Univention Bugzilla – Full Text Bug Listing |
Summary: | UMC module for Portal settings cannot be selected in a UMC policy | ||
---|---|---|---|
Product: | UCS | Reporter: | Michael Grandjean <grandjean> |
Component: | UMC (Generic) | Assignee: | Julia Bremer <bremer> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | best, botner, bremer, gulden, heidelberger, steuwer |
Version: | UCS 4.4 | ||
Target Milestone: | UCS 4.4-4-errata | ||
Hardware: | Other | ||
OS: | Windows NT | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 3: Simply Wrong: The implementation doesn't match the docu |
Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
User Pain: | 0.051 | Enterprise Customer affected?: | |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | Yes | |
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Attachments: | Screenshot of dropdown |
Description
Michael Grandjean
2020-01-06 21:56:08 CET
Created attachment 10277
Screenshot of dropdown
fix on branch ccastens/50688-portal-settings-via-policy

The Portal settings module is now available for UMC policies.

Package: univention-management-console-module-udm
Version: 9.0.15-6A~4.4.0.202005131133
Branch: ucs_4.4-0
Scope: errata4.4-4

commit 4ec9cd51006fc9a33aebcd95b9d6b67550c8e4bf
commit 4a8e21f3052c67cf07fdd005c474eb5ca8b4e89a
commit ea521336f3e7bde136a131582d236dc4733697b2

It is now possible to assign the Portal Settings module to users and groups via UMC policies. In order to do that, you must assign the following four umc operation sets to a UMC policy: udm-portal, udm-license, udm-validate and udm-syntax

Then you can assign that UMC policy to groups and users in order to make the Portal Settings module available for them.

I have the following user

-> univention-policy-result -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret uid=test1,dc=w2k12,dc=test
Policy: cn=umc-portal,cn=policies,dc=w2k12,dc=test
Attribute: umcPolicyGrantedOperationSet
Value: cn=udm-license,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
Value: cn=udm-syntax,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
Value: cn=udm-validate,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
Value: cn=udm-portal,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test

(a) If I create a new portal entry and click on "ADD" for "Restrict visibility to groups", I get

An error occurred
You are not authorized to perform this action.
Server error message: Verboten

This comes only once per new entry and I can close this message and proceed with the creation of the new entry.

(b) After clicking "FINISH" in the "Create Entry" dialog, I get

Notification
The portal entry object could not be saved: Permission denied.
umc-udm.log
18.05.20 11:54:51.942 ADMIN ( ERROR ) : Creating u'cn=sfsdfds,cn=portal,cn=univention,dc=w2k12,dc=test' failed: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
18.05.20 11:54:51.942 MODULE ( WARN ) : Failed to create LDAP object: permissionDenied:

(c) The version of the join script has been increased. I was under the impression that we should not do that in errata updates?

(d) We need documentation for this new feature. So please add some hints in the portal docu or create a new bug for that.

b) is because of missing LDAP ACLs. That's something a customer must implement for himself.

(In reply to Florian Best from comment #5)
> b) is because of missing LDAP ACLs. That's something a customer must
> implement for himself.

We decided to just document this.
Something like this worked for me:

On the Domaincontroller Master system create a file like (with the appropriate group name) /opt/62my-portal-acl.acl:

access to dn="cn=portal,cn=univention,@%@ldap/base@%@" attrs=children
    by group/univentionGroup/uniqueMember="cn=Domain Users,cn=groups,@%@ldap/base@%@" write
    by * +0 break

access to dn.children="cn=portal,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal
    by group/univentionGroup/uniqueMember="cn=Domain Users,cn=groups,@%@ldap/base@%@" write
    by * +0 break

Then run the following command:

-> udm settings/ldapacl create --position "cn=ldapacl,cn=univention,$(ucr get ldap/base)" --set name=62my-portal-acl --set filename=62my-portal-acl --set data="$(bzip2 -c /opt/62my-portal-acl.acl | base64)" --set package="62my-portal-acl" --set packageversion=1

To remove the ACL run the following command:

-> udm settings/ldapacl remove --dn "cn=62my-portal-acl,cn=ldapacl,cn=univention,dc=four,dc=four"

@florian, is this acl OK? (just copied from the original portal ACL)

(In reply to Felix Botner from comment #6)
> @florian, is this acl OK? (just copied from the original portal ACL)

Basically yes, but don't document this with "Domain Users"… Create a different group like "Portal Admins".
Ah sorry, still some todos

(a) I can't add or create a new category (The creation failed: Permission denied)

Creating u'cn=fdsfdsf,cn=categories,cn=portal,cn=univention,dc=w2k12,dc=test' failed: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

So the acl seems to be incomplete.

(b) Fix the documentation (de), there are some warnings in the jenkins job: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-4/view/Documentation/job/HandbookUCS/411/warnings5Result/

(c) add documentation (en)

(d) discuss if it is OK to increase the join script version

Successful build
Package: univention-portal
Version: 3.0.2-6A~4.4.0.202005261326
Branch: ucs_4.4-0
Scope: errata4.4-4
User: jbremer

3304869de1 Bug #50688: doku: ldap server must be restarted
0e83be74f8 Bug #50688: yaml
1c359c75c9 Bug #50688: Enable user not in domain admins to see categories without entries, to enable creation of new entries.
dd772d46e5 Bug #50688: Add english manual entry, extend ACL

I extended the ACL. I noticed one problem for every user who is not in the "Domain Admins" group. Categories with no entries were not shown, which meant that users could not add entries to their created category. I changed this, so that empty categories are also shown for non-admins. Entries can still be filtered for non-admins.

da379d6116 Bug #50688: doku indentation
0961cbde35 Bug #50688: typo doku

Also fixed two minor issues in the documentation.

ef39c471f8 Bug #50688: doku ldap server does not need to be restarted

The ldap server is automatically restarted after a setting/ldapacl is added. I removed this part from the docu again.
OK - yaml
OK - LDAP ACL
OK - create/change/delete entries/categories with non-Admin user
OK - doku
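A check for the four operation sets named in the fix comment, run over saved univention-policy-result output. This is an added example, not code from the bug report or from Univention; it assumes the tool prints one "Policy:", "Attribute:" or "Value:" field per line, and both sample inputs (including the policy name cn=umc-partial and the attribute constructedOtherAttribute) are constructed.

```python
import re

# The four operation sets the fix comment lists for the Portal settings module.
REQUIRED_SETS = {"udm-portal", "udm-license", "udm-validate", "udm-syntax"}
ATTRIBUTE = "umcPolicyGrantedOperationSet"

def granted_operation_sets(policy_result):
    """Return {policy DN: set of operation-set names granted by that policy}."""
    grants, policy, attribute = {}, None, None
    for line in policy_result.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if not sep:
            continue
        if key == "Policy":
            policy, attribute = value, None
        elif key == "Attribute":
            attribute = value
        elif key == "Value" and policy and attribute == ATTRIBUTE:
            # Keep only the leading RDN, e.g. "udm-portal".
            match = re.match(r"cn=([^,]+),", value, re.IGNORECASE)
            if match:
                grants.setdefault(policy, set()).add(match.group(1))
    return grants

def missing_sets(policy_result):
    """Sorted list of required operation sets that no listed policy grants."""
    granted = set().union(*granted_operation_sets(policy_result).values())
    return sorted(REQUIRED_SETS - granted)

BASE = "cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test"
# Constructed input: the values from the QA comment, one field per line (assumed layout).
SAMPLE_COMPLETE = "\n".join(
    ["Policy: cn=umc-portal,cn=policies,dc=w2k12,dc=test", "Attribute: " + ATTRIBUTE]
    + ["Value: cn=%s,%s" % (name, BASE) for name in sorted(REQUIRED_SETS)])
# Constructed input: hypothetical policy granting only two sets; the second
# attribute is made up and its value must be ignored.
SAMPLE_PARTIAL = "\n".join([
    "Policy: cn=umc-partial,cn=policies,dc=w2k12,dc=test",
    "Attribute: " + ATTRIBUTE,
    "Value: cn=udm-portal," + BASE,
    "Value: cn=udm-license," + BASE,
    "Attribute: constructedOtherAttribute",
    "Value: cn=udm-syntax," + BASE,
])

if __name__ == "__main__":
    for name, text in (("complete", SAMPLE_COMPLETE), ("partial", SAMPLE_PARTIAL)):
        print(name, "missing:", missing_sets(text))
```

An empty result only means the UMC policy side is complete; the write permissions discussed in the thread come from the separate LDAP ACL.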