Univention Bugzilla – Bug 53725
[4.4] Creating users that are named like containers should be prevented
Last modified: 2021-09-15 18:08:01 CEST
Backport to UCS 4.4

+++ This bug was initially created as a clone of Bug #53102 +++

root@srv-ucsm01:~# univention-app info
UCS: 4.4-7 errata873
Installed: letsencrypt=1.2.2-8 pkgdb=11.0 prometheus-node-exporter=1.1 samba4=4.10 ucsschool=4.4 v8
Upgradable: letsencrypt ucsschool

Scenario:
A member of "Domain Admins" created a user named "lehrer" in the container "cn=users,ou=schule11,dc=schule-musterstadt,dc=de".

Observed behaviour:
UCS created the user object just fine in OpenLDAP:
uid=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de

However, there is also a container at the same level of the LDAP tree called:
cn=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de

Things start to get messy when Samba AD and the S4-Connector are involved. In AD, user object DNs don't start with "uid=" but with "cn=". So, the user object in AD would be:
CN=lehrer,CN=users,OU=schule11,DC=schule-musterstadt,DC=de

And now we have the same DN for the user object and the container object. At first, this will create an S4-Connector reject, because the S4-Connector can't add user attributes like objectSid to a container object. However, when we delete the user "lehrer", the S4-Connector will delete "CN=lehrer,CN=users,OU=schule11,DC=schule-musterstadt,DC=de", which is the container, with all its subordinate objects(!), e.g. all teacher accounts of that school.

To prevent this, I think it should not be possible to create users with the same name as existing containers (at least on the same level of the LDAP tree).
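The collision described in the report, modelled as a pre-create uniqueness check. This is an added example, not Univention's UDM or S4-Connector code: it drops the RDN attribute type (uid vs. cn) the way Samba AD does, and compares names only within the same parent position, so a user and a container at the same level map to one AD DN and are refused. The LDAP tree is constructed sample data.

```python
# Added example (not Univention's code): a pre-create check that models the
# collision described in the bug. OpenLDAP DNs such as "uid=lehrer,cn=users,..."
# are written by the S4-Connector into Samba AD as "CN=lehrer,CN=users,...",
# so a user and a container with the same name at the same tree position
# share one AD DN. The check compares names only within the parent position.

def split_dn(dn):
    """Split a simple DN (no escaped commas) into lower-cased (attr, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts

def ad_position(dn):
    """Return (name, parent) as Samba AD would see the object: the RDN attribute
    type (uid vs cn) is dropped, because AD names every object by CN."""
    parts = split_dn(dn)
    name = parts[0][1]
    parent = tuple(parts[1:])
    return name, parent

def find_name_conflict(existing_dns, new_dn):
    """Return the existing DN whose AD-style position equals that of new_dn,
    or None if the name is unique at that level. Intended as a pre-create /
    pre-rename guard so the connector never maps two objects onto one AD DN."""
    new_name, new_parent = ad_position(new_dn)
    for dn in existing_dns:
        name, parent = ad_position(dn)
        if name == new_name and parent == new_parent:
            return dn
    return None

# Constructed sample tree modelled on the report: the "lehrer" container exists.
EXISTING = [
    "cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
    "cn=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
    "uid=anna,cn=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
]

if __name__ == "__main__":
    # Same name as the container at the same position -> conflict, refuse creation.
    print(find_name_conflict(EXISTING, "uid=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de"))
    # Same name one level up -> None; uniqueness applies only per subtree position.
    print(find_name_conflict(EXISTING, "uid=lehrer,ou=schule11,dc=schule-musterstadt,dc=de"))
```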
Backported in:

univention-python.yaml
d58f6c7eef0a | YAML Bug #53725

univention-directory-manager-modules.yaml
d58f6c7eef0a | YAML Bug #53725

univention-python (12.0.1-3)
7c05f78503bd | Bug #53725: introduce _ldap_pre_rename(newdn) and _ldap_post_rename(olddn)

univention-directory-manager-modules (14.0.20-17)
d305a74fd186 | Bug #53725: make sure uniqueness applies only for DN part
85d4ebfdfd92 | Bug #53725: simplify renaming by using new _ldap_pre_rename() method
c969fc03925f | Bug #53725: users/user: cleanup move() logic
2b22953f41a7 | Bug #53725: ensure uniqueness of object names in the same subtree position
7c05f78503bd | Bug #53725: introduce _ldap_pre_rename(newdn) and _ldap_post_rename(olddn)
f2b916d005e7 | Bug #53725: always call super() methods

ucs-test (9.0.7-61)
d305a74fd186 | Bug #53725: make sure uniqueness applies only for DN part
2b22953f41a7 | Bug #53725: ensure uniqueness of object names in the same subtree position
6123f4b07e2f | Bug #53725: Tests to prevent containers and users having the same name in the same position
Fix typo that _ldap_post_dn is called with olddn instead of newdn.

univention-directory-manager-modules.yaml
7c68c3df5e17 | YAML Bug #53725

univention-directory-manager-modules (14.0.20-17)
f62525914196 | fixup! Bug #53725: introduce _ldap_pre_rename(newdn) and _ldap_post_rename(olddn)
Verified:
* Code review (diff, diff)

As communicated via chat: the fixup f625259141 is not yet in 5.0-0
<https://errata.software-univention.de/#/?erratum=4.4x1049> <https://errata.software-univention.de/#/?erratum=4.4x1050>