Bug 42526 - Prevent to move or remove the own object via UDM
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 4.1
Platform: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-1-errata
Assigned To: Florian Best
QA Contact: Johannes Keiser
Duplicates: 43350
Depends on:
Reported: 2016-09-28 14:20 CEST by Moritz Bunkus
Modified: 2017-07-05 13:06 CEST (History)
CC: 4 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Error handling, External feedback, Usability
Max CVSS v3 score:
Flags: best: Patch_Available+

Attachment: patch (932 bytes, patch), 2016-09-28 14:27 CEST, Florian Best

Description Moritz Bunkus 2016-09-28 14:20:05 CEST
Today I wanted to move some of our user objects from their usual place in "cn=users,$base_dn" to a sub-container "cn=MitarbeiterInnen,cn=users,$base_dn". I logged in as user "mbunkus", navigated to the LDAP module, created the sub-container (including adding it to the default user container). Then I selected a couple of user objects in "cn=users" including the object "uid=mbunkus,cn=users,$base_dn" — the one I had used to log in to the UMC.

The move process started, but right in the middle of moving "uid=mbunkus" it aborted with something like "access to UMC denied". I then logged back in to UMC, again as "uid=mbunkus".

The result was a partial move of that user object "uid=mbunkus". It was indeed moved to the new sub-container, however, the group membership hadn't been updated completely.

In a couple of groups the old entry was still present as "uniqueMember: uid=mbunkus,cn=users,$base_dn". In other groups both the old entry and the new one were present:

[0 root@trinculo ~] univention-ldapsearch cn=kace-admins dn uniqueMember|ldapsearch-wrapper
# extended LDIF
# LDAPv3
# base <dc=bs,dc=linet-services,dc=de> (default) with scope subtree
# filter: cn=kace-admins
# requesting: dn uniqueMember

# kace-admins, groups, bs.linet-services.de
dn: cn=kace-admins,cn=groups,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=users,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=mitarbeiterinnen,cn=users,dc=bs,dc=linet-services,dc=de

Fixing it wasn't that hard, but tedious: edit each group, remove all occurrences of the affected user, re-add the user, save.
Comment 1 Florian Best univentionstaff 2016-09-28 14:27:59 CEST
Created attachment 8043

Maybe we should restrict moving "myself" in a first step.
I guess fixing this is a little bit complicated and this corner case must be kept in mind in further development.
Comment 2 Moritz Bunkus 2016-09-28 14:45:41 CEST
From a user POV I'd be perfectly fine with not being able to move myself as this is done very infrequently. Preventing having to clean up the mess afterwards is what would be important to me.
Comment 3 Florian Best univentionstaff 2017-01-17 13:05:43 CET
*** Bug 43350 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2017-06-28 17:18:36 CEST
The patch has been applied. Additionally removing is now also prevented (Bug #43350). This currently doesn't work when logged in via SAML because the DN comparison is case sensitive. This will be fixed generically in another bug.

univention-directory-manager-modules (12.0.17-22):
r80592 | Bug #42526: prevent to move and remove the own object
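Added example, not Univention's code and not the patch attached to this bug, covering both the group-membership fallout shown in the description and the DN comparison problem named in Comment 4: the block normalises DNs before comparing them, so that a differently cased bound DN (the SAML situation) still trips the own-object guard, and it parses the dn/uniqueMember output of univention-ldapsearch to flag groups where the same RDN is listed under more than one parent. The function names, the constructed LDIF sample, the SAML-style casing and the uniform case-insensitive treatment of DN values are assumptions made for the example.

```python
import re


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r'(?<!\\),', dn)]


def normalize_dn(dn):
    """Canonical form for comparison: attribute types and values lower-cased,
    whitespace around '=' and ',' dropped.  Simplification (assumption): every
    value is treated as case-insensitive, which is how uid, cn and dc match in
    OpenLDAP's standard schema; attribute-specific matching rules are not modelled."""
    normalized = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition('=')
        normalized.append('%s=%s' % (attr.strip().lower(), value.strip().lower()))
    return ','.join(normalized)


def is_own_object_naive(target_dn, bound_dn):
    """The comparison Comment 4 describes as still broken under SAML:
    plain string equality, which misses a differently cased DN."""
    return target_dn == bound_dn


def is_own_object(target_dn, bound_dn):
    """Case-insensitive check whether target_dn is the object the session is bound as."""
    return normalize_dn(target_dn) == normalize_dn(bound_dn)


def check_move_or_remove(target_dn, bound_dn, operation):
    """Return None when the operation may proceed, otherwise the refusal text.
    'operation' is 'move' or 'remove'; the refusal is the guard this bug adds."""
    if operation not in ('move', 'remove'):
        raise ValueError('unsupported operation: %r' % operation)
    if is_own_object(target_dn, bound_dn):
        return 'refusing to %s the object the session is bound as: %s' % (operation, target_dn)
    return None


def parse_ldif_groups(ldif_text):
    """Parse 'dn' / 'uniqueMember' lines as printed by univention-ldapsearch into
    {group_dn: [member_dn, ...]}.  Comments and blank lines are skipped; base64
    ('::') values and wrapped continuation lines are not handled (simplification)."""
    groups = {}
    current = None
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        key, sep, value = line.partition(': ')
        if not sep:
            continue
        if key == 'dn':
            current = value.strip()
            groups[current] = []
        elif key == 'uniqueMember' and current is not None:
            groups[current].append(value.strip())
    return groups


def find_conflicting_members(groups):
    """Report, per group, RDNs that occur under more than one parent DN: the
    'old and new entry both present' state left behind by the aborted move."""
    conflicts = {}
    for group_dn, members in groups.items():
        parents_by_rdn = {}
        for member in members:
            parts = split_dn(normalize_dn(member))
            parents_by_rdn.setdefault(parts[0], set()).add(','.join(parts[1:]))
        dupes = {rdn: sorted(parents) for rdn, parents in parents_by_rdn.items() if len(parents) > 1}
        if dupes:
            conflicts[group_dn] = dupes
    return conflicts


# Constructed sample: the group from the report plus one group that is consistent.
SAMPLE_LDIF = """\
# extended LDIF
# filter: cn=kace-admins
dn: cn=kace-admins,cn=groups,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=users,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=mitarbeiterinnen,cn=users,dc=bs,dc=linet-services,dc=de

dn: cn=clean-group,cn=groups,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=mitarbeiterinnen,cn=users,dc=bs,dc=linet-services,dc=de
"""

if __name__ == '__main__':
    bound = 'uid=mbunkus,cn=users,dc=bs,dc=linet-services,dc=de'
    saml_form = 'uid=MBunkus,CN=users,DC=bs,DC=linet-services,DC=de'   # constructed casing
    print('naive compare:', is_own_object_naive(saml_form, bound))      # guard bypassed
    print('normalized   :', is_own_object(saml_form, bound))            # guard holds
    print(check_move_or_remove(bound, bound, 'move'))
    for group, dupes in find_conflicting_members(parse_ldif_groups(SAMPLE_LDIF)).items():
        print(group, dupes)
```

The audit half is the check the reporter had to do by hand: run it over `univention-ldapsearch '(uniqueMember=*)' dn uniqueMember` output after a move and every group listed needs its stale entry removed, instead of opening each group in UMC and guessing.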
Comment 5 Johannes Keiser univentionstaff 2017-06-30 11:33:51 CEST
Tested with UMC and command line:
OK Moving and removing own object is not allowed

-> verified
Comment 6 Janek Walkenhorst univentionstaff 2017-07-05 13:06:32 CEST