Bug 50052 - [UDM HTTP API] support read-only cn=admin connection
Summary: [UDM HTTP API] support read-only cn=admin connection
Status: RESOLVED WONTFIX
Alias: None
Product: UCS
Classification: Unclassified
Component: UDM - REST API
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: UMC maintainers
QA Contact: UMC maintainers
URL:
Keywords:
Depends on: 50051
Blocks:
Reported: 2019-08-25 08:45 CEST by Daniel Tröder
Modified: 2024-06-27 12:09 CEST (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Workaround is available
Customer ID:
Max CVSS v3 score:


Attachments

Description Daniel Tröder univentionstaff 2019-08-25 08:45:59 CEST
+++ This bug was initially created as a clone of Bug #50051 +++

UCS@school installs very complex LDAP ACLs.
Traversing them takes time → costs performance.
In some situations the identity of the client has already been verified and thus the backend code uses a cn=admin connection for performance reasons.
In dry-runs or when only retrieving information from LDAP, a connection that does not allow (accidentally) writing to LDAP is used.

Support using a read-only cn=admin connection with the UDM HTTP API.
Comment 1 Florian Best univentionstaff 2019-09-01 22:32:05 CEST
There is no such thing as a read-only cn=admin connection. cn=admin has all permissions and there is no way to restrict this.

If you want a read-only connection, create any user which has read permissions to everything and write permissions to nothing. Then use that user.
I think this can be done in a UCS@school joinscript and ACLs.

What does the UDM REST API need to do here?
Comment 2 Daniel Tröder univentionstaff 2019-09-02 08:13:12 CEST
(In reply to Florian Best from comment #1)
> There is no such thing as a read only cn=admin connection. cn=admin has all
> permissions and there is no way to restrict this.
> 
> If you want a read only connection, create any user which has read
> permissions to everything and write permissions to nothing. Then use that
> user.
The cn=admin user gets special treatment in the LDAP ACLs. That speeds up things a lot. Using that user is a requirement for a fast import.

If I connect with a user... let's say "admin-ro"... that should represent that cn=admin r/o connection, then I want the UDM REST API to use a cn=admin connection, but have all write operations disabled in the uldap Python code.

In UCS@school we have an implementation here:
https://git.knut.univention.de/univention/ucsschool/blob/4.4/ucs-school-import/modules/ucsschool/importer/utils/ldap_connection.py#L129
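The pattern comment 2 asks for, a privileged connection whose write methods are refused in the Python client, as an added example that is not UCS, UDM or ucs-school-import code: `ReadOnlyLDAP`, `FakeAdminConnection` and the `WRITE_METHODS` list are all constructed here, and the method names are an assumption modelled on common LDAP client verbs rather than the real `univention.uldap.access` API. As comment 1 points out, the server side still sees cn=admin, so this only guards the application against accidental writes; it is not an LDAP-level restriction.

```python
# Directory-mutating method names. Assumption: modelled on common LDAP client
# verbs; the real univention.uldap.access may name them differently.
WRITE_METHODS = frozenset({"add", "modify", "modify_s", "rename", "rename_s", "delete"})


class ReadOnlyViolation(PermissionError):
    """Raised when a write is attempted through the read-only proxy."""


class ReadOnlyLDAP:
    """Forward reads to the wrapped privileged connection, refuse writes.
    Client-side enforcement only: the bind is still cn=admin and the server
    would accept the write; the proxy just makes accidental writes fail loudly."""

    def __init__(self, conn, write_methods=WRITE_METHODS):
        self._conn = conn
        self._write_methods = frozenset(write_methods)

    def __getattr__(self, name):
        # Only reached for names not set on the proxy itself (i.e. everything
        # except _conn/_write_methods), so all LDAP calls pass through here.
        attr = getattr(self._conn, name)
        if name in self._write_methods and callable(attr):
            def refused(*args, **kwargs):
                raise ReadOnlyViolation(f"{name}() refused: read-only connection")
            return refused
        return attr


class FakeAdminConnection:
    """Constructed in-memory stand-in for a cn=admin uldap connection."""

    def __init__(self):
        self.entries = {"uid=alice,dc=example,dc=org": {"uid": [b"alice"]}}

    def search(self, ldap_filter="(objectClass=*)", base=""):
        return list(self.entries.items())

    def add(self, dn, attrs):
        self.entries[dn] = dict(attrs)


def dry_run_lookup(conn):
    """Read through the proxy, then confirm that a write is refused."""
    ro = ReadOnlyLDAP(conn)
    found = len(ro.search())
    try:
        ro.add("uid=bob,dc=example,dc=org", {"uid": [b"bob"]})
        blocked = False
    except ReadOnlyViolation:
        blocked = True
    return found, blocked, len(conn.entries)
```

A dry-run that calls `dry_run_lookup(FakeAdminConnection())` reads the one entry, has its `add()` refused, and leaves the directory unchanged.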
Comment 3 Jan-Luca Kiok univentionstaff 2024-06-27 12:09:42 CEST
This issue has been filed against UCS 4.4.

UCS 4.4 is out of general maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.