In a multi-school customer environment, a user who is in the Domain Admins group cannot add a user in the standard users module; the school module is working. The UDM log shows:

10.07.20 14:32:51.515 ADMIN ( ERROR ) : Creating u'uid=s.strand,cn=users,dc=schein,dc=me' failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

The user also has the ucsschoolAdministrator objectClass set, which causes the permissionDenied. If you remove the ucsschoolAdministrator flag, everything works fine again. This issue seems to have been introduced between errata 589 and 652. With errata 589 it worked fine with this flag.
I could replicate the error as described in the Description. The change described in comment 3 is implemented in

[twenzel/51661_domain_admins_ldap_acls] 73a52b2f2 Bug #51661: change ldap-acl order

An alternative version, which does not change the order but adds 'break':

access to filter="(|(objectClass=ucsschoolAdministrator)(&(univentionObjectType=users/user)(!(objectClass=ucsschoolType))))" attrs=sambaNTPassword,userPassword,krb5Key,sambaPasswordHistory,pwhistory
  by self +0 break
  by set="user/objectClass & ([ucsschoolAdministrator] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolStudent])" +0 break
  by * +0 break

does work as well. I.e. we first disallow ucsschoolAdministrator to modify non-school users, but changes are still possible (e.g. by set="user & [cn=Domain Admins,cn=groups,dc=uni,dc=dtr]/uniqueMember*" write)

[twenzel/51661_domain_admins_ldap_acls_v2] b349576a5 Bug #51661: ldap-acl add break for to non-school-users for ucsschoolAdministrator

I'm not sure if this is 100% correct and will test this further as well as adding a test, thus I'm not changing the status.
I added a ucs-test which checks whether users in the group cn=Domain Admins,cn=groups,$ldap_base having the objectClass ucsschoolAdministrator are able to write non-school users as well as school users (I'm only testing one role since this is already tested in 75_ldap_acls_specific_tests).

[twenzel/51661_domain_admins_ldap_acls_v2] 0b2a38d0c Bug #51661: add ucs-test

The test fails before the patches described in comment 5 and succeeds after.

Remarks for QA:
Make sure to increase the debian-version. Also the (pre-)joinscript has to be run and slapd has to be restarted for the changes to take effect.

univention-run-join-scripts --force --run-scripts 70ucsschool-ldap-acls-master.inst
/etc/init.d/slapd restart

I would like to take the version implemented in twenzel/51661_domain_admins_ldap_acls_v2 since it changes fewer things, but I'm open to remarks.
- Check if the test passes.
- Create a user with the domain admin group and the ucsschoolAdministrator flag set and try to create a non-school user with it. Before the patch this should fail.
I increased the joinscript number, so it should not be needed to rerun the joinscript manually.
Unfortunately, both solutions described in comment 5 lead to a failure of 75_ldap_acls_password_data.py. As discussed, the domain admin group now first receives +0 break for non-school users, which means no rights are changed but changes are possible (not like I wrote in comment 5). For this to be possible I had to move the code to 65ucsschool to use the replacement of the DOMAIN_ADMINS group. After the changes, the 75_ldap_acls_*.py tests are all passing and I was able to create a user with the flag set.

[twenzel/51661_domain_admins_ldap_acls_v2] ecd73fce7 Bug #51661: move domain admin acls to 65ucsschool
[twenzel/51661_domain_admins_ldap_acls_v2] bfb21a803 Bug #51661: exclude domain admins
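The two fixes discussed in comments 3 and 5 (reordering the clauses versus granting "+0 break" so evaluation falls through to a later clause), shown as an added example that is not part of the bug report or of ucs-school-ldap-acls-master: a simplified Python model of how slapd walks ordered access clauses. The entry DNs, the requester and the Domain Admins write clause are constructed assumptions; the password clause mirrors the one quoted in comment 5.

```python
# Added example, not OpenLDAP or UCS code: a simplified model of slapd's ordered ACL evaluation; all entries and DNs are constructed.
DOMAIN_ADMINS = "cn=Domain Admins,cn=groups,dc=uni,dc=dtr"
SCHOOL_ROLES = {"ucsschoolAdministrator", "ucsschoolTeacher", "ucsschoolStaff", "ucsschoolStudent"}
PASSWORD_ATTRS = {"sambaNTPassword", "userPassword", "krb5Key", "sambaPasswordHistory", "pwhistory"}

# Constructed directory: a Domain Admins member flagged ucsschoolAdministrator, and the global (non-school) user it tries to write.
ENTRIES = {
    "uid=schooladmin,cn=users,dc=uni,dc=dtr": {
        "objectClass": {"ucsschoolAdministrator"}, "groups": {DOMAIN_ADMINS}},
    "uid=s.strand,cn=users,dc=uni,dc=dtr": {
        "objectClass": set(), "univentionObjectType": "users/user", "groups": set()},
}

def is_school_user(entry):
    return bool(entry["objectClass"] & SCHOOL_ROLES)

def password_clause(control):
    """The password-attribute clause quoted in comment 5, as (target filter, [(who matches, privilege, control), ...]).
    Every 'by' grants +0, so only the control decides whether later clauses are ever reached."""
    def applies(target, attr):
        non_school = target.get("univentionObjectType") == "users/user" and not is_school_user(target)
        return attr in PASSWORD_ATTRS and ("ucsschoolAdministrator" in target["objectClass"] or non_school)
    return (applies, [
        (lambda who, target: who is target, "+0", control),        # by self
        (lambda who, target: is_school_user(who), "+0", control),  # by set="user/objectClass & [roles]"
        (lambda who, target: True, "+0", control),                 # by *
    ])

# Illustrative later clause granting Domain Admins write (assumed shape, not the real 65ucsschool ACL).
DOMAIN_ADMINS_WRITE = (lambda target, attr: True, [
    (lambda who, target: DOMAIN_ADMINS in who["groups"], "write", "stop")])

def evaluate(acls, requester_dn, target_dn, attr):
    """Walk clauses in order: the first matching 'by' of a matching clause applies; '+0' leaves the
    accumulated privilege unchanged; 'stop' ends evaluation and 'break' continues with the next clause;
    a matching clause whose 'by' list does not match the requester denies (the implicit trailing 'by * none')."""
    who, target = ENTRIES[requester_dn], ENTRIES[target_dn]
    granted = "none"
    for applies, bys in acls:
        if not applies(target, attr):
            continue
        for matches, priv, control in bys:
            if matches(who, target):
                granted = granted if priv == "+0" else priv
                break
        else:
            return "none"
        if control == "stop":
            return granted
    return granted
```

With the password clause ending in "stop" the Domain Admin is denied before its write clause is reached; with "break", or with the write clause moved in front, the same request yields "write".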
Tests pass now and a school admin who is also in the Domain Admins group can create any non-school users again.

Package: ucs-school-ldap-acls-master
Version: 17.0.4-5A~4.4.0.202008031346
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-test-ucsschool
Version: 6.0.125A~4.4.0.202008031349
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Since I did the merge and build, please do final QA.
* OK: code review
* OK: manual test:
  ucs-school-ldap-acls-master<17.0.4-5 → permission error when trying to create global user in UMC
  ucs-school-ldap-acls-master==17.0.4-5 → no problem creating global user
* OK: automatic tests (on both multi-server and single-server):
  ucs-school-ldap-acls-master<17.0.4-5 → 75_* succeed, except for 75_ldap_acls_domain_admins.py which fails
  ucs-school-ldap-acls-master==17.0.4-5 → 75_* succeed, incl. 75_ldap_acls_domain_admins.py
* OK: advisory
* OK: Jenkins tests (on both multi-server and single-server)
UCS@school 4.4 v6 has been released.
https://docs.software-univention.de/changelog-ucsschool-4.4v6-de.html

If this error occurs again, please clone this bug.