Univention Bugzilla – Bug 41402
enhance LDAP ACL
Last modified: 2018-04-14 13:44:07 CEST
60univention-ldap-server_acl-master defines the following LDAP ACL:

    access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
        by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=school,dc=local" write
        by * read break

There is no explanation why the rule exists. The rule makes it hard for further rules to make adjustments, as the rule must be reverted individually. Would it be okay to change the rule to end with:

    by * +0 break

The read permissions will implicitly be given back at the very bottom of 70univention-ldap-server_acl-master-end. We could also add another explicit rule to the bottom.
In UCS@school we define the following rule to prevent this (Bug #41115):

    # revert rule from UCS; Bug #41402
    access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
        by dn.sub="cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
        by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
        by * +0 break
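Added example (not code from the bug report, from UCS or from UCS@school): a small Python model of how slapd accumulates privileges across access directives when the "break" control is used, following slapd.access(5) as I read it (level syntax such as "read" or "none" sets the privilege set absolutely, "+0" adds nothing, evaluation starts with no privileges, a directive with no matching "by" clause denies). It shows why the two comments above care about "by * read break" versus "by * +0 break": a restriction sorted before 60univention-ldap-server_acl-master is clobbered by "read break" but survives "+0 break", while a revert sorted after it (like the UCS@school rule) works either way but has to re-list the attributes. The requester tags ("student", "domain_admins", "teacher"), the HIDE_GECOS rule and the catch-all END_GRANT standing in for the bottom of 70univention-ldap-server_acl-master-end are assumptions made for the example.

```python
"""Model of slapd privilege accumulation across "break" directives (simplified)."""
from dataclasses import dataclass
from typing import List, Set

# Level syntax sets the whole privilege set; levels are cumulative flag sets
# (d=disclose x=auth c=compare s=search r=read w=write m=manage).
LEVELS = {
    "none": set(),
    "disclose": set("d"),
    "auth": set("dx"),
    "compare": set("dxc"),
    "search": set("dxcs"),
    "read": set("dxcsr"),
    "write": set("dxcsrw"),   # simplified: real "write" also covers add/delete
    "manage": set("dxcsrwm"),
}


@dataclass
class By:
    who: str                  # requester tag this clause matches, "*" for anyone
    access: str               # level ("read", "none") or priv spec ("+0", "=r", "-w")
    control: str = "stop"     # "stop" (default) or "break" (go on with next directive)


@dataclass
class Directive:
    attrs: Set[str]           # attributes the directive applies to, "*" for all
    bys: List[By]


def apply_access(current: Set[str], access: str) -> Set[str]:
    """Apply one <access> token to the privileges accumulated so far."""
    if access in LEVELS:
        return set(LEVELS[access])            # level form: set absolutely
    op, flags = access[0], set(access[1:]) - {"0"}   # "+0" adds nothing
    if op == "+":
        return current | flags
    if op == "-":
        return current - flags
    if op == "=":
        return flags
    raise ValueError(f"bad access spec: {access!r}")


def evaluate(directives: List[Directive], attr: str, requester: Set[str]) -> Set[str]:
    """Walk the directives in file order and return the resulting privileges."""
    acc: Set[str] = set()                     # evaluation starts with no privileges
    for d in directives:
        if "*" not in d.attrs and attr not in d.attrs:
            continue
        clause = next((b for b in d.bys if b.who == "*" or b.who in requester), None)
        if clause is None:
            return set()                      # implicit trailing "by * none"
        acc = apply_access(acc, clause.access)
        if clause.control == "stop":
            return acc
        # "break": carry acc on to the next matching directive
    return acc


# The rule from 60univention-ldap-server_acl-master, with its "by *" clause
# parameterised so "read break" and "+0 break" can be compared.
UCS_ATTRS = {"entry", "objectClass", "uniqueMember", "ou", "uid", "loginShell",
             "homeDirectory", "uidNumber", "gidNumber", "sn", "cn", "gecos",
             "description", "memberUid"}


def ucs_rule(anyone_access: str) -> Directive:
    return Directive(UCS_ATTRS, [By("domain_admins", "write"),
                                 By("*", anyone_access, "break")])


# Hypothetical site rule hiding gecos from students (assumption for the example).
HIDE_GECOS = Directive({"gecos"}, [By("student", "none", "break"),
                                   By("*", "+0", "break")])

# Hypothetical stand-in for the read grant at the bottom of
# 70univention-ldap-server_acl-master-end (assumption for the example).
END_GRANT = Directive({"*"}, [By("*", "read")])


def student_gecos_privileges(anyone_access: str, restriction_before: bool) -> Set[str]:
    """Privileges a student ends up with on gecos, depending on rule order."""
    order = ([HIDE_GECOS, ucs_rule(anyone_access)] if restriction_before
             else [ucs_rule(anyone_access), HIDE_GECOS])
    return evaluate(order, "gecos", {"student"})


if __name__ == "__main__":
    for access in ("read", "+0"):
        for before in (True, False):
            privs = student_gecos_privileges(access, before)
            print(f"by * {access} break, restriction {'before' if before else 'after'}: "
                  f"student can read gecos = {'r' in privs}")
    print("teacher on cn without end grant:", evaluate([ucs_rule("+0")], "cn", {"teacher"}))
    print("teacher on cn with end grant:   ", evaluate([ucs_rule("+0"), END_GRANT], "cn", {"teacher"}))
```

The last two lines of the usage show the caveat from the report: with "+0 break" alone nobody but Domain Admins gets anything from this directive, so the read grant really does have to come back at the bottom (or in an explicit rule added there).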
As far as I can tell the point of the "by * read break" clause is the "break", simply. I guess historically the "read" was assumed to be the lowest access right. That was long before we disabled anonymous LDAP searches.
(In reply to Arvid Requate from comment #2)
> As far as I can tell the point of the "by * read break" clause is the
> "break", simply. I guess historically the "read" was assumed to be the
> lowest access right. That was long before we disabled anonymous LDAP
> searches.

That is my guess, too. So it wouldn't break anything to change it into: "by * +0 break"
*** This bug has been marked as a duplicate of bug 41715 ***