Bug 35423

Summary: Policies with requiredObjectClasses or prohibitedObjectClasses are not inherited correctly
Product: UCS Reporter: Dmitry Galkin <galkin>
Component: UMC - PoliciesAssignee: UMC maintainers <umc-maintainers>
Status: RESOLVED WORKSFORME QA Contact:
Severity: normal    
Priority: P5 CC: best, galkin, gohmann, hahn
Version: UCS 3.2   
Target Milestone: UCS 3.2-x   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=38712
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:
Bug Depends on:    
Bug Blocks: 35314    
Attachments: 'user 3' inherited password policy from the 'intermediate container'
'user 3' is not a samba user
policy of the intermediate container
'intermediate container policy' advanced settings

Description Dmitry Galkin univentionstaff 2014-07-21 12:03:28 CEST 
While writing a test for non-UCR policies (Bug #35314), noticed that policies with required or excluded object class are not inherited. For instance in the following structure:

Ldap/base:
  |--- Base Container (with own 'base container policy')
        |--- Intermediate container (with own 'intermediate container policy')
              |--- User 1 (No samba, but with own 'user policy')
              |--- User 2 (With samba, but no own user policy)
              |--- User 3 (No samba and no own user policy)


When intermediate container policy has the {'requiredObjectClasses': ["sambaSamAccount"]} setting, the 'User 3' should have the base container policy winning, since it is not a samba user and thus intermediate container policy should not be applied.

When checking 'User 3' policy via univention-policy-result tool the result is correct (i.e. 'User 3' has base container policy settings): root@backup11:~# univention-policy-result -D uid=Administrator,cn=users,dc=dgalkin,dc=dev -w univention -s uid=umc_test_user_bb5kgngvha,cn=intermediate_test_container,cn=base_test_container,dc=dgalkin,dc=dev

...
univentionPWHistoryLen="5"
univentionPWLength="5"


However, in the UMC same attributes are:
...
univentionPWHistoryLen="4"
univentionPWLength=""

(Those are the attributes inherited from the intermediate container policy)
Comment 1 Dmitry Galkin univentionstaff 2014-07-21 12:05:09 CEST 
Created attachment 6005 [details]
'user 3' inherited password policy from the 'intermediate container'
Comment 2 Dmitry Galkin univentionstaff 2014-07-21 12:05:43 CEST 
Created attachment 6006 [details]
'user 3' is not a samba user
Comment 3 Dmitry Galkin univentionstaff 2014-07-21 12:06:19 CEST 
Created attachment 6007 [details]
policy of the intermediate container
Comment 4 Dmitry Galkin univentionstaff 2014-07-21 12:07:38 CEST 
Created attachment 6008 [details]
'intermediate container policy' advanced settings
Comment 5 Philipp Hahn univentionstaff 2015-06-18 10:56:10 CEST 
Probably a duplicate of Bug #38712.
Need to check:
 after Bug #35423 is resolved, line 299 in the test should be uncommented
Comment 6 Florian Best univentionstaff 2017-04-24 16:57:02 CEST 
(In reply to Philipp Hahn from comment #5)
> Probably a duplicate of Bug #38712.
> Need to check:
>  after Bug #35423 is resolved, line 299 in the test should be uncommented
which test case?
Comment 7 Philipp Hahn univentionstaff 2017-04-25 08:39:05 CEST 
(In reply to Florian Best from comment #6)
> (In reply to Philipp Hahn from comment #5)
> > Probably a duplicate of Bug #38712.
> > Need to check:
> >  after Bug #35423 is resolved, line 299 in the test should be uncommented
> which test case?

$ git grep -n -A2 35423 -- test/ucs-test/tests/ 
test/ucs-test/tests/60_umc/06_udm_non_ucr_policies:213:         # Check commented due to Bug #35423,
test/ucs-test/tests/60_umc/06_udm_non_ucr_policies-214-         # should be uncommented after bug is resolved:
test/ucs-test/tests/60_umc/06_udm_non_ucr_policies-215-         #self.check_policies('5', '5', self.test_user_dn)
Comment 8 Florian Best univentionstaff 2017-05-02 17:43:00 CEST 
I reenabled the test:

ucs-test (7.0.21-15):
r78977 | Bug #35423: the underlying issue seems to be fixed