Univention Bugzilla – Bug 54040
A school-spanning teacher/admin can add users of only one school to workgroups of other schools
Last modified: 2022-07-15 08:31:09 CEST
root@ucs-001:~# univention-app info
UCS: 4.4-8 errata1087
Installed: admindiary-backend=1.0 admindiary-frontend=1.0 radius=5.0 self-service=4.0 self-service-backend=4.0 ucsschool=4.4 v9 ucsschool-id-connector=2.0.1 ucsschool-kelvin-rest-api=1.5.0 ucsschool-veyon-proxy=1.1
Upgradable: ucsschool-id-connector

Scenario:
- a "school teacher 1" is properly assigned to the schools "School A" and "School B"
- we have "student 2" only at "School A"
- we have "student 3" only at "School B"

=> "school teacher 1" is able to create a new workgroup at "School A" and add *both* "student 2" and "student 3" to this workgroup.

The user object of "student 3" is inconsistent afterwards:

root@ucs-001:~# univention-ldapsearch -LLL uid=student3 memberOf
dn: uid=student3,cn=schueler,cn=users,ou=SchoolB,dc=example,dc=org
memberOf: cn=Domain Users SchoolB,cn=groups,ou=SchoolB,dc=example,dc=org
memberOf: cn=SchoolB-1c,cn=klassen,cn=schueler,cn=groups,ou=SchoolB,dc=example,dc=org
memberOf: cn=schueler-SchoolB,cn=groups,ou=SchoolB,dc=example,dc=org
memberOf: cn=SchoolA-AG Georg,cn=schueler,cn=groups,ou=SchoolA,dc=example,dc=org   ## <====

I think this should only be allowed if "student 3" would *also* be properly assigned to *both* "School A" and "School B".
I also think that is not the intended behavior. Work groups should only have members of the work group's school.

In the situation of the _creation_ of a work group this is difficult for the UI: in the user-selection pop-up it has to show only users of the school that was chosen in the main window. What should happen when users have been selected and the school is changed in the main window? I guess they must all be removed. The UI doesn't know which ones are in multiple schools.

In the situation of the _modification_ of a work group this is simple: the filter in the pop-up must be fixed to the school of the work group.

I fear this "unintended" behavior is already used by customers to have (email) groups with members from different schools that can be managed by non-domain admins. Before changing this, we'd have to make sure we don't destroy those solutions or offer an alternative.
I would fix this bug for a new release (UCS@school 5.0v2) and just implement it as intended by us. After including a clear statement about the behavior change in the changelog, I would wait for complaints/feature requests regarding the unintended feature before implementing a solution for that edge case that we think solves the "problem".
After discussion with our professional service we will fix this bug for UCS@school 5.0v2 only. The milestone on the bug was changed accordingly.
MR merged (https://git.knut.univention.de/univention/ucsschool/-/merge_requests/96), package built (`ucs-school-umc-groups`: `10.0.5A~5.0.0.202206011523`) and advisory updated (https://git.knut.univention.de/univention/ucsschool/-/commit/3c5cc8ddbd343b34b7f895932d277a3224ab2715).
Created attachment 10957: No option to add users from other schools in workgroups
Tested on a fresh instance as follows:

```
echo 'deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_5.0-0-ucs-school-5.0/all/' >>/etc/apt/sources.list
echo 'deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_5.0-0-ucs-school-5.0/amd64/' >>/etc/apt/sources.list
apt update
apt install ucs-school-umc-groups=10.0.5A~5.0.0.202206011523
systemctl restart univention-management-console-server.service univention-management-console-web-server.service
```

Then from the web interface I created a user in a school and tried to add it to a workgroup in DEMOSCHOOL, and couldn't, as expected. See the attachment above.

```
root@ucs-8816:~# univention-app info
UCS: 5.0-1 errata305
Installed: cups=2.2.1 samba4=4.13 squid=3.5 ucsschool=5.0 v1 4.4/ucsschool-veyon-proxy=1.1
Upgradable:
```

LGTM.
This breaks the test 90_ucsschool.72_radius_machine_authentication.test_radius_machine_authentication in https://univention-dist-jenkins.k8s.knut.univention.de/job/UCSschool-5.0/view/School/job/Install%20Singleserver/. The test creates workgroups and wants to put computer objects in those groups. That is apparently no longer possible with this change.

/var/log/univention/management-console-module-schoolgroups.log:

08.06.22 17:26:09.120  MODULE      ( ERROR   ) : Not adding not existing user 'cn=rowew18aaw,cn=computers,ou=testou8761,dc=five,dc=new' to group: WrongObjectType('Could not find object of type None with DN "Wrong objectClass: \'cn=rowew18aaw,cn=computers,ou=testou8761,dc=five,dc=new\' is not a \'User\'.".')
Thank you Felix. Should be fixed in https://git.knut.univention.de/univention/ucsschool/-/merge_requests/115. Non-user objects should not be filtered out in _filter_users. Before these changes the tests for 90_ucsschool.72_radius_machine_authentication.test_radius_machine_authentication were not passing, since the function was removing computer objects.
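The two points made in this thread, that a workgroup may only receive users who are assigned to the workgroup's school (the earlier comment on intended behavior), and that the membership filter must pass non-user objects such as computers through untouched (the regression above), can be shown together in a small check. The following is an added illustration written for this page, not the ucs-school-umc-groups implementation or its _filter_users function. It assumes the DN layout visible in the ldapsearch output of the report (objects live under an ou= per school), that school users carry one of the objectClass values ucsschoolStudent, ucsschoolTeacher or ucsschoolStaff, and that a user's school assignments are held in a multi-valued attribute named ucsschoolSchool; all three are assumptions, and the entries in CANDIDATES are constructed sample data:

```python
"""Added example (not ucs-school-umc-groups code): school-scoped workgroup membership.

Assumptions, not stated on the bug page:
  * a workgroup's school is the first ou= component of its DN;
  * a school user is recognised by an objectClass from USER_OBJECT_CLASSES;
  * a user's school assignments live in a multi-valued attribute ucsschoolSchool.
CANDIDATES is constructed sample data modelled on the DNs in the report.
"""
from __future__ import annotations

import re

# Assumed objectClass values marking a UCS@school user (student/teacher/staff).
USER_OBJECT_CLASSES = {"ucsschoolStudent", "ucsschoolTeacher", "ucsschoolStaff"}


def dn_components(dn: str) -> list[tuple[str, str]]:
    """Split a DN on unescaped commas into (attribute, value) pairs.

    Attribute names are lower-cased; values keep their case and spaces, so
    'cn=SchoolA-AG Georg' stays intact.
    """
    comps = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        comps.append((attr.strip().lower(), value.strip()))
    return comps


def school_of_dn(dn: str) -> str | None:
    """Return the school OU (lower-cased) the object lives in, or None."""
    for attr, value in dn_components(dn):
        if attr == "ou":
            return value.lower()
    return None


def is_user(entry: dict) -> bool:
    """True if the entry is a school user according to its objectClass."""
    return bool(USER_OBJECT_CLASSES & set(entry.get("objectClass", [])))


def filter_members(group_dn: str, candidates: list[dict], pass_non_users: bool = True):
    """Return (accepted, rejected) DNs for adding `candidates` to a workgroup.

    A user is accepted only if the workgroup's school is one of the user's
    assigned schools, so a teacher with rights in School A and School B cannot
    pull a School-B-only student into a School A workgroup, while a user who
    is assigned to both schools is allowed.  Non-user objects (e.g. computers)
    are passed through when pass_non_users is True; with False the function
    reproduces the regression described in the thread, where computer objects
    were dropped because they are not a 'User'.
    """
    school = school_of_dn(group_dn)
    if school is None:
        raise ValueError(f"workgroup DN has no ou= component: {group_dn}")
    accepted, rejected = [], []
    for entry in candidates:
        if not is_user(entry):
            (accepted if pass_non_users else rejected).append(entry["dn"])
            continue
        user_schools = {s.lower() for s in entry.get("ucsschoolSchool", [])}
        (accepted if school in user_schools else rejected).append(entry["dn"])
    return accepted, rejected


# Workgroup from the report: lives in School A.
WORKGROUP_DN = "cn=SchoolA-AG Georg,cn=schueler,cn=groups,ou=SchoolA,dc=example,dc=org"

# Constructed candidate entries (DNs modelled on the report; attributes assumed).
CANDIDATES = [
    {"dn": "uid=student2,cn=schueler,cn=users,ou=SchoolA,dc=example,dc=org",
     "objectClass": ["ucsschoolStudent"], "ucsschoolSchool": ["SchoolA"]},
    {"dn": "uid=student3,cn=schueler,cn=users,ou=SchoolB,dc=example,dc=org",
     "objectClass": ["ucsschoolStudent"], "ucsschoolSchool": ["SchoolB"]},
    {"dn": "uid=teacher1,cn=lehrer,cn=users,ou=SchoolA,dc=example,dc=org",
     "objectClass": ["ucsschoolTeacher"], "ucsschoolSchool": ["SchoolA", "SchoolB"]},
    {"dn": "cn=pc01,cn=computers,ou=SchoolA,dc=example,dc=org",
     "objectClass": ["univentionHost"]},
]

if __name__ == "__main__":
    ok, denied = filter_members(WORKGROUP_DN, CANDIDATES)
    print("accepted:", *ok, sep="\n  ")
    print("rejected:", *denied, sep="\n  ")
```

Running the block accepts student2, teacher1 (assigned to both schools) and the computer object, and rejects only student3, which is exactly the membership the report says should not have been possible. The check deliberately keys on the user's school assignments rather than on the OU of the user's DN, because a user assigned to several schools still has a single DN under one OU.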
MR merged (https://git.knut.univention.de/univention/ucsschool/-/merge_requests/116), package built (`ucs-school-umc-groups`: `10.0.6A~5.0.0.202206140836` and `ucs-test-ucsschool`: `7.3.50A~5.0.0.202206140837`) and advisory updated (https://git.knut.univention.de/univention/ucsschool/-/commit/9788801cbba3b201700687c529c544d6fd917dfd).
The pipeline test that was failing is now passing.

old (failing): https://univention-dist-jenkins.k8s.knut.univention.de/job/UCSschool-5.0/view/School/job/Install%20Singleserver/82/Config=s4-all-components,TestGroup=base1,UCSRelease=public/testReport/90_ucsschool/72_radius_machine_authentication/test_radius_machine_authentication/

latest (passing): https://univention-dist-jenkins.k8s.knut.univention.de/job/UCSschool-5.0/view/School/job/Install%20Singleserver/84/Config=s4-all-components,TestGroup=base1,UCSRelease=public/testReport/90_ucsschool/72_radius_machine_authentication/test_radius_machine_authentication/
OK, setting bug to verified. Changelog, advisory and Jenkins OK.
UCS@school 5.0 v2 has been released. https://docs.software-univention.de/changelog-ucsschool-5.0v2-de.html If this error occurs again, please clone this bug.