Bug 47625 - LDAP-ACLs: schooladmin in school A is unable to reset password of teacher (school A+B) in OU B
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 4.3
Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.3 v6-errata
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Daniel Tröder
Depends on:
Reported: 2018-08-21 09:30 CEST by Sönke Schwardt-Krummrich
Modified: 2018-12-12 17:24 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018080821000649
Bug group (optional):
Max CVSS v3 score:

Description Sönke Schwardt-Krummrich univentionstaff 2018-08-21 09:30:07 CEST
A school administrator whose user object is in OU A cannot reset the password for a teacher who is a member of schools A and B and whose user object is in OU B.
One reason for this is that users of school A cannot read OU B and the user containers below OU B.
Additionally, there seems to be a problem in slapd's evaluation of the ACL that grants the school administrators write access to the teachers' password attributes.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-11-22 23:49:48 CET
I was able to recreate the problem with UCS 4.3-1. 

There were several causes:
1) A teacher A below OU A was not able to read OU B and its subcontainers. Therefore it was not possible for the password reset to find the affected users in LDAP. This has been fixed. Normal users can now read all OUs and their containers. Users below "foreign" OUs can only be read by teacher A if they are also members of teacher A's OU/School.

2) A typo in an LDAP ACL has been fixed. A closing parenthesis (%29) was missing, so this ACL silently failed.

3) Even after these two points were fixed, the problem still occurred with UCS 4.3-1, but not on a new UCS 4.3-2 test system. The content of slapd.conf and the slapd version were identical on both systems. After upgrading the 4.3-1 system to 4.3-2, the problem was fixed in both environments.

In order to easily reproduce the problem in both environments, the test 24_password_reset_acl has been added to ucs-test-ucsschool.

Also, the ACLs have been modified to prevent students from reading password hashes from other users of the same school from LDAP.

I am now waiting for the nightly tests.

2c4874f87 Bug #47625: add changelog entry
18f1dd493 Bug #47625: add 24_password_reset_acl
9713701f8 Bug #47625: add advisory
ca905a423 Bug #47625: add changelog entry
89be1bce2 Bug #47625: bump join script version, so new ACL is imported to LDAP
4547ca273 Bug #47625: students may no longer read password attributes from other users (but all other attributes)
ba0b7aec5 Bug #47625: give users read permissions to other OU's user/group containers
0de7619fc Bug #47625: fix wrong LDAP filter in ACL

Package: ucs-school-ldap-acls-master
Version: 16.0.3-1A~
Branch: ucs_4.3-0
Scope: ucs-school-4.3
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2018-11-27 10:22:37 CET
Package: ucs-test-ucsschool
Version: 5.0.3-6A~
Branch: ucs_4.3-0
Scope: ucs-school-4.3
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-12-01 20:36:47 CET
On my KVM test machine, there is no error if the ucs-test script is executed. But on the EC2 instance, the test script fails with the following error:

(2018-11-30 23:32:06.123259) Traceback (most recent call last):
(2018-11-30 23:32:06.123299)   File "24_password_reset_acl", line 109, in <module>
(2018-11-30 23:32:06.123355)     main()
(2018-11-30 23:32:06.123380)   File "24_password_reset_acl", line 106, in main
(2018-11-30 23:32:06.123400)     testcases.run()
(2018-11-30 23:32:06.123419)   File "24_password_reset_acl", line 92, in run
(2018-11-30 23:32:06.123445)     self.test_pw_reset(self.teacher0, self.student2, RESULT_OK)
(2018-11-30 23:32:06.123464)   File "24_password_reset_acl", line 82, in test_pw_reset
(2018-11-30 23:32:06.123510)     lo.modify(target.dn, [[attr_name, old_values.get(attr_name), str(time.time())]])
(2018-11-30 23:32:06.123537)   File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 828, in modify
(2018-11-30 23:32:06.123585)     raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
(2018-11-30 23:32:06.123617) univention.admin.uexceptions.ldapError: Constraint violation: attribute 'sambaNTPassword' cannot have multiple values

This is exactly the problematic case that has to be solved.
The ACLs forbid reading the content of sambaNTPassword, so the modlist is
('sambaNTPassword', [], ['foobarbaz'])
which is interpreted as "adding a new value". Since sambaNTPassword is single-valued, the constraint violation is raised.

So far I have no clue why it happens. I adjusted the test script to print the slapd.conf to stderr prior to the test, for further investigation.
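The modlist mechanism described in comment 3, as an added Python example (not Univention's code and not the test script): a simplified model of how an (attribute, old values, new values) modlist is turned into LDAP modify operations, and why an old value hidden by the ACL ends in exactly this constraint violation. The SINGLE_VALUED set, the readable-attribute filter and the teacher entry are constructed for the demo.

```python
# Added example (not Univention's code): a simplified model of how a
# (attribute, old_values, new_values) modlist becomes LDAP modify operations
# and why old values hidden by an ACL end in a constraint violation.
# SINGLE_VALUED and the TEACHER entry below are constructed for this demo.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # numeric values python-ldap uses
SINGLE_VALUED = {"sambaNTPassword", "sambaLMPassword"}  # constructed subset

# Constructed entry; the hash value is a placeholder, not a real NT hash.
TEACHER = {"uid": ["teacher0"], "sambaNTPassword": ["OLDHASH-PLACEHOLDER"]}

class ConstraintViolation(Exception):
    """Stands in for the server-side error shown in the traceback."""

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, (str, bytes)) else list(value)

def to_ldap_ops(modlist):
    """Turn [(attr, old, new), ...] into (op, attr, values) tuples. With no
    visible old value the only choice is MOD_ADD: nothing is known to replace."""
    ops = []
    for attr, old, new in modlist:
        old, new = _as_list(old), _as_list(new)
        if not old and new:
            ops.append((MOD_ADD, attr, new))
        elif old and not new:
            ops.append((MOD_DELETE, attr, old))
        elif old != new:
            ops.append((MOD_REPLACE, attr, new))
    return ops

def apply_ops(entry, ops):
    """Apply ops to an in-memory entry, enforcing single-valued attributes."""
    for op, attr, values in ops:
        current = list(entry.get(attr, []))
        if op == MOD_ADD:
            if attr in SINGLE_VALUED and current:
                raise ConstraintViolation("attribute '%s' cannot have multiple values" % attr)
            entry[attr] = current + values
        elif op == MOD_DELETE:
            entry[attr] = [v for v in current if v not in values]
        else:
            entry[attr] = list(values)
    return entry

def reset_attr(entry, readable_attrs, attr, new_value):
    """Reset one attribute the way the test script does: the old value comes
    from a read that the ACL filters down to readable_attrs. Returns a new dict."""
    visible = {k: v for k, v in entry.items() if k in readable_attrs}
    return apply_ops(dict(entry), to_ldap_ops([[attr, visible.get(attr), new_value]]))
```

With the ACL hiding sambaNTPassword the modlist degrades to an ADD and the server rejects it; once the old value is readable the same call becomes a REPLACE and succeeds.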
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-12-04 12:07:21 CET
(In reply to Sönke Schwardt-Krummrich from comment #3)
> So far no clue, why it happens. I adjusted the test script to print the
> slapd.conf to stderr prior to the test, for further investigation.

I found the bug. It happened only within the "upgrade from 4.2 to 4.3" environment. The cfg file for this environment updated the slave2082 to UCS 4.3 with the latest UCS@school packages from the *development scope*, while master208 and slave2081 had been updated to the latest version of the testing app center (which did not contain the latest packages).
Therefore the LDAP ACLs had not been updated and the test script correctly showed the error message above.
After fixing the cfg file, there was no error in the next run.

Comment 5 Daniel Tröder univentionstaff 2018-12-10 10:38:37 CET
OK: students cannot read attributes krb5Key sambaLMPassword sambaNTPassword userPassword pwhistory of other students (and own account) anymore
OK: students can still change their password through the self-service UMC module
not-so-good-but-OK-for-now: student with object in schoolA can read sambaPasswordHistory of student with object in schoolB, if that student is also member of schoolA
OK: manual tests
OK: automated test
OK: users can read all user and group (incl computer_room) containers of other OUs
OK: fix of typo in LDAP ACLs
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-12-12 17:24:00 CET
UCS@school 4.3 v6 has been released.


If this error occurs again, please clone this bug.