Univention Bugzilla – Bug 50824
OX resource UDM module modifies user object to prevent deletion of resource admin
Last modified: 2020-02-13 16:26:40 CET
To prevent the deletion of a user that is the current administrator of an OX resource, the OX resource UDM module (oxresources.py) writes its own email address to an LDAP attribute "resourceMailAddress" of a users/user object. If a user object should be deleted and there is still an entry in its "oxResourceMailAddress" attribute, the deletion will be prevented.
There are multiple problems with this approach and the implementation:
1. It only works if the resource has an email address.
2. Multiple resources can have the same email address.
3. When the resource's email is changed or the resource is deleted, _all_ resource email addresses will be deleted from the user, not just the one of the resource being changed/deleted.
4. It is generally not desirable to change another LDAP object when one object is modified.
A possible solution is to store the entryUUID of the resource admin in an attribute of the resource. To prevent the deletion of currently active resource admins, the LDAP can be searched for (&(objectClass=oxResourceObject)(admin=<my-entryUUID>)) when a user object is to be removed.
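
The two guards compared above, as an added illustration that is not code from the bug report or from oxresources.py: a small in-memory model of the current address-based guard and of the proposed entryUUID lookup. The function names and the sample directory entries are hypothetical and constructed for this example; no LDAP server is involved.

```python
# Toy in-memory model (constructed data, no LDAP server) of both deletion guards.
# Function names and sample values are hypothetical, chosen for illustration.

def make_directory():
    user = {"entryUUID": "11111111-2222-3333-4444-555555555555",
            "oxResourceMailAddress": set()}  # multi-valued attribute: no duplicate values
    resources = [
        {"cn": "beamer", "objectClass": "oxResourceObject", "mail": "room@example.org"},
        {"cn": "room1", "objectClass": "oxResourceObject", "mail": "room@example.org"},
        {"cn": "van", "objectClass": "oxResourceObject", "mail": None},
    ]
    return user, resources

# Guard as the report describes it: the resource's address is written to the user.
def legacy_assign(user, resource):
    if resource["mail"]:  # problem 1: a resource without an address leaves no trace
        user["oxResourceMailAddress"].add(resource["mail"])  # problem 2: shared address collapses

def legacy_remove_resource(user, resources, resource):
    resources.remove(resource)
    user["oxResourceMailAddress"].clear()  # problem 3: all addresses are dropped

def legacy_may_delete(user):
    return not user["oxResourceMailAddress"]

# Proposed guard: the resource stores the admin's entryUUID; the user is not modified.
def proposed_assign(user, resource):
    resource["admin"] = user["entryUUID"]

def proposed_may_delete(user, resources):
    # In-memory equivalent of (&(objectClass=oxResourceObject)(admin=<my-entryUUID>))
    return not any(r["objectClass"] == "oxResourceObject"
                   and r.get("admin") == user["entryUUID"] for r in resources)

def compare():
    """Assign one admin to all resources, delete one resource, then ask both guards."""
    user, resources = make_directory()
    for r in resources:
        legacy_assign(user, r)
        proposed_assign(user, r)
    stored = len(user["oxResourceMailAddress"])
    legacy_remove_resource(user, resources, resources[0])
    return stored, legacy_may_delete(user), proposed_may_delete(user, resources)

if __name__ == "__main__":
    print(compare())
```

After one of the three resources is removed, the address-based guard allows the user to be deleted although two resources still name that user as admin, while the entryUUID lookup still blocks the deletion.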