Bug 43005 - UDM allows to add arbitrary invalid DNs as group member
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: UMC - Groups
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UMC maintainers
Duplicates: 25482 38317
Depends on:
Blocks:
 
Reported: 2016-11-18 17:00 CET by Ingo Steuwer
Modified: 2019-02-06 11:24 CET
CC List: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017071421000391
Bug group (optional): External feedback, Troubleshooting, Usability
Max CVSS v3 score:

Description Ingo Steuwer univentionstaff 2016-11-18 17:00:31 CET
Reported by a customer: One can add arbitrary, even non-existing DNs as members in groups:

# udm groups/group modify --dn "cn=Domain Users,cn=groups,$ldap_base" --append users="cn=blabla,$ldap_base"
Object modified: cn=Domain Users,cn=groups,dc=sfwg,dc=local

The groups/group module adds this DN to the "uniqueMember" multivalue but memberUid is empty. The object is shown as "member" of the group even in UMC.
Comment 1 Florian Best univentionstaff 2016-11-21 12:05:04 CET
From Bug #38317
> We have to be careful with such a change. The connector needs to set users to groups which don't exists yet.
Comment 2 Florian Best univentionstaff 2016-11-21 12:05:11 CET
*** Bug 38317 has been marked as a duplicate of this bug. ***
Comment 3 Ingo Steuwer univentionstaff 2016-11-21 14:38:59 CET
(In reply to Florian Best from comment #1)
> From Bug #38317
> > We have to be careful with such a change. The connector needs to set users to groups which don't exists yet.

Would be nice to have this as a "special behaviour" so that an arbitrary user can't mess up the LDAP.
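The following is an added example, not UDM's code and not something any participant in this bug posted. It sketches the check the description asks for (a member DN must be well-formed, lie below the LDAP base and exist before it is written to uniqueMember, and memberUid is derived from the referenced user) together with the explicit "special behaviour" from comments 1 and 3: a connector may reference a user that is created later, an ordinary caller may not. Everything in it is a constructed stand-in: DIRECTORY is an in-memory model of the directory, dc=example,dc=local is a made-up base, and the function names are this example's own, not UDM APIs.

```python
"""Added example: a validating model of `udm groups/group modify --append users=`.

Not Univention's UDM code. DIRECTORY is a constructed in-memory stand-in for
LDAP, dc=example,dc=local is a made-up base, and all names are assumptions.
"""
import re

LDAP_BASE = "dc=example,dc=local"  # assumed base, not a real domain

# Constructed snapshot of the directory: DN -> attributes.
DIRECTORY = {
    f"cn=Domain Users,cn=groups,{LDAP_BASE}": {
        "uniqueMember": [f"uid=alice,cn=users,{LDAP_BASE}"],
        "memberUid": ["alice"],
    },
    f"uid=alice,cn=users,{LDAP_BASE}": {"uid": ["alice"]},
    f"uid=bob,cn=users,{LDAP_BASE}": {"uid": ["bob"]},
}

# One RDN: attribute type, '=', non-empty value; '\,' is an escaped comma.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")


class InvalidMemberDN(ValueError):
    """Raised for a member DN that must not be written to uniqueMember."""


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not escaped."""
    return re.split(r"(?<!\\),", dn)


def is_syntactically_valid_dn(dn):
    """Every RDN must look like attr=value ('blabla' alone fails, 'cn=blabla' passes)."""
    return all(_RDN_RE.match(p.strip()) for p in split_dn(dn))


def normalize_dn(dn):
    """Case- and whitespace-insensitive form (an approximation of LDAP DN matching)."""
    return ",".join(p.strip().lower() for p in split_dn(dn))


def lookup(directory, dn):
    """Return the entry for dn or None, comparing normalized DNs."""
    wanted = normalize_dn(dn)
    for key, entry in directory.items():
        if normalize_dn(key) == wanted:
            return entry
    return None


def validate_member_dns(dns, directory, ldap_base, allow_missing=False):
    """Check candidate member DNs and derive the matching memberUid values.

    Rejects malformed DNs, DNs not below ldap_base and, unless allow_missing
    is set, DNs that do not exist. allow_missing is the explicit escape hatch
    for a connector that references users created later; a missing DN then
    yields no memberUid, which is the inconsistent state the report describes,
    so that state is only reachable through the flag.
    """
    base = normalize_dn(ldap_base)
    unique_member, member_uid = [], []
    for dn in dns:
        if not is_syntactically_valid_dn(dn):
            raise InvalidMemberDN(f"malformed DN: {dn!r}")
        if not normalize_dn(dn).endswith("," + base):
            raise InvalidMemberDN(f"DN not below the LDAP base: {dn!r}")
        entry = lookup(directory, dn)
        if entry is None and not allow_missing:
            raise InvalidMemberDN(f"no such object: {dn!r}")
        unique_member.append(dn)
        if entry is not None and entry.get("uid"):
            member_uid.append(entry["uid"][0])
    return unique_member, member_uid


def append_members(group_dn, new_dns, directory=DIRECTORY, ldap_base=LDAP_BASE,
                   allow_missing=False):
    """Return the (uniqueMember, memberUid) lists the group would have after the
    append; the directory itself is not modified. Re-adding a member is a no-op."""
    group = lookup(directory, group_dn)
    if group is None:
        raise InvalidMemberDN(f"no such group: {group_dn!r}")
    new_um, new_mu = validate_member_dns(new_dns, directory, ldap_base, allow_missing)
    unique_member = list(group.get("uniqueMember", []))
    member_uid = list(group.get("memberUid", []))
    seen = {normalize_dn(d) for d in unique_member}
    for dn in new_um:
        if normalize_dn(dn) not in seen:
            unique_member.append(dn)
            seen.add(normalize_dn(dn))
    for uid in new_mu:
        if uid not in member_uid:
            member_uid.append(uid)
    return unique_member, member_uid


def rejects(group_dn, new_dns, **kwargs):
    """True if append_members refuses new_dns for group_dn."""
    try:
        append_members(group_dn, new_dns, **kwargs)
    except InvalidMemberDN:
        return True
    return False


if __name__ == "__main__":
    group = f"cn=Domain Users,cn=groups,{LDAP_BASE}"
    print(append_members(group, [f"uid=bob,cn=users,{LDAP_BASE}"]))
    print(rejects(group, [f"cn=blabla,{LDAP_BASE}"]))  # the reported case: refused
    print(append_members(group, [f"cn=blabla,{LDAP_BASE}"], allow_missing=True))
```

The reported command (`--append users="cn=blabla,$ldap_base"`) is refused by default because the object does not exist; the same DN is accepted only when the caller passes allow_missing, and then, as the description observes, memberUid stays empty. Keying that behaviour on an explicit parameter rather than on the default path is what keeps a connector working while an arbitrary user can no longer write dangling references into the directory.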
Comment 4 Florian Best univentionstaff 2016-11-21 15:01:30 CET
*** Bug 25482 has been marked as a duplicate of this bug. ***
Comment 5 Stefan Gohmann univentionstaff 2019-01-03 07:22:31 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.