Univention Bugzilla – Full Text Bug Listing
| Summary: | Students can browse the AD directory | | |
|---|---|---|---|
| Product: | UCS@school | Reporter: | Christina Scheinig <scheinig> |
| Component: | Samba 4 | Assignee: | Daniel Tröder <troeder> |
| Status: | CLOSED FIXED | QA Contact: | Ole Schwiegert <schwiegert> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, brodersen, michelsmidt, requate, steuwer, troeder |
| Version: | UCS@school 4.4 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=42182, https://forge.univention.org/bugzilla/show_bug.cgi?id=41115 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 4: A User would return the product |
| User Pain: | 0.343 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2019062821000309 | Bug group (optional): | Security |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 49827 | | |
| Bug Blocks: | | | |
| Attachments: | shows the access | | |
Description
Christina Scheinig
2019-07-01 09:37:31 CEST
Created attachment 10099 [details]
shows the access

The customer's idea of what should not be shown: in particular, pupils, but also members of the other two main user groups (teachers and employees), should be prevented from listing or searching the AD for users, groups, computers, and possibly also printers, or from displaying their content.

That's normally a task of the AD administration, to adjust this to the requirements of the customer. Maybe the UCS@school team has plans and ideas on how to structure AD directory service access by defining directory service ACLs (DSACL), making use of the UCS@school group model. In that sense this bug is related to Bug 42182, but technically it requires different implementation tools.

In the meantime, I have suggested hiding the "Security Tab" via GPO.

I raised "How will those affected feel about the bug?" to "User would return the product", because they will. They have to use Windows to be DSGVO compliant. The customer tried everything he could to make sure students cannot browse the Samba4 directory, but the students have always found a way to bypass that. The AD browsing has to be blocked by ACLs on the server side. Possibilities for hiding the AD from the user found on the web cannot really be used, because nearly everything is adjusted to OUs. The customer needs a patch until the end of the summer holiday which prevents students from browsing.

> The customer needs a patch until the end of the summer holiday which prevents students from browsing

My impression is that this case should be handled in a project, because the customer demands can be quite different. A quick search on the topic of DSGVO and "IAM", "IDM", "Active Directory" and the like didn't come up with best practice recommendations. Additionally, if the customer has a deadline, this should be handled in product development. Please discuss with PO to define a reliable approach.

Please also note that this is an AD administration problem. I agree though that we may want to support the admins by providing customizable defaults that are useful for common scenarios, but these need to be identified first. Some links for technical approaches:
* https://www.experts-exchange.com/questions/28785041/Active-Directory-prevent-users-from-enumerating-other-AD-users-and-groups.html
* https://www.adaxes.com/tutorials_WebInterfaceCustomization_PreventUsersFromViewingTheADStructure.htm

The AD administration "best practices" are blocked by Bug 49827.

Based on a review with an external data protection officer, there is no general need to restrict the read access in more detail than it is done by default (restricted to the current school, i.e. the entries replicated to the school slave host). There might be needs in case schools are big or the directory is used for more detailed information about pupils. To address these, we should support and document configuration options; I don't know if ACLs or GPOs are more appropriate.

An SDB article explaining how to set up OpenLDAP and Samba4 ACLs has been published at https://help.univention.com/t/restrict-read-access-for-student/13465

Article reviewed.

Article was made public in 5.11.
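The thread settles on server-side Samba 4 ACLs but does not show one. The following is an added example, not code from Univention, the bug report or the SDB article: it builds the SDDL deny ACE for the directory rights that make browsing possible (LC list children, LO list object, RP read property), as a Samba 4 admin would pass to `samba-tool dsacl set --objectdn=<OU> --sddl=<ace>`, and it checks ACE order in a DACL string. Order matters because AD applies ACEs first-match: a deny that lands behind an allow for the same trustee and right is ineffective, so after applying the ACE the DACL shown by `samba-tool dsacl get --objectdn=<OU>` should list deny ACEs first. The domain SID, the students group RID 1105 and the DACL strings are constructed; the access-check function is a deliberately simplified single-SID evaluation (no group expansion, generic rights or object ACEs).

```python
# Added example (not from the bug report or the referenced SDB article): build the
# SDDL ACE that denies a student group the directory rights used for browsing,
# and check that a DACL string lists deny ACEs before allow ACEs, which is what
# makes such a deny effective. The domain SID and RIDs below are constructed.
import re

# SDDL access-right tokens for directory enumeration (MS-DTYP 2.5.1.1):
# LC = list children, LO = list object, RP = read property.
BROWSE_RIGHTS = ("LC", "LO", "RP")

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid).
# Only allow/deny ACEs without object GUIDs and with two-letter rights are handled.
ACE_RE = re.compile(
    r"\((?P<type>[AD]);(?P<flags>[A-Z]*);(?P<rights>(?:[A-Z]{2})*);;;(?P<sid>S-1-[0-9-]+)\)"
)


def deny_enumeration_ace(trustee_sid, inherit=True):
    """Deny ACE for one trustee; the CI flag makes child containers inherit it."""
    flags = "CI" if inherit else ""
    return "(D;%s;%s;;;%s)" % (flags, "".join(BROWSE_RIGHTS), trustee_sid)


def parse_ace(ace):
    """Split one SDDL ACE string into its type, flag list, right list and SID."""
    m = ACE_RE.fullmatch(ace)
    if m is None:
        raise ValueError("unsupported ACE syntax: %r" % ace)
    return {
        "type": m.group("type"),
        "flags": re.findall(r"[A-Z]{2}", m.group("flags")),
        "rights": re.findall(r"[A-Z]{2}", m.group("rights")),
        "sid": m.group("sid"),
    }


def split_dacl(dacl):
    """Return the ACE strings of an SDDL DACL such as 'D:AI(A;;...)(D;;...)'."""
    if not dacl.startswith("D:"):
        raise ValueError("not a DACL string: %r" % dacl)
    return re.findall(r"\([^()]*\)", dacl)


def canonicalize_dacl(dacl):
    """Reorder ACEs into canonical order: explicit deny, explicit allow, then
    inherited (ID flag) deny, then inherited allow. Order inside each bucket is kept."""
    aces = split_dacl(dacl)

    def bucket(ace):
        p = parse_ace(ace)
        inherited = "ID" in p["flags"]
        return (inherited, p["type"] != "D")

    prefix = dacl[: dacl.index("(")] if "(" in dacl else dacl
    return prefix + "".join(sorted(aces, key=bucket))


def trustee_has_right(dacl, trustee_sid, right):
    """Simplified first-match evaluation for one trustee SID: the first ACE naming
    the SID and the right decides; no matching ACE means no access. Real AD also
    expands group membership, generic rights and object-specific ACEs."""
    for ace in split_dacl(dacl):
        p = parse_ace(ace)
        if p["sid"] == trustee_sid and right in p["rights"]:
            return p["type"] == "A"
    return False


if __name__ == "__main__":
    students = "S-1-5-21-1111-2222-3333-1105"  # constructed "students" group SID
    ace = deny_enumeration_ace(students)
    # A DACL where an allow for the same group precedes the deny: the allow wins.
    bad = "D:(A;;LCRP;;;%s)%s" % (students, ace)
    good = canonicalize_dacl(bad)
    print("ACE to apply:  ", ace)
    print("non-canonical: LC allowed =", trustee_has_right(bad, students, "LC"))
    print("canonical:     LC allowed =", trustee_has_right(good, students, "LC"))
```

Target a students-only group as the trustee rather than Domain Users: a deny ACE applies to every member of the trustee group, including administrators who are also Domain Users, and it would also affect the OU-based layout the customer relies on for everything else.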