Bug 41818 - administrative servers can't read users which are staff AND teacher at the same time anymore
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 4.1 R2
Other Linux
: P5 normal
: UCS@school 4.1 R2 vXXX
Assigned To: Florian Best
Sönke Schwardt-Krummrich
Depends on:
Blocks:
Reported: 2016-07-18 15:56 CEST by Florian Best
Modified: 2016-10-06 21:18 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Workaround is available
Max CVSS v3 score:
Description Florian Best univentionstaff 2016-07-18 15:56:07 CEST
UCS@school DC Verwaltungsserver can't read users which are staff AND teacher at the same time anymore due to the LDAP ACLs.
Comment 1 Florian Best univentionstaff 2016-07-18 15:58:17 CEST
diff --git a/ucs-school-ldap-acls-master/65ucsschool b/ucs-school-ldap-acls-master/65ucsschool
index ee55fe4..1367212 100644
--- a/ucs-school-ldap-acls-master/65ucsschool
+++ b/ucs-school-ldap-acls-master/65ucsschool
@@ -188,3 +188,3 @@ access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DI
 
-access to filter="(|(objectClass=ucsschoolStudent)(objectClass=ucsschoolTeacher))"
+access to filter="(|(objectClass=ucsschoolStudent)(&((objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"
        by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
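Review bot: the replacement filter on the `+` line is not a well-formed RFC 4515 filter: in `(&((objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))` the two AND operands are wrapped in an extra pair of parentheses, so `(&` is followed by `((...)(...))` instead of a list of filter components, and slapd will reject the whole 65ucsschool ACL subfile (Comment 4 reports exactly that for the transient package 14.0.1-10). The intended filter is `(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff)))`, giving `access to filter="(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"`. Since a rejected subfile denies nothing rather than failing closed, a test that parses the generated ACL file before it is installed would catch this class of typo.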
Comment 2 Florian Best univentionstaff 2016-07-18 16:01:11 CEST
ucs-school-ldap-acls-master (14.0.1-10):
r71066 | Bug #41818: DC Verwaltungsserver can read teacher+staff users again

ucs-school-ldap-acls-master.yaml:
r71066 | Bug #41818: DC Verwaltungsserver can read teacher+staff users again
Comment 3 Florian Best univentionstaff 2016-07-18 16:02:55 CEST
A workaround would be to remove the object classes ucsschoolStaff and ucsschoolTeacher and the attribute ucsschoolSchool from that user. After this fix has been released, the change would need to be reverted (e.g. by calling the migration script).
Comment 4 Arvid Requate univentionstaff 2016-07-19 20:23:36 CEST
QA: Please also check the Jenkins tests. The transient package version 14.0.1-10 had a bad ACL filter which caused the 65ucsschool ACL subfile to be rejected, which in turn seems to have caused a join failure for other systems:

 https://hutten.knut.univention.de/pastebin/d406dc678

This should be fixed in Florian's latest package version. I pushed the new packages to testing again.
Comment 5 Jens Thorp-Hansen univentionstaff 2016-08-04 16:45:45 CEST
Ticket#2016080421000392 happened again. Since this behaviour can appear in more (if not almost all) school environments at the moment, a timely QA would be wonderful.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2016-08-08 14:25:23 CEST
OK: functional change
OK: code change
OK: YAML
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2016-08-08 14:30:01 CEST
Back to RESOLVED for additional ucs-test scripts.
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2016-08-15 12:33:27 CEST
ucs-test-ucsschool (3.0.14-2):
r71591 | Bug #41818: check if administrative school server has read access to staff and teacher+staff but not teachers and students
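The check described in Comment 8, worked through as an added example that is not part of the bug report or of the ucs-school packages: a tiny RFC 4515 filter parser and evaluator applied to the old filter, the broken filter from the Comment 1 diff and the corrected filter, against constructed sample users (uids and objectClass sets are assumptions for illustration). It shows which entries the `by group/... DC-Verwaltungsnetz none` rule hides in each case and that the broken filter does not parse at all.

```python
# Added example, not part of the bug report or of ucs-school-ldap-acls-master: a
# minimal RFC 4515 filter parser/evaluator covering only what the 65ucsschool ACL
# filter uses (objectClass equality plus &, |, !), applied to constructed users.
def _parse(s, i):
    """Parse one filter component at s[i]; return (node, index after it)."""
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at %d" % i)
    i, op = i + 1, s[i + 1:i + 2]
    if op in ("&", "|", "!"):
        i, children = i + 1, []
        while s[i:i + 1] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1) or s[i:i + 1] != ")":
            raise ValueError("bad operand list for %r at %d" % (op, i))
        return (op, children), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:end].partition("=")
    # '((' lands here and is rejected: '(' is not legal in an attribute description
    if end < 0 or not sep or not attr or not all(c.isalnum() or c in "-.;" for c in attr):
        raise ValueError("malformed filter item at %d" % i)
    return ("=", attr.lower(), value.lower()), end + 1

def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at %d" % pos)
    return node
def is_valid_filter(text):
    try:
        return parse_filter(text) is not None
    except ValueError:
        return False
def matches(node, object_classes):
    """True if an entry with these objectClass values matches the parsed filter."""
    if node[0] == "=":
        return node[1] == "objectclass" and node[2] in {oc.lower() for oc in object_classes}
    op, children = node
    if op == "!":
        return not matches(children[0], object_classes)
    return (all if op == "&" else any)(matches(c, object_classes) for c in children)

OLD_FILTER = "(|(objectClass=ucsschoolStudent)(objectClass=ucsschoolTeacher))"
BAD_FILTER = "(|(objectClass=ucsschoolStudent)(&((objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"
NEW_FILTER = "(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"
USERS = {"student1": {"ucsschoolStudent"}, "teacher1": {"ucsschoolTeacher"},  # constructed sample users
         "staff1": {"ucsschoolStaff"}, "teachstaff1": {"ucsschoolTeacher", "ucsschoolStaff"}}
def hidden_from_admin_server(filter_text, users=USERS):
    """uids that the 'by group/... DC-Verwaltungsnetz none' rule hides under this filter."""
    node = parse_filter(filter_text)
    return sorted(uid for uid, ocs in users.items() if matches(node, ocs))
```

With the old filter `teachstaff1` is hidden along with students and pure teachers; with the corrected filter only `student1` and `teacher1` are hidden, which is the access pattern the ucs-test script checks.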
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2016-08-19 14:36:54 CEST
UCS@school 4.1 R2 v4 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v4-de.html

If this error occurs again, please clone this bug.