Univention Bugzilla – Bug 41592
New ACL's disallow read access by school administrators of users under another OU
Last modified: 2019-09-25 12:32:00 CEST
# slapacl -D uid=d.krause1,cn=admins,cn=users,ou=gsmitte,dc=nstx,dc=local -b uid=teacher,cn=lehrer,cn=users,ou=lib,dc=nstx,dc=local -d0 2>&1 | grep -e ucsschoolSchool -e uid -e userPassword
authcDN: "uid=d.krause1,cn=admins,cn=users,ou=gsmitte,dc=nstx,dc=local"
uid=teacher: =0
uidNumber=2283: =0
userPassword=****: =0
creatorsName=uid=Administrator,cn=users,dc=nstx,dc=local: =0
ucsschoolSchool=lib: =0
ucsschoolSchool=gsmitte: =0
modifiersName=uid=Administrator,cn=users,dc=nstx,dc=local: =0

Both users are part of 'gsmitte' but lie under different OU positions. No attributes are readable while they should be.
I've marked it as 'Development Internal'. If it is likely that it happens, please re-tag it.
root@master63:~# univention-ldapsearch -LLL uid=d.lehmann1 ucsschoolSchool
dn: uid=d.lehmann1,cn=lehrer,cn=users,ou=gsmitte,dc=nstx,dc=local
ucsschoolSchool: gsmitte
ucsschoolSchool: gymli

root@master63:~# univention-ldapsearch -LLL uid=lule ucsschoolSchool
dn: uid=lule,cn=lehrer,cn=users,ou=gymli,dc=nstx,dc=local
ucsschoolSchool: gymli

root@master63:~# slapacl -D uid=d.lehmann1,cn=lehrer,cn=users,ou=gsmitte,dc=nstx,dc=local -b uid=lule,cn=lehrer,cn=users,ou=gymli,dc=nstx,dc=local -d0 2>&1 | grep -e ucsschoolSchool -e uid -e userPassword
authcDN: "uid=d.lehmann1,cn=lehrer,cn=users,ou=gsmitte,dc=nstx,dc=local"
uidNumber=3354: =rscxd
uid=lule: =rscxd
ucsschoolSchool=gymli: =rscxd
creatorsName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
userPassword=****: =rscxd
modifiersName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
=========> teacher reads teacher: OK

root@master63:~# slapacl -D uid=d.lehmann1,cn=lehrer,cn=users,ou=gsmitte,dc=nstx,dc=local -b uid=lule,cn=lehrer,cn=users,ou=gymli,dc=nstx,dc=local -d0 2>&1 | grep -e ucsschoolSchool -e uid -e userPassword
authcDN: "uid=d.lehmann1,cn=lehrer,cn=users,ou=gsmitte,dc=nstx,dc=local"
uidNumber=3354: =rscxd
uid=lule: =rscxd
ucsschoolSchool=gymli: =rscxd
creatorsName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
userPassword=****: write(=wrscxd)
modifiersName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
==========> schooladmin (grp) reads teacher: OK

root@master63:~# slapacl -D uid=d.lehmann1,cn=admins,cn=users,ou=gsmitte,dc=nstx,dc=local -b uid=lule,cn=lehrer,cn=users,ou=gymli,dc=nstx,dc=local -d0 2>&1 | grep -e ucsschoolSchool -e uid -e userPassword
authcDN: "uid=d.lehmann1,cn=admins,cn=users,ou=gsmitte,dc=nstx,dc=local"
uidNumber=3354: =rscxd
uid=lule: =rscxd
ucsschoolSchool=gymli: =rscxd
creatorsName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
userPassword=****: write(=wrscxd)
modifiersName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
==========> schooladmin (grp+position) reads teacher: OK

Works for me as expected
No, your tests weren't performed with school admins underneath of cn=admins,cn=users,ou=….

# univention-ldapsearch -b uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local ucsschoolSchool -LLL | ldapsearch-wrapper
dn: uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local
ucsschoolSchool: gsmitte

# univention-ldapsearch -b uid=ateacher2,cn=lehrer,cn=users,ou=newschool,dc=school,dc=local ucsschoolSchool -LLL | ldapsearch-wrapper
dn: uid=ateacher2,cn=lehrer,cn=users,ou=newschool,dc=school,dc=local
ucsschoolSchool: gsmitte
ucsschoolSchool: newschool

# univention-ldapsearch -b uid=anton1,cn=schueler,cn=users,ou=oldschool,dc=school,dc=local ucsschoolSchool -LLL | ldapsearch-wrapper
dn: uid=anton1,cn=schueler,cn=users,ou=oldschool,dc=school,dc=local
ucsschoolSchool: oldschool
ucsschoolSchool: gsmitte

# univention-ldapsearch uniqueMember=uid=anton1,cn=schueler,cn=users,ou=oldschool,dc=school,dc=local dn -LLL | ldapsearch-wrapper
dn: cn=schueler-gsmitte,cn=groups,ou=gsmitte,dc=school,dc=local
dn: cn=Domain Users gsmitte,cn=groups,ou=gsmitte,dc=school,dc=local
dn: cn=schueler-oldschool,cn=groups,ou=oldschool,dc=school,dc=local
dn: cn=Domain Users oldschool,cn=groups,ou=oldschool,dc=school,dc=local
dn: cn=oldschool-1C,cn=klassen,cn=schueler,cn=groups,ou=oldschool,dc=school,dc=local

# slapacl -D uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local -b uid=anton1,cn=schueler,cn=users,ou=oldschool,dc=school,dc=local -d0 2>&1 | grep -e ucsschoolSchool -e uid -e userPassword
authcDN: "uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local"
uidNumber=2073: =0
userPassword=****: write(=wrscxd)
uid=anton1: =0
ucsschoolSchool=oldschool: =0
ucsschoolSchool=gsmitte: =0

# slapacl -D uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local -b uid=ateacher2,cn=lehrer,cn=users,ou=newschool,dc=school,dc=local -d0 2>&1 | grep -e ucsschoolSchool -e uid -e userPassword
authcDN: "uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local"
uidNumber=2052: =0
userPassword=****: =0
ucsschoolSchool=gsmitte: =0
ucsschoolSchool=newschool: =0
uid=ateacher2: =0
(In reply to Florian Best from comment #3)
> No, your tests weren't performed with schools admins underneath of
> cn=admins,cn=users,ou=….

err... I would say I did:

(In reply to Sönke Schwardt-Krummrich from comment #2)
> root@master63:~# slapacl -D
> uid=d.lehmann1,cn=admins,cn=users,ou=gsmitte,dc=nstx,dc=local -b
> uid=lule,cn=lehrer,cn=users,ou=gymli,dc=nstx,dc=local -d0 2>&1 | grep -e
> ucsschoolSchool -e uid -e userPassword
> authcDN: "uid=d.lehmann1,cn=admins,cn=users,ou=gsmitte,dc=nstx,dc=local"
> uidNumber=3354: =rscxd
> uid=lule: =rscxd
> ucsschoolSchool=gymli: =rscxd
> creatorsName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
> userPassword=****: write(=wrscxd)
> modifiersName=uid=Administrator,cn=users,dc=nstx,dc=local: =rscxd
> ==========> schooladmin (grp+position) reads teacher: OK

(In reply to Florian Best from comment #3)
> # univention-ldapsearch -b
> uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local ucsschoolSchool
> -LLL | ldapsearch-wrapper
> dn: uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local
> ucsschoolSchool: gsmitte

Is n.north member of the school-admin groups of gsmitte and newschool?
(In reply to Sönke Schwardt-Krummrich from comment #4)
> (In reply to Florian Best from comment #3)
> > No, your tests weren't performed with schools admins underneath of
> > cn=admins,cn=users,ou=….
>
> err... I would say I did:

oh sorry, yes, I oversaw the last check of your comment.

> (In reply to Florian Best from comment #3)
> > # univention-ldapsearch -b
> > uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local ucsschoolSchool
> > -LLL | ldapsearch-wrapper
> > dn: uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local
> > ucsschoolSchool: gsmitte
>
> Is n.north member of the school-admin groups of gsmitte and newschool?

Yes:

# univention-ldapsearch -LLL uniqueMember=uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local dn | ldapsearch-wrapper
dn: cn=admins-newschool,cn=ouadmins,cn=groups,dc=school,dc=local
dn: cn=admins-gsmitte,cn=ouadmins,cn=groups,dc=school,dc=local
dn: cn=lehrer-gsmitte,cn=groups,ou=gsmitte,dc=school,dc=local
dn: cn=Domain Users gsmitte,cn=groups,ou=gsmitte,dc=school,dc=local
dn: cn=gsmitte-1B,cn=klassen,cn=schueler,cn=groups,ou=gsmitte,dc=school,dc=local
dn: cn=gsmitte-1c,cn=klassen,cn=schueler,cn=groups,ou=gsmitte,dc=school,dc=local
dn: cn=gsmitte-1d,cn=klassen,cn=schueler,cn=groups,ou=gsmitte,dc=school,dc=local
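The comments above verify the ACLs by hand: run slapacl for a (requesting DN, target DN) pair and read off which attributes come back as `=0` (no access) versus `=rscxd` or `write(=wrscxd)`. The following is an added example, not code from the bug or from UCS@school, that turns that manual check into a small regression test: it parses slapacl `-d0` output into per-attribute privilege sets and reports the attributes a school admin must be able to read but cannot. The two samples are constructed from the outputs shown in comments #2 and #3; the `slapacl` invocation in `slapacl_privs` copies the command form used in the comments and assumes it is run as root on the LDAP server.

```python
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample 1: the denied case from comment #3 (school admin s.north
# of gsmitte reading pupil anton1, who is also in gsmitte but lies under ou=oldschool).
SAMPLE_DENIED = """\
authcDN: "uid=s.north,cn=admins,cn=users,ou=gsmitte,dc=school,dc=local"
uidNumber=2073: =0
userPassword=****: write(=wrscxd)
uid=anton1: =0
ucsschoolSchool=oldschool: =0
ucsschoolSchool=gsmitte: =0
"""

# Constructed sample 2: the working case from comment #2 (school admin under
# cn=admins reading a teacher of another OU).
SAMPLE_OK = """\
authcDN: "uid=d.lehmann1,cn=admins,cn=users,ou=gsmitte,dc=nstx,dc=local"
uidNumber=3354: =rscxd
uid=lule: =rscxd
ucsschoolSchool=gymli: =rscxd
userPassword=****: write(=wrscxd)
"""

# One slapacl attribute line, either "<attr>=<value>: =<privs>" (e.g. "=0", "=rscxd")
# or "<attr>=<value>: <level>(=<privs>)" (e.g. "write(=wrscxd)").
LINE_RE = re.compile(
    r"^(?P<attr>[A-Za-z][\w-]*)=(?P<value>.*?): (?:(?P<level>\w+)\()?=(?P<privs>[0-9a-z]+)\)?$"
)


def parse_slapacl(output: str) -> Dict[str, Set[str]]:
    """Map each attribute to the set of privilege letters slapacl granted.

    "=0" yields an empty set. For a multi-valued attribute (ucsschoolSchool) the
    sets of all values are intersected, so the result reflects the least access
    the requester has to that attribute.
    """
    privs: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # authcDN line, grep noise, blank lines
            continue
        attr = m.group("attr")
        granted = set() if m.group("privs") == "0" else set(m.group("privs"))
        privs[attr] = privs[attr] & granted if attr in privs else granted
    return privs


def missing_read(privs: Dict[str, Set[str]],
                 required=("uid", "ucsschoolSchool")) -> List[str]:
    """Attributes the requester must be able to read ('r') but cannot."""
    return [attr for attr in required if "r" not in privs.get(attr, set())]


def slapacl_privs(authc_dn: str, target_dn: str) -> Dict[str, Set[str]]:
    """Run slapacl on the LDAP server (root required) and parse its output.

    slapacl -d0 writes the per-attribute lines to stderr, hence the 2>&1 in the
    bug comments; both streams are merged here for the same reason.
    """
    proc = subprocess.run(["slapacl", "-D", authc_dn, "-b", target_dn, "-d0"],
                          capture_output=True, text=True, check=False)
    return parse_slapacl(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for name, sample in (("denied", SAMPLE_DENIED), ("ok", SAMPLE_OK)):
        gaps = missing_read(parse_slapacl(sample))
        print(f"{name}: {'unreadable ' + ', '.join(gaps) if gaps else 'all required attributes readable'}")
```

Running it on the constructed samples reports `uid` and `ucsschoolSchool` as unreadable for the denied case and nothing for the working case; pointing `slapacl_privs` at a list of (admin DN, user DN) pairs after an ACL change gives a quick regression check for exactly the cross-OU situation this bug describes.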
This issue has been filed against UCS@school 4.1 (R2). The maintenance with bug and security fixes for UCS@school 4.1 (R2) ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.