Bug 50051 - [UDM HTTP API] support cn=admin connection
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM - REST API
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-2
Assigned To: Florian Best
QA Contact: Daniel Tröder
Depends on:
Blocks: 50052
Reported: 2019-08-25 08:44 CEST by Daniel Tröder
Modified: 2019-10-02 16:06 CEST

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Workaround is available
Max CVSS v3 score:

Description Daniel Tröder univentionstaff 2019-08-25 08:44:25 CEST
UCS@school installs very complex LDAP ACLs.
Traversing them takes time → costs performance.
In some situations the identity of the client has already been verified and thus the backend code uses a cn=admin connection for performance reasons.

Support using a cn=admin connection with the UDM HTTP API.
Comment 1 Florian Best univentionstaff 2019-09-01 22:38:43 CEST
Can you give more information on how you would like to use that, i.e. how would you authenticate?

Wouldn't it be a solution to add an LDAP ACL in UCS@school which fits your needs for a specially created user:

# Grant one dedicated account write access to everything and stop ACL
# evaluation for it; everyone else gains nothing here ("+0") and falls
# through ("break") to the ACLs that follow.
access to *
 by dn.base="cn=ucsschool-admin$,dc=ldap,dc=base" write stop
 by * +0 break
Comment 2 Daniel Tröder univentionstaff 2019-09-02 08:14:42 CEST
Why do that, if there is already an account that fits the role?
Comment 3 Florian Best univentionstaff 2019-09-23 15:11:58 CEST
The special username "cn=admin" can now be used to authenticate with the cn=admin connection.
As cn=admin is not part of any groups, it bypasses the ACLs that check group membership.

univention-directory-manager-rest (9.0.16-3)
ba1bc4e4fca0 | Bug #27816: allow authentication via cn=admin
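Added example, not code from this bug or from Univention: a minimal Python client that authenticates to the UDM REST API with the special username "cn=admin" via HTTP Basic auth. The base path /univention/udm/ and the hostname, the location of the cn=admin password (/etc/ldap.secret) and the verified-principal guard are this example's assumptions, not facts stated in the bug. The guard exists because, as comment 3 says, cn=admin bypasses the group-membership ACLs, so the code path must only be reached once the caller has already established whom it is acting for.

```python
"""Call the UDM REST API as cn=admin (added example, not Univention code)."""
import base64
import json
import urllib.request
from urllib.parse import urljoin

# Assumed: API base path of the UDM REST API; the hostname is made up.
UDM_BASE = "https://primary.example.com/univention/udm/"


def read_admin_secret(path="/etc/ldap.secret"):
    """Return the cn=admin password; the file location is an assumption of this example."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def basic_auth_header(username, password):
    """HTTP Basic credentials; for the admin connection the username is the literal "cn=admin"."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def admin_connection_allowed(verified_principal):
    """Guard used by this example: cn=admin bypasses the group-membership ACLs,
    so the caller must already know whom it is acting for. An empty or
    whitespace-only principal means the identity was never verified."""
    return bool(verified_principal and verified_principal.strip())


def udm_request(path, secret, verified_principal, method="GET", body=None, base=UDM_BASE):
    """Build a urllib Request for the UDM REST API authenticated as cn=admin.

    Raises ValueError instead of silently escalating when no verified
    principal is supplied: the ACL bypass must never be the default path.
    """
    if not admin_connection_allowed(verified_principal):
        raise ValueError("refusing cn=admin connection: client identity not verified")
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(urljoin(base, path), data=data, method=method)
    req.add_header("Authorization", basic_auth_header("cn=admin", secret))
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def udm_get(path, secret, verified_principal, opener=urllib.request.urlopen):
    """Perform the request and decode the JSON answer (needs a reachable UCS host)."""
    with opener(udm_request(path, secret, verified_principal)) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # List user objects over the cn=admin connection; "alice" is a made-up
    # principal standing in for the identity the caller has already verified.
    print(json.dumps(udm_get("users/user/", read_admin_secret(), "alice"), indent=2))
```

Note that the secret never appears on the command line, and that the client only ever sends it over the HTTPS endpoint it was built for; a separate, unprivileged connection should still be used wherever the caller's own identity has not been verified yet.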
Comment 4 Daniel Tröder univentionstaff 2019-09-23 17:17:55 CEST
univention-directory-mana 9.0.16-4A~4.4.0.2

OK: authentication with cn=admin is possible
Comment 5 Florian Best univentionstaff 2019-10-02 16:06:32 CEST
UCS 4.4-2 has been released:
 https://docs.software-univention.de/release-notes-4.4-2-en.html
 https://docs.software-univention.de/release-notes-4.4-2-de.html

If this error occurs again, please use "Clone This Bug".