Univention Bugzilla – Full Text Bug Listing
Summary: | add "monitor" backend for statistical information | ||
---|---|---|---|
Product: | UCS | Reporter: | Ingo Steuwer <steuwer> |
Component: | LDAP | Assignee: | Julia Bremer <bremer> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | enhancement | ||
Priority: | P5 | CC: | best, bremer, brodersen, damrose, gohmann, requate |
Version: | UCS 4.3 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 4.3-3-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | https://www.openldap.org/doc/admin24/monitoringslapd.html#Accessing%20Monitoring%20Information | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=15757 | ||
What kind of report is it?: | Feature Request | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | Yes |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | |
Max CVSS v3 score: | | | |
Description
Ingo Steuwer
2016-05-06 15:53:56 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".

There is a patch against univention-ldap in a customer scope to make this configurable.

Ok the addition for univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database looks something like this:

    # UCR template fragment (Python 2): emits the cn=monitor database and its ACL
    # only when the UCR variable ldap/monitor is set to a true value.
    if configRegistry.is_true('ldap/monitor', False):
        print "database\tmonitor"
        print ''
        print 'access to dn.subtree="cn=monitor"'
        print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry
        print '\tby group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,%(ldap/base)s" read' % configRegistry
        print '\tby * none stop'
        print ''

(In reply to Arvid Requate from comment #3)
> if configRegistry.is_true('ldap/monitor', False):
>
>     print "database\tmonitor"
>     print ''
>     print 'access to dn.subtree="cn=monitor"'
>     print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry

Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?

>     print '\tby group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,%(ldap/base)s" read' % configRegistry
>     print '\tby * none stop'

Shouldn't this be better: "by * +0 break"? (Not sure, but otherwise it doesn't look very extensible.)

> Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?

Only if you explicitly specify this with the "rootdn" directive per database. See also Bug #32015.

> Shouldn't this be better: "by * +0 break"? (Not sure, but otherwise it doesn't look very extensible.)

May be a good idea, could you discuss the details / implications with Julia? She's put the cn=monitor config into a separate subfile, so you are right, a project could extend the ACLs for this.

(In reply to Arvid Requate from comment #5)
> > Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?
>
> Only if you explicitly specify this with the "rootdn" directive per database. See also Bug #32015.

Okay :-)

> > Shouldn't this be better: "by * +0 break"? (Not sure, but otherwise it doesn't look very extensible.)
>
> May be a good idea, could you discuss the details / implications with Julia? She's put the cn=monitor config into a separate subfile, so you are right, a project could extend the ACLs for this.

Okay, we discussed it and came to the conclusion that it would be best to use the "+0 break" style. If no other ACL is defined, everyone except cn=admin and Domain Admins doesn't have read/write/etc. permissions.

b05893915d Bug #41213: yaml
fdcf18ee12 Bug #41213: Changed access to cn=monitor
f8264071d0 Bug #41213: YAML
faea5054f9 Bug #41213: cn=monitor

Successful build
Package: univention-ldap
Version: 14.0.2-43A~4.3.0.201902201212
Branch: ucs_4.3-0
Scope: errata4.3-3
User: jbremer

40a14ff80c Bug #41213: Merge branch 'jbremer/bug41213' into 4.4-0

Ok, this works. I've adjusted the Advisory a bit:
d311faf156 | Advisory wording

Ah, could you please also add a description for the variable to debian/univention-ldap-server.univention-config-registry-variables?

fc203e1458 Bug #41213: Merge branch 'jbremer/bug41213' into 4.3-3
aad4d04f2a Bug #41213: yaml
9f0b54ca6d Bug #41213: Custom groupname for domain-admins and variable description

Successful build
Package: univention-ldap
Version: 14.0.2-44A~4.3.0.201902211216
Branch: ucs_4.3-0
Scope: errata4.3-3

Ok, works, I adjusted the wording a bit to match my taste.
264b486492 | Adjust variable description wording for ldap/monitor (4.3-3)
d751e133c1 | Advisory version update
a540b92a33 | Adjust variable description wording for ldap/monitor (4.4-0)

Anyone interested in the details of cn=monitor may check the link in the URL field of this bug.
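The "by * none stop" versus "by * +0 break" question settled in the thread can be made concrete with a small model of slapd ACL evaluation. This is an added example, not Univention's template and not OpenLDAP code. It implements only the subset of slapd.access(5) semantics the ACL above uses (dn.subtree targets; dn.base, group and "*" subjects; absolute access levels, the "+0" increment and the stop/break controls), and it goes one step beyond the page by appending a second access directive for a hypothetical project group, cn=Monitor Readers, to show why "+0 break" is the extensible choice. The base DN, the group membership and every principal are constructed; rootdn handling (which the thread notes is per database) is deliberately left out, so cn=admin is just another DN here.

```python
"""Simplified model of slapd ACL evaluation for the cn=monitor directive.

Added example, not Univention or OpenLDAP code. Modelled subset of
slapd.access(5): dn.subtree <what>; "*", dn.base=<dn> and group=<dn> <who>;
absolute level names, the "+0" increment; the stop and break controls.
An access directive whose <what> matches but whose <by> clauses all fail
denies (slapd's implicit "by * none"). With "break" the accumulated level
is carried into the next access directive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6, "manage": 7}
NAMES = {v: k for k, v in LEVELS.items()}

BASE = "dc=example,dc=com"                                  # constructed
ADMIN = f"cn=admin,{BASE}"
DOMAIN_ADMINS = f"cn=Domain Admins,cn=groups,{BASE}"
MONITOR_READERS = f"cn=Monitor Readers,cn=groups,{BASE}"    # hypothetical project group

# Constructed stand-in for the uniqueMember lookups a group/... clause performs.
GROUPS: Dict[str, set] = {
    DOMAIN_ADMINS: {f"uid=Administrator,cn=users,{BASE}"},
    MONITOR_READERS: {f"uid=ops,cn=users,{BASE}"},
}


@dataclass
class By:
    who: str               # "*", "dn.base=<dn>" or "group=<group dn>"
    access: str            # level name such as "read"/"none", or "+0"
    control: str = "stop"  # "stop" (slapd default) or "break"


@dataclass
class Access:
    subtree: str           # dn.subtree="<dn>"
    by: List[By]


def who_matches(who: str, principal: Optional[str]) -> bool:
    """principal is a DN, or None for an anonymous bind."""
    if who == "*":
        return True
    kind, _, value = who.partition("=")
    if kind == "dn.base":
        return principal == value
    if kind == "group":
        return principal is not None and principal in GROUPS.get(value, set())
    raise ValueError(f"unsupported <who> form: {who}")


def in_subtree(dn: str, suffix: str) -> bool:
    return dn == suffix or dn.endswith("," + suffix)


def evaluate(acls: List[Access], target: str, principal: Optional[str]) -> str:
    """Return the access level name `principal` gets on `target`."""
    level = 0
    for acl in acls:
        if not in_subtree(target, acl.subtree):
            continue
        clause = next((c for c in acl.by if who_matches(c.who, principal)), None)
        if clause is None:
            return "none"                        # implicit "by * none" for this directive
        if clause.access in LEVELS:
            level = LEVELS[clause.access]        # absolute form replaces the level
        elif clause.access == "+0":
            pass                                 # incremental form: adds nothing
        else:
            raise ValueError(f"unsupported <access> form: {clause.access}")
        if clause.control == "stop":
            return NAMES[level]
        if clause.control != "break":
            raise ValueError(f"unsupported control: {clause.control}")
        # "break": carry `level` on to the next access directive
    return NAMES[level]


def ucs_monitor_acl(fallthrough: By) -> Access:
    """The directive from the thread, with the last <by> clause supplied by the caller."""
    return Access("cn=monitor", [By(f"dn.base={ADMIN}", "read"),
                                 By(f"group={DOMAIN_ADMINS}", "read"),
                                 fallthrough])


# Hypothetical project-specific directive appended after the UCS one.
PROJECT_EXTENSION = Access("cn=monitor", [By(f"group={MONITOR_READERS}", "read")])


def compare(target: str = "cn=monitor") -> Dict[str, Dict[str, str]]:
    """Access each principal gets under both variants, each followed by the project extension."""
    variants = {
        "none stop": [ucs_monitor_acl(By("*", "none", "stop")), PROJECT_EXTENSION],
        "+0 break": [ucs_monitor_acl(By("*", "+0", "break")), PROJECT_EXTENSION],
    }
    principals = {"cn=admin": ADMIN,
                  "Administrator": f"uid=Administrator,cn=users,{BASE}",
                  "ops": f"uid=ops,cn=users,{BASE}",
                  "anonymous": None}
    return {name: {p: evaluate(acls, target, dn) for p, dn in principals.items()}
            for name, acls in variants.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10} {result}")
```

Under "none stop" the ops user is denied even though a later directive would grant read, because evaluation ends at the UCS directive; under "+0 break" the same user gets read from the project directive while anonymous stays at none, which is the extensibility the thread settled on. On a real UCS host the equivalent check is an `ldapsearch -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -b cn=monitor -s base` run as different bind DNs and compared.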