Bug 49387 - allow adding "by" clause to monitor ACL
allow adding "by" clause to monitor ACL
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-0-errata
Assigned To: Florian Best
Felix Botner
Depends on:
  Show dependency treegraph
Reported: 2019-04-29 15:47 CEST by Felix Botner
Modified: 2019-07-03 14:13 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2019-04-29 15:47:59 CEST
we need something like

@@ -11,5 +11,8 @@
         print 'access to dn.subtree="cn=monitor"'
         print '   by dn.base="cn=admin,%s" read' % ldap_base
         print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" read' % (groups_default_domainadmins, ldap_base)
+        print '   by ..." read'
+        print '   by group/univentionGroup/uniqueMember="..." read'
+        print '   by set="user & [...]/uniqueMember*" read'
         print '   by * +0 break'
Comment 1 Florian Best univentionstaff 2019-05-07 13:17:55 CEST
We should introcude a UCR variable which allows access for further groups via the set syntax.
Comment 2 Florian Best univentionstaff 2019-05-15 23:27:06 CEST
Patch available in branch fbest/ldap-patches-49386-49391. Please test and reopen for merging.

ucr set ldap/monitor/acl/read/groups/foo="cn=Domain Users,cn=groups,$(ucr get ldap/base)".
Comment 3 Felix Botner univentionstaff 2019-05-27 12:26:07 CEST
OK, works fine 

-> ucr set ldap/monitor/acl/read/groups/domusers="cn=Domain Users,cn=groups,dc=four,dc=four"

-> univention-ldapsearch  -x -D uid=test1,cn=users,dc=four,dc=four -w univention -b cn=Monitor
Comment 4 Florian Best univentionstaff 2019-07-01 12:17:49 CEST
univention-ldap (15.0.0-21)
861ecba43398 | Bug #49387: allow further groups via UCR to acceess the cn=monitor backend

861ecba43398 | Bug #49387: allow further groups via UCR to acceess the cn=monitor backend
Comment 5 Felix Botner univentionstaff 2019-07-01 13:55:48 CEST
OK - univention-ldap.yaml
OK - ldap/create-ldap-server-policy UCRV description
OK - univention-ldap

-> univention-ldapsearch -LLL  -b 'cn=Monitor' -s sub '*' '+'
No such object (32)

-> ucr set ldap/monitor/acl/read/groups/backup_hosts='cn=DC Backup Hosts,cn=groups,dc=w2k12,dc=test'
-> service  slapd restart

-> univention-ldapsearch -LLL  -b 'cn=Monitor' -s sub '*' '+'
dn: cn=Monitor
objectClass: monitorServer
structuralObjectClass: monitorServer
cn: Monitor
createTimestamp: 20190628231239Z
modifyTimestamp: 20190628231239Z
description: This subtree contains monitoring/managing objects.
description: This object contains information about this server.
description: Most of the information is held in operational attributes, which must be explicitly requested.
monitoredInfo: OpenLDAP: slapd  (Aug  6 2018 15:28:57)
entryDN: cn=Monitor
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE
Comment 6 Arvid Requate univentionstaff 2019-07-03 14:13:58 CEST