Univention Bugzilla – Bug 41720
LDAP ACLs: staff is able to modify shares - but should not
Last modified: 2016-11-23 12:36:58 CET
UCS@school staff users are now able to modify shares with new LDAP ACLs:

dn: cn=Marktplatz,cn=shares,ou=schoolA,dc=nstx,dc=local
+univentionShareWriteable: =wrscxd
-univentionShareWriteable: =rscxd
+univentionShareUid: =wrscxd
-univentionShareUid: =rscxd
+univentionShareSambaWriteable: =wrscxd
-univentionShareSambaWriteable: =rscxd
+univentionShareSambaStrictLocking: =wrscxd
-univentionShareSambaStrictLocking: =rscxd
+univentionShareSambaSecurityMode: =wrscxd
-univentionShareSambaSecurityMode: =rscxd
+univentionShareSambaPublic: =wrscxd
-univentionShareSambaPublic: =rscxd
+univentionShareSambaOplocks: =wrscxd
-univentionShareSambaOplocks: =rscxd
+univentionShareSambaNtAclSupport: =wrscxd
-univentionShareSambaNtAclSupport: =rscxd
+univentionShareSambaName: =wrscxd
[...]

Everything else for staff users seems to be ok.

+++ This bug was initially created as a clone of Bug #41115 +++
ucs-school-ldap-acls-master (14.0.1-6):
r70787 | Bug #41720: adjust joinscript version
r70786 | Bug #41720: staff only users should not be able to modify shares

ucs-school-ldap-acls-master.yaml:
r70788 | YAML Bug #41720

Package: ucs-school-ldap-acls-master
Version: 14.0.1-6.75.201607041226
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
OLD:
(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator)
  (objectClass=ucsschoolStaff)
)

NEW:
(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator)
  (&(objectClass=ucsschoolTeacher)(objectClass=ucsschoolStaff))
)

If I'm not mistaken, there is now redundancy in the search filter.
→ (|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator)) should be sufficient

REOPEN: code change
OK: YAML
You are right.

ucs-school-ldap-acls-master (14.0.1-8):
r70904 | Bug #41720: simplify filter
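The redundancy discussed in the two comments above can be checked mechanically. The following is an added example, not code from the bug report or from UCS@school: a small evaluator for the `&`, `|`, `!` and equality subset of LDAP filter syntax that runs the three quoted filters over every combination of the three role object classes. The function names are hypothetical and the role combinations are constructed test input.

```python
from itertools import combinations

# Filters as quoted in the comments above, with whitespace removed.
T, A, S = "ucsschoolTeacher", "ucsschoolAdministrator", "ucsschoolStaff"
OLD = f"(|(objectClass={T})(objectClass={A})(objectClass={S}))"
NEW = f"(|(objectClass={T})(objectClass={A})(&(objectClass={T})(objectClass={S})))"
SIMPLIFIED = f"(|(objectClass={T})(objectClass={A}))"

def parse(text, pos=0):
    """Parse one filter at text[pos]; return (node, index after its ')')."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|", "!"):
        pos, children = pos + 1, []
        while text[pos:pos + 1] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")" or not children or (op == "!" and len(children) > 1):
            raise ValueError(f"malformed '{op}' filter near offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed equality filter near offset {pos}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attribute: set of values}, case-insensitively."""
    if node[0] == "=":
        return node[2] in entry.get(node[1], set())
    results = [matches(child, entry) for child in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def evaluate(filter_text, object_classes):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return matches(node, {"objectclass": {c.lower() for c in object_classes}})

def matched_role_sets(filter_text):
    """Every combination of the three role classes that the filter matches."""
    combos = (set(c) for n in range(4) for c in combinations((T, A, S), n))
    return {frozenset(c) for c in combos if evaluate(filter_text, c)}

if __name__ == "__main__":
    assert matched_role_sets(NEW) == matched_role_sets(SIMPLIFIED)
    for name, flt in (("OLD", OLD), ("NEW", NEW), ("SIMPLIFIED", SIMPLIFIED)):
        print(f"{name:<10} staff-only={evaluate(flt, {S})} teacher+staff={evaluate(flt, {T, S})}")
```

The only role combination that OLD matches and NEW does not is the staff-only one, and NEW and the simplified filter match exactly the same combinations, so the `(&...)` branch adds nothing.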
OK: code change
OK: functional test
OK: YAML
Back to RESOLVED for additional ucs-test scripts.
(In reply to Sönke Schwardt-Krummrich from comment #5)
> Back to RESOLVED for additional ucs-test scripts.

ucs-test-ucsschool (3.0.14-5):
r71727 | Bug #41720: check if users are able to read but not able to modify shares objects
UCS@school 4.1 R2 v4 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v4-de.html

If this error occurs again, please clone this bug.