Univention Bugzilla – Bug 41494
Handling of UCS@school admins
Last modified: 2016-09-29 17:24:01 CEST
Currently the UCS@school admins are identified by their object class. But this will not work if a teacher is a school admin in school A but only a normal teacher in school B, C, ...
- UDM options for students/teachers/staff/OU-admins are now always editable
  → required for converting teachers to OU admins
- added new objectclass ucsschoolAdministratorGroup to LDAP schema
- added ucsschoolSchools via extended attributes to groups/group; required for OU admin groups in cn=ouadmins,cn=groups,$BASEDN
- renamed ucs-school-migrate-users-to-4.1R2 to ucs-school-migrate-objects-to-4.1R2
- added handling of OU admin groups to ucs-school-migrate-objects-to-4.1R2
- changed UCR variable name for skipping the automatic migration of LDAP objects during the update from "ucsschool/update/users/41R2" to "ucsschool/update/ldap/41R2"
- univention.lib.SchoolSearchBase now contains properties/variables for UCS@school group prefixes and the ou admins container DN.
- fixed the LDAP ACL for OU admins for resetting password of users within its own OU
- reverted accidentally committed ACL line

ucs-school-lib (9.0.17-1):
r69995 | Bug #41494: added variables for group prefixes to SchoolSearchBase

ucs-school-import.yaml:
r69993 | Bug #41494: updated release notes and ucs-school-import.yaml

ucs-school-ldap-acls-master (14.0.1-3):
r69997 | Bug #41494: access is better covered by new 'by' clause - removing old one
r69996 | Bug #41494: fixed LDAP ACLs for OU admins

ucs-school-import (14.0.6-1):
r69994 | Bug #41494: changed UCR variable to ucsschool/update/ldap/41R2
r69992 | Bug #41494: added changelog entry
r69991 | Bug #41494: renamed ucs-school-migrate-users-to-4.1R2 to ucs-school-migrate-objects-to-4.1R2
r69990 | Bug #41494: added extended attribute for ucsschoolSchool at groups/group
r69989 | Bug #41494: make UDM options for users/user editable after creation
r69988 | Bug #41494: added new objectclass for UCS@school admin groups to LDAP schema

Missing:
- manual update on how to create OU admins → new bug
(In reply to Sönke Schwardt-Krummrich from comment #1)
> Missing:
> - manual update on how to create OU admins → new bug

→ Bug 41499
ucs-school-import (14.0.9-1):
r70094 | Bug #41494: also add objectclass ucsschoolType to old objects in ucs-school-migrate-objects-to-4.1R2, otherwise at least password resets will fail
(In reply to Sönke Schwardt-Krummrich from comment #1)
> - UDM options for students/teachers/staff/OU-admins are now always editable
>   → required for converting teachers to OU admins
OK

> - added new objectclass ucsschoolAdministratorGroup to LDAP schema
REOPEN: the objectclass has the same OID as the attribute ucsschoolSchool

> - added ucsschoolSchools via extended attributes to groups/group; required for
>   OU admin groups in cn=ouadmins,cn=groups,$BASEDN
OK

> - renamed ucs-school-migrate-users-to-4.1R2 to
>   ucs-school-migrate-objects-to-4.1R2
OK

> - added handling of OU admin groups to ucs-school-migrate-objects-to-4.1R2
OK

> - changed UCR variable name for skipping the automatic migration of LDAP objects
>   during the update from "ucsschool/update/users/41R2" to
>   "ucsschool/update/ldap/41R2"
OK

> - univention.lib.SchoolSearchBase now contains properties/variables for
>   UCS@school group prefixes and the ou admins container DN.
~OK (The School class already had such functions)

> - fixed the LDAP ACL for OU admins for resetting password of users within
>   its own OU
TODO: tests pending

> - reverted accidentally committed ACL line
OK

REOPEN: after creating a school the admin group doesn't have the ucsschoolSchool attribute set. No modification in the lib(s) was done.
(In reply to Florian Best from comment #4)
> > - added new objectclass ucsschoolAdministratorGroup to LDAP schema
> REOPEN: the objectclass has the same OID as the attribute ucsschoolSchool
FIXED

> REOPEN: after creating a school the admin group doesn't have the
> ucsschoolSchool attribute set. No modification in the lib(s) was done.

ucs-school-lib (9.0.19-1):
r70220 | Bug #41494: automatically add ucsschoolSchool attribute to OU admin groups

ucs-school-import (14.0.10-2):
r70219 | Bug #41494: automatically add ucsschoolSchool attribute to OU admin groups
r70214 | Bug #41494: fixed OID of ucsschoolAdministratorGroup
(In reply to Sönke Schwardt-Krummrich from comment #5)
> (In reply to Florian Best from comment #4)
> > > - added new objectclass ucsschoolAdministratorGroup to LDAP schema
> > REOPEN: the objectclass has the same OID as the attribute ucsschoolSchool
>
> FIXED
OK

> > REOPEN: after creating a school the admin group doesn't have the
> > ucsschoolSchool attribute set. No modification in the lib(s) was done.
REOPEN: Now every group has this object class set (create_ou and lib)

# univention-ldapsearch objectClass=ucsschoolAdministratorGroup -LLL dn
dn: cn=OUlib-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=OUlib-Member-Edukativnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=OUlib-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=OUlib-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=admins-lib,cn=ouadmins,cn=groups,dc=nstx,dc=local
dn: cn=schueler-lib,cn=groups,ou=lib,dc=nstx,dc=local
dn: cn=lehrer-lib,cn=groups,ou=lib,dc=nstx,dc=local
dn: cn=mitarbeiter-lib,cn=groups,ou=lib,dc=nstx,dc=local
dn: cn=Domain Users lib,cn=groups,ou=lib,dc=nstx,dc=local
dn: cn=OUlib-Klassenarbeit,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=OUimport-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=OUimport-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=OUimport-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=OUimport-Member-Edukativnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local
dn: cn=admins-import,cn=ouadmins,cn=groups,dc=nstx,dc=local
dn: cn=schueler-import,cn=groups,ou=import,dc=nstx,dc=local
dn: cn=lehrer-import,cn=groups,ou=import,dc=nstx,dc=local
dn: cn=mitarbeiter-import,cn=groups,ou=import,dc=nstx,dc=local
dn: cn=Domain Users import,cn=groups,ou=import,dc=nstx,dc=local
dn: cn=OUimport-Klassenarbeit,cn=ucsschool,cn=groups,dc=nstx,dc=local
- Added new option for groups/group
- option is set in ucs-school-lib and create_ou
- ucsschoolAdministratorGroup is now only set at groups called "admins-*"

interim version - no changelog
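A check for the rule stated in the comment above, as an added example that is not part of the bug thread or of UCS@school's code: it parses the output of the `univention-ldapsearch objectClass=ucsschoolAdministratorGroup -LLL dn` query from comment #6 and lists every DN that is not an `admins-*` group. Requiring the cn=ouadmins,cn=groups,$BASEDN container from comment #1 as well is an assumption, and the function names are hypothetical.

```python
import base64
import re

# Shortened copy of the ldapsearch output quoted in comment #6, with the
# blank line that ldapsearch prints between entries.
SAMPLE_OUTPUT = """\
dn: cn=OUlib-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local

dn: cn=admins-lib,cn=ouadmins,cn=groups,dc=nstx,dc=local

dn: cn=schueler-lib,cn=groups,ou=lib,dc=nstx,dc=local

dn: cn=Domain Users lib,cn=groups,ou=lib,dc=nstx,dc=local

dn: cn=admins-import,cn=ouadmins,cn=groups,dc=nstx,dc=local
"""


def parse_dns(ldif_text):
    """Return the DNs in LDIF output, handling folded and base64 (dn::) lines."""
    raw, current = [], None
    for line in ldif_text.splitlines():
        if line.startswith(" ") and current is not None:
            current += line[1:]              # folded line continues the DN
            continue
        if current is not None:
            raw.append(current)
            current = None
        if line.lower().startswith("dn:"):
            current = line
    if current is not None:
        raw.append(current)
    dns = []
    for entry in raw:
        if entry[3:4] == ":":                # "dn:: <base64>" for non-ASCII DNs
            dns.append(base64.b64decode(entry[4:].strip()).decode("utf-8"))
        else:
            dns.append(entry[3:].strip())
    return dns


def unexpected_admin_groups(ldif_text, base_dn):
    """DNs carrying the object class that are not admins-* under cn=ouadmins."""
    allowed = re.compile(
        r"cn=admins-[^,]+,cn=ouadmins,cn=groups," + re.escape(base_dn), re.IGNORECASE
    )
    return [dn for dn in parse_dns(ldif_text) if not allowed.fullmatch(dn)]


if __name__ == "__main__":
    for dn in unexpected_admin_groups(SAMPLE_OUTPUT, "dc=nstx,dc=local"):
        print("unexpected ucsschoolAdministratorGroup on:", dn)
```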
(In reply to Sönke Schwardt-Krummrich from comment #7)
> - Added new option for groups/group
OK

> - option is set in ucs-school-lib and create_ou
OK

> - ucsschoolAdministratorGroup is now only set at groups called "admins-*"
OK

> interim version - no changelog
OK

I added a hook script which detects the option correctly (as long as Bug #41580 is not fixed).

ucs-school-import (14.0.11-7):
r70253 | Bug #41494: add hook for extended attribute to add option

(In reply to Florian Best from comment #4)
> > - fixed the LDAP ACL for OU admins for resetting password of users within
> > its own OU
> TODO: tests pending
I could not verify this on my own system. But I saw it working on your VM. We need to adjust this in Bug #41592 as well, so this is OK currently.
UCS@school 4.1 R2 has been released:
http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf

If this error occurs again, please use "Clone This Bug".