Bug 55159 - Diagnostic module complains about univention-fetchmail ACLs
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 5.0
Other Linux
P5 normal
UCS 5.0-2-errata
Assigned To: Mika Westphal
Florian Best
https://git.knut.univention.de/univen...
Reported: 2022-09-01 18:13 CEST by Sönke Schwardt-Krummrich
Modified: 2022-09-13 17:50 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Bug group (optional): bitesize
Description Sönke Schwardt-Krummrich univentionstaff 2022-09-01 18:13:32 CEST
access to attrs=univentionFetchmailPasswd
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=my_domain,dc=intranet" write
    by set="user/univentionService & [Fetchmail]" write
    by dn.base="cn=admin,dc=my_domain,dc=intranet" write
    by * +0 stop

results in

62615877 /etc/ldap/slapd.conf: line 175: rootdn is always granted unlimited privileges.

The second but last line is the culprit and superfluous:
    by dn.base="cn=admin,dc=my_domain,dc=intranet" write

This error message is also shown by the diagnostics module for the LDAP ACL.

We can simply remove the corresponding line.
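
An offline check for the situation described above, as an added example (not part of this bug report and not Univention's diagnostic module): it scans slapd.conf text for `by dn.base=` / `dn.exact=` clauses that name the configured rootdn. The `rootdn` line in the sample is constructed, the function names are hypothetical, and DN comparison is a simple case-insensitive string match covering exact-match styles only.

```python
import re

# Explicit exact-match styles only; regex and subtree styles are out of scope.
BY_DN = re.compile(r'\bby\s+dn\.(?:base|baseobject|exact)\s*=\s*"([^"]*)"', re.I)
ROOTDN = re.compile(r'^rootdn\s+"?([^"]+?)"?\s*$', re.I)

def norm_dn(dn):
    """Crude DN normalisation: lower-case, no spaces around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def directives(text):
    """Group lines into directives; a leading-whitespace line continues the previous one."""
    group = []
    for no, line in enumerate(text.splitlines(), 1):
        if group and line[:1] in (" ", "\t"):
            group.append((no, line))
            continue
        if group:
            yield group
        group = [(no, line)]
    if group:
        yield group

def redundant_rootdn_clauses(conf_text):
    """Return [(line_no, clause)] for ACL 'by' clauses that name a rootdn."""
    groups = list(directives(conf_text))
    # Assumption: every rootdn in the file is treated alike (no per-database scoping).
    rootdns = {norm_dn(m.group(1)) for g in groups
               if (m := ROOTDN.match(g[0][1].strip()))}
    findings = []
    for g in groups:
        if not g[0][1].lower().startswith("access"):
            continue
        for no, line in g:
            for m in BY_DN.finditer(line):
                if norm_dn(m.group(1)) in rootdns:
                    findings.append((no, line.strip()))
    return findings

# Constructed sample: the ACL from this report plus an assumed rootdn line.
SAMPLE = '''\
rootdn "cn=admin,dc=my_domain,dc=intranet"
access to attrs=univentionFetchmailPasswd
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=my_domain,dc=intranet" write
    by set="user/univentionService & [Fetchmail]" write
    by dn.base="cn=admin,dc=my_domain,dc=intranet" write
    by * +0 stop
'''
```

Calling `redundant_rootdn_clauses(SAMPLE)` reports the `by dn.base=` clause on line 5 of the sample; with that line removed the result is empty.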
Comment 2 Mika Westphal univentionstaff 2022-09-09 09:55:15 CEST
univention-fetchmail (13.0.1-4)
01563e7349fb | Bug #55159: remove unnecessary LDAP ACL for cn=admin which always have all access rights
Comment 3 Florian Best univentionstaff 2022-09-09 10:10:02 CEST
OK: fixed for new installations
~OK: we can't touch the joinscript version, so it doesn't apply for upgrades but can be achieved manually via:
univention-run-join-scripts --run-scripts --force 92univention-fetchmail-schema
OK: `univention-run-diagnostic-checks -t 62_check_slapschema` doesn't show a warning anymore
OK: YAML