Univention Bugzilla – Bug 48346
DenyList for usersync
Last modified: 2023-06-12 16:00:19 CEST
In principle, it would be great if you could specify an LDAP filter for each user role (teacher, student) via UCR to exclude certain LDAP accounts from the ASM sync.
The feature is implemented in oschwieg/4.4/48346.

The UCRV asm/ldap_filter/students/* and asm/ldap_filter/staff/* were added. With them an LDAP filter can be entered that is given to the Student.get_all(lo, $SCHOOL, filter_str=$FILTER) call. With this a denylist can be realized.

This filter is configurable per school. If a variable without specific school suffix is given, that filter is used as a fallback for all schools without specific filter.

Example for School1, School2, School3:

asm/ldap_filter/students/School1=SOME_FILTER
asm/ldap_filter/students=OTHER_FILTER

For School1 SOME_FILTER is used, since the filter was configured for the school.
For School2 and School3 OTHER_FILTER is used, since they do not have a filter configured specifically for them.

If neither variable is specified the current behavior (no filter) applies.
QA OK so far, please add ucs-test-ucsschool as discussed.

- Code Review -> OK
- UCR-V -> OK
- functionality -> OK

global fallback for students
ucr set asm/ldap_filter/students="(uid=demo*)"
-> OK: write uid=demo_*
ucr set asm/ldap_filter/students="(sambaAcctFlags=[UD ])"
-> OK: write disabled students

school specific filter for students
ucr set asm/ldap_filter/students/DEMOSCHOOL="(sambaAcctFlags=[UD ])"
-> OK: write all students not part of DEMOSCHOOL, if no fallback or school specific filter is set and only disabled students of DEMOSCHOOL
ucr set asm/ldap_filter/students/DEMOSCHOOL="(&(!(uid=demo_*))(!(sambaAcctFlags=[UD ])))"
-> OK: write all students that are not disabled and do not start with "demo_*"

global fallback for staff
ucr set asm/ldap_filter/staff="(uid=demo*)"
-> OK: write only uid=demo_*
ucr set asm/ldap_filter/staff="(sambaAcctFlags=[UD ])"
-> OK: write disabled teachers & staff

school specific filter for staff
ucr set asm/ldap_filter/staff/DEMOSCHOOL="(sambaAcctFlags=[UD ])"
-> OK: write all teachers & staff not part of DEMOSCHOOL, if no fallback or school specific filter is set and only disabled teachers & staff of DEMOSCHOOL
ucr set asm/ldap_filter/staff/DEMOSCHOOL="(&(!(uid=demo_*))(!(sambaAcctFlags=[UD ])))"
-> OK: write all teachers & staff that are not disabled and do not start with "demo_*" of DEMOSCHOOL and all teachers & staff not part of DEMOSCHOOL, if no fallback or school specific filter is set
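Added example, not part of the bug thread and not the connector's own code: a local sketch of the per-school fallback described above, applied to the filters from the QA comment so an admin can preview which accounts a denylist keeps out of the ASM sync. The function names, the in-memory UCR dict and the sample entries are constructed assumptions; only a subset of LDAP filter syntax is handled, and matching is simplified to case-insensitive.

```python
import re

def resolve_filter(ucr, role, school):
    """School-specific variable wins, the unsuffixed one is the fallback, else no filter."""
    base = "asm/ldap_filter/%s" % role
    return ucr.get("%s/%s" % (base, school)) or ucr.get(base) or None

def parse(flt, pos=0):
    """Parse a filter subset: (&...), (|...), (!...), (attr=value with * wildcards)."""
    assert flt[pos] == "("
    pos += 1
    if flt[pos] in "&|!":
        op, pos, subs = flt[pos], pos + 1, []
        while flt[pos] == "(":
            node, pos = parse(flt, pos)
            subs.append(node)
        assert flt[pos] == ")"
        return (op, subs), pos + 1
    end = flt.index(")", pos)
    attr, value = flt[pos:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Escape literal parts so "[UD ]" is not read as a character class.
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.I) for v in entry.get(attr, []))

def synced_uids(ucr, role, school, entries):
    """Return the uids that would still be written for this school."""
    flt = resolve_filter(ucr, role, school)
    if flt is None:
        return [e["uid"][0] for e in entries]
    tree, _ = parse(flt)
    return [e["uid"][0] for e in entries if matches(tree, e)]

# Constructed sample data; flag values use the form shown in the QA comment.
UCR = {"asm/ldap_filter/students/DEMOSCHOOL": "(&(!(uid=demo_*))(!(sambaAcctFlags=[UD ])))",
       "asm/ldap_filter/students": "(uid=demo*)"}
STUDENTS = [{"uid": ["demo_student"], "sambaAcctFlags": ["[U ]"]},
            {"uid": ["anna"], "sambaAcctFlags": ["[U ]"]},
            {"uid": ["ben"], "sambaAcctFlags": ["[UD ]"]}]
```

In the connector the filter is evaluated by the LDAP server through the get_all call, so a preview like this only approximates the real result.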
Test implemented.

Package built in version 2.0.0-4 in TestAppCenter
Apple School Manager version 2.2

Please check that everything works in the AppCenter and that the UCRv descriptions are understandable since this is the only documentation as far as I know.
QA -> All OK -> VERIFY

UCR-V -> OK for me
Changelog -> OK
Tests -> OK
Packages uploaded to test-app center OK (test & connector)
Installation OK (& tests pass)
Upgrade (apple-school-manager=2.1 -> 2.2) OK (& tests pass)