ebersbach univentionstaff 2014-06-12 17:13:32 CEST
If a user who's not a member of the group Domain Admins tries to use the wizard, write access is denied. This is because the user's account is used to access the LDAP.

The important use case of allowing a non-admin user to import user accounts is therefore not given.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2014-06-12 17:32:54 CEST
By default, the "wizards" are only available to Domain Admins. The LDAP ACLs do not permit the creation/deletion of users or classes by school admins. The wizards now use the LDAP connection of the UMC user to modify LDAP objects.
Before UCS@school 3.2 R2 the import scripts have been called by the UMC module which used cn=admin for LDAP access.

Possible fix: 
always use a cn=admin connection → this will only work on the DC master (as before) → the access control is done via UMC ACLs

Side note:
this also affects the CSVImport-Module and should be fixed there in the same way.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-06-02 10:30:39 CEST
Please also consider Bug #35110. May be fixed with the same LDAP ACLs.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-06-18 15:33:20 CEST
Please check if the CSV import module is installed only on a UCS master. If this is the case, it would be best if cn=admin is used for the LDAP connection.
Comment 4 Florian Best univentionstaff 2016-05-31 11:39:58 CEST
*** Bug 41388 has been marked as a duplicate of this bug. ***
Comment 5 Michel Smidt 2016-06-14 11:52:06 CEST
Added tags from #41388.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:49:51 CET
This issue has been filed against UCS@school 3. The maintenance with
bug and security fixes for the last UCS@school version for UCS 3.x 
(→ UCS@school 3.2) has ended on Dec 31, 2016.

Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.