Univention Bugzilla – Full Text Bug Listing

Summary: | school LDAP ACLs: Teachers/staff/schooladmins cannot maintain self service profile attributes, permissionDenied traceback in school environments | |
---|---|---|---
Product: | UCS | Reporter: | Christina Scheinig <scheinig>
Component: | Self Service | Assignee: | Felix Botner <botner>
Status: | CLOSED FIXED | QA Contact: | Florian Best <best>
Severity: | normal | |
Priority: | P5 | CC: | best, botner, damrose, gohmann, heidelberger, michelsmidt, schwardt, schwiegert
Version: | UCS 4.4 | |
Target Milestone: | UCS 4.4-2-errata | |
Hardware: | Other | |
OS: | Linux | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work
User Pain: | 0.286 | Enterprise Customer affected?: |
School Customer affected?: | Yes | ISV affected?: |
Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: |
Ticket number: | 2019082021000383 | Bug group (optional): |
Max CVSS v3 score: | | |
Description
Christina Scheinig
2019-08-21 16:24:41 CEST
This is caused by a stop rule in the ucs@school LDAP ACLs, as the problematic object is a teacher and thus has the objectclass ucsschoolTeacher: ./ucs-school-ldap-acls-master/65ucsschool line 257. If I remove that line, changing self-service attributes is possible. The relevant part from a slapd.conf is below; the line "by set.expand..." corresponds to line 257 in the template.

```
# School slave servers may only read and write entries of their own OU (password changes etc.)
# Teachers and member servers may read them; servers/users of their own OU get the standard ACLs, servers/users of other OUs may do nothing
access to dn.regex="^(.+,)?ou=([^,]+),dc=single,dc=intranet$$"
    by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop
```

Maybe we can rearrange the order of the Self-Service ACLs here? That would probably be the easiest solution.

We should have a test case for this with all school user roles.

(In reply to Florian Best from comment #2)
> Maybe we can rearrange the order of the Self-Service ACLs here? That would
> probably be the easiest solution.
>
> We should have a test case for this with all school user roles.

Full support for the proposal. The customer asked for an errata. I set the 'waiting support' flag in this case.

I temporarily moved the section beneath

```
# grant write access to users own UMC properties
access to attrs="univentionUMCProperty" filter="objectClass=person"
    by self write
    by * none break
access to filter="objectClass=person" attrs=objectClass value=univentionPerson
    by self write
    by * none break
access to filter="univentionObjectType=users/user" attrs=jpegPhoto,mobile
    by self write
    by * +0 break
```

and it works.

The self service is a very common requirement, especially in school domains and even vital for certain scenarios, which is why I'm taking the freedom of increasing the user pain.
Can you move the file to 64* instead of 65*? Otherwise it's the same number as the UCS@school ACLs have and it's not clear that the order is on purpose.

(In reply to Florian Best from comment #6)
> Can you move the file to 64* instead of 65*, otherwise it's the same number
> as the UCS@school ACLs have and not clear that the order is on purpose.

Yes, the ACL is now 64selfservice_userattributes.acl.

When I upgrade the package with slapd stopped, the old file remains. Please add the renaming also into any joinscript.

```
univention-self-service-master (4.0.3-11A~4.4.0.201910141145) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/univention/templates/modules/self-service-acl.py wird installiert ...
Module: self-service-acl
Registering ACL in LDAP
authentication error: {'desc': "Can't contact LDAP server"}
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
no selfservice ACL found, nothing todo
Not updating umc/self-service/profiledata/enabled
Not updating self-service/ldap_attributes
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
```

Grr. The ACL creation of the profile self service module calls, on every "ucr set self-service/ldap_attributes", ucs_registerLDAPExtension --packageversion with the current date (datetime.now().strftime('%Y%m%d%H%M%S')) instead of e.g. $package-version-number-$current-date. This makes it impossible to detect if the ACLs were created with an old package version. I hope we don't get trouble in further upgrades due to this.
Added join script 35univention-self-service-master.inst for the ACL renaming, called in debian/univention-self-service-master.postinst. Please have a look.

Btw: it would have been easier to just change the "univentionLDAPACLFilename" attribute instead of removing the object and re-creating it. Then the listener would have moved the file and the register + unregister + ucr set wouldn't be necessary. If you want, you can remove the prefix from the object name, so that we can just change the filename attribute next time a change is necessary.

OK: upgrade via joinscript
OK: after setting "ucr set umc/self-service/passwordreset/whitelist/groups='Domain Users,Domain Users oldschool'" I could change the attributes as teacher/staff.

Implemented a test case for UCS@school: ucs-test-ucsschool (6.0.65) 00c4bd65937a | Bug #50037: Add test case 115_modify_userattributes_and_ldap_acl

Migrated the UCS test case from bash to python: ucs-test (9.0.3-80) f88a674a97a0 | Bug #50037: migrate test case to python

OK, both tests look good: the ucsschool test fails with the old univention-self-service and succeeds with the new package, and the ucs test is also fine.
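To make the ordering effect discussed in this thread concrete, the following is an added example (not code from the bug, from Univention or from OpenLDAP): a small Python model of how slapd evaluates access directives per slapd.access(5), with `stop`, `break` and incremental `+0` privileges. The school rule's `set.expand` selector is replaced by a plain Python predicate, the `dn.regex` is the one quoted above with the template's doubled `$$` reduced to `$`, and all DNs, object classes and directory entries are constructed sample data. It shows that when the school `+0 stop` rule is evaluated before the self-service rule, a teacher writing their own `mobile` attribute ends with no privileges, whereas with the self-service rule sorted first (64* before 65*) `by self write` grants the write while a teacher from another school is still denied.

```python
"""Simplified model of slapd access-directive evaluation (slapd.access(5)), added to
illustrate the ACL ordering problem in this bug. The two rules are constructed stand-ins
for the ucs@school 'stop' rule and the self-service rule; all DNs and entries are sample data."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Privilege levels in ascending order; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Request:
    user_dn: str                # bound user performing the modify
    target_dn: str              # entry being modified
    attr: str                   # attribute being written
    directory: Dict[str, dict]  # constructed sample directory: dn -> attributes

@dataclass
class By:
    who: Callable[[Request], bool]  # the <who> selector (self, *, set.expand ...)
    access: str                     # "none", "read", "write" or incremental "+0", "+read"
    control: str = "stop"           # "stop" (slapd default) or "break"

@dataclass
class Clause:
    target: Callable[[Request], bool]  # the <what> selector (dn.regex, attrs, filter)
    bys: List[By]

def evaluate(clauses: List[Clause], req: Request) -> str:
    """Effective access level: only the first matching 'by' of a matching clause
    applies; 'stop' ends evaluation, 'break' carries the accumulated level to the
    next clause, '+0' changes nothing, and no matching 'by' acts as 'by * none stop'."""
    acc = "none"
    for clause in clauses:
        if not clause.target(req):
            continue
        for by in clause.bys:
            if not by.who(req):
                continue
            if not by.access.startswith("+"):
                acc = by.access
            elif by.access != "+0":   # incremental grant such as "+read"
                acc = LEVELS[max(LEVELS.index(acc), LEVELS.index(by.access[1:]))]
            if by.control == "stop":
                return acc
            break                     # "break": go on to the next clause
        else:
            return "none"             # no 'by' matched: implicit "by * none stop"
    return acc

# Selectors: simplified stand-ins for the slapd.conf syntax quoted on this page.
SCHOOL_DN = re.compile(r"^(.+,)?ou=([^,]+),dc=single,dc=intranet$")
is_self = lambda req: req.user_dn == req.target_dn
in_school_ou = lambda req: SCHOOL_DN.match(req.target_dn) is not None

def school_member_of_target_ou(req: Request) -> bool:
    """Stand-in for the set.expand clause: the bound user carries a teacher, administrator
    or staff object class and its ucsschoolSchool lists the OU of the entry being modified."""
    user = req.directory[req.user_dn]
    roles = {"ucsschoolTeacher", "ucsschoolAdministrator", "ucsschoolStaff"}
    if not roles & set(user["objectClass"]):
        return False
    return SCHOOL_DN.match(req.target_dn).group(2) in user.get("ucsschoolSchool", [])

def self_service_target(req: Request) -> bool:
    entry = req.directory[req.target_dn]
    return entry.get("univentionObjectType") == "users/user" and req.attr in ("jpegPhoto", "mobile")

# Self-service rule ("by self write / by * +0 break") and the school stop rule.
SELF_SERVICE = Clause(self_service_target, [By(is_self, "write"), By(lambda req: True, "+0", "break")])
SCHOOL_STOP = Clause(in_school_ou, [By(school_member_of_target_ou, "+0", "stop")])

# Constructed sample directory: two teachers in different schools.
TEACHER1 = "uid=teacher1,cn=lehrer,cn=users,ou=school1,dc=single,dc=intranet"
TEACHER2 = "uid=teacher2,cn=lehrer,cn=users,ou=school2,dc=single,dc=intranet"

def teacher_entry(school: str) -> dict:
    return {"objectClass": ["person", "ucsschoolTeacher"],
            "univentionObjectType": "users/user", "ucsschoolSchool": [school]}

DIRECTORY = {TEACHER1: teacher_entry("school1"), TEACHER2: teacher_entry("school2")}

def can_write(clauses: List[Clause], user_dn: str, target_dn: str, attr: str) -> bool:
    level = evaluate(clauses, Request(user_dn, target_dn, attr, DIRECTORY))
    return LEVELS.index(level) >= LEVELS.index("write")

def demo() -> Dict[str, bool]:
    school_first = [SCHOOL_STOP, SELF_SERVICE]        # school stop rule evaluated first
    self_service_first = [SELF_SERVICE, SCHOOL_STOP]  # 64* sorts before 65*
    return {
        "own_mobile_school_rule_first": can_write(school_first, TEACHER1, TEACHER1, "mobile"),
        "own_mobile_self_service_first": can_write(self_service_first, TEACHER1, TEACHER1, "mobile"),
        "other_school_teacher": can_write(self_service_first, TEACHER2, TEACHER1, "mobile"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'write allowed' if ok else 'denied'}")
```

The model deliberately keeps only the controls that matter here: `+0 stop` returns whatever privileges earlier `break` clauses accumulated (none, in the teacher's case), which is exactly why the self-service `by self write` has to be reached before the school rule. A regression test along the lines of the thread's 115_modify_userattributes_and_ldap_acl would check the same three outcomes against a live slapd rather than this model.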