Bug 49827
| Summary: | Insufficient rights for student accounts in subcontainers of cn=schueler,cn=users,ou=$SchoolOU | ||
|---|---|---|---|
| Product: | UCS@school | Reporter: | Arvid Requate <requate> |
| Component: | LDAP | Assignee: | UCS maintainers <ucsschool-maintainers> |
| Status: | NEW --- | QA Contact: | |
| Severity: | normal | ||
| Priority: | P5 | CC: | best, schwardt |
| Version: | UCS@school 4.4 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Bug Depends on: | 41115 | ||
| Bug Blocks: | 49764 | ||
|
Description
Arvid Requate
(In reply to Arvid Requate from comment #0) > The content of subcontainers of cn=users,ou=$SchoolOU is not replicated to > schools. That unnecessarily restricts the options of UCS@school > administrators to sub-structure their users (and groups), e.g. to implement > access control on class granularity in Samba/AD with standard AD > administration tools. I'm not 100% sure if the replication is the main problem here. I think, that all objects (even subcontainers/OUs) are replicated, but several LDAP-ACLs for giving write permission rely on the exact position of certain LDAP objects. Ok, right, i can create cn=class2,cn=schueler,cn=users,ou=sun,dc=schein,dc=me e.g. as Administrator from Windows with ADSIedit and then use the Active Directory Users and Computers tool to move a student into that subcontainer. That works. I have adjusted the subject of the bug accordingly. |