Bug 41213
| Summary: | add "monitor" backend for statistical information | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Ingo Steuwer <steuwer> |
| Component: | LDAP | Assignee: | Julia Bremer <bremer> |
| Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
| Severity: | enhancement | ||
| Priority: | P5 | CC: | best, bremer, brodersen, damrose, gohmann, requate |
| Version: | UCS 4.3 | Flags: | requate:
Patch_Available+
|
| Target Milestone: | UCS 4.3-3-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| URL: | https://www.openldap.org/doc/admin24/monitoringslapd.html#Accessing%20Monitoring%20Information | ||
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=15757 | ||
| What kind of report is it?: | Feature Request | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | Yes | |
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
|
Description
Ingo Steuwer
There is a Customer ID set so I set the flag "Enterprise Customer affected". There is a patch against univention-ldap in a customer scope to make this configurable. Ok the addition for
univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database
looks something like this:
if configRegistry.is_true('ldap/monitor', False):
print "database\tmonitor"
print ''
print 'access to dn.subtree="cn=monitor"'
print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry
print '\tby group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,%(ldap/base)s" read' % configRegistry
print '\tby * none stop'
print ''
(In reply to Arvid Requate from comment #3) > if configRegistry.is_true('ldap/monitor', False): > > print "database\tmonitor" > print '' > print 'access to dn.subtree="cn=monitor"' > print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database? > print '\tby group/univentionGroup/uniqueMember="cn=Domain > Admins,cn=groups,%(ldap/base)s" read' % configRegistry > print '\tby * none stop' Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible). > Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database? Only if you explicitly specify this with the "rootdn" directive per database. See also Bug #32015. > Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible). May be a good idea, could you discuss the details / implications with Julia? She's put the cn=monitor config into a separate subfile, so you are right, a project could extend the ACLs for this. (In reply to Arvid Requate from comment #5) > > Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database? > > Only if you explicitly specify this with the "rootdn" directive per database. > See also Bug #32015. Okay :-) > > Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible). > > May be a good idea, could you discuss the details / implications with Julia? > She's put the cn=monitor config into a separate subfile, so you are right, a > project could extend the ACLs for this. Okay, we discussed it and came to the conclusion that it would be best to use the "+0 break" style. If no other ACL is defined everyone except cn=admin and Domain Admins doesn't have read/write/etc. permissions. b05893915d Bug #41213: yaml fdcf18ee12 Bug #41213: Changed access to cn=monitor f8264071d0 Bug #41213: YAML faea5054f9 Bug #41213: cn=monitor Successful build Package: univention-ldap Version: 14.0.2-43A~4.3.0.201902201212 Branch: ucs_4.3-0 Scope: errata4.3-3 User: jbremer 40a14ff80c Bug #41213: Merge branch 'jbremer/bug41213' into 4.4-0 Ok, this works. I've adjusted the Advisory a bit: d311faf156 | Advsiory wording Ah, could you please also add a description for the variable to debian/univention-ldap-server.univention-config-registry-variables ? fc203e1458 Bug #41213: Merge branch 'jbremer/bug41213' into 4.3-3 aad4d04f2a Bug #41213: yaml 9f0b54ca6d Bug #41213: Custom groupname for domain-admins and variable description Successful build Package: univention-ldap Version: 14.0.2-44A~4.3.0.201902211216 Branch: ucs_4.3-0 Scope: errata4.3-3 Ok, works, I adjusted the wording a bit to match my taste. 264b486492 | Adjust variable description wording for ldap/monitor (4.3-3) d751e133c1 | Advisory version update a540b92a33 | Adjust variable description wording for ldap/monitor (4.4-0) Anyone interested in the details of cn=monitor may check the link in the URL field of this bug. |