Univention Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | Adjust UCS@school LDAP ACLs |
| Product | UCS@school |
| Component | LDAP |
| Status | CLOSED FIXED |
| Severity | normal |
| Priority | P5 |
| Version | UCS@school 4.1 |
| Target Milestone | UCS@school 4.1 R2 |
| Hardware | Other |
| OS | Linux |
| Reporter | Florian Best <best> |
| Assignee | Florian Best <best> |
| QA Contact | Sönke Schwardt-Krummrich <schwardt> |
| CC | ebersbach, schwardt |
| See Also | https://forge.univention.org/bugzilla/show_bug.cgi?id=41402, https://forge.univention.org/bugzilla/show_bug.cgi?id=49764 |
| What kind of report is it? | --- |
| What type of bug is this? | --- |
| Who will be affected by this bug? | --- |
| How will those affected feel about the bug? | --- |
| User Pain | |
| Enterprise Customer affected? | |
| School Customer affected? | |
| ISV affected? | |
| Waiting Support | |
| Flags outvoted (downgraded) after PO Review | |
| Ticket number | |
| Bug group (optional) | |
| Max CVSS v3 score | |
| Bug Depends on | |
| Bug Blocks | 49827, 41116, 41720, 42065, 43042 |
Description

Florian Best, 2016-04-25 17:03:09 CEST

We should also make sure that this has no side effects, as only a part of the OU structure is replicated. This might lead to noObject exceptions when trying to use the ucsschool-lib for some objects in a not completely replicated OU.

In point 1. only the containers, not the contents, should be readable!

4. The ACLs must allow access to cn=groups,$OU with scope=one to be able to resolve the (primary) groups of all users on the DC Slave.

A closer look at svn r69292 should be done. All changes there should be documented.

(In reply to Florian Best from comment #4)
> A closer look at svn r69292 should be done. All changes there should be
> documented.

Please add them to the YAML file.

In svn r69291 I added a script ldap_acl_dump.py which writes an LDIF for every object it finds, containing the permissions for each attribute. E.g.:

```ldif
dn: ou=oldschool,dc=school,dc=local
displayName: =rscxd
objectClass: =rscxd
ou: =rscxd
ucsschoolClassShareFileServer: =rscxd
ucsschoolHomeShareFileServer: =rscxd
univentionObjectType: =rscxd
univentionPolicyReference: =rscxd
```

*** Bug 25869 has been marked as a duplicate of this bug. ***

The ACLs have been adjusted. cn=users, cn=examuser and cn=groups underneath a UCS@school OU are replicated to all DC Slaves. School DCs as well as school users can read every object belonging to one of their own schools.
ucs-school-ldap-acls-master (14.0.1-1):

- r69691 | Bug #41115: whitespace cleanup
- r69690 | Bug #41115: prevent read access to every object by all school objects
- r69564 | Bug #41115: revert regression which caused failed.ldif during join
- r69322 | Bug #41115: adjust LDAP ACL for new school structure
- r69292 | Bug #41115: adjust broken/untidy ACL rules
- r69291 | Bug #41115: adjust LDAP ACL for new school structure
- r69265 | Bug #41115: adjust LDAP ACL for new school structure
- r69247 | Bug #41115: simplify ACL logic, this seems to be unnecessary
- r69246 | Bug #41115: adjust LDAP ACL for new school structure
- r69245 | Bug #41115: remove unneeded rules
- r69130 | Bug #41115: adjust LDAP ACL for new school structure
- r69129 | Bug #41115: adjust LDAP ACL for new school structure
- r69089 | Bug #41115: adjust LDAP ACL for new school structure
- r69088 | Bug #41115: preserve permissions instead of dropping them
- r69087 | Bug #41115: revert last commit
- r68899 | Bug #41115: start LDAP ACL adjustment to use ucsschoolSchool attribute

Bug 41720 has been opened for a minor/medium issue. Everything else looked ok during manual comparison. See Bug 41116.

UCS@school 4.1 R2 has been released: http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf

If this error occurs again, please use "Clone This Bug".
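The QA step above was a manual comparison of per-attribute permission dumps. The following is an added example (not code from the bug or from ucs-school-ldap-acls-master) that parses dumps in the format shown in the thread and diffs two of them, so a change such as "prevent read access to every object by all school objects" can be verified mechanically. It assumes the dump format is LDIF-style records separated by blank lines, each a `dn:` line followed by `attribute: =<letters>` lines using OpenLDAP's privilege letters (d, x, c, s, r, w, m; `=0` for none); the sample dumps, DNs and the `parse_dump`/`diff_dumps`/`readable_dns` names are constructed for this example.

```python
def parse_dump(text):
    """Parse dump text into {dn: {attribute: frozenset(privilege letters)}}."""
    entries, dn, attrs = {}, None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:  # a blank line terminates an LDIF record
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            dn = value
        elif value.startswith("="):
            # '=rscxd' -> {'r','s','c','x','d'}; OpenLDAP writes '=0' for 'none'
            attrs[key] = frozenset(value[1:]) - {"0"}
    if dn is not None:  # last record may lack a trailing blank line
        entries[dn] = attrs
    return entries

def readable_dns(dump):
    """DNs on which the bound identity can read at least one attribute."""
    return sorted(dn for dn, attrs in dump.items()
                  if any("r" in p for p in attrs.values()))

def diff_dumps(before, after):
    """Return (dn, attribute, lost, gained) for every privilege change."""
    changes = []
    for dn in sorted(set(before) | set(after)):
        old, new = before.get(dn, {}), after.get(dn, {})
        for attr in sorted(set(old) | set(new)):
            o, n = old.get(attr, frozenset()), new.get(attr, frozenset())
            if o != n:
                changes.append((dn, attr, "".join(sorted(o - n)), "".join(sorted(n - o))))
    return changes

# Constructed sample dumps for one bound identity, a user of ou=school1:
# before the ACL change it could read a user object of a different school.
BEFORE = """\
dn: ou=school1,dc=school,dc=local
ou: =rscxd

dn: uid=alice,cn=users,ou=school2,dc=school,dc=local
uid: =rscxd
"""
AFTER = BEFORE.replace("uid: =rscxd", "uid: =0")  # other school's user no longer readable

if __name__ == "__main__":
    for change in diff_dumps(parse_dump(BEFORE), parse_dump(AFTER)):
        print("%s %s: lost=%r gained=%r" % change)
```

Run against real dumps taken before and after an ACL package update, an empty diff means the change touched nothing unintended, and every reported `gained` read on a DN outside the bound identity's own school is a finding to review.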