Bug 49390 - allow to disable read to "*" LDAP ACL's in 60univention-ldap-server_acl-slave
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.4
Other Linux
Importance: P5 normal
QA Contact: Felix Botner
Duplicates: 49389
Reported: 2019-04-29 16:29 CEST by Felix Botner
Modified: 2022-03-07 15:47 CET (History)

What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
best: Patch_Available+


Description Felix Botner univentionstaff 2019-04-29 16:29:38 CEST
We need something like:

-if configRegistry.is_false('ldap/acl/read/anonymous'):
-       print 'access to dn.subtree="%s" attrs=entry,uid' % (configRegistry['ldap/base'],)
-       ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
-       if ldap_acl_read_anonymous_ips:
-               for ip in ldap_acl_read_anonymous_ips.split(','):
-                       print '   by peername.ip=%s read' % ip
-       print '   by anonymous auth'
-       print '   by * +0 break'
-       print ''
-print 'access to *'
-if configRegistry.is_false('ldap/acl/read/anonymous'):
-       print '   by users read'
-       ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
-       if ldap_acl_read_anonymous_ips:
-               for ip in ldap_acl_read_anonymous_ips.split(','):
-                       print '   by peername.ip=%s read' % ip
-else:
-       print '   by * read'
-print
+if baseConfig.get('$ABC/ldap-slave-role', '') == '' or baseConfig['server/role'] != "domaincontroller_slave":
+       if configRegistry.is_false('ldap/acl/read/anonymous'):
+               print 'access to dn.subtree="%s" attrs=entry,uid' % (configRegistry['ldap/base'],)
+               ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
+               if ldap_acl_read_anonymous_ips:
+                       for ip in ldap_acl_read_anonymous_ips.split(','):
+                               print '   by peername.ip=%s read' % ip
+               print '   by anonymous auth'
+               print '   by * +0 break'
+               print ''
+       print 'access to *'
+       if configRegistry.is_false('ldap/acl/read/anonymous'):
+               print '   by users read'
+               ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
+               if ldap_acl_read_anonymous_ips:
+                       for ip in ldap_acl_read_anonymous_ips.split(','):
+                               print '   by peername.ip=%s read' % ip
+       else:
+               print '   by * read'
+       print

 if configRegistry.get('ldap/replog', '').lower() in ('true', 'yes'):
        print "replogfile /var/lib/univention-ldap/replog/replog"
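Review bot: the new guard on the first `+` line uses `baseConfig` while every other lookup in this template goes through `configRegistry`, and `$ABC/ldap-slave-role` is still a placeholder for a variable name that has to be decided. As written, the block is skipped only when that variable is non-empty and `server/role` is `domaincontroller_slave`; a single boolean UCR variable checked with `configRegistry.is_true(...)` (the style the template already uses with `is_false('ldap/acl/read/anonymous')`) would express the intent more directly and would not require re-indenting the whole block. The variable's description should also say what the disabled state means: this fragment then emits neither the anonymous-auth rule nor any `access to *` default, so the result for entries not matched elsewhere is decided entirely by the remaining ACL files and slapd's fallback behaviour.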

Not exactly this, just a way to disable this block.
Comment 1 Florian Best univentionstaff 2019-05-07 13:41:57 CEST
*** Bug 49389 has been marked as a duplicate of this bug. ***
Comment 2 Florian Best univentionstaff 2019-05-07 13:44:45 CEST
Probably the better alternative is to get rid of the roles and make it a single-line patch, which allows specifying the default readable attributes. This also fixes Bug #49389.

diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave
index 40bb6e3d7c..1b56355fef 100644
--- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave
+++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave
@@ -30,7 +30,7 @@ if configRegistry.is_false('ldap/acl/read/anonymous'):
        print '   by anonymous auth'
        print '   by * +0 break'
        print ''
-print 'access to *'
+print 'access to %s' % (configRegistry.get('ldap/default-readable-attributes', '*'))
 if configRegistry.is_false('ldap/acl/read/anonymous'):
        print '   by users read'
        ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
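Review bot: in the replaced `print` line the UCR value is substituted verbatim after `access to`, so a value such as `entry,objectClass` produces `access to entry,objectClass`, which is not a valid `<what>` clause (slapd expects `*`, `dn...`, `filter=...` or `attrs=...`); either emit `'access to attrs=%s'` or document that the value itself must start with `attrs=`. The variable name in the hunk (`ldap/default-readable-attributes`) also differs from the one given in comment 4 (`ldap/acl/read/slave/default-attributes`); the two should agree before merging. Note that the `by` clauses below are unchanged, so with anonymous read disabled the narrowed rule still grants `users read` (plus the `peername.ip` entries) on the listed attributes only.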
Comment 3 Florian Best univentionstaff 2019-05-15 23:25:02 CEST
Patch available in branch fbest/ldap-patches-49386-49391. Please test and reopen for merging.
Do we need the same for ldap/server/type == master? Just for consistency?
Comment 4 Florian Best univentionstaff 2019-05-15 23:28:19 CEST
ucr set ldap/acl/read/slave/default-attributes=entry,objectClass
Comment 5 Felix Botner univentionstaff 2019-05-27 14:11:07 CEST
I am not sure if this patch does what we need. In the customer fork both the authentication rule and the default rule are deactivated.

(a)

the default rule is probably replaced by 49389, so we can use this patch here to create a new default rule ( ucr set ldap/acl/read/slave/default-attributes="attrs=entry,objectClass" )

 access to attrs=entry,objectClass
   by users read

which is different from the customer's default rule

 access to attrs=entry,objectClass
   by * read break

is this OK? (and there is a typo in the patch, the print statement needs a %s or so)

(b)
in the fork it seems to be possible to completely deactivate the authentication rule

 access to dn.subtree="dc=four,dc=four" attrs=entry,uid
   by anonymous auth
   by * +0 break

this is not possible with the patch
Comment 6 Florian Best univentionstaff 2019-06-28 16:00:39 CEST
(In reply to Felix Botner from comment #5)
> I am not sure if this patch does what we need. In the customer fork both,
> the authentication rule and default rule are deactivated.
> 
> (a)
> 
> the default rule is probably replaced by 49389, so we can use this
> patch here to create a new default rule ( ucr set
> ldap/acl/read/slave/default-attributes="attrs=entry,objectClass") 
> 
>  access to attrs=entry,objectClass
>    by users read
> 
> which is different from the customer's default rule
> 
>  access to attrs=entry,objectClass
>    by * read break
> 
> is this OK? (and there is a typo in the patch, the print statement needs a
> %s or so)
> 
> (b)
> in the fork it seems to be possible to completely deactivate the
> authentication rule
> 
>  access to dn.subtree="dc=four,dc=four" attrs=entry,uid
>    by anonymous auth
>    by * +0 break
> 
> this is not possible with the patch

Oh yes, I overlooked that!

a)
If anonymous auth is deactivated, "*" and "users" are similar, except that "users" excludes unauthenticated accounts.
The UCS rule is "break", the customer rule is "stop".
But as this is the very last rule, there is no other rule to continue with. So there is no practical difference to a standard UCS.
So effectively, the customer allows read to objectClass,entry by * including anonymous users.
I doubt that is wanted? But if it is, no problem, we can modify that.

Let's discuss this patch again on Monday.
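Comments 5 and 6 argue about what the two default rules and the `+0 break` on the auth rule actually grant. The following model of slapd's first-match `<what>` / ordered `<by>` evaluation is an added example, not code from UCS or OpenLDAP; the rules are the ones quoted in comment 5, the sample DNs under dc=four,dc=four are constructed, and only the `<who>` forms `*`, `users` and `anonymous` and the controls `stop` and `break` are modelled.

```python
# Toy model of the slapd ACL evaluation discussed in this bug: the first matching
# "access to <what>" is used, its "by <who>" clauses are tried in order, and the
# control word ends evaluation (stop) or moves on to the next directive (break).

def who_matches(who, bind_dn):  # <who>: '*', 'users' or 'anonymous'; None = anonymous bind
    return {"*": True, "users": bind_dn is not None, "anonymous": bind_dn is None}[who]

def what_matches(what, dn, attr):  # what = {'subtree': dn|None, 'attrs': set|None}; None = '*'
    subtree = what.get("subtree")
    if subtree and not (dn == subtree or dn.endswith("," + subtree)):
        return False
    return what.get("attrs") is None or attr in what["attrs"]

def evaluate(acls, dn, attr, bind_dn):
    granted = "none"
    for what, by_clauses in acls:
        if not what_matches(what, dn, attr):
            continue
        for who, level, control in by_clauses:
            if not who_matches(who, bind_dn):
                continue
            if level != "+0":        # '+0' is incremental and grants nothing extra
                granted = level
            if control == "stop":
                return granted
            break                    # 'break': leave this directive, try the next one
        else:
            return "none"            # no <by> matched: implicit 'by * none stop'
    return granted                   # ran out of directives (none matched => 'none')

# Added illustration, not UCS code. Rules quoted in comment 5; the DNs are constructed.
BASE = "dc=four,dc=four"
AUTH_RULE = ({"subtree": BASE, "attrs": {"entry", "uid"}},
             [("anonymous", "auth", "stop"), ("*", "+0", "break")])
UCS_DEFAULT = ({"attrs": {"entry", "objectClass"}}, [("users", "read", "stop")])
CUSTOMER_DEFAULT = ({"attrs": {"entry", "objectClass"}}, [("*", "read", "break")])
ENTRY, USER = "uid=alice," + BASE, "uid=bob," + BASE

def default_rule_access(default_rule):  # -> (anonymous, authenticated) objectClass access
    acls = [AUTH_RULE, default_rule]
    return (evaluate(acls, ENTRY, "objectClass", None),
            evaluate(acls, ENTRY, "objectClass", USER))

def last_rule_stop_vs_break():  # comment 6: on the last directive 'break' == 'stop'
    stopped = (CUSTOMER_DEFAULT[0], [("*", "read", "stop")])
    return default_rule_access(CUSTOMER_DEFAULT) == default_rule_access(stopped)

def auth_rule_break_matters():  # -> (with '+0 break', with 'none stop') for a user's uid read
    wide = ({"attrs": None}, [("users", "read", "stop")])
    stopped = (AUTH_RULE[0], [("anonymous", "auth", "stop"), ("*", "none", "stop")])
    return (evaluate([AUTH_RULE, wide], ENTRY, "uid", USER),
            evaluate([stopped, wide], ENTRY, "uid", USER))
```

`default_rule_access(UCS_DEFAULT)` yields `("none", "read")` while the customer's `by * read break` yields `("read", "read")`, which is the anonymous-read difference comment 6 describes; `auth_rule_break_matters()` shows that the `+0 break` is what lets an authenticated uid read fall through to the default rule.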
Comment 7 Felix Botner univentionstaff 2019-11-25 12:21:17 CET
Any progress here, do we need to talk?
Comment 8 Florian Best univentionstaff 2019-11-26 10:44:36 CET
(In reply to Felix Botner from comment #7)
> Any progress here, do we need to talk?
We need a concrete order from professional services that we should continue here.