Univention Bugzilla – Bug 53139
Diagnose Check admin accounts gives misleading output
Last modified: 2021-07-01 12:08:42 CEST
UCS@school Administrators are configured with an objectclass 'ucsschoolAdministrator'. An administrator of a school should be a member of the respective admins-school group.

The following problems were found:
uid=orsine.gisker,cn=lehrer,cn=users,ou=one,dc=schein,dc=qa
  - is registered as admin but no member of the following schools: ['one']

-----

univention-ldapsearch -LLL uid=orsine.gisker memberof ucsschoolRole ucsschoolSchool objectClass
dn: uid=orsine.gisker,cn=lehrer,cn=users,ou=one,dc=schein,dc=qa
ucsschoolRole: teacher:school:one
ucsschoolSchool: one
memberOf: cn=Domain Users one,cn=groups,ou=one,dc=schein,dc=qa
memberOf: cn=one-1a,cn=klassen,cn=schueler,cn=groups,ou=one,dc=schein,dc=qa
memberOf: cn=one-1b,cn=klassen,cn=schueler,cn=groups,ou=one,dc=schein,dc=qa
memberOf: cn=lehrer-one,cn=groups,ou=one,dc=schein,dc=qa
objectClass: krb5KDCEntry
objectClass: ucsschoolAdministrator
objectClass: organizationalPerson
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: person
objectClass: ucsschoolTeacher
objectClass: univentionMail
objectClass: univentionObject
objectClass: ucsschoolType
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount

The school is set properly but the group is missing. The module should show the missing group, like the consistency check does.
Is this the desired change?

- is registered as admin but no member of the following schools: ['one']
+ is registered as admin but no member of the following groups: ['admins-one']
(In reply to Daniel Tröder from comment #1)
> Is this the desired change?
>
> - is registered as admin but no member of the following schools: ['one']
> + is registered as admin but no member of the following groups:
> ['admins-one']

Yes, or even better is the output of the consistency check giving the dn of the group. But 'admins-one' would do the job.

  - Not member of group cn=admins-one,cn=ouadmins,cn=groups,dc=schein,dc=qa

Also a little bit inconsistent is that this check does not complain about the role, although the check tests the admin account.
I committed a patch to troehmey/bug53139_check_admin_accounts_output with:

6b637710b Bug #53139: improved output for admin group membership check

The output message was improved as suggested in the bug description. I tested the behavior by removing an admin from its admin-ou group and then executing the diagnostic module.
QA → reopen

    try:
        attr["uniqueMember"]
    except KeyError:
        # this group has no members
        attr["uniqueMember"] = []

→ attr.get("uniqueMember", [])

    if not admin["dn"] in attr["uniqueMember"]:
        problematic_objects.setdefault(admin["dn"], []).append(
            _("is registered as admin but no member of the following groups: {}".format(dn))
        )

→ This does not seem to make sense for admins in multiple ous. Collect the dns of the missing groups and do something like this after the group-loop:

    if missing_group_dns:
        problematic_objects.setdefault(admin["dn"], []).append(
            _("is registered as admin but no member of the following groups: {}".format(missing_group_dns))
        )

    if not admin["schools"]:

→ move to outer loop (for admin in admins)

Functionality before fix:
uid=h.schlemmer,cn=lehrer,cn=users,ou=DEMOSCHOOL,dc=dc-we,dc=intranet
  - is registered as admin but no member of the following schools: ['DEMOSCHOOL']

after fix:
uid=demo_admin,cn=lehrer,cn=users,ou=DEMOSCHOOL,dc=dc-we,dc=intranet
  - is registered as admin but no member of the following groups: cn=admins-demoschool,cn=ouadmins,cn=groups,dc=dc-we,dc=intranet
I applied the suggestions from comment #4 with:

40c52e649 Bug #53139: fixup, improved printing
Fixup:

44e99bc82 Bug #53139: check if admin in wrong admins-ou group
c1fd882bd Bug #53139: fixup search missing groups by schoolRole

With the previous patch, teachers who are admins at a school but not at all schools were not handled correctly. Those are not expected to be in an admin group at every school just because their objectClass is set to "ucsschoolAdministrator".

The requirements for those are the following:
1. objectClass = ucsschoolAdministrator
2. must be admin at at least one of his schools
   2.1 must be member of cn=admin-ou
   2.2 ucsschoolRole must be the corresponding entry
3. must not be in any other cn=admin-ou group (of another school)

The correct group memberships are now derived from the ucsschoolRole. Example: school_admin:school:DEMOSCHOOL -> this admin should be member of cn=admins-demoschool

Wrong group memberships now get detected as well.
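The three requirements above, worked through as an added Python example (not the diagnostic module's own code): it derives the expected admins-<ou> groups from the school_admin:school:<ou> roles and reports missing groups, foreign admin groups and a missing role. The base DN, the sample entries, the message texts for the two extra cases and the cn=admins-<ou>,cn=ouadmins,cn=groups,<base> layout are assumptions modelled on the DNs quoted in this bug.

```python
import re

# Constructed sample base DN, not the domain from the bug report.
BASE = "dc=example,dc=test"
ROLE_RE = re.compile(r"^school_admin:school:([^:]+)$")


def admins_group_dn(school, base=BASE):
    """Lower-cased DN of the admins-<ou> group of a school (assumed layout)."""
    return ("cn=admins-%s,cn=ouadmins,cn=groups,%s" % (school, base)).lower()


def check_admin(entry, base=BASE):
    """Problems for one user entry (empty list = consistent), following the
    requirements in the comment: 1. objectClass check, 2. expected groups
    derived from school_admin:school:<ou> roles, 3. no foreign admin group."""
    problems = []
    if "ucsschoolAdministrator" not in entry.get("objectClass", []):
        return problems
    matches = [ROLE_RE.match(r) for r in entry.get("ucsschoolRole", [])]
    expected = {admins_group_dn(m.group(1), base) for m in matches if m}
    suffix = ",cn=ouadmins,cn=groups,%s" % base.lower()
    actual = {g.lower() for g in entry.get("memberOf", [])
              if g.lower().startswith("cn=admins-") and g.lower().endswith(suffix)}
    if not expected:  # requirement 2.2: at least one school_admin role is needed
        problems.append("has objectClass ucsschoolAdministrator but no school_admin role")
    missing = sorted(expected - actual)  # requirement 2.1
    if missing:
        problems.append("is registered as admin but no member of the following groups: {}".format(missing))
    wrong = sorted(actual - expected)  # requirement 3
    if wrong:
        problems.append("is member of the admin groups of other schools: {}".format(wrong))
    return problems


# Constructed sample entries shaped like the ldapsearch output in the report.
ADMIN_GROUP_ONE = "cn=admins-one,cn=ouadmins,cn=groups," + BASE
SAMPLES = {
    "consistent": {"objectClass": ["ucsschoolAdministrator", "ucsschoolTeacher"],
                   "ucsschoolRole": ["teacher:school:one", "school_admin:school:one"],
                   "memberOf": ["cn=lehrer-one,cn=groups,ou=one," + BASE, ADMIN_GROUP_ONE]},
    "missing_group": {"objectClass": ["ucsschoolAdministrator"],
                      "ucsschoolRole": ["school_admin:school:one"],
                      "memberOf": ["cn=lehrer-one,cn=groups,ou=one," + BASE]},
    "wrong_group": {"objectClass": ["ucsschoolAdministrator"],
                    "ucsschoolRole": ["school_admin:school:one"],
                    "memberOf": [ADMIN_GROUP_ONE, "cn=admins-two,cn=ouadmins,cn=groups," + BASE]},
    "plain_teacher": {"objectClass": ["ucsschoolTeacher"],
                      "ucsschoolRole": ["teacher:school:one"], "memberOf": []},
}
```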
Merged to 4.4 with:

1e644f072 Bug #53139: added advisory
ed4a1dcb3 Bug #53139: added changelog entry
63709a5d0 Bug #53139: Merge branch 'troehmey/bug53139_check_admin_accounts_output' into 4.4
89e42dd43 Bug #53139: check if admin in wrong admins-ou group
408a9c499 Bug #53139: improved output for admin group membership check

Successful build:
Package: ucs-school-umc-diagnostic
Version: 1.0.0-23A~4.4.0.202106081652
Branch: ucs_4.4-0
Scope: ucs-school-4.4
QA:
all OK
changelog OK
advisory OK
merge OK
jenkins happy
Create merge request to 5.0 with troehmey/5.0/53139_check_admin_accounts_output
https://git.knut.univention.de/univention/ucsschool/-/merge_requests/23
Errata updates for UCS@school 4.4 v9 have been released.
https://docs.software-univention.de/changelog-ucsschool-4.4v9-de.html

If this error occurs again, please clone this bug.