Univention Bugzilla – Bug 37532
User Password Admins can't change passwords via UMC
Last modified: 2019-01-03 07:17:01 CET
User Password Admins are regularly able to change the password of users. After they open a user object, default values for Comboboxes are set if the user doesn't have some attributes set. This could e.g. be:
* ctx-* flags (fixed by Bug #
* extended attributes
* settings from any app, e.g. fetchmail sets 'Protocol' to 'IMAP'
* primaryGroup for users without 'posix' option
If default values are set these values are sent along with the save-request resulting in 'Access Denied' because the password-admin has only the LDAP-access rights to change the 'password' attribute of that user.
Is this still valid?
(In reply to Stefan Gohmann from comment #1)
> Is this still valid?
yes
(In reply to Florian Best from comment #2)
> (In reply to Stefan Gohmann from comment #1)
> > Is this still valid?
> yes
OK, but it happens only if you have installed Fetchmail or you have users without the POSIX option?
(In reply to Stefan Gohmann from comment #3)
> (In reply to Florian Best from comment #2)
> > (In reply to Stefan Gohmann from comment #1)
> > > Is this still valid?
> > yes
> OK, but it happens only if you have installed Fetchmail or you have users
> without the POSIX option?
Or any other app/extension which has extended attributes that add comboboxes to users/user.
It is caused because ComboBoxes are setting default values if no value was provided.
I see the following options:
* Disable those fields for which LDAP write access is not granted.
* Upon save, validate which fields may be written to LDAP and prompt a confirmation dialogue that states that only the following values may be written.
* Simply write all values into LDAP that may be written and ignore the others (or display a hint "BTW, only the following values could be saved").
(In reply to Alexander Kläser from comment #6)
> I see the following options:
> * Disable those fields for which LDAP write access is not granted.
How to detect this? By writing an LDAP ACL parser?
> * Upon save, validate which fields may be written to LDAP and prompt a
> confirmation dialogue that states that only the following values may be
> written.
How to detect this case? Always asking for which values should be changed is disturbing.
> * Simply write all values into LDAP that may be written and ignore the
> others (or display a hint "BTW, only the following values could be saved").
Then we would have to make for every attribute one ldap-modify request which will break if 2 attributes depend on each other.
I would see also the option to only send values from widgets which are visible, everything which is invisible on purpose can use the HiddenInput widget which is already currently used.
(In reply to Florian Best from comment #7)
> I would see also the option to only send values from widgets which are
> visible, everything which is invisible on purpose can use the HiddenInput
> widget which is already currently used.
err, well this does not work as there can ofc. also be visible widgets :(
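Added illustration of the mechanism discussed in this thread (not UMC or Univention code; all entries, attribute names and the ACL set are constructed): combo box defaults fill attributes the loaded user lacks, and whether they end up in the modify request depends on what the save diffs against.

```python
# Added illustration, not Univention/UMC code: a loaded user object gets
# combo box defaults for attributes it lacks; the save request is built by
# diffing the edited form either against the raw LDAP entry (as the bug
# describes) or against the form state right after loading. All constructed.

# Constructed user without the 'posix' option and without fetchmail settings.
LOADED_ENTRY = {"uid": "jdoe", "cn": "John Doe", "userPassword": "{crypt}old"}

# Defaults the combo boxes apply when the attribute has no value.
COMBOBOX_DEFAULTS = {
    "fetchmailProtocol": "IMAP",
    "primaryGroup": "cn=Domain Users,cn=groups,dc=example,dc=com",
}

# What a User Password Admin may write, per the bug description.
PASSWORD_ADMIN_WRITABLE = {"userPassword"}

def render_form(entry, defaults=COMBOBOX_DEFAULTS):
    """Widget layer: each field shows the entry value or the combo box default."""
    form = dict(entry)
    for attr, default in defaults.items():
        form.setdefault(attr, default)
    return form

def modlist(baseline, edited):
    """Attributes whose value differs from the baseline (the LDAP modify list)."""
    return {a: v for a, v in edited.items() if baseline.get(a) != v}

def rejected_by_acl(modlist_, writable=PASSWORD_ADMIN_WRITABLE):
    """Attributes in the modify request the ACL would refuse -> 'Access Denied'."""
    return sorted(set(modlist_) - writable)

def password_change_request(entry, new_password, diff_against_rendered_form):
    """A password admin opens the user, edits only the password, and saves.
    Diffing against the raw entry flags every combo box default as a change
    (the bug); diffing against the rendered form sends only the password."""
    initial = render_form(entry)
    edited = dict(initial, userPassword=new_password)
    baseline = initial if diff_against_rendered_form else entry
    return modlist(baseline, edited)

if __name__ == "__main__":
    for mode in (False, True):
        req = password_change_request(LOADED_ENTRY, "{crypt}new", mode)
        print("rendered-form diff=%s rejected=%s" % (mode, rejected_by_acl(req)))
```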
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.