Univention Bugzilla – Full Text Bug Listing
Summary: | enhance LDAP ACL | ||
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | LDAP | Assignee: | UCS maintainers <ucs-maintainers> |
Status: | RESOLVED DUPLICATE | QA Contact: | |
Severity: | normal | ||
Priority: | P5 | CC: | requate |
Version: | UCS 4.1 | Flags: | best: Patch_Available+ |
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=41115 | ||
Description
Florian Best
2016-06-01 12:19:07 CEST
In UCS@school we define the following rule to prevent this (Bug #41115):

    # revert rule from UCS; Bug #41402
    access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
        by dn.sub="cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
        by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
        by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
        by * +0 break

Arvid Requate (comment #2)

As far as I can tell the point of the "by * read break" clause is the "break", simply. I guess historically the "read" was assumed to be the lowest access right. That was long before we disabled anonymous LDAP searches.

(In reply to Arvid Requate from comment #2)
> As far as I can tell the point of the "by * read break" clause is the
> "break", simply. I guess historically the "read" was assumed to be the
> lowest access right. That was long before we disabled anonymous LDAP
> searches.

That is my guess, too. So it wouldn't break anything to change it into: "by * +0 break"
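To make the difference between the two tail clauses concrete, the following is an added example and not code from UCS, UCS@school or OpenLDAP: a toy Python model of how slapd walks `by` clauses, following the semantics documented in slapd.access(5) (a level keyword such as `none` or `read` replaces the privilege set, `=`/`+`/`-` set, add or remove privilege letters, and `break` carries the accumulated set into the next `access to` directive). The subjects, the simplified group and `set=` membership tests and the trailing `by users read` directive are constructed for the example. It shows that `by * read break` and `by * +0 break` only differ for a subject that no later clause grants anything to, which is exactly the anonymous bind the comment above alludes to.

```python
# Added illustration, not UCS or OpenLDAP code: a toy model of slapd's
# "by" clause evaluation, modelled after slapd.access(5). The subjects,
# the membership predicates and LATER_DIRECTIVE are constructed.

# Privilege letters granted by each level keyword (slapd.access(5)).
LEVEL_PRIVS = {
    "none": "",
    "disclose": "d",
    "auth": "dx",
    "compare": "dxc",
    "search": "dxcs",
    "read": "dxcsr",
    "write": "dxcsrw",
    "manage": "dxcsrwm",
}

SCHOOL_CLASSES = {"ucsschoolStudent", "ucsschoolTeacher",
                  "ucsschoolStaff", "ucsschoolAdministrator"}


def apply_access(current, access):
    """Apply one <access> token to the privilege set accumulated so far."""
    if access in LEVEL_PRIVS:            # level form replaces the set
        return set(LEVEL_PRIVS[access])
    op, letters = access[0], set(access[1:]) - {"0"}   # "0" = no privilege
    if op == "=":
        return letters
    if op == "+":                        # "+0" matches but adds nothing
        return current | letters
    if op == "-":
        return current - letters
    raise ValueError(f"unknown access token {access!r}")


def evaluate(directives, subject):
    """Return the privilege letters a subject ends up with.

    directives: list of directives, each a list of (who, access, control)
    tuples where who() is a predicate on the subject. All directives are
    taken to apply to the attribute being checked.
    """
    privs = set()
    for clauses in directives:
        outcome = "stop"                 # no clause matched: stop with what we have
        for who, access, control in clauses:
            if not who(subject):
                continue
            privs = apply_access(privs, access)
            outcome = control
            if control != "continue":    # first matching clause decides
                break
        if outcome != "break":
            return privs
    return privs


def school_directive(tail):
    """The directive from the bug report with the final 'by *' access token
    parameterised; group and set matches are reduced to simple predicates."""
    return [
        (lambda s: "DC-Verwaltungsnetz" in s["groups"], "none", "break"),
        (lambda s: "Member-Verwaltungsnetz" in s["groups"], "none", "break"),
        (lambda s: "DC-Edukativnetz" in s["groups"], "none", "break"),
        (lambda s: "Member-Edukativnetz" in s["groups"], "none", "break"),
        (lambda s: bool(s["objectClass"] & SCHOOL_CLASSES), "none", "break"),
        (lambda s: True, tail, "break"),
    ]


# Hypothetical follow-on directive standing in for the rest of the ACL set:
# authenticated users may read; an anonymous bind matches no clause.
LATER_DIRECTIVE = [
    (lambda s: s["authenticated"], "read", "stop"),
]

# Constructed subjects.
SUBJECTS = {
    "anonymous": {"authenticated": False, "groups": set(), "objectClass": set()},
    "teacher":   {"authenticated": True, "groups": set(), "objectClass": {"ucsschoolTeacher"}},
    "edu-dc":    {"authenticated": True, "groups": {"DC-Edukativnetz"}, "objectClass": set()},
    "service":   {"authenticated": True, "groups": set(), "objectClass": set()},
}


def privileges(tail, name):
    """Final privilege letters for a subject under 'by * <tail> break'."""
    privs = evaluate([school_directive(tail), LATER_DIRECTIVE], SUBJECTS[name])
    return "".join(sorted(privs))


def compare_tails():
    """Side by side: the historical 'read' tail versus the proposed '+0'."""
    return {name: (privileges("read", name), privileges("+0", name))
            for name in SUBJECTS}


if __name__ == "__main__":
    for name, (with_read, with_plus0) in compare_tails().items():
        print(f"{name:10s} read break -> {with_read or '(none)':8s} "
              f"+0 break -> {with_plus0 or '(none)'}")
```

Running it shows every authenticated subject ending with the same letters under both tails, because the later directive's `read` level overwrites whatever was accumulated; only the anonymous subject keeps the `read` privileges leaked by `by * read break` and ends with nothing under `by * +0 break`.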