Univention Bugzilla – Bug 49390
allow disabling the read to "*" LDAP ACLs in 60univention-ldap-server_acl-slave
Last modified: 2022-03-07 15:47:50 CET
we need something like -if configRegistry.is_false('ldap/acl/read/anonymous'): - print 'access to dn.subtree="%s" attrs=entry,uid' % (configRegistry['ldap/base'],) - ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips') - if ldap_acl_read_anonymous_ips: - for ip in ldap_acl_read_anonymous_ips.split(','): - print ' by peername.ip=%s read' % ip - print ' by anonymous auth' - print ' by * +0 break' - print '' -print 'access to *' -if configRegistry.is_false('ldap/acl/read/anonymous'): - print ' by users read' - ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips') - if ldap_acl_read_anonymous_ips: - for ip in ldap_acl_read_anonymous_ips.split(','): - print ' by peername.ip=%s read' % ip -else: - print ' by * read' -print +if baseConfig.get('$ABC/ldap-slave-role', '') == '' or baseConfig['server/role'] != "domaincontroller_slave": + if configRegistry.is_false('ldap/acl/read/anonymous'): + print 'access to dn.subtree="%s" attrs=entry,uid' % (configRegistry['ldap/base'],) + ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips') + if ldap_acl_read_anonymous_ips: + for ip in ldap_acl_read_anonymous_ips.split(','): + print ' by peername.ip=%s read' % ip + print ' by anonymous auth' + print ' by * +0 break' + print '' + print 'access to *' + if configRegistry.is_false('ldap/acl/read/anonymous'): + print ' by users read' + ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips') + if ldap_acl_read_anonymous_ips: + for ip in ldap_acl_read_anonymous_ips.split(','): + print ' by peername.ip=%s read' % ip + else: + print ' by * read' + print if configRegistry.get('ldap/replog', '').lower() in ('true', 'yes'): print "replogfile /var/lib/univention-ldap/replog/replog" no exactly this, just a way to disable this block
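Review bot: the guard `if baseConfig.get('$ABC/ldap-slave-role', '') == '' or baseConfig['server/role'] != "domaincontroller_slave":` mixes `baseConfig` with the `configRegistry` object that every other line of the block uses, and `$ABC/ldap-slave-role` is a placeholder rather than a UCR variable name; use one registry object and a real boolean variable tested with `is_true`/`is_false` instead of comparing against the empty string. Since the condition wraps both the `access to dn.subtree="%s" attrs=entry,uid` rule and `access to *`, a slave with the variable set keeps no catch-all read rule at all, so anything the earlier ACL files do not grant explicitly becomes unreadable; that matches "just a way to disable this block", but it has to be spelled out in the variable's description so nobody flips it expecting only the anonymous part to go away.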
*** Bug 49389 has been marked as a duplicate of this bug. ***
Probably the better alternative is to get rid of the roles and make it a single-line patch, which allows specifying the default readable attributes. This also fixes Bug #49389.
diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave index 40bb6e3d7c..1b56355fef 100644 --- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave +++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave @@ -30,7 +30,7 @@ if configRegistry.is_false('ldap/acl/read/anonymous'): print ' by anonymous auth' print ' by * +0 break' print '' -print 'access to *' +print 'access to %s' % (configRegistry.get('ldap/default-readable-attributes', '*')) if configRegistry.is_false('ldap/acl/read/anonymous'): print ' by users read' ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
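Review bot: `print 'access to %s' % (configRegistry.get('ldap/default-readable-attributes', '*'))` pastes the UCR value verbatim into slapd.conf, so a value of `entry,objectClass` produces the invalid target `access to entry,objectClass` (the `attrs=` prefix has to be part of the value, which nothing documents) and a value containing whitespace can append further `by ...` clauses to the rule; either validate the value or have the template prepend `attrs=` itself. The variable name `ldap/default-readable-attributes` also does not match the `ldap/acl/read/slave/default-attributes` used in the `ucr set` instructions in the following comments; settle on one name and register it with a description.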
Patch available in branch fbest/ldap-patches-49386-49391. Please test and reopen for merging. Do we need the same for ldap/server/type == master? just for consistency?
ucr set ldap/acl/read/slave/default-attributes=entry,objectClass
I am not sure if this patch does what we need. In the customer fork both the authentication rule and the default rule are deactivated.

(a) The default rule is probably replaced by 49389, so we can use this patch here to create a new default rule (ucr set ldap/acl/read/slave/default-attributes="attrs=entry,objectClass"):

access to attrs=entry,objectClass
 by users read

which is different from the customer's default rule:

access to attrs=entry,objectClass
 by * read break

Is this OK? (And there is a typo in the patch: the print statement needs a %s or so.)

(b) In the fork it seems to be possible to completely deactivate the authentication rule:

access to dn.subtree="dc=four,dc=four" attrs=entry,uid
 by anonymous auth
 by * +0 break

This is not possible with the patch.
(In reply to Felix Botner from comment #5)
> I am not sure if this patch does what we need. In the customer fork both
> the authentication rule and the default rule are deactivated.
>
> (a)
>
> the default rule is probably replaced by 49389, so we can use this
> patch here to create a new default rule (ucr set
> ldap/acl/read/slave/default-attributes="attrs=entry,objectClass")
>
> access to attrs=entry,objectClass
>  by users read
>
> which is different from the customer's default rule
>
> access to attrs=entry,objectClass
>  by * read break
>
> is this OK? (and there is a typo in the patch, the print statement needs a
> %s or so)
>
> (b)
> in the fork it seems to be possible to completely deactivate the
> authentication rule
>
> access to dn.subtree="dc=four,dc=four" attrs=entry,uid
>  by anonymous auth
>  by * +0 break
>
> this is not possible with the patch

Oh, yes, I overlooked that!

a) If anonymous auth is deactivated, "*" and "users" are similar, except that "users" excludes unauthenticated accounts. The UCS rule is "break", the customer rule is "stop". But as this is the very last rule, there is no other rule to continue with. So there is no practical difference to a standard UCS. So effectively, the customer allows read to objectClass,entry by *, including anonymous users. I doubt that is wanted? But if it is, no problem, we can modify that.

Let's discuss this patch again on Monday.
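To make the two variants discussed in this bug concrete, here is an added example that is not part of the bug report and not Univention's template code: a stand-alone Python model of the ACL block that 60univention-ldap-server_acl-slave prints, extended with (a) a UCR-controlled target for the default rule and (b) a switch that drops the whole block. The variable names ldap/acl/read/slave/default-attributes and ldap/acl/read/slave/disable, the FakeRegistry stand-in for ConfigRegistry and the sample base dc=four,dc=four are assumptions made for the example. Unlike the patch above, acl_target() accepts both `entry,objectClass` and `attrs=entry,objectClass` and rejects anything that is not an attribute list, so the UCR value cannot add extra `by` clauses to the generated slapd.conf.

```python
# Added example, not Univention's template code. Models the ACL block of
# 60univention-ldap-server_acl-slave plus the two switches discussed in the
# bug. The UCR variable names ldap/acl/read/slave/disable and
# ldap/acl/read/slave/default-attributes are assumptions for this example.
import re

# Values that univention.config_registry treats as false / true.
_FALSE = ('no', 'false', '0', 'disable', 'disabled', 'off')
_TRUE = ('yes', 'true', '1', 'enable', 'enabled', 'on')


class FakeRegistry(dict):
    """Minimal stand-in for ConfigRegistry: a dict with is_true/is_false.
    Like the real class, an unset key yields the default (False)."""

    def is_true(self, key, default=False):
        value = self.get(key)
        return default if value is None else value.lower() in _TRUE

    def is_false(self, key, default=False):
        value = self.get(key)
        return default if value is None else value.lower() in _FALSE


# One or more attribute types (with optional ;options), comma separated.
_ATTR_LIST = re.compile(r'^[A-Za-z][A-Za-z0-9;-]*(,[A-Za-z][A-Za-z0-9;-]*)*$')


def acl_target(value):
    """Turn the UCR value into the <what> part of an 'access to' line.

    Accepts '*', 'entry,objectClass' or 'attrs=entry,objectClass'. Anything
    else (whitespace, 'by ...', newlines) raises, so a UCR value cannot
    smuggle additional ACL clauses into slapd.conf.
    """
    if value == '*':
        return '*'
    attrs = value[len('attrs='):] if value.startswith('attrs=') else value
    if not _ATTR_LIST.match(attrs):
        raise ValueError('invalid attribute list: %r' % value)
    return 'attrs=' + attrs


def render_slave_acl(cr):
    """Return the slapd.conf ACL text a slave gets for registry cr."""
    if cr.is_true('ldap/acl/read/slave/disable'):
        # Case (b): emit neither rule. Whatever the earlier ACL files do not
        # grant explicitly is then not readable on this slave.
        return ''
    ips = [ip for ip in cr.get('ldap/acl/read/ips', '').split(',') if ip]
    # Unset ldap/acl/read/anonymous means is_false() -> False: anonymous may read.
    anon_read = not cr.is_false('ldap/acl/read/anonymous')
    lines = []
    if not anon_read:
        # Authentication rule: anonymous binds may look up entry and uid to
        # authenticate, everybody else falls through ('break') to the default rule.
        lines.append('access to dn.subtree="%s" attrs=entry,uid' % cr['ldap/base'])
        lines.extend(' by peername.ip=%s read' % ip for ip in ips)
        lines.append(' by anonymous auth')
        lines.append(' by * +0 break')
        lines.append('')
    # Case (a): the default rule's target comes from UCR instead of being '*'.
    target = acl_target(cr.get('ldap/acl/read/slave/default-attributes', '*'))
    lines.append('access to %s' % target)
    if anon_read:
        lines.append(' by * read')
    else:
        lines.append(' by users read')
        lines.extend(' by peername.ip=%s read' % ip for ip in ips)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed sample registry: anonymous read off, restricted default rule.
    sample = FakeRegistry({
        'ldap/base': 'dc=four,dc=four',
        'ldap/acl/read/anonymous': 'no',
        'ldap/acl/read/ips': '10.0.0.1,10.0.0.2',
        'ldap/acl/read/slave/default-attributes': 'entry,objectClass',
    })
    print(render_slave_acl(sample))
```

Running the block prints the authentication rule followed by `access to attrs=entry,objectClass` with `by users read` and one `by peername.ip=... read` per configured address; with ldap/acl/read/slave/disable=yes it prints nothing, and with ldap/acl/read/anonymous unset the default rule degrades to `by * read`, which is the anonymous read the bug is about.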
Any progress here, do we need to talk?
(In reply to Felix Botner from comment #7)
> Any progress here, do we need to talk?

We need a concrete order from professional services that we should continue here.