Univention Bugzilla – Bug 47625
LDAP-ACLs: schooladmin in school A is unable to reset password of teacher (school A+B) in OU B
Last modified: 2018-12-12 17:24:00 CET
A school administrator whose user object is in OU A cannot reset the password for a teacher who is a member of schools A and B and whose user object is in OU B. One reason for this is that OU B and the containers for users and users of school A in OU B cannot be read. Additionally, there seems to be a problem in slapd in the evaluation of the ACL that assigns write access to the password attributes of the teachers to the school administrators.
I was able to recreate the problem with UCS 4.3-1. There were several causes:

1) A teacher A below OU A was not able to read OU B and its subcontainers. Therefore it was not possible for the password reset to find the affected users in LDAP. This has been fixed. Normal users can now read all OUs and their containers. Users below "foreign" OUs can only be read by teacher A if they are also members of teacher A's OU/School.

2) A typo in an LDAP ACL has been fixed. A closing parenthesis (%29) was missing, so this ACL silently failed.

3) Even after these two points were fixed, the problem still occurred with UCS 4.3-1, but not on a new UCS 4.3-2 test system. The content of slapd.conf and the slapd version were identical on both systems. After upgrading the 4.3-1 system to 4.3-2, the problem was fixed in both environments.

In order to easily reproduce the problem in both environments, the test 24_password_reset_acl has been added to ucs-test-ucsschool. Also, the ACLs have been modified to prevent students from reading password hashes of other users of the same school from LDAP.

I am now waiting for the nightly tests.

2c4874f87 Bug #47625: add changelog entry
18f1dd493 Bug #47625: add 24_password_reset_acl
9713701f8 Bug #47625: add advisory
ca905a423 Bug #47625: add changelog entry
89be1bce2 Bug #47625: bump join script version, so new ACL is imported to LDAP
4547ca273 Bug #47625: students may no longer read password attributes from other users (but all other attributes)
ba0b7aec5 Bug #47625: give users read permissions to other OU's user/group containers
0de7619fc Bug #47625: fix wrong LDAP filter in ACL

Package: ucs-school-ldap-acls-master
Version: 16.0.3-1A~4.3.0.201811222349
Branch: ucs_4.3-0
Scope: ucs-school-4.3

Package: ucs-test-ucsschool
Version: 5.0.3-6A~4.3.0.201811270931
Branch: ucs_4.3-0
Scope: ucs-school-4.3
On my KVM test machine, there is no error if the ucs-test script is executed. But on the EC2 instance, the test script fails with the following error:

(2018-11-30 23:32:06.123259) Traceback (most recent call last):
(2018-11-30 23:32:06.123299)   File "24_password_reset_acl", line 109, in <module>
(2018-11-30 23:32:06.123355)     main()
(2018-11-30 23:32:06.123380)   File "24_password_reset_acl", line 106, in main
(2018-11-30 23:32:06.123400)     testcases.run()
(2018-11-30 23:32:06.123419)   File "24_password_reset_acl", line 92, in run
(2018-11-30 23:32:06.123445)     self.test_pw_reset(self.teacher0, self.student2, RESULT_OK)
(2018-11-30 23:32:06.123464)   File "24_password_reset_acl", line 82, in test_pw_reset
(2018-11-30 23:32:06.123510)     lo.modify(target.dn, [[attr_name, old_values.get(attr_name), str(time.time())]])
(2018-11-30 23:32:06.123537)   File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 828, in modify
(2018-11-30 23:32:06.123585)     raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
(2018-11-30 23:32:06.123617) univention.admin.uexceptions.ldapError: Constraint violation: attribute 'sambaNTPassword' cannot have multiple values

This is exactly the problematic case that has to be solved. The ACLs forbid reading the content of sambaNTPassword, so the modlist is ('sambaNTPassword', [], ['foobarbaz']), which is interpreted as "adding a new value". Since sambaNTPassword is single-valued, the constraint violation is raised. So far no clue why it happens. I adjusted the test script to print the slapd.conf to stderr prior to the test, for further investigation.
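The failure mechanism described in the comment above, as an added illustration that is not part of this bug report and not Univention's code: a small Python model of how an (attribute, old values, new values) modlist becomes LDAP modify operations when the old value could not be read because of the ACL. The delete-then-add conversion, the single-value check and the hash strings are constructed assumptions; the real uldap.modify() and slapd are not involved.

```python
"""Model of a password reset where the old hash is hidden by an LDAP ACL.

Constructed example: the conversion rules, the single-valued attribute
set and the sample entry are assumptions, not Univention or OpenLDAP code.
"""

# LDAP modify operation codes (same numbering as RFC 4511 / python-ldap)
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Attributes that slapd treats as SINGLE-VALUE in this model (assumption)
SINGLE_VALUED = {"sambaNTPassword", "sambaLMPassword"}


class ConstraintViolation(Exception):
    """Mimics slapd's 'attribute X cannot have multiple values' error."""


def modlist_to_ops(attr, old_values, new_values):
    """Delete/add conversion: values missing from new_values are deleted,
    values missing from old_values are added. If the client could not
    read the old value, old_values is [] and the change degrades to a
    bare MOD_ADD, exactly the modlist quoted in the comment above."""
    removed = [v for v in old_values if v not in new_values]
    added = [v for v in new_values if v not in old_values]
    ops = []
    if removed:
        ops.append((MOD_DELETE, attr, removed))
    if added:
        ops.append((MOD_ADD, attr, added))
    return ops


def replace_ops(attr, new_values):
    """MOD_REPLACE is correct whether or not the old value was readable."""
    return [(MOD_REPLACE, attr, list(new_values))]


def apply_ops(entry, ops):
    """Apply modify operations to a dict entry, enforcing the single-value
    constraint the way slapd does (the whole modify is rejected)."""
    entry = {k: list(v) for k, v in entry.items()}
    for op, attr, values in ops:
        current = entry.get(attr, [])
        if op == MOD_DELETE:
            current = [v for v in current if v not in values]
        elif op == MOD_ADD:
            current = current + list(values)
        elif op == MOD_REPLACE:
            current = list(values)
        if attr in SINGLE_VALUED and len(current) > 1:
            raise ConstraintViolation(
                "attribute '%s' cannot have multiple values" % attr)
        entry[attr] = current
    return entry


def try_reset(server_entry, client_view, attr, new_value, use_replace=False):
    """Return the attribute's values after the reset, or None if slapd
    rejected the modify. client_view is what the ACL let the caller read."""
    old = client_view.get(attr, [])
    if use_replace:
        ops = replace_ops(attr, [new_value])
    else:
        ops = modlist_to_ops(attr, old, [new_value])
    try:
        return apply_ops(server_entry, ops)[attr]
    except ConstraintViolation:
        return None


# Constructed sample data: what slapd stores vs. what the ACL exposes
SERVER_ENTRY = {"uid": ["student2"], "sambaNTPassword": ["OLDHASH-placeholder"]}
VIEW_HASH_HIDDEN = {"uid": ["student2"]}                       # ACL hides the hash
VIEW_HASH_READABLE = {"uid": ["student2"],
                      "sambaNTPassword": ["OLDHASH-placeholder"]}  # ACL allows read

if __name__ == "__main__":
    print("hash hidden, delete/add :", try_reset(SERVER_ENTRY, VIEW_HASH_HIDDEN,
                                                 "sambaNTPassword", "NEWHASH"))
    print("hash readable, delete/add:", try_reset(SERVER_ENTRY, VIEW_HASH_READABLE,
                                                 "sambaNTPassword", "NEWHASH"))
    print("hash hidden, replace     :", try_reset(SERVER_ENTRY, VIEW_HASH_HIDDEN,
                                                 "sambaNTPassword", "NEWHASH",
                                                 use_replace=True))
```

The first call reproduces the "cannot have multiple values" rejection: with the old hash unreadable, the client believes the attribute is empty and sends only an add, which slapd refuses on a single-valued attribute. The same modlist succeeds once the caller can read the old value (the ACL fix), and a MOD_REPLACE succeeds either way, which is why a password reset that must work under restrictive read ACLs should not depend on the old value being visible.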
(In reply to Sönke Schwardt-Krummrich from comment #3)
> So far no clue why it happens. I adjusted the test script to print the
> slapd.conf to stderr prior to the test, for further investigation.

I found the bug. It happened only within the "upgrade from 4.2 to 4.3" environment. The cfg file for this environment updated slave2082 to UCS 4.3 with the latest UCS@school packages from the *development scope*, while master208 and slave2081 had been updated to the latest version from the testing app center (which did not contain the latest packages). Therefore the LDAP ACLs had not been updated and the test script correctly showed the error message above. After fixing the cfg file, there was no error in the next run. → RESOLVED
OK: students cannot read the attributes krb5Key, sambaLMPassword, sambaNTPassword, userPassword, pwhistory of other students (and of their own account) anymore
OK: students can still change their password through the self-service UMC module
not-so-good-but-OK-for-now: a student with an object in schoolA can read sambaPasswordHistory of a student with an object in schoolB, if that student is also a member of schoolA
OK: manual tests
OK: automated test
OK: users can read all user and group (incl. computer_room) containers of other OUs
OK: fix of typo in LDAP ACLs
UCS@school 4.3 v6 has been released. http://docs.software-univention.de/changelog-ucsschool-4.3v6-de.html#changelog:ucsschool:2018-12-12 If this error occurs again, please clone this bug.