Univention Bugzilla – Bug 34554
UCS 3.2 regression: LDAP-ACLs deny access for DCs in cn=sub,cn=(dc|memberserver),cn=computers
Last modified: 2014-07-14 17:45:14 CEST
Created attachment 5873: access_for_systems_in_subcontainers.patch

The patch in Bug #29421 causes a regression for all machines below cn=sub,cn=dc,cn=computers,$ldap_base and cn=sub,cn=memberserver,cn=computers,$ldap_base. They are denied access to quite a number of attributes and objects now, causing replication to fail at Ticket#: 2014041421005183. The attached patch should restore the old behavior. Actually, the original bug was a feature in this case.

+++ This bug was initially created as a clone of Bug #29421 +++

All(!) LDAP ACLs of type .regexp are faulty because they are not anchored with ^ at the beginning and $ at the end. As a result, the ACLs can in some cases be circumvented with a bit of trickery, since it suffices for the regexp to occur anywhere in the match string. The bug affects UCS-3.1, UCS-3.0, UCS-2.4 and presumably all earlier versions.
Without this patch, the join of this computer object "cn=slave,cn=subber,cn=sub,cn=dc,cn=computers,dc=w2k12,dc=test" was not possible (replication: object class violation while ...). With the patch, the join works just fine. ACLs for non-cn=dc | cn=memberserver DNs and the server password change also work.

YAML: 2014-06-17-univention-ldap.yaml
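The interplay between the anchoring fix from Bug #29421 and the sub-container regression described in the report and in the QA comment above can be reproduced with plain regular expressions. The following is an added example and is not code from this bug report, from the attached patch or from the univention-ldap package. It assumes a constructed base DN dc=w2k12,dc=test (mirroring the DN quoted in the QA comment), three illustrative stand-in patterns for the ACL shapes (unanchored, strictly anchored, anchored but allowing intermediate containers), and constructed sample DNs; the third pattern is one possible shape a fix could take, not the content of attachment 5873.

```python
"""Anchoring of dn.regexp patterns in OpenLDAP-style ACLs.

Added example, not code from this bug report or from the univention-ldap
package. The three patterns are illustrative stand-ins for the ACL shapes
discussed in Bug #29421 and Bug #34554, not the project's real ACL text.
"""
import re

# Constructed sample base, chosen to mirror the DN quoted in the QA comment.
BASE = "dc=w2k12,dc=test"
TAIL = rf"cn=(dc|memberserver),cn=computers,{re.escape(BASE)}"

# Shape before Bug #29421: no anchors. slapd evaluates dn.regexp with regexec(),
# which succeeds if the pattern occurs anywhere in the (normalized) DN.
UNANCHORED = rf"cn=[^,]+,{TAIL}"

# Shape after Bug #29421: anchored with ^ and $, so only DNs *directly* below
# cn=dc / cn=memberserver match. This is what denied the sub-container DCs.
ANCHORED_STRICT = rf"^cn=[^,]+,{TAIL}$"

# Anchored, but tolerating any number of intermediate cn= containers.
# An assumption about what a fix could look like; not the attached patch.
ANCHORED_SUBTREE = rf"^cn=[^,]+(,cn=[^,]+)*,{TAIL}$"

PATTERNS = {
    "unanchored": UNANCHORED,
    "anchored_strict": ANCHORED_STRICT,
    "anchored_subtree": ANCHORED_SUBTREE,
}


def acl_matches(pattern: str, dn: str) -> bool:
    """Emulate regexec() semantics: a match anywhere in the string counts.

    DN normalisation (case folding, escaping) is out of scope here; the DNs
    below are already in the plain form the patterns expect.
    """
    return re.search(pattern, dn) is not None


def evaluate(dn: str) -> dict:
    """Return which of the three pattern shapes would grant the given DN."""
    return {name: acl_matches(pat, dn) for name, pat in PATTERNS.items()}


# Constructed sample DNs.
DIRECT_DC = f"cn=master,cn=dc,cn=computers,{BASE}"
# The DN from the QA comment on this bug: a DC three containers deep.
SUB_DC = f"cn=slave,cn=subber,cn=sub,cn=dc,cn=computers,{BASE}"
SUB_MEMBER = f"cn=fs02,cn=sub,cn=memberserver,cn=computers,{BASE}"
USER = f"uid=alice,cn=users,{BASE}"
# Constructed DN in which the protected suffix appears only mid-string. It
# shows the point of Bug #29421: without anchors a substring match suffices.
MID_STRING = f"cn=x,cn=dc,cn=computers,{BASE},ou=sandbox,{BASE}"

if __name__ == "__main__":
    for dn in (DIRECT_DC, SUB_DC, SUB_MEMBER, USER, MID_STRING):
        print(dn)
        for name, granted in evaluate(dn).items():
            print(f"  {name:17s} {'grant' if granted else 'deny'}")
```

Running it shows the three states side by side: the unanchored shape grants the sub-container DC (the behaviour the report calls "a feature") but also the constructed mid-string DN; the strictly anchored shape rejects both, which is the regression; the subtree shape grants the sub-container DCs and member servers while still rejecting the mid-string DN and the user entry.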
Verified.
http://errata.univention.de/ucs/3.2/150.html