Univention Bugzilla – Bug 50527
AD Member Mode breaks UDM REST API (configuration)
Last modified: 2021-09-01 10:55:42 CEST
* Standard UCS master (with UDM REST API)
* ucr get directory/manager/rest/authorized-groups/domain-admins
  cn=Domain Admins,cn=groups,dc=autotest224,dc=local
* AD Member Mode with German Windows AD server
* during the Member Mode initialization the group cn=Domain Admins is renamed to cn=Domänen-Benutzer
* now directory/manager/rest/authorized-groups/domain-admins holds the wrong group name and authentication to the REST API no longer works

Workaround:
$ ucr unset directory/manager/rest/authorized-groups/domain-admins
$ univention-run-join-scripts --force --run-scripts 22univention-directory-manager-rest.inst
The UDM REST API default ACLs need to be updated if directory/manager/rest/authorized-groups/domain-admins changes.
(In reply to Ingo Steuwer from comment #1)
> The UDM REST API default ACLs need to be updated if
> directory/manager/rest/authorized-groups/domain-admins changes.

Hm? The UCR variable is the ACL.
The member mode must change directory/manager/rest/authorized-groups/domain-admins, later than the join script runs.
So basically we need some hook mechanism in the AD member mode configuration which sets this UCR variable (and probably others as well).
(In reply to Florian Best from comment #2)
> (In reply to Ingo Steuwer from comment #1)
> > The UDM REST API default ACLs need to be updated if
> > directory/manager/rest/authorized-groups/domain-admins changes.
> Hm?
> The UCR-Variable is the ACL.
> The member mode must change
> directory/manager/rest/authorized-groups/domain-admins, later than the
> joinscript runs.
> So basically we need some hook mechanism in the AD member mode configuration
> which sets this UCR variable (and probably others as well).

Ah, what I meant is not this UCR variable, my fault.
The LDAP ACLs use a function of univention.lib.misc to identify the "Domain Admins" group, for example in slapd.conf template 60univention-ldap-server_acl-master:

----
from univention.lib.misc import custom_username, custom_groupname
[...]
groups_default_domainadmins = custom_groupname('Domain Admins')
users_default_administrator = custom_username('Administrator')
----

We should have the same behaviour for the UDM REST API.
We already have this behavior:

~/git2/ucs/management/univention-directory-manager-rest
$ git grep -A 2 custom_groupname
22univention-directory-manager-rest.inst:domain_admins_dn="$(umc_udm groups/group list --filter name="$(custom_groupname "Domain Admins")" | sed -ne 's/^DN: //p')"
22univention-directory-manager-rest.inst-ucr set \
22univention-directory-manager-rest.inst-	directory/manager/rest/authorized-groups/domain-admins?"$domain_admins_dn" \
For our internal Jenkins test a workaround has been committed, which should be reverted when this bug is fixed:
8d69bfb9d539 | Bug #50527: add workaround
(In reply to Florian Best from comment #4)
> We already have this behavior:
>
> ~/git2/ucs/management/univention-directory-manager-rest
> $ git grep -A 2 custom_groupname
> 22univention-directory-manager-rest.inst:domain_admins_dn="$(umc_udm
> groups/group list --filter name="$(custom_groupname "Domain Admins")" | sed
> -ne 's/^DN: //p')"
> 22univention-directory-manager-rest.inst-ucr set \
> 22univention-directory-manager-rest.inst-
> directory/manager/rest/authorized-groups/domain-admins?"$domain_admins_dn" \

This is the join script? Then it is only applied during the initial installation. The rename of the group is done later during the configuration of the AD connection.
(In reply to Ingo Steuwer from comment #6)
> This is the join script? Then it is only applied during the initial
> installation. The rename of the group is done later during the configuration
> of the AD connection.

Yes.
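An added offline check (not code from this bug, from the join script or from UCS) that models what the thread describes: it resolves the DN the join script would compute via custom_groupname('Domain Admins'), compares it with the value stored in directory/manager/rest/authorized-groups/domain-admins, and flags the stale value left behind by the AD Member Mode rename. It assumes custom_groupname() reads the UCR key groups/default/domainadmins and uses constructed UCR and LDAP data; the German group name "Domänen-Admins" is a constructed sample.

```python
# Offline consistency check for the UCR value the UDM REST API join script
# sets. All data is constructed; on UCS it would come from `ucr` and LDAP.
REST_KEY = "directory/manager/rest/authorized-groups/domain-admins"
# Constructed UCR snapshot after AD Member Mode renamed the group;
# groups/default/domainadmins is assumed to be the key custom_groupname()
# consults for the localised name of "Domain Admins".
UCR_AFTER_RENAME = {
    "ldap/base": "dc=autotest224,dc=local",
    "groups/default/domainadmins": "Domänen-Admins",
    REST_KEY: "cn=Domain Admins,cn=groups,dc=autotest224,dc=local",
}
# Constructed set of group DNs that exist in LDAP after the rename.
GROUP_DNS_AFTER_RENAME = {
    "cn=Domänen-Admins,cn=groups,dc=autotest224,dc=local",
    "cn=Domänen-Benutzer,cn=groups,dc=autotest224,dc=local",
}

def custom_groupname(name, ucr):
    """Offline stand-in for univention.lib.misc.custom_groupname (assumption)."""
    key = {"Domain Admins": "groups/default/domainadmins"}.get(name)
    return ucr.get(key, name) if key else name

def expected_domain_admins_dn(ucr):
    """DN the join script would resolve for the (possibly renamed) group."""
    return "cn=%s,cn=groups,%s" % (custom_groupname("Domain Admins", ucr),
                                   ucr["ldap/base"])

def check_rest_domain_admins(ucr, group_dns):
    """Classify the configured DN against LDAP; DNs compare case-insensitively."""
    expected = expected_domain_admins_dn(ucr)
    configured = ucr.get(REST_KEY) or ""
    if not configured:
        status = "unset"
    elif configured.lower() == expected.lower():
        status = "ok"
    elif configured.lower() in {dn.lower() for dn in group_dns}:
        status = "mismatch"  # existing group, but not Domain Admins
    else:
        status = "stale"     # group renamed or gone: REST auth fails
    return {"status": status, "configured": configured, "expected": expected}

def repair_commands(result):
    """Workaround steps. The join script uses `ucr set key?value`, which
    keeps an existing value, so a stale value must be unset before re-run."""
    rerun = ("univention-run-join-scripts --force "
             "--run-scripts 22univention-directory-manager-rest.inst")
    if result["status"] == "ok":
        return []
    return ([] if result["status"] == "unset"
            else ["ucr unset %s" % REST_KEY]) + [rerun]
```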