Bug 40529 – 75_ldap_acls_* fail

Bug 40529 - 75_ldap_acls_* fail


Summary:	75_ldap_acls_* fail

Status:	CLOSED FIXED

Product:	UCS@school
Classification:	Unclassified
Component:	ucs-test
Version:	UCS@school 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS@school 4.1 R2 vXXX
Assigned To:	Florian Best
QA Contact:	Daniel Tröder

URL:
Keywords:	interim-2

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-01-28 14:32 CET by Florian Best
Modified:	2017-07-17 14:02 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2016-01-28 14:32:55 CET

http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20Singleserver/lastCompletedBuild/SambaVersion=s3/testReport/90_ucsschool/75_ldap_acls_teacher_and_staff/test/
http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20Singleserver/lastCompletedBuild/SambaVersion=s3/testReport/90_ucsschool/75_ldap_acls_teachers/test/
http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20Singleserver/lastCompletedBuild/SambaVersion=s3/testReport/90_ucsschool/75_ldap_acls_staff/test/
http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20Singleserver/lastCompletedBuild/SambaVersion=s3/testReport/90_ucsschool/75_ldap_acls_admins/test/

It seems nowadays the DC Slave objects have more permissions than some time ago.

Comment 1 Florian Best

2016-01-28 16:15:13 CET

Traceback (most recent call last):
  File "75_ldap_acls_teacher_and_staff", line 56, in <module>
    main()
  File "75_ldap_acls_teacher_and_staff", line 36, in main
    acl.assert_room(room.dn(), 'write')
  File "/usr/share/ucs-test/90_ucsschool/essential/acl.py", line 239, in assert_room
    self.assert_acl(target_dn, access, attrs, access_allowance='DENIED')
  File "/usr/share/ucs-test/90_ucsschool/essential/acl.py", line 157, in assert_acl
    access, self.auth_dn, target_dn, result))
essential.acl.FailAcl: Access (write) by (uid=hq17jol8tb,cn=lehrer und mitarbeiter,cn=users,ou=dr6c,dc=autotest200,dc=local) to (cn=tg602273nb,cn=raeume,cn=groups,ou=dr6c,dc=autotest200,dc=local) not expected 'write access to structuralObjectClass: ALLOWED'

Comment 2 Florian Best

2016-01-28 17:30:42 CET

This affects only the meta-attributes. It seems the output changed from 
slapd 2.4.40-1.211.201511242052 and slapd 2.4.42+dfsg-2.210.201511060842.

Fixed by removing the meta attributes. Should be okay.

ucs-test-ucsschool (3.0.5-7):
r67054 | Bug #40529: remove meta attributes from LDAP ACL checks
r67053 | Bug #40529: remove meta attributes from LDAP ACL checks

Comment 3 Daniel Tröder

2016-10-10 10:26:22 CEST

OK: automatic tests pass:
- 75_ldap_acls_admins
- 75_ldap_acls_nonedu_server
- 75_ldap_acls_staff
- 75_ldap_acls_teacher_and_staff
- 75_ldap_acls_teachers

(Where they failed recently, it is because of an unrelated HTTP 511 error.)