Univention Bugzilla – Bug 50669
Restrict Access to LDAP Data for Non-Administrative Users
Last modified: 2020-08-24 13:15:54 CEST
For non-administrative users, access to sensitive LDAP attributes should be restricted. Currently accessible are, i.e., NTLM hashes. Currently it appears students have only access to their own data, which is fine. But teachers and staff have access to the school admins' data, which is no good. Additionally teachers (or staff) have access to all students', teachers' and staff data. Again, no good. Further details about tests performed and the expected result table can be found in the ticket.
OK: code (ACL) changes
OK: automatic tests 75_ldap_acls_* on developer VM
OK: manual tests: Tests were run like this (changing binddn and filter):

ldapsearch -LLL -D uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,$(ucr get ldap/base) -w univention -x -H ldap://localhost:7389/ uid=demo_teacher userPassword

* admin → admin: denied
* admin → global: denied
* admin → staff: ok
* admin → student: ok
* admin → teacher: ok
* global → admin: denied
* global → global: denied
* global → staff: denied
* global → student: denied
* global → teacher: denied
* staff → admin: denied
* staff → global: denied
* staff → staff: denied
* staff → student: denied
* staff → teacher: denied
* student → admin: denied
* student → global: denied
* student → staff: denied
* student → student: denied
* student → teacher: denied
* teacher → admin: denied
* teacher → global: denied
* teacher → staff: denied
* teacher → student: ok
* teacher → teacher: denied

OK: students and global users cannot read their own passwords. That is not required by this bug, but has already been like this before. This is not a regression. If this behavior is not desired, please open a new bug.
WAIT: all good so far, will wait until tomorrow for the Jenkins tests.
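The matrix above re-run as a script, added here as a regression check and not code from the bug report or from Univention: it binds as each role, searches for each target's userPassword and compares the outcome with the expected table from comment #4. Only demo_student's DN, the password and the ldapsearch flags come from the comment; the other demo_* DNs and container names are assumed placeholders, and -b is added so the search does not depend on ldap.conf.

```shell
#!/bin/bash
# Added regression check (not from the bug report): re-run the bind-DN x target
# matrix of comment #4 and report every cell that differs from the expected table.
set -u

LDAP_URI="${LDAP_URI:-ldap://localhost:7389/}"
BIND_PW="${BIND_PW:-univention}"   # demo password used in the comment
LDAP_BASE="${LDAP_BASE:-$(ucr get ldap/base 2>/dev/null || echo 'dc=example,dc=com')}"
ROLES="admin global staff student teacher"

# Bind DN per role. Only the student DN is from the comment; the rest are
# assumed placeholders and must be replaced with the real DNs of the tree.
bind_dn_for() {
  case "$1" in
    admin)   echo "uid=demo_admin,cn=admins,cn=users,ou=DEMOSCHOOL,$LDAP_BASE" ;;
    global)  echo "uid=demo_global,cn=users,$LDAP_BASE" ;;
    staff)   echo "uid=demo_staff,cn=mitarbeiter,cn=users,ou=DEMOSCHOOL,$LDAP_BASE" ;;
    student) echo "uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,$LDAP_BASE" ;;
    teacher) echo "uid=demo_teacher,cn=lehrer,cn=users,ou=DEMOSCHOOL,$LDAP_BASE" ;;
  esac
}

# Expected result for "binder target", copied from the table in comment #4.
expected() {
  case "$1:$2" in
    admin:staff|admin:student|admin:teacher|teacher:student) echo ok ;;
    *) echo denied ;;
  esac
}

# "ok" when the result carries a userPassword attribute, "denied" when the ACL
# stripped it or returned no entry at all. The hash value is never printed.
classify() {
  if printf '%s\n' "$1" | grep -q '^userPassword:'; then echo ok; else echo denied; fi
}

run_matrix() {
  local b t out got want fails=0
  for b in $ROLES; do
    for t in $ROLES; do
      out=$(ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" -D "$(bind_dn_for "$b")" \
            -w "$BIND_PW" "uid=demo_$t" userPassword 2>/dev/null)
      got=$(classify "$out"); want=$(expected "$b" "$t")
      [ "$got" = "$want" ] || { echo "FAIL $b -> $t: got $got, expected $want"; fails=$((fails+1)); }
    done
  done
  echo "$fails mismatching cell(s)"; [ "$fails" -eq 0 ]
}

if [ "${1:-}" = "run" ]; then run_matrix; fi
```

Invoke as `./acl_matrix.sh run` on the school server; a non-zero exit status means at least one cell no longer matches the table.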
(In reply to Daniel Tröder from comment #4)
> WAIT: all good so far, will wait until tomorrow for the Jenkins tests.
OK: all Jenkins jobs are green
OK: advisory
Published via Errata Update on 10.06.2020. If this bug occurs again, please clone this bug.
The bug needs to be publicly visible for the CVE assignment.