Univention Bugzilla – Bug 51261
Nested groups don't work in Self Service white- and blacklists
Last modified: 2020-07-01 18:15:19 CEST
The self service internally has a function to resolve nested groups using the group memberships from the user object. It doesn't work or isn't used for the white- and blacklists though. In fact I thought that nested groups weren't resolved at all for some conceptual reason in the self service, but since there is a function to do that in there I doubt that now. Also we have ucs-school-selfservice-support to work around the missing function in school domains (which does not work in use cases with more than one server used for UMC, see bug 50761).

Here is my test setup:

- testgroup01 is a member of testgroup02
- user01 is a member of testgroup01, *should be allowed*, *but isn't*

    ucr set umc/self-service/passwordreset/whitelist/groups=testgroup02

log says:

    is_blacklisted(user01): neither black nor white listed

- testgroup01 is a member of testgroup02
- user01 is a member of testgroup01, *should not be allowed*, because blacklists have priority over whitelists according to the variable description, but *is allowed*

    ucr set umc/self-service/passwordreset/whitelist/groups=testgroup01
    ucr set umc/self-service/passwordreset/blacklist/groups="Administrators,Domain Admins,testgroup02"

log says:

    -> is_blacklisted(user01): match in whitelisted groups
Actually, the nested group functionality was used. Unfortunately, it was buggy when the groups of the user were processed: the function used the UDM property "nestedGroup", which finds groups that are nested in this very group. Instead it should have used "memberOf", which finds the groups that this very group is a member of. Unit tests were added.

univention-self-service 4.0.3-34A~4.4.0.202006252223
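To make the difference between the two attributes concrete, here is an added example (not Univention's self-service code) that models the reporter's test setup in a small in-memory directory and runs the whitelist/blacklist decision over it, once walking "memberOf" (the fix) and once walking "nestedGroup" (the bug). The directory layout, the `DIRECTORY`/`USER_GROUPS` data, the `resolve_groups` and `is_blacklisted` helpers and the reason strings are all assumptions constructed for this illustration; the real UMC module's function and log format are not reproduced here.

```python
"""Added example (not Univention's code): transitive nested-group resolution
and the whitelist/blacklist decision described in bug 51261.

Assumptions (constructed for this example): a tiny in-memory directory in
which each group record carries two attributes named after the UDM properties
mentioned in the bug:
  - "memberOf":    groups this group is a member of (its parents)
  - "nestedGroup": groups nested inside this group (its children)
"""

# Constructed sample directory matching the reporter's test setup:
# testgroup01 is a member of testgroup02.
DIRECTORY = {
    "testgroup01": {"memberOf": ["testgroup02"], "nestedGroup": []},
    "testgroup02": {"memberOf": [], "nestedGroup": ["testgroup01"]},
    "Administrators": {"memberOf": [], "nestedGroup": []},
    "Domain Admins": {"memberOf": [], "nestedGroup": []},
}

# Direct group memberships as they would be read from the user object.
USER_GROUPS = {"user01": ["testgroup01"]}


def resolve_groups(direct_groups, directory, attribute="memberOf"):
    """Return the transitive closure of a user's groups.

    Walks the given attribute from each direct group. With "memberOf" this
    climbs to the parent groups, which is what a whitelist/blacklist check
    needs. With "nestedGroup" (the attribute the buggy version used) it
    descends into child groups instead and never reaches the parents.
    A visited set guards against membership cycles.
    """
    seen = set()
    todo = list(direct_groups)
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(directory.get(group, {}).get(attribute, []))
    return seen


def is_blacklisted(username, whitelist, blacklist, directory=DIRECTORY,
                   user_groups=USER_GROUPS, attribute="memberOf"):
    """Decide whether the user is denied access to password reset.

    Returns (denied, reason). A blacklist hit wins over any whitelist hit,
    which is the precedence the UCR variable description promises.
    The handling of an empty whitelist (everyone not blacklisted is allowed)
    is an assumption of this example, not taken from the bug.
    """
    groups = resolve_groups(user_groups.get(username, []), directory, attribute)
    if groups & set(blacklist):
        return True, "match in blacklisted groups"
    if groups & set(whitelist):
        return False, "match in whitelisted groups"
    if whitelist:
        return True, "neither black nor white listed"
    return False, "not blacklisted and no whitelist configured"


if __name__ == "__main__":
    # Scenario 1 from the bug: whitelist only contains the parent group.
    print("fixed :", is_blacklisted("user01", ["testgroup02"], []))
    print("buggy :", is_blacklisted("user01", ["testgroup02"], [],
                                   attribute="nestedGroup"))
    # Scenario 2: parent group is blacklisted, child group is whitelisted.
    bl = ["Administrators", "Domain Admins", "testgroup02"]
    print("fixed :", is_blacklisted("user01", ["testgroup01"], bl))
    print("buggy :", is_blacklisted("user01", ["testgroup01"], bl,
                                   attribute="nestedGroup"))
```

Running the module prints the four decisions: walking "memberOf" reproduces the expected outcomes of both scenarios (allowed in the first, denied by the blacklisted parent group in the second), while walking "nestedGroup" reproduces the two wrong log lines quoted in the report.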
OK: nested groups are evaluated
OK: test
OK: yaml
-> verified
<http://errata.software-univention.de/ucs/4.4/644.html>