Univention Bugzilla – Bug 41115
Adjust UCS@school LDAP ACL's
Last modified: 2019-07-09 16:53:41 CEST
The LDAP ACLs have to be adjusted for UCS@school to include the new attributes/options for the specific user roles.

1. All user containers should be replicated to all school DCs:
   cn=(admins|lehrer|schueler|lehrer und mitarbeiter|mitarbeiter),cn=users,ou=…
2. All school DCs must be able to read all user objects which have ucsschoolSchool=$OU.
3. All current rules have to be adjusted to work with the new ucsschoolSchool attribute.
We should also make sure that this has no side effects, as only a part of the OU structure is replicated. This might lead to noObject exceptions when trying to use the ucsschool-lib for some objects in a not completely replicated OU.
In point 1. only the containers, not the contents, should be readable!
4. The ACLs must allow access to cn=groups,$OU with scope=one to be able to resolve the (primary) groups of all users on the DC Slave.
A closer look at svn r69292 should be done. All changes there should be documented.
(In reply to Florian Best from comment #4)
> A closer look at svn r69292 should be done. All changes there should be
> documented.

Please add them to the YAML file.
In svn r69291 I added a script ldap_acl_dump.py which writes an LDIF for every object it finds, containing the permissions for each attribute, e.g.:

dn: ou=oldschool,dc=school,dc=local
displayName: =rscxd
objectClass: =rscxd
ou: =rscxd
ucsschoolClassShareFileServer: =rscxd
ucsschoolHomeShareFileServer: =rscxd
univentionObjectType: =rscxd
univentionPolicyReference: =rscxd
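The dump format quoted above (one `attribute: =<privilege letters>` line per attribute, using slapd's r/s/c/x/d read-level letters) is simple enough to audit mechanically. The script below is an added example and not the ldap_acl_dump.py from r69291 or any other Univention code: it parses entries in that form and, assuming the dump was produced under the bind identity of one school's DC (an assumption of this example), reports user objects outside that school's OU that are still readable, which is the over-broad read access point 2 of the bug description is about, and any attribute carrying a write-level privilege (w/a/z/m). The sample dump entries, DNs and privilege strings are constructed for the example.

```python
import re

# Constructed sample in the ldap_acl_dump.py output format; DNs and
# privileges are made up for this example and do not describe a real system.
SAMPLE_DUMP = """\
dn: ou=oldschool,dc=school,dc=local
displayName: =rscxd
objectClass: =rscxd
ou: =rscxd
ucsschoolClassShareFileServer: =rscxd
ucsschoolHomeShareFileServer: =rscxd
univentionObjectType: =rscxd
univentionPolicyReference: =rscxd

dn: uid=teacher1,cn=lehrer,cn=users,ou=oldschool,dc=school,dc=local
uid: =rscxd
ucsschoolSchool: =rscxd
userPassword: =wrscxd

dn: uid=pupil1,cn=schueler,cn=users,ou=otherschool,dc=school,dc=local
uid: =rscxd
ucsschoolSchool: =rscxd
"""

# "attribute: =letters"; the letters may be empty when no access is granted.
PERM_RE = re.compile(r"^([A-Za-z][\w;-]*): =([a-z]*)$")

# slapd privilege letters: r read, s search, c compare, x auth, d disclose;
# w write (= a add + z delete), m manage.
READ = "r"
WRITE_LETTERS = frozenset("wazm")


def parse_dump(text):
    """Return {dn: {attribute: set(privilege letters)}} from a permission dump."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:            # blank line ends the current entry
            current = None
            continue
        if line.startswith("dn: "):
            current = line[4:]
            entries[current] = {}
            continue
        match = PERM_RE.match(line)
        if current is not None and match:
            entries[current][match.group(1)] = set(match.group(2))
    return entries


def ou_of(dn):
    """Return the value of the first ou= RDN in a DN (the school OU), or None."""
    for rdn in dn.split(","):
        if rdn.lower().startswith("ou="):
            return rdn[3:]
    return None


def audit(entries, school):
    """Findings for a dump taken as the DC of `school` (hypothetical use case).

    Returns a list of (dn, kind, attributes):
      - "foreign_user_readable": a user object (uid= RDN) in another school's OU
        has at least one readable attribute.
      - "writable": an attribute carries a write-level privilege.
    """
    findings = []
    for dn, attrs in entries.items():
        readable = sorted(a for a, p in attrs.items() if READ in p)
        writable = sorted(a for a, p in attrs.items() if p & WRITE_LETTERS)
        is_user = dn.lower().startswith("uid=")
        if is_user and ou_of(dn) != school and readable:
            findings.append((dn, "foreign_user_readable", readable))
        if writable:
            findings.append((dn, "writable", writable))
    return findings


if __name__ == "__main__":
    for dn, kind, attrs in audit(parse_dump(SAMPLE_DUMP), "oldschool"):
        print("%s: %s (%s)" % (kind, dn, ", ".join(attrs)))
```

Running it against a real dump means passing the file contents to `parse_dump` and the OU name of the school whose DC identity produced the dump to `audit`; container entries (ou= or cn= RDN) are deliberately left out of the foreign-read check because point 1 of the bug wants the containers themselves readable everywhere.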
*** Bug 25869 has been marked as a duplicate of this bug. ***
The ACLs have been adjusted. cn=users, cn=examuser and cn=groups underneath a UCS@school OU are replicated to all DC Slaves. School DCs as well as school users can read every object belonging to one of their own schools.

ucs-school-ldap-acls-master (14.0.1-1):
r69691 | Bug #41115: whitespace cleanup
r69690 | Bug #41115: prevent read access to every object by all school objects
r69564 | Bug #41115: revert regression which caused failed.ldif during join
r69322 | Bug #41115: adjust LDAP ACL for new school structure
r69292 | Bug #41115: adjust broken/untidy ACL rules
r69291 | Bug #41115: adjust LDAP ACL for new school structure
r69265 | Bug #41115: adjust LDAP ACL for new school structure
r69247 | Bug #41115: simplify ACL logic, this seems to be unnecessary
r69246 | Bug #41115: adjust LDAP ACL for new school structure
r69245 | Bug #41115: remove unneeded rules
r69130 | Bug #41115: adjust LDAP ACL for new school structure
r69129 | Bug #41115: adjust LDAP ACL for new school structure
r69089 | Bug #41115: adjust LDAP ACL for new school structure
r69088 | Bug #41115: preserve permissions instead of dropping them
r69087 | Bug #41115: revert last commit
r68899 | Bug #41115: start LDAP ACL adjustment to use ucsschoolSchool attribute
Bug 41720 has been opened for a minor/medium issue. Everything else looked ok during manual comparison. See Bug 41116.
UCS@school 4.1 R2 has been released: http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf If this error occurs again, please use "Clone This Bug".