Bug 41402

Summary: enhance LDAP ACL
Product: UCS
Component: LDAP
Version: UCS 4.1
Reporter: Florian Best <best>
Assignee: UCS maintainers <ucs-maintainers>
CC: requate
Status: RESOLVED DUPLICATE
Severity: normal
Priority: P5
Flags: best: Patch_Available+
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=41115

Description Florian Best univentionstaff 2016-06-01 12:19:07 CEST
60univention-ldap-server_acl-master defines the following LDAP ACL:

access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=school,dc=local" write
    by * read break

There is no explanation why the rule exists. The rule makes it hard for further rules to make adjustments as the rule must be reverted individually.
Would it be okay to change the rule to end with:
    by * +0 break

The read permissions will implicitly be given back at the very bottom of 70univention-ldap-server_acl-master-end. We could also add another explicit rule to the bottom.
Comment 1 Florian Best univentionstaff 2016-06-01 12:33:49 CEST
In UCS@school we define the following rule to prevent this (Bug #41115):

# revert rule from UCS; Bug #41402
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
    by dn.sub="cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
    by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
    by * +0 break
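A toy evaluator for the slapd ACL semantics discussed in the description and in comment 1, added here as an illustration; it is not code from this bug, from UCS or from OpenLDAP. It models cumulative access levels, the incremental "+0" form and the "stop"/"continue"/"break" controls, then runs the base rule from 60univention-ldap-server_acl-master with each catch-all variant ("read break" and "+0 break") followed by the UCS@school revert rule from comment 1. The student and Domain Admin subjects, the revert rule reduced to its "set=" clause and catch-all, the END_GRANT directive standing in for whatever 70univention-ldap-server_acl-master-end grants at the bottom, and the treatment of "no by clause matched" as a deny are all assumptions of the example.

```python
"""Toy model of slapd ACL evaluation (added illustration, not slapd or UCS code).

Enough of slapd.access(5) to show why 'by * read break' and 'by * +0 break'
leave later rules in different positions. Subjects and the END_GRANT rule
are constructed for the example."""

# slapd access levels are cumulative: each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Letters of the incremental {=|+|-} form (subset used here; '0' means no privilege).
PRIV_LETTERS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
                "r": "read", "w": "write", "m": "manage"}


def level_privs(level):
    """Privilege set implied by a plain level: everything up to and including it."""
    return set(LEVELS[1:LEVELS.index(level) + 1])


def apply_access(privs, access):
    """Apply one <access> token: a plain level replaces the accumulated set,
    '=' sets it, '+' adds letters and '-' removes them ('+0' changes nothing)."""
    if access[0] in "=+-":
        op, letters = access[0], access[1:]
        wanted = {PRIV_LETTERS[c] for c in letters if c != "0"}
        if op == "=":
            return wanted
        return privs | wanted if op == "+" else privs - wanted
    return level_privs(access)


def evaluate(directives, subject, attr):
    """Walk directives of the form (attrs, [(who, access, control), ...]) in order.
    'stop' ends evaluation, 'continue' tries the next by clause and 'break' moves
    on to the next directive while keeping the privileges accumulated so far."""
    privs = set()
    for attrs, clauses in directives:
        if attr not in attrs:
            continue
        matched = False
        for who, access, control in clauses:
            if not who(subject):
                continue
            matched = True
            privs = apply_access(privs, access)
            if control == "stop":
                return privs
            if control == "break":
                break          # leave this directive, keep privs, go to the next one
            # 'continue': fall through to the following by clause
        if not matched:
            return set()       # modelled as the implicit deny when nothing matched
    return privs


def highest_level(privs):
    """Report an accumulated privilege set as the highest level it reaches."""
    return next((lvl for lvl in reversed(LEVELS) if lvl in privs), "none")


# The attribute list and Domain Admins group from the base rule in the description.
UCS_ATTRS = {"entry", "objectClass", "uniqueMember", "ou", "uid", "loginShell", "homeDirectory",
             "uidNumber", "gidNumber", "sn", "cn", "gecos", "description", "memberUid"}
DOMAIN_ADMINS = "cn=Domain Admins,cn=groups,dc=school,dc=local"
SCHOOL_CLASSES = {"ucsschoolStudent", "ucsschoolTeacher", "ucsschoolStaff", "ucsschoolAdministrator"}


def in_group(group):
    return lambda s: group in s["groups"]


def has_school_class(s):
    return bool(s["objectClass"] & SCHOOL_CLASSES)


def everyone(s):
    return True


def base_directive(catch_all):
    """The 60univention-ldap-server_acl-master rule, with the 'by *' access as parameter."""
    return (UCS_ATTRS, [(in_group(DOMAIN_ADMINS), "write", "stop"),
                        (everyone, catch_all, "break")])


# Comment 1's UCS@school revert rule, reduced to its set= clause and the catch-all.
SCHOOL_REVERT = (UCS_ATTRS, [(has_school_class, "none", "break"),
                             (everyone, "+0", "break")])

# Constructed stand-in for the grant at the bottom of the -end file (not on the page):
# authenticated users may read.
END_GRANT = (UCS_ATTRS, [(lambda s: s["dn"] != "", "read", "stop")])

# Constructed subjects for the example.
STUDENT = {"dn": "uid=student1,cn=users,dc=school,dc=local",
           "groups": set(), "objectClass": {"ucsschoolStudent", "posixAccount"}}
ADMIN = {"dn": "uid=admin,cn=users,dc=school,dc=local",
         "groups": {DOMAIN_ADMINS}, "objectClass": {"posixAccount"}}


def access_after(catch_all, extra=(), subject=STUDENT, attr="uid"):
    """Highest level the subject reaches for attr after the base rule plus extra directives."""
    return highest_level(evaluate([base_directive(catch_all), *extra], subject, attr))


if __name__ == "__main__":
    for catch_all in ("read", "+0"):
        print(f"by * {catch_all} break:",
              "base only =", access_after(catch_all),
              "| + school revert =", access_after(catch_all, [SCHOOL_REVERT]),
              "| + end grant =", access_after(catch_all, [SCHOOL_REVERT, END_GRANT]))
```

Running it shows the state that later rules inherit: with "read break" the base rule alone already leaves a student at read, which is why the UCS@school rule has to reset every affected subject to none before it can decide anything; with "+0 break" the student is still at none after the base rule and the revert is a no-op. The constructed end grant then hands read back in both cases, as the description expects, and a Domain Admin gets write from the first clause regardless of the variant.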
Comment 2 Arvid Requate univentionstaff 2016-06-01 15:37:35 CEST
As far as I can tell the point of the "by * read break" clause is the "break", simply. I guess historically the "read" was assumed to be the lowest access right. That was long before we disabled anonymous LDAP searches.
Comment 3 Florian Best univentionstaff 2016-06-01 16:32:08 CEST
(In reply to Arvid Requate from comment #2)
> As far as I can tell the point of the "by * read break" clause is the
> "break", simply. I guess historically the "read" was assumed to be the
> lowest access right. That was long before we disabled anonymous LDAP
> searches.
That is my guess, too. So it wouldn't break anything to change it into:
"by * +0 break"
Comment 4 Florian Best univentionstaff 2016-08-17 14:05:48 CEST

*** This bug has been marked as a duplicate of bug 41715 ***