Bug 48447 - Self service manage contact data - backend
Self service manage contact data - backend
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.4
Other Linux
Priority: P5 normal
Target Milestone: UCS 4.4
Assigned To: Erik Damrose
Felix Botner
Depends on:
Blocks: 48632 48710
Reported: 2019-01-11 12:54 CET by Erik Damrose
Modified: 2019-03-12 13:40 CET (History)
What kind of report is it?: Feature Request
Bug group (optional): Release Goal
Description Erik Damrose univentionstaff 2019-01-11 12:54:16 CET
Users should be able to manage their own contact data and update their picture. Admins should be able to define which attributes the users can manage. This bug covers the backend implementation, which includes managing the attribute list and ACLs.
Comment 1 Erik Damrose univentionstaff 2019-01-28 13:42:18 CET
f98c8e0d univention-self-service
branch: ucs44/selfservice
package build by branchtest

Added listener selfservice-userattributes.py to create and modify LDAP ACLs for user attributes. The ACLs are based on a UCR policy in cn=univention. Registration is done with the ucs_registerLDAPExtension lib function.
Comment 2 Felix Botner univentionstaff 2019-02-04 12:30:23 CET
04.02.19 12:28:52.206  LISTENER    ( PROCESS ) : updating 'cn=domain,cn=portal,cn=univention,dc=four,dc=three' command m
04.02.19 12:28:52.295  LISTENER    ( PROCESS ) : updating 'cn=self-service-userattributes,cn=univention,dc=four,dc=three' command a
04.02.19 12:28:52.316  LISTENER    ( ERROR   ) : Error registering updated LDAP ACL!
 usage: univention-self-service-register-acl ACL_FILENAME ACL_VERSION

04.02.19 12:28:53.937  LISTENER    ( WARN    ) : received signal 15
23910
Restarting slapd (via systemctl): slapd.service.
04.02.19 12:29:30.394  DEBUG_INIT
Comment 3 Florian Best univentionstaff 2019-02-04 14:22:04 CET
univention-self-service/univention-self-service-invitation| line 75 error | undefined name 'prog'
Comment 4 Florian Best univentionstaff 2019-02-04 15:46:44 CET
FYI: you can replace the old PEP366 workaround in listeners with the following (see also Bug #42806):

-__package__ = ''  # workaround for PEP 366
+from __future__ import absolute_import
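Review bot: the swap only works if `from __future__ import absolute_import` ends up as the first statement of each listener module (only a docstring and comments may precede it); a `__future__` import placed lower in the file, e.g. where the old `__package__ = ''` line sat, raises SyntaxError, so the replacement line has to be moved to the top of the module rather than substituted in place.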
Comment 5 Erik Damrose univentionstaff 2019-02-04 17:10:44 CET
91e7ae85 
increase joinscript version
fix call of register script in listener
cleanup u-self-service-invitation script
Comment 6 Felix Botner univentionstaff 2019-02-06 09:29:29 CET
Looks good, maybe we could add a test for the LDAP ACLs
Comment 7 Erik Damrose univentionstaff 2019-02-07 16:23:40 CET
5472a050 Added test 05_modify_userattributes_and_ldap_acl
Comment 8 Felix Botner univentionstaff 2019-02-08 09:57:12 CET
(In reply to Erik Damrose from comment #7)
> 5472a050 Added test 05_modify_userattributes_and_ldap_acl

OK, works.

I switch qa/assignee for the "merge" process
Comment 9 Felix Botner univentionstaff 2019-02-08 15:53:21 CET
switch again, frontend wants some changes

no UCR policy, just one UCR variable selfservice/userattributes with a space separated list of UDM attributes
Comment 10 Erik Damrose univentionstaff 2019-02-11 16:23:15 CET
660c533 Use dedicated UCR variable to configure LDAP ACLs
Test was adapted as well; it now tests whether it is possible to modify an allowed attribute and whether it is impossible to configure another attribute
Comment 11 Felix Botner univentionstaff 2019-02-12 13:36:15 CET
(In reply to Erik Damrose from comment #10)
> 660c533 Use dedicated UCR variable to configure LDAP ACLs
> Test was adapted as well, it now tests if it is possible to modify an
> allowed attribute and if it is impossible to configure another attribute

please merge to 4.4-0 branch
Comment 12 Erik Damrose univentionstaff 2019-02-12 14:30:21 CET
Sorry, I did not see that you already merged the changes.

[4.4-0 59f49fe] Bug #48447 Merge branch 'ucs44/selfservice' into 4.4-0
[4.4-0 edf2ce5] Bug #48447: Use dedicated UCR variable to configure LDAP ACLs

Package: univention-self-service
Version: 4.0.1-4A~4.4.0.201902121426
Branch: ucs_4.4-0
Comment 13 Felix Botner univentionstaff 2019-02-13 14:20:53 CET
FAIL - changelog entry missing

OK - univention-self-service
OK - test

ucr set self-service/ldap_attributes='l'

adds

access to filter="univentionObjectType=users/user" attrs=l
    by self write
    by * none break

to slapd.conf
Comment 14 Florian Best univentionstaff 2019-02-13 14:35:51 CET
(In reply to Felix Botner from comment #13)
> FAIL - changelog entry missing
> 
> OK - univention-self-service
> OK - test
> 
> ucr set self-service/ldap_attributes='l'
> 
> adds
> 
> access to filter="univentionObjectType=users/user" attrs=l
>     by self write
>     by * none break
> 
> to slapd.conf

Please don't use "none"!
Use +0 instead. Otherwise other LDAP ACLs which set write permissions prior to that line are not evaluated anymore.
Comment 15 Erik Damrose univentionstaff 2019-02-13 15:02:44 CET
(In reply to Florian Best from comment #14)
> Please don't use "none" ! 
> Use +0 instead. Otherwise other ldap ACLs which set write permissions prior
> to that line are not evaluated anymore.

Thanks, I adapted the ACL definition

04e7dbc1 Fix ACL, changelog

Package: univention-self-service
Version: 4.0.1-5A~4.4.0.201902131459
Branch: ucs_4.4-0
Comment 16 Felix Botner univentionstaff 2019-02-13 15:12:45 CET
OK
Comment 17 Florian Best univentionstaff 2019-02-28 11:43:34 CET
The implementation doesn't consider that mailPrimaryAddress or uid also need ACLs for the temporary objects.

There is also an error in the error handling: IOError has no member "output".
Patch in branch fbest/48447-typo-in-error-handling:
https://git.knut.univention.de/univention/ucs/commit/65f142b1c93993419275a6012cf8ffffa6693829

The implementation allows things like:
ucr set self-service/ldap_attributes='@extensibleObject by * write stop'
Comment 18 Erik Damrose univentionstaff 2019-02-28 15:10:38 CET
(In reply to Florian Best from comment #17)
> The implementation doesn't consider that mailPrimaryAddress or uid needs
> also ACLs for the temporary objects.

The first version of managing user data covers attributes from the user contact tab. We do not block or forbid configuring other attributes, but that is not supported.

> There is also an error in the error handling: IOError has no member "output".
> Patch in branch fbest/48447-typo-in-error-handling:
> https://git.knut.univention.de/univention/ucs/commit/
> 65f142b1c93993419275a6012cf8ffffa6693829

Thanks, I incorporated the IOError fix.

> The implementation allows things like:
> ucr set self-service/ldap_attributes='@extensibleObject by * write stop'

Only admins can set this, and with admin-level access one already has domain-wide control anyway. Initially the configuration of access control was a bit more clever, but we scaled that back for the first implementation.
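Two points from this thread are worth seeing side by side in code: comment 14's "+0 break" instead of "none break" in the generated access directive, and comment 17's observation that the raw value of self-service/ldap_attributes is rendered into slapd.conf and so can carry ACL syntax such as "@extensibleObject by * write stop". The following is an added example, not code from univention-self-service or its listener; it assumes the variable holds a space-separated list of plain LDAP attribute names (comment 9 and comment 13) and shows a generator that validates each token against an attribute-name pattern before rendering the directive in the form comment 15 ended up with.

```python
import re

# Constructed sample values for the UCR variable; in the thread it is set with
# ucr set self-service/ldap_attributes='l'
EXAMPLE_VALUES = {
    "ok": "l street mobile",
    "injected": "@extensibleObject by * write stop",
}

# A plain LDAP attribute name: a leading letter, then letters, digits or hyphens.
# Attribute options (";binary"), object-class references ("@..."), wildcards and
# ACL keywords all fail this pattern, so no ACL syntax can ride along.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_attribute_list(value):
    """Split the space-separated UCR value into attribute names.

    Every token must look like an attribute name; anything else raises
    ValueError so the listener can refuse to rewrite the ACL at all rather
    than emit an unexpected access directive.
    """
    attrs = []
    for token in value.split():
        if not ATTR_NAME.match(token):
            raise ValueError("not an LDAP attribute name: %r" % token)
        if token not in attrs:  # keep order, drop duplicates
            attrs.append(token)
    return attrs


def render_acl(attrs):
    """Render one slapd access directive for the allowed attributes.

    'by self write' lets a user change the listed attributes of their own
    entry. 'by * +0 break' grants nothing extra to everybody else and hands
    evaluation on to the following directives; 'by * none break' would
    instead reset to none the write privileges that earlier directives
    granted, which is the problem raised in comment 14.
    """
    if not attrs:
        return ""
    return (
        'access to filter="univentionObjectType=users/user" attrs=%s\n'
        '    by self write\n'
        '    by * +0 break\n' % ",".join(attrs)
    )


def acl_from_ucr_value(value):
    """Validate the UCR value and return the ACL text to write into slapd.conf."""
    return render_acl(parse_attribute_list(value))


if __name__ == "__main__":
    print(acl_from_ucr_value(EXAMPLE_VALUES["ok"]))
    try:
        acl_from_ucr_value(EXAMPLE_VALUES["injected"])
    except ValueError as exc:
        print("rejected:", exc)
```

The pattern is deliberately narrower than what an LDAP server accepts (no attribute options, no OIDs), because the only values this variable is meant to carry are contact-tab attribute names; a rejected value leaves the previously registered ACL in place, so a typo cannot silently widen or remove user write access.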
Comment 19 Florian Best univentionstaff 2019-03-12 13:40:27 CET
UCS 4.4 has been released:
 https://docs.software-univention.de/release-notes-4.4-0-en.html
 https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".