Bug 58652 - Access via management domain
Summary: Access via management domain
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2-3-errata
Assignee: Felix Botner
QA Contact: Florian Best
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-09-23 09:27 CEST by Felix Botner
Modified: 2025-09-30 16:41 CEST (History)
0 users

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments

Description Felix Botner univentionstaff 2025-09-23 09:27:52 CEST

    
Comment 1 Felix Botner univentionstaff 2025-09-29 11:52:39 CEST
We want to support login from a "management domain". This is an external IDP in UCS keycloak, that provides a UUID and guardian role strings to authorize this account in the context of UDM delegative administration.

- UMC OIDC supports this login
- creates a "users/federated_account" object to block the ID as univentionObjectIdentifier
- uses OIDC claim.roles for UDM authorization
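Added example, not code from UCS, UMC or this change: an offline model in plain Python of the login flow described in the comment above. It assumes (hypothetically) that the external IDP issues a JWT whose `sub` claim is the account UUID and whose `roles` claim is a list of guardian role strings, that the token is HS256-signed with a shared secret (a real deployment verifies RS256 against the IDP's JWKS; only `verify_token` changes), and that an in-memory dict stands in for the users/federated_account objects that reserve the UUID as univentionObjectIdentifier. The names `issue_token`, `verify_token`, `FederatedAccounts` and `login` are invented for the example.

```python
"""Added example (not UCS/UMC code): offline model of a "management domain"
login. An external IDP token carries a UUID subject and guardian role
strings; the relying party verifies the token, reserves the UUID as a
federated account and takes the roles from the token, not from LDAP.
All names, the shared secret and the sample claims below are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Hypothetical IDP parameters for the example (not project values).
SECRET = b"constructed-shared-secret-for-the-example"
ISSUER = "https://idp.management.example"
AUDIENCE = "umc"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """Constructed IDP side: mint an HS256 JWT so the flow runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Relying-party side: pin the algorithm, check signature, issuer,
    audience and expiry before any claim is trusted. ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer/audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


class FederatedAccounts:
    """Stand-in for the users/federated_account objects: one entry per IDP
    UUID, created on first login so the identifier is reserved in the directory
    and cannot be taken by a different object."""

    def __init__(self):
        self._by_id = {}

    def __len__(self):
        return len(self._by_id)

    def get_or_create(self, subject_uuid: str) -> dict:
        entry = self._by_id.get(subject_uuid)
        if entry is None:
            entry = {"univentionObjectIdentifier": subject_uuid,
                     "objectClass": "federatedAccount"}  # hypothetical class name
            self._by_id[subject_uuid] = entry
        return entry


def login(token: str, store: FederatedAccounts, now=None) -> dict:
    """Build the session context: the reserved identifier plus the guardian
    roles taken from the token's `roles` claim (assumed claim name)."""
    claims = verify_token(token, now)
    try:
        subject = str(uuid.UUID(claims["sub"]))  # normalise; reject non-UUID subjects
    except (KeyError, ValueError, AttributeError, TypeError):
        raise ValueError("sub is not a UUID")
    roles = claims.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) and r for r in roles):
        raise ValueError("roles claim must be a list of non-empty strings")
    entry = store.get_or_create(subject)
    return {"identifier": entry["univentionObjectIdentifier"], "roles": sorted(set(roles))}
```

The point the model makes explicit: the identifier is reserved on first login (a second login with the same `sub` does not create a second account), and the roles used for authorization are whatever the verified token says, so the signature, issuer, audience and expiry checks in `verify_token` are what protects the role assignment.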
Comment 2 Felix Botner univentionstaff 2025-09-29 11:58:00 CEST
univention-ldap.yaml
b793c30c4d4 chore(ldap): update advisory

univention-directory-manager-modules.yaml
d15e773d1d3 chore(udm): update advisory

univention-management-console-module-udm.yaml
50e86c1ab12 chore(umc-udm): update advisory

univention-management-console.yaml
a43efa64f3d chore(umc): update advisory

univention-ldap
14860be5d80 feat(ldap): LDAP schema/acl for federated account

univention-directory-manager-modules
719b121033c feat(udm-authz): get roles from connection object
d1d9c1bac7c feat(udm): new udm type users/federated_account

univention-management-console-module-udm
c5e713d2535 feat(umc-udm): get guardian roles from request

univention-management-console
8eac83fcb85 feat(umc-oidc): federated account for OIDC auth
ecaecbf2114 fix(umc-acl): get user DN from session object
Comment 3 Felix Botner univentionstaff 2025-09-29 12:26:58 CEST
univention-ldap 18.3.0
univention-directory-manager-modules 17.3.2
univention-management-console 14.3.3
univention-management-console-module-udm (12.3.1)
ucs-test (12.3.14)
Comment 4 Florian Best univentionstaff 2025-09-30 11:06:56 CEST
OK: new users/federated_account UDM module
OK~: OID for the above is registered at the Univention OID list (but it uses the blocklist prefix)
OK: authz-regexp configurable
OK: Jenkins tests
OK~: the account is created in UMC. It's a layering violation. Should be moved to keycloak provisioning.
OK~: workaround for overwriting actor roles (probably doesn't work on LDAP reconnection)
OK: performance enhancement: eliminate additional unnecessary search for users DN in ACL evaluation 
OK: leftover TODO to evaluate also roles in the UMC ACL system
OK: advisories