Univention Bugzilla – Bug 41818
administrative servers can't read users which are staff AND teacher at the same time anymore
Last modified: 2016-10-06 21:18:41 CEST
UCS@school DC Verwaltungsserver can't read users which are staff AND teacher at the same time anymore due to the LDAP ACLs.
diff --git a/ucs-school-ldap-acls-master/65ucsschool b/ucs-school-ldap-acls-master/65ucsschool index ee55fe4..1367212 100644 --- a/ucs-school-ldap-acls-master/65ucsschool +++ b/ucs-school-ldap-acls-master/65ucsschool @@ -188,3 +188,3 @@ access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DI -access to filter="(|(objectClass=ucsschoolStudent)(objectClass=ucsschoolTeacher))" +access to filter="(|(objectClass=ucsschoolStudent)(&((objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))" by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
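Review bot: The replacement filter on the `+` line is not a well-formed LDAP filter. `(&((objectClass=ucsschoolTeacher)` opens an extra parenthesis directly after `(&`, and the string as a whole contains seven `(` but only six `)`, so the outer `(|` is never closed. Suggest `(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))`, which keeps the `none` rule for students and for teachers who are not staff, and no longer matches teacher+staff users. Since this rule denies access to the DC-Verwaltungsnetz group, a short comment above it stating that teacher+staff users are deliberately excluded from the deny would help the next reader.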
ucs-school-ldap-acls-master (14.0.1-10):
r71066 | Bug #41818: DC Verwaltungsserver can read teacher+staff users again

ucs-school-ldap-acls-master.yaml:
r71066 | Bug #41818: DC Verwaltungsserver can read teacher+staff users again
A workaround would be to remove the object classes ucsschoolStaff, ucsschoolTeacher and the attribute ucsschoolSchool from that user. After this fix has been released, the change would need to be reverted (e.g. by calling the migration script).
QA: Please also check the Jenkins tests. Transient package version 14.0.1-10 had a bad ACL filter which caused the 65ucsschool ACL subfile to be rejected, which in turn seems to have caused a join failure for other systems: https://hutten.knut.univention.de/pastebin/d406dc678 This should be fixed in Florian's latest package version. I pushed the new packages to testing again.
Ticket#2016080421000392 happened again - since behaviour can appear in more (if not almost all) school environments atm, a timely QA would be wonderful.
OK: functional change
OK: code change
OK: YAML
Back to RESOLVED for additional ucs-test scripts.
ucs-test-ucsschool (3.0.14-2): r71591 | Bug #41818: check if administrative school server has read access to staff and teacher+staff but not teachers and students
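The access matrix that this test checks, and the rejected filter mentioned in the QA comment, as an added example that is not part of the bug report or of UCS@school's code: a parser and evaluator for the AND/OR/NOT/equality subset of LDAP filters, run over constructed objectClass sets. `OLD` and `PATCHED` are the filters from the diff above; `FIXED` is an assumed well-formed version of the patched filter, and `USERS`, `parse_filter` and `deny_matrix` are names made up for this example.

```python
OLD = "(|(objectClass=ucsschoolStudent)(objectClass=ucsschoolTeacher))"  # '-' line
PATCHED = ("(|(objectClass=ucsschoolStudent)"                            # '+' line
           "(&((objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))")
FIXED = ("(|(objectClass=ucsschoolStudent)"      # assumption: well-formed variant
         "(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))")
# Constructed sample entries: the objectClass set of each kind of user.
USERS = {"student": {"ucsschoolStudent"}, "teacher": {"ucsschoolTeacher"}, "staff":
         {"ucsschoolStaff"}, "teacher+staff": {"ucsschoolTeacher", "ucsschoolStaff"}}

def parse(s, i=0):
    """Parse one filter starting at s[i]; return (node, index after its ')')."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):            # filter list: one or more sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i:i + 1] == "!":                 # negation of exactly one sub-filter
        kid, i = parse(s, i + 1)
        node = ("!", [kid])
    else:                                   # equality item: attr=value
        j = s.find(")", i)
        attr, eq, val = s[i:max(j, i)].partition("=")
        if j < 0 or "(" in attr + val or not (attr and eq):
            raise ValueError(f"bad item at offset {i}")
        node, i = ("=", (attr.lower(), val.lower())), j
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse_filter(s):
    node, end = parse(s)
    if end != len(s):
        raise ValueError(f"trailing data at offset {end}")
    return node

def matches(node, classes):
    op, arg = node
    if op == "=":                           # only objectClass is modelled here
        return arg[0] == "objectclass" and arg[1] in classes
    hits = [matches(kid, classes) for kid in arg]
    return all(hits) if op == "&" else any(hits) if op == "|" else not hits[0]

def deny_matrix(s):                         # True = the "by ... none" rule applies
    tree = parse_filter(s)
    return {k: matches(tree, {c.lower() for c in v}) for k, v in USERS.items()}
```

`deny_matrix(OLD)` marks teacher+staff users as denied, which is the reported bug; `deny_matrix(FIXED)` denies only students and teachers, and `parse_filter(PATCHED)` raises `ValueError`.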
UCS@school 4.1 R2 v4 has been released. http://docs.software-univention.de/changelog-ucsschool-4.1R2v4-de.html If this error occurs again, please clone this bug.