Bug 49387

Summary: allow adding "by" clause to monitor ACL
Product: UCS
Component: LDAP
Reporter: Felix Botner <botner>
Assignee: Florian Best <best>
QA Contact: Felix Botner <botner>
Status: CLOSED FIXED
Severity: normal
Priority: P5
CC: best
Version: UCS 4.4
Target Milestone: UCS 4.4-0-errata
Hardware: Other
OS: Linux
What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes

Description Felix Botner univentionstaff 2019-04-29 15:47:59 CEST
We need something like:

conffiles/etc/ldap/slapd.conf.d/39monitor
@@ -11,5 +11,8 @@
         print 'access to dn.subtree="cn=monitor"'
         print '   by dn.base="cn=admin,%s" read' % ldap_base
         print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" read' % (groups_default_domainadmins, ldap_base)
+        print '   by ..." read'
+        print '   by group/univentionGroup/uniqueMember="..." read'
+        print '   by set="user & [...]/uniqueMember*" read'
         print '   by * +0 break'
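Review bot: the first added line, print '   by ..." read', has an unbalanced double quote, so the rendered slapd.conf would contain by ..." read and slapd would fail to parse the directive; the intended form is presumably by dn.base="..." read, matching the dn.base clause two lines above. The three placeholder clauses also hardcode group DNs into the template, so every additional group would need a package update; generating these clauses from a configurable source would avoid that. Their position before by * +0 break is correct, since slapd applies the first matching by clause and the catch-all must stay last.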
Comment 1 Florian Best univentionstaff 2019-05-07 13:17:55 CEST
We should introduce a UCR variable which allows access for further groups via the set syntax.
Comment 2 Florian Best univentionstaff 2019-05-15 23:27:06 CEST
Patch available in branch fbest/ldap-patches-49386-49391. Please test and reopen for merging.

ucr set ldap/monitor/acl/read/groups/foo="cn=Domain Users,cn=groups,$(ucr get ldap/base)".
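An added example, not Univention's own 39monitor template, of how such a UCR-driven ACL block can be rendered. Only the variable prefix ldap/monitor/acl/read/groups/ is taken from the bug; the function names, the domainadmins_group parameter (standing in for the template's groups_default_domainadmins value) and the sample values are constructed for this example. Beyond the bug's single case it handles any number of group variables, skips empty ones, emits them in a deterministic order, and refuses values that would break out of the quoted DN in slapd.conf.

```python
"""Added example (not Univention's template code): render the cn=monitor
ACL block from a dict of UCR-style variables.

Assumed: the UCR prefix below is the one named in the bug; function names
and sample values are constructed for this example.
"""

import re

UCR_PREFIX = "ldap/monitor/acl/read/groups/"

# A DN embedded in a double-quoted slapd.conf token must not contain quote
# characters or line breaks: either would end the token early or start a
# new config line. Reject such values instead of writing them to slapd.conf.
_FORBIDDEN = re.compile(r'["\r\n]')


def extra_read_groups(ucr):
    """Return the group DNs set under the UCR prefix, sorted by variable
    name so the rendered config is identical across reruns."""
    groups = []
    for key in sorted(ucr):
        if not key.startswith(UCR_PREFIX):
            continue
        value = ucr[key].strip()
        if not value:
            continue  # variable present but empty: grant nothing
        if _FORBIDDEN.search(value):
            raise ValueError("refusing unsafe DN in %s: %r" % (key, value))
        groups.append(value)
    return groups


def render_monitor_acl(ucr, ldap_base, domainadmins_group):
    """Build the access directive for cn=monitor.

    slapd uses the first 'by' clause that matches the requester, so every
    explicit grant must precede the catch-all 'by * +0 break'.
    """
    lines = [
        'access to dn.subtree="cn=monitor"',
        '   by dn.base="cn=admin,%s" read' % ldap_base,
        '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" read'
        % (domainadmins_group, ldap_base),
    ]
    for group_dn in extra_read_groups(ucr):
        lines.append('   by set="user & [%s]/uniqueMember*" read' % group_dn)
    lines.append('   by * +0 break')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values mirroring the bug's test step.
    sample_ucr = {
        "ldap/base": "dc=four,dc=four",
        "ldap/monitor/acl/read/groups/domusers":
            "cn=Domain Users,cn=groups,dc=four,dc=four",
        "ldap/monitor/acl/read/groups/unused": "",
    }
    print(render_monitor_acl(sample_ucr, sample_ucr["ldap/base"], "Domain Admins"))
```

The quote check matters because the variable value is written verbatim into slapd.conf: a value containing a double quote could terminate the DN early and append a different access level to the directive, so validating it at render time is cheaper than diagnosing a broken or over-permissive ACL after slapd restarts.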
Comment 3 Felix Botner univentionstaff 2019-05-27 12:26:07 CEST
OK, works fine

-> ucr set ldap/monitor/acl/read/groups/domusers="cn=Domain Users,cn=groups,dc=four,dc=four"

-> univention-ldapsearch  -x -D uid=test1,cn=users,dc=four,dc=four -w univention -b cn=Monitor
...
Comment 4 Florian Best univentionstaff 2019-07-01 12:17:49 CEST
univention-ldap (15.0.0-21)
861ecba43398 | Bug #49387: allow further groups via UCR to access the cn=monitor backend

univention-ldap.yaml
861ecba43398 | Bug #49387: allow further groups via UCR to access the cn=monitor backend
Comment 5 Felix Botner univentionstaff 2019-07-01 13:55:48 CEST
OK - univention-ldap.yaml
OK - ldap/create-ldap-server-policy UCRV description
OK - univention-ldap

-> univention-ldapsearch -LLL  -b 'cn=Monitor' -s sub '*' '+'
No such object (32)

-> ucr set ldap/monitor/acl/read/groups/backup_hosts='cn=DC Backup Hosts,cn=groups,dc=w2k12,dc=test'
-> service  slapd restart

-> univention-ldapsearch -LLL  -b 'cn=Monitor' -s sub '*' '+'
dn: cn=Monitor
objectClass: monitorServer
structuralObjectClass: monitorServer
cn: Monitor
creatorsName:
modifiersName:
createTimestamp: 20190628231239Z
modifyTimestamp: 20190628231239Z
description: This subtree contains monitoring/managing objects.
description: This object contains information about this server.
description: Most of the information is held in operational attributes, which must be explicitly requested.
monitoredInfo: OpenLDAP: slapd  (Aug  6 2018 15:28:57)
entryDN: cn=Monitor
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE
...
Comment 6 Arvid Requate univentionstaff 2019-07-03 14:13:58 CEST
<http://errata.software-univention.de/ucs/4.4/172.html>