Univention Bugzilla – Attachment 5873 Details for
Bug 34554
UCS 3.2 regression: LDAP-ACLs deny access for DCs in cn=sub,cn=(dc|memberserver),cn=computers
[patch]
access_for_systems_in_subcontainers.patch
access_for_systems_in_subcontainers.patch (text/plain), 8.64 KB, created by
Arvid Requate
on 2014-04-15 13:05:15 CEST
Description:
access_for_systems_in_subcontainers.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2014-04-15 13:05:15 CEST
Size:
8.64 KB
>Index: conffiles/etc/ldap/slapd.conf.d/70univention-ldap-server_acl-master-end
>===================================================================
>--- conffiles/etc/ldap/slapd.conf.d/70univention-ldap-server_acl-master-end (Revision 49252)
>+++ conffiles/etc/ldap/slapd.conf.d/70univention-ldap-server_acl-master-end (Arbeitskopie)
>@@ -19,7 +19,7 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>- print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+ print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by * read break'
>
> print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base
>@@ -28,7 +28,7 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>- print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+ print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by * read break'
>
> print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base
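Review bot: The changed `by dn.children="cn=dc,cn=computers,%s"` clause authorizes by DN position alone, so any identity that binds from an entry at any depth below `cn=dc,cn=computers` now receives the access level in `usr`, not only DC host objects in sub-containers. The same replacement is made in every later hunk of this file, so the point applies to all of them. The rule `access to dn.subtree="cn=computers,%s" attrs=children,entry` visible in the hunk at -51 limits entry creation there to Domain Admins and DCs, but the rest of the file is not shown, so it is worth confirming that no other rule lets a less privileged identity add or move entries into these subtrees. A comment at this first occurrence would record the intent, e.g. `# dn.children instead of dn.onelevel: hosts may live in sub-containers (Bug #34554)`. The enclosing `if`/`else` begins outside the hunk.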
>@@ -37,12 +37,12 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>- print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+ print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by * read break'
>
> print '## to prevent uidNumber=0 modifications'
> print 'access to attrs=uidNumber value=0'
>- print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base )
>+ print ' by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base )
> print ' by * read break'
>
> print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base )
>@@ -51,7 +51,7 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>- print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+ print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by * read break'
>
> print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts)
>@@ -60,7 +60,7 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>- print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+ print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by * read break'
>
> print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base )
>@@ -69,7 +69,7 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>- print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+ print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by * read break'
>
> print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
>@@ -79,7 +79,7 @@
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
> print ' by self %s' % ( usr )
>-print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base )
>+print ' by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base )
> print ' by * none'
>
> print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
>@@ -88,7 +88,7 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>-print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by self %s' % ( usr )
> print ' by * none'
>
>@@ -98,7 +98,7 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>-print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
> print ' by * read break'
>
> print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword'
>@@ -107,8 +107,8 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>-print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>-print ' by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
>+print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+print ' by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
> print ' by * none'
>
> print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange'
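Review bot: The second changed line in the hunk at -107 grants `read` on `userPassword`, `krb5Key`, `sambaNTPassword`, `sambaClearTextPassword` and the other listed attributes to every identity at any depth below `cn=memberserver,cn=computers`, which is the most sensitive widening in this patch. The hunks at -127 and -137 do the same for `write` on the `cn=idmap,cn=univention` rules. These grants follow DN position, unlike the Domain Admins clause just above, which checks `group/univentionGroup/uniqueMember`, so the patch should come with a test confirming that only Domain Admins and DCs can create entries in such sub-containers. I would also add a comment above the rule, e.g. `# position-based trust: anything that can bind below cn=memberserver,cn=computers reads these attributes`. The `if`/`else` that the first context lines belong to begins outside the hunk.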
>@@ -117,8 +117,8 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>-print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>-print ' by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
>+print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+print ' by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
> print ' by * read break'
>
> print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base )
>@@ -127,8 +127,8 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>-print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>-print ' by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
>+print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+print ' by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
> print ' by * none'
>
> print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base )
>@@ -137,8 +137,8 @@
> print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
> else:
> print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
>-print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>-print ' by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
>+print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
>+print ' by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
> print ' by * none'
>
> print 'access to *'