Bug 34092 - UCS in Active Directory domain: Show attributes as readonly
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-2-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
Depends on: 34093
Blocks: 34091
Reported: 2014-02-10 09:55 CET by Stefan Gohmann
Modified: 2017-10-18 15:07 CEST
Description Stefan Gohmann univentionstaff 2014-02-10 09:55:18 CET
+++ This bug was initially created as a clone of Bug #34091 +++
Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules' property extension should be extended, for example "readonly_when_synced: True", default is False.
Comment 1 Florian Best univentionstaff 2014-02-14 15:06:36 CET
r47792: Add readonly_when_synced property description
r47793: evaluate readonly_when_synced (when univentionObjectFlag == synced)
r47806: evaluate readonly_when_synced in UDM handler modules
r47821: only restrict properties synced from AD on object modification
Comment 2 Florian Best univentionstaff 2014-02-14 15:14:59 CET
TODO: The current implementation does not restrict specific options or policies. Easy would be to restrict policies and options in general.
TODO: Restrict also moving of objects (This already happens in the frontend).

TODO: Which attributes should be "readonly_when_synced"? All handlers/modules should be adapted with that property description.
Comment 3 Florian Best univentionstaff 2014-02-14 16:00:05 CET
> TODO: Restrict also moving of objects (This already happens in the frontend).
→ done
Comment 4 Florian Best univentionstaff 2014-02-14 16:01:29 CET
TODO: removal should also be restricted.
Comment 5 Florian Best univentionstaff 2014-02-24 17:22:49 CET
(In reply to Florian Best from comment #4)
> TODO: removal should also be restricted.
* r48013 restrict removal of synced objects
* r48048 prevent removal and moving of objects also in navigation flavor

(In reply to Florian Best from comment #2)
> TODO: The current implementation does not restrict specific options or
> policies. Easy would be to restrict policies and options in general.
→ Nothing done, as discussed.

> TODO: Which attributes should be "readonly_when_synced"? All
> handlers/modules should be adapted with that property description.
→ r48014 add readonly_when_synced flags to handler modules
(OX properties haven't been touched. Properties have been taken from branches/ucs-3.2/component/ucs-in-ad-domain/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping)

other commits:
* r48032 inverse boolean logic
* r48049 workaround for users/user module: check valueMayChange also in _modify()
Comment 6 Florian Best univentionstaff 2014-02-24 17:26:30 CET
To enable the possibility to change synced objects:
univention.admin.handlers.disable_ad_restrictions(disable=False)
Comment 7 Stefan Gohmann univentionstaff 2014-06-11 07:58:42 CEST
Please merge the changes to UCS 3.2-2. It should be released as erratum.
Comment 8 Florian Best univentionstaff 2014-07-03 12:39:20 CEST
Package: univention-management-console-module-udm
Version: 4.0.97-25.449.201407031234
Scope: errata3.2-2

Package: univention-directory-manager-modules
Version: 9.0.76-9.1208.201407021701
Scope: errata3.2-2

YAML: updated
Changes merged into 4.0 branch
Comment 9 Stefan Gohmann univentionstaff 2014-07-03 14:58:22 CEST
The password attribute of the user is not readonly. It looks like r48069 has not been merged.
Comment 10 Florian Best univentionstaff 2014-07-07 13:24:05 CEST
(In reply to Stefan Gohmann from comment #9)
> The password attribute of the user is not readonly. It looks like r48069 has
> not been merged.
yes, r48069 had a typo in the bug number (34902 instead of 34092).
merged svn48069 and svn48073 into 3.2-2 and 4.0-0.

YAML adapted.
Comment 11 Florian Best univentionstaff 2014-07-23 09:29:04 CEST
QA: all restrictions must ofc. only occur when ad/member==true.
Comment 12 Florian Best univentionstaff 2014-07-29 12:38:22 CEST
univention-lib (3.0.26-49) 
* admember.py: add dns/dns to show/adnotification UCR variables (Bug #34092)
Comment 13 Dirk Wiesenthal univentionstaff 2014-07-29 20:39:14 CEST
Fields are not read-only in multi-edit. If one of the objects is synced, all (relevant) fields need to be read-only.

Moving a container in navigation gives a rather good error message. Deleting a container though gives an untranslated cryptic message.
Comment 14 Dirk Wiesenthal univentionstaff 2014-07-29 20:58:58 CEST
The MultiObjectWidgets are not read-only (the backend prevents saving, though): Have a look at a group's users or nested groups.
Comment 15 Dirk Wiesenthal univentionstaff 2014-07-29 21:11:37 CEST
(In reply to Dirk Wiesenthal from comment #14)
> The MultiObjectWidgets are not read-only (the backend prevents saving,
> though): Have a look at a group's users or nested groups.

Also the user's "Samba logon hours" widget
Comment 16 Dirk Wiesenthal univentionstaff 2014-07-29 21:14:28 CEST
Can you recheck: 3/5 of a user's account deactivation attributes are editable. Multiple samba options, too (like samba privileges).
Comment 17 Dirk Wiesenthal univentionstaff 2014-07-29 21:15:07 CEST
I have:

dn: cn=WIN7PRO,cn=computers,dc=deadlock16,dc=local
...
univentionObjectFlag: synced

But I do not see any attributes marked read-only? I can even change the name.
Comment 18 Stefan Gohmann univentionstaff 2014-07-29 21:21:54 CEST
(In reply to Dirk Wiesenthal from comment #17)
> I have:
> 
> dn: cn=WIN7PRO,cn=computers,dc=deadlock16,dc=local
> ...
> univentionObjectFlag: synced
> 
> But I do not see any attributes marked read-only? I can even change the name.

These attributes are synced by the connector:

    # excerpt of the AD connector mapping for computer objects
    'cn': univention.connector.attribute(
        ucs_attribute='name',
        ldap_attribute='cn',
        con_attribute='cn',
    ),
    'samAccountName': univention.connector.attribute(
        ldap_attribute='uid',
        con_attribute='sAMAccountName',
    ),
    'description': univention.connector.attribute(
        ucs_attribute='description',
        ldap_attribute='description',
        con_attribute='description',
    ),
    'operatingSystem': univention.connector.attribute(
        ucs_attribute='operatingSystem',
        ldap_attribute='univentionOperatingSystem',
        con_attribute='operatingSystem',
    ),
    'operatingSystemVersion': univention.connector.attribute(
        ucs_attribute='operatingSystemVersion',
        ldap_attribute='univentionOperatingSystemVersion',
        con_attribute='operatingSystemVersion',
    ),
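A stand-alone model of the checks discussed in this thread (the read-only property set derived from a mapping like the one above, the ad/member gate from comment 11, and the refusal of move and remove), added here as an example; it is not UDM or connector code, and MAPPING, UCR and all function names are assumptions made for the illustration.

```python
# Added example, not UDM or AD-connector code: a stand-alone model of the
# readonly_when_synced check. MAPPING, UCR and the function names are assumptions.

# Constructed excerpt of a connector mapping in the shape shown above;
# only the UCS-side property name (ucs_attribute) matters for the check.
MAPPING = {
    'cn': {'ucs_attribute': 'name', 'ldap_attribute': 'cn', 'con_attribute': 'cn'},
    'samAccountName': {'ldap_attribute': 'uid', 'con_attribute': 'sAMAccountName'},
    'description': {'ucs_attribute': 'description', 'ldap_attribute': 'description',
                    'con_attribute': 'description'},
    'operatingSystem': {'ucs_attribute': 'operatingSystem',
                        'ldap_attribute': 'univentionOperatingSystem',
                        'con_attribute': 'operatingSystem'},
}

# Constructed stand-in for the UCR variables; restrictions only apply when
# ad/member is true (comment 11).
UCR = {'ad/member': 'true'}


def readonly_when_synced_properties(mapping):
    """UDM properties that must be read-only on synced objects. Mapping entries
    without a ucs_attribute (here sAMAccountName) are not covered and would
    need an explicit readonly_when_synced flag in the handler module."""
    return {m['ucs_attribute'] for m in mapping.values() if 'ucs_attribute' in m}


def is_synced(ldap_attrs):
    """True when the object carries univentionObjectFlag: synced."""
    return 'synced' in ldap_attrs.get('univentionObjectFlag', [])


def restrictions_active(ucr, ad_restrictions=True):
    """ad_restrictions models the global switch mentioned in comment 6."""
    return ad_restrictions and ucr.get('ad/member', 'false').lower() == 'true'


def rejected_changes(ldap_attrs, old_props, new_props, mapping=MAPPING,
                     ucr=UCR, ad_restrictions=True):
    """Names of changed properties that a modify of this object must refuse."""
    if not (restrictions_active(ucr, ad_restrictions) and is_synced(ldap_attrs)):
        return []
    readonly = readonly_when_synced_properties(mapping)
    return sorted(p for p in readonly if old_props.get(p) != new_props.get(p))


def check_operation(ldap_attrs, operation, ucr=UCR, ad_restrictions=True):
    """Move and remove of synced objects are refused outright (comments 3 to 5)."""
    if (operation in ('move', 'remove') and is_synced(ldap_attrs)
            and restrictions_active(ucr, ad_restrictions)):
        return 'Objects from Active Directory can not be %sd.' % operation
    return None
```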
Comment 19 Dirk Wiesenthal univentionstaff 2014-07-29 21:24:19 CEST
(In reply to Florian Best from comment #12)
> univention-lib (3.0.26-49) 
> * admember.py: add dns/dns to show/adnotification UCR variables (Bug #34092)

Is there anything synced from AD? Or is this just for a warning message? The default DNS objects are kept and can be edited/deleted etc.
Comment 20 Stefan Gohmann univentionstaff 2014-07-29 21:28:29 CEST
(In reply to Dirk Wiesenthal from comment #19)
> (In reply to Florian Best from comment #12)
> > univention-lib (3.0.26-49) 
> > * admember.py: add dns/dns to show/adnotification UCR variables (Bug #34092)
> 
> Is there anything synced from AD? Or is this just for a warning message? The
> default DNS objects are kept and can be edited/deleted etc.

Currently we don't sync the DNS settings between UCS and AD. By default all UCS systems use the AD DNS.
Comment 21 Stefan Gohmann univentionstaff 2014-07-29 21:30:14 CEST
(In reply to Dirk Wiesenthal from comment #16)
> Can you recheck: 3/5 of a user's account deactivation attributes are
> editable. Multiple samba options, too (like samba privileges).

These are currently not synced but maybe it makes sense to disable these attributes as well. I would suggest these:

- Windows home drive
- Windows home path
- Samba privileges
- Permitted times for Windows logins
- All "Windows Terminal Server" attributes
Comment 22 Florian Best univentionstaff 2014-07-30 12:14:21 CEST
(In reply to Dirk Wiesenthal from comment #13)
> Fields are not read-only in multi-edit. One object of them is synced => all
> (relevant) fields need to be read-only.
> 
> Moving a container in navigation gives a rather good error message. Deleting
> a container though gives an untranslated cryptic message.
It is impossible to move and remove those objects via UMC. How did you do that?

Error messages are:
# udm container/cn move --dn cn=test,dc=system,dc=setup --position cn=users,dc=system,dc=setup
Objects from Active Directory can not be moved.

# udm container/cn remove --dn cn=test,dc=system,dc=setup
This operation is not allowed on this object: Objects from Active Directory can not be removed.
Comment 23 Florian Best univentionstaff 2014-07-30 15:43:05 CEST
* fixed multi edit mode
* these error messages are OK (on CLI), univentionObjectFlag==synced was missing in e.g. cn=users and was fixed in svn52368 by Stefan
* MultiObjectSelect → Bug #35519

TODO: set readonly_when_synced to synced attributes.
Comment 24 Dirk Wiesenthal univentionstaff 2014-07-30 22:43:58 CEST
(In reply to Stefan Gohmann from comment #21)
> (In reply to Dirk Wiesenthal from comment #16)
> > Can you recheck: 3/5 of a user's account deactivation attributes are
> > editable. Multiple samba options, too (like samba privileges).
> 
> These are currently not synced but maybe it makes sense to disable these
> attributes as well. I would suggest these:
> 
> - Windows home drive
> - Windows home path
> - Samba privileges
> - Permitted times for Windows logins
> - All "Windows Terminal Server" attributes

This has not been done, or am I mistaken?
Comment 25 Stefan Gohmann univentionstaff 2014-07-31 07:51:50 CEST
(In reply to Dirk Wiesenthal from comment #24)
> (In reply to Stefan Gohmann from comment #21)
> > (In reply to Dirk Wiesenthal from comment #16)
> > > Can you recheck: 3/5 of a user's account deactivation attributes are
> > > editable. Multiple samba options, too (like samba privileges).
> > 
> > These are currently not synced but maybe it makes sense to disable these
> > attributes as well. I would suggest these:
> > 
> > - Windows home drive
> > - Windows home path
> > - Samba privileges
> > - Permitted times for Windows logins
> > - All "Windows Terminal Server" attributes

fixed with r52416

It seems to be not possible to show "Permitted times for Windows logins" as read only: Bug #35529
Comment 26 Stefan Gohmann univentionstaff 2014-07-31 08:06:49 CEST
(In reply to Stefan Gohmann from comment #25)
> > > - Windows home drive
> > > - Windows home path
> > > - Samba privileges
> > > - Permitted times for Windows logins
> > > - All "Windows Terminal Server" attributes
> 
> fixed with r52416
> 
> It seems to be not possible to show "Permitted times for Windows logins" as
> read only: Bug #35529

And the Windows Terminal Server attributes can't be set to read only due to Bug #35530: r52417
Comment 27 Stefan Gohmann univentionstaff 2014-07-31 08:49:00 CEST
Set more windows attributes read only: r52419
Comment 28 Dirk Wiesenthal univentionstaff 2014-08-04 10:38:48 CEST
Ok, works. Minor adaptions.
YAML: Ok.
Comment 29 Janek Walkenhorst univentionstaff 2014-08-07 17:47:27 CEST
http://errata.univention.de/ucs/3.2/169.html
Comment 30 Janek Walkenhorst univentionstaff 2014-08-07 17:48:28 CEST
http://errata.univention.de/ucs/3.2/170.html