Univention Bugzilla – Full Text Bug Listing

| Summary: | Insufficient rights for student accounts in subcontainers of cn=schueler,cn=users,ou=$SchoolOU | | |
|---|---|---|---|
| Product: | UCS@school | Reporter: | Arvid Requate <requate> |
| Component: | LDAP | Assignee: | UCS maintainers <ucsschool-maintainers> |
| Status: | NEW --- | QA Contact: | |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, schwardt |
| Version: | UCS@school 4.4 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 41115 | | |
| Bug Blocks: | 49764 | | |
Description
Arvid Requate
2019-07-09 16:53:41 CEST
(In reply to Arvid Requate from comment #0)
> The content of subcontainers of cn=users,ou=$SchoolOU is not replicated to schools. That unnecessarily restricts the options of UCS@school administrators to sub-structure their users (and groups), e.g. to implement access control on class granularity in Samba/AD with standard AD administration tools.

I'm not 100% sure if the replication is the main problem here. I think that all objects (even subcontainers/OUs) are replicated, but several LDAP ACLs for giving write permission rely on the exact position of certain LDAP objects.

Ok, right, I can create cn=class2,cn=schueler,cn=users,ou=sun,dc=schein,dc=me e.g. as Administrator from Windows with ADSIedit and then use the Active Directory Users and Computers tool to move a student into that subcontainer. That works. I have adjusted the subject of the bug accordingly.
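As an added illustration of the positional dependency described in this comment (example code, not from the bug report or from UCS@school itself), the following script walks a few constructed DNs and flags student entries that sit in subcontainers below cn=schueler, i.e. in positions that ACLs matching on the exact DN layout would not cover. The sample DNs, the school ou=sun and the dc=schein,dc=me base are constructed for the example.

```python
import re

# Constructed sample DNs in the layout the bug describes; not taken from any real directory.
SAMPLE_DNS = [
    "uid=anna,cn=schueler,cn=users,ou=sun,dc=schein,dc=me",
    "uid=ben,cn=class2,cn=schueler,cn=users,ou=sun,dc=schein,dc=me",
    "uid=cara,cn=7b,cn=class2,cn=schueler,cn=users,ou=sun,dc=schein,dc=me",
    "uid=dan,cn=lehrer,cn=users,ou=sun,dc=schein,dc=me",
]


def split_dn(dn):
    """Split a DN into its RDNs (lower-cased), keeping backslash-escaped commas inside a value."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def locate_student(dn):
    """Return (school_ou, depth) for an entry below cn=schueler,cn=users,ou=<school>,
    or None if the DN is not in a student container at all.

    depth is the number of RDNs between the entry and cn=schueler: 0 means the
    entry sits directly in the container that position-based ACLs expect."""
    rdns = split_dn(dn)
    # Start at 1 so the entry's own RDN is never taken as the container.
    for i in range(1, len(rdns) - 2):
        if (rdns[i] == "cn=schueler" and rdns[i + 1] == "cn=users"
                and rdns[i + 2].startswith("ou=")):
            return rdns[i + 2][len("ou="):], i - 1
    return None


def students_outside_acl_position(dns):
    """List (dn, school, depth) for students whose DN position lies in a subcontainer."""
    hits = []
    for dn in dns:
        found = locate_student(dn)
        if found and found[1] > 0:
            hits.append((dn, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for dn, school, depth in students_outside_acl_position(SAMPLE_DNS):
        print(f"{dn}: school={school}, {depth} subcontainer level(s) below cn=schueler")
```

Feeding the script the DNs from an `ldapsearch` over the school OU turns it into a quick audit of which student accounts were moved into subcontainers and therefore fall outside the ACLs this bug is about.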