Bug 39901

Summary: squid allows basic auth for deactivated accounts
Product: UCS
Reporter: Jürn Brodersen <brodersen>
Component: Squid
Assignee: Daniel Tröder <troeder>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: best, gohmann, klaeser, walkenhorst
Version: UCS 4.1
Target Milestone: UCS 4.1-0-errata
Hardware: Other
OS: Linux

Description Jürn Brodersen univentionstaff 2015-11-12 11:44:44 CET
Squid allows basic auth for deactivated accounts.
Only after also locking all login methods does Squid refuse the login.

See also:
https://hutten.knut.univention.de/mediawiki/index.php/Produkttests_UCS_4.1_Apache_%26_Squid#Passwort-Auswertung_am_Proxy

Comment 1 Daniel Tröder univentionstaff 2015-11-26 18:08:38 CET
The LDAP query now checks for disabled POSIX and Kerberos accounts.

code: 65965
yaml: 65967 univention-squid.yaml

Comment 2 Felix Botner univentionstaff 2015-12-07 13:23:57 CET
OK - univention-squid (if posix or kerberos is disabled for a user, that
     user can no longer use squid basic auth)
OK - YAML

Comment 3 Janek Walkenhorst univentionstaff 2015-12-09 16:46:21 CET
<http://errata.software-univention.de/ucs/4.1/25.html>