Univention Bugzilla – Bug 50830
LDAP ACLs: prevent read access to unique-usernames/unique-email for domaincontroller_slave/memberserver
Last modified: 2020-07-30 15:15:20 CEST
LDAP ACLs: prevent read access to unique-usernames/unique-email for domaincontroller_slave and memberserver
[4.4] 203d70ac0 Bug #50830: update advisory
[4.4] 3c734d941 Bug #50830: remove UCR variable and also block memberservers
[4.4] bdd8c6fb4 Bug #50830: add advisory
[4.4] 3c8766664 Bug #50830: add changelog entry
[4.4] 80a37045f Bug #50830: limit read access to import counters for memberservers and domaincontroller slave

Package: ucs-school-ldap-acls-master
Version: 17.0.4-1A~4.4.0.202002241104
Branch: ucs_4.4-0
Scope: ucs-school-4.4

The following ACL block has been added and the join script version has been increased so the new ACLs are registered.

    # prevent replication of username and email counter objects to slaves and memberservers
    access to dn.children="cn=unique-usernames,cn=ucsschool,cn=univention,@%@ldap/base@%@"
        by set="user/univentionObjectType & [computers/domaincontroller_slave]" none
        by set="user/univentionObjectType & [computers/memberserver]" none
        by * +0 break

    access to dn.children="cn=unique-email,cn=ucsschool,cn=univention,@%@ldap/base@%@"
        by set="user/univentionObjectType & [computers/domaincontroller_slave]" none
        by set="user/univentionObjectType & [computers/memberserver]" none
        by * +0 break
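Added illustration, not code from the bug or from Univention: a small Python model of how slapd evaluates the two directives above, so that the difference between the `none` clauses (deny and stop) and the `by * +0 break` clause (grant nothing, continue with the later directives) and the `dn.children=` scoping can be checked offline. The LDAP base, the sample counter entries and the assumption that later directives grant read access to every other host are constructed for the example.

```python
LDAP_BASE = "dc=example,dc=com"  # placeholder for @%@ldap/base@%@

# Containers named in the two added 'access to dn.children=' directives.
COUNTER_CONTAINERS = [
    f"cn=unique-usernames,cn=ucsschool,cn=univention,{LDAP_BASE}",
    f"cn=unique-email,cn=ucsschool,cn=univention,{LDAP_BASE}",
]
# univentionObjectType values matched by the 'by set=... none' clauses.
BLOCKED_TYPES = {"computers/domaincontroller_slave", "computers/memberserver"}

def is_child_of(dn, container):
    # dn.children= matches entries below the container, not the container
    # entry itself (that would need dn.subtree=).
    return dn != container and dn.endswith("," + container)

def evaluate_counter_acl(target_dn, requester_object_type):
    """Outcome of the added directives for one entry and one requester.

    ('none', False): a 'by set=... none' clause matched; no privileges and
                     slapd stops evaluating further directives.
    ('+0', True):    'by * +0 break' matched; nothing granted here, slapd
                     continues with the later directives (normal read access).
    None:            the entry lies outside both counter containers.
    """
    for container in COUNTER_CONTAINERS:
        if not is_child_of(target_dn, container):
            continue
        if requester_object_type in BLOCKED_TYPES:
            return ("none", False)
        return ("+0", True)
    return None

def replicated_entries(entries, requester_object_type):
    """Entries a host of the given object type can still read, assuming the
    later directives grant read access to everything (as before this bug)."""
    visible = []
    for dn in entries:
        verdict = evaluate_counter_acl(dn, requester_object_type)
        if verdict is None or verdict[1]:
            visible.append(dn)
    return visible

# Constructed sample tree: parent container plus one counter object per container.
SAMPLE_ENTRIES = [
    f"cn=ucsschool,cn=univention,{LDAP_BASE}",
    f"cn=anton,cn=unique-usernames,cn=ucsschool,cn=univention,{LDAP_BASE}",
    f"cn=anton@example.com,cn=unique-email,cn=ucsschool,cn=univention,{LDAP_BASE}",
]
```

With the sample tree, a slave or memberserver is left with only the parent `cn=ucsschool` entry, while a backup still sees all three, matching the manual test results recorded later in this bug.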
(In reply to Sönke Schwardt-Krummrich from comment #0)
> LDAP ACLs: prevent read access to unique-usernames/unique-email for
> domaincontroller_slave and memberserver

Why? What was the current state? Doesn't everyone have read access to it?
(In reply to Florian Best from comment #2)
> (In reply to Sönke Schwardt-Krummrich from comment #0)
> > LDAP ACLs: prevent read access to unique-usernames/unique-email for
> > domaincontroller_slave and memberserver
>
> Why? What was the current state? Doesn't everyone have read access to it?

We want to reduce the join time and replication load for UCS servers that will never use that data, because the UCS@school import will not run there.
Commits by Sönke:
[4.4] 80a37045f Bug #50830: limit read access to import counters for memberservers and domaincontroller slave
[4.4] 3c8766664 Bug #50830: add changelog entry
[4.4] bdd8c6fb4 Bug #50830: add advisory
[4.4] 3c734d941 Bug #50830: remove UCR variable and also block memberservers
[4.4] 203d70ac0 Bug #50830: update advisory
[4.4] d2bf3c5d5 Bug #50830: add ACL test for restricted access to import counter objects
[4.4] 782c414ad Bug #50830: update ACL test for restricted access to import counter objects
[4.4] f4935d8d2 Bug #50830: update advisory

Packages built:
ucs-school-ldap-acls-master (17.0.4-1A~4.4.0.202002241104)
ucs-test-ucsschool (6.0.103)

----
OK: checked source code changed
OK: automatic test (90_ucsschool/75_ldap_acls_specific_tests) succeeds
OK: manual test: Ran the command on all roles:

    ldapsearch -LLL -H "ldap://$(ucr get ldap/master)" -x -w "$(</etc/machine.secret)" -D "$(ucr get ldap/hostdn)" -b "cn=ucsschool,cn=univention,$(ucr get ldap/base)" dn

    DC master: got all unique-* entries
    DC backup: got all unique-* entries
    DC slave (edu): got 0 unique-* entries
    DC slave (adm): got 0 unique-* entries
    DC slave (central): got 0 unique-* entries
    Member (central): got 0 unique-* entries

OK: advisory
UCS@school 4.5 v5 has been released (errata update to the release).
http://docs.software-univention.de/changelog-ucsschool-4.4v5-de.html#changelog:ucsschool:2020-04-27

If this error occurs again, please clone this bug.