Univention Bugzilla – Bug 53517
S4C: Creating users that are named like containers should be prevented
Last modified: 2022-09-16 13:49:38 CEST
We should investigate if we want to prevent this situation explicitly in the S4-Connector.

+++ This bug was initially created as a clone of Bug #53102 +++

root@srv-ucsm01:~# univention-app info
UCS: 4.4-7 errata873
Installed: letsencrypt=1.2.2-8 pkgdb=11.0 prometheus-node-exporter=1.1 samba4=4.10 ucsschool=4.4 v8
Upgradable: letsencrypt ucsschool

Scenario:
A member of "Domain Admins" created a user named "lehrer" in the container "cn=users,ou=schule11,dc=schule-musterstadt,dc=de".

Observed behaviour:
UCS created the user object just fine in OpenLDAP:
uid=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de

However, there is also a container at the same level of the LDAP tree called:
cn=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de

Things start to get messy when Samba AD and the S4-Connector are involved. In AD, user object DNs don't start with "uid=" but with "cn=". So, the user object in AD would be:
CN=lehrer,CN=users,OU=schule11,DC=schule-musterstadt,DC=de

And now we have the same DN for the user object and the container object. At first, this will create an S4-Connector reject, because the S4-Connector can't add user attributes like objectSid to a container object. However, when we delete the user "lehrer", the S4-Connector will delete "CN=lehrer,CN=users,OU=schule11,DC=schule-musterstadt,DC=de", which is the container, with all its subordinate objects(!), e.g. all teacher accounts of that school.

To prevent this, I think it should not be possible to create users with the same name as existing containers (at least on the same level of the LDAP tree).
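As an added illustration (not code from Univention, the S4-Connector, or this report), the following pre-creation check maps the intended OpenLDAP user DN to the cn=-based DN the S4-Connector would write to Samba AD and looks for an existing object that already owns that DN. The sample DNs are constructed from the scenario above; split_dn is a simplified hypothetical helper that ignores escaped commas.

```python
"""Detect the OpenLDAP -> Samba AD DN collision described in the report
before the user object is created (constructed example)."""

# Constructed sample of objects already present in OpenLDAP at the
# school's "cn=users" level: one container and one ordinary user.
EXISTING_DNS = [
    "cn=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
    "uid=mmuster,cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
    "cn=schueler,cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
]


def split_dn(dn):
    """Split a DN into (attribute, value) RDN tuples.

    Simplified helper: assumes no escaped commas or multi-valued RDNs.
    """
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


def to_ad_dn(dn):
    """Return the normalized DN the S4-Connector would use in Samba AD.

    AD names user objects with cn= instead of uid=, and DN matching in
    both directories is case-insensitive, so everything is lower-cased.
    """
    rdns = split_dn(dn)
    attr, value = rdns[0]
    if attr.lower() == "uid":
        attr = "cn"
    mapped = [(attr, value)] + rdns[1:]
    return ",".join(f"{a.lower()}={v.lower()}" for a, v in mapped)


def find_ad_collision(new_user_dn, existing_dns):
    """Return the existing DN whose AD form equals that of new_user_dn.

    None means the user can be created without colliding in AD. A
    creation hook would refuse the new user when this returns a DN.
    """
    target = to_ad_dn(new_user_dn)
    for dn in existing_dns:
        if to_ad_dn(dn) == target:
            return dn
    return None


if __name__ == "__main__":
    wanted = "uid=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de"
    print(find_ad_collision(wanted, EXISTING_DNS))
```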