Bug 34554 - UCS 3.2 regression: LDAP-ACLs deny access for DCs in cn=sub,cn=(dc|memberserver),cn=computers
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 3.2
Hardware/OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-2-errata
Assigned To: Felix Botner
Arvid Requate
Blocks: 35141 35142
Reported: 2014-04-15 13:05 CEST by Arvid Requate
Modified: 2014-07-14 17:45 CEST (History)

Bug group (optional): Troubleshooting
requate: Patch_Available+


Attachments
access_for_systems_in_subcontainers.patch (8.64 KB, patch)
2014-04-15 13:05 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2014-04-15 13:05:15 CEST
Created attachment 5873 [details]
access_for_systems_in_subcontainers.patch

The patch in Bug #29421 causes a regression for all machines below

  cn=sub,cn=dc,cn=computers,$ldap_base

and

  cn=sub,cn=memberserver,cn=computers,$ldap_base

They are denied access to quite a number of attributes and objects now, causing replication to fail at Ticket#: 2014041421005183.

The attached patch should restore the old behavior. Actually the original Bug was a feature in this case.
+++ This bug was initially created as a clone of Bug #29421 +++

All(!) LDAP ACLs of type .regexp are faulty because they are not anchored with ^ at the beginning and $ at the end.
As a result the ACLs can partly be circumvented in tricky ways, since it is enough for the regexp to occur anywhere in the match string.
The bug affects UCS-3.1, UCS-3.0, UCS-2.4 and probably all versions before that.
Comment 1 Felix Botner univentionstaff 2014-06-18 09:51:18 CEST
Without this patch, the join of this computer object "cn=slave,cn=subber,cn=sub,cn=dc,cn=computers,dc=w2k12,dc=test" was not possible (replication: object class violation while ...).

With the patch, the join works just fine.

ACLs for non cn=dc | cn=memberserver DNs and server password change also work.

YAML: 2014-06-17-univention-ldap.yaml
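To make the two halves of this bug concrete (the unanchored-regexp problem from the cloned Bug #29421 text, and the sub-container DC DN from Comment 1 that the anchored ACLs then rejected), here is an added Python illustration that is not part of this bug, its patch or the UCS code: it emulates slapd's dn.regex test, which matches anywhere in the DN unless the pattern is anchored, against three constructed patterns. The LDAP base, the DNs and the patterns are assumptions for the illustration, not the real UCS ACL entries.

```python
import re

# Constructed LDAP base; the DNs and patterns below are illustrative, not the real UCS ACLs.
LDAP_BASE = "dc=w2k12,dc=test"
DC_CONTAINER = "cn=dc,cn=computers," + LDAP_BASE

# Three candidate "by dn.regex=..." patterns meaning "a host object below cn=dc,cn=computers".
PATTERNS = {
    # Unanchored (the state before Bug #29421): any DN that merely *contains* the text matches.
    "unanchored": r"cn=[^,]+," + re.escape(DC_CONTAINER),
    # Anchored, but exactly one RDN below the container: this is what broke hosts in sub-containers.
    "anchored_flat": r"^cn=[^,]+," + re.escape(DC_CONTAINER) + r"$",
    # Anchored and allowing any number of intermediate cn=... containers.
    "anchored_subtree": r"^cn=[^,]+(,cn=[^,]+)*," + re.escape(DC_CONTAINER) + r"$",
}


def acl_matches(pattern: str, dn: str) -> bool:
    """Emulate slapd's dn.regex test: regexec() finds the pattern anywhere unless it is anchored."""
    return re.search(pattern, dn) is not None


def evaluate(dn: str) -> dict:
    """Return {pattern name: whether that ACL clause would apply to dn}."""
    return {name: acl_matches(pat, dn) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    samples = [
        # direct child of the container
        "cn=master," + DC_CONTAINER,
        # the sub-container DC from Comment 1
        "cn=slave,cn=subber,cn=sub," + DC_CONTAINER,
        # a member server: must never satisfy a DC pattern
        "cn=fs1,cn=memberserver,cn=computers," + LDAP_BASE,
        # a DN under a different suffix that merely contains the container string
        "cn=host," + DC_CONTAINER + "ing",
    ]
    for dn in samples:
        print(dn)
        for name, hit in evaluate(dn).items():
            print(f"  {name:17s} {'match' if hit else 'no match'}")
```

Only the anchored subtree form both rejects the foreign-suffix DN and admits the sub-container DC, which is the behaviour the fix for this bug has to restore.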
Comment 2 Arvid Requate univentionstaff 2014-07-02 19:11:39 CEST
Verified.
Comment 3 Moritz Muehlenhoff univentionstaff 2014-07-14 10:51:14 CEST
http://errata.univention.de/ucs/3.2/150.html