Univention Bugzilla – Bug 41116
test adjusted UCS@school LDAP ACL's
Last modified: 2019-02-05 21:14:39 CET
We need ucs-test scripts which check the new behavior. They should at least test if (1) all containers for all OU's exist at every replicated DC server and (2) if the user objects only get replicated to the server where they belong to via the attribute "ucsschoolSchool".

+++ This bug was initially created as a clone of Bug #41115 +++

The LDAP ACL's have to be adjusted for UCS@school to include the new attributes/options for the specific user roles.

1. All user containers should be replicated to all school DC's.
   cn=(admins|lehrer|schueler|lehrer und mitarbeiter|mitarbeiter),cn=users,ou=…
2. All school DC's must be able to read all user objects which have ucsschoolSchool=$OU.
3. All current rules have to be adjusted to work with the new ucsschoolSchool attribute.
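The two checks requested above, modelled offline as an added example; it is not part of the bug report or of ucs-test. It compares a school DC's replicated entries with the master's and reports missing role containers, missing users and users replicated to a DC whose OU is not in their ucsschoolSchool. The base DN, OU names, user entries and all function names are constructed, DN normalisation is simplified (no escaped commas), and matching ucsschoolSchool case-insensitively is an assumption.

```python
# Added example: offline model of the two replication checks (not ucs-test code).
ROLE_CONTAINERS = ("admins", "lehrer", "schueler", "lehrer und mitarbeiter", "mitarbeiter")
BASE = "dc=example,dc=com"    # constructed base DN
OUS = ("school1", "school2")  # constructed OU names

def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def container_dns(ous, base):
    """Normalised DNs of every role container of every OU."""
    return {norm("cn=%s,cn=users,ou=%s,%s" % (role, ou, base))
            for ou in ous for role in ROLE_CONTAINERS}

def check_replica(master, replica, replica_ou, ous=OUS, base=BASE):
    """Return sorted (kind, dn) findings for one school DC.

    master and replica map DN -> {attribute: [values]}.
    """
    have = {norm(dn) for dn in replica}
    # (1) every role container of every OU must exist on every school DC
    findings = [("missing-container", dn) for dn in container_dns(ous, base) - have]
    # (2) a user object is present if and only if ucsschoolSchool lists this OU
    for dn, attrs in master.items():
        schools = {s.lower() for s in attrs.get("ucsschoolSchool", [])}
        if not schools:
            continue  # containers and other non-user objects
        belongs, present = replica_ou.lower() in schools, norm(dn) in have
        if belongs and not present:
            findings.append(("missing-user", norm(dn)))
        elif present and not belongs:
            findings.append(("leaked-user", norm(dn)))
    return sorted(findings)

def sample():
    """Constructed master content and a defective replica for school2's DC."""
    master = {dn: {} for dn in container_dns(OUS, BASE)}
    master["uid=anna,cn=schueler,cn=users,ou=school1," + BASE] = {"ucsschoolSchool": ["school1"]}
    master["uid=bob,cn=lehrer,cn=users,ou=school1," + BASE] = {"ucsschoolSchool": ["school1", "school2"]}
    master["uid=carl,cn=schueler,cn=users,ou=school2," + BASE] = {"ucsschoolSchool": ["school2"]}
    replica = dict(master)  # anna (school1 only) stays in the replica: a leak
    del replica["uid=bob,cn=lehrer,cn=users,ou=school1," + BASE]  # multi-school user missing
    del replica["cn=mitarbeiter,cn=users,ou=school1," + BASE]     # foreign OU container missing
    return master, replica

if __name__ == "__main__":
    for kind, dn in check_replica(*sample(), replica_ou="school2"):
        print(kind, dn)
```

In a real test the two dictionaries would come from searches against the master and against the school DC's local LDAP, run with the school DC's machine account.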
ucs-test-ucsschool (3.0.13-1):
r70780 | Bug #41115: added 78_ldap_acls_dump

Added ucs-test script 78_ldap_acls_dump that dumps LDAP access rights of several users/machine accounts to /var/log/univention/78_ldap_acls_dump* for the old LDAP ACLs from UCS@school 4.1 and for the new LDAP ACLs from UCS@school 4.1 R2.

See attachment for a run on my test machine.

# cd /var/log/univention/
# for i in $(seq 0 21); do \
    echo "Comparing $i"; sleep 1; \
    compareldif -a 78_ldap_acls_dump.*.oldconfig/dn${i}.ldif \
      78_ldap_acls_dump.*.newconfig/dn${i}.ldif | less ; done
Created attachment 7783: Dump of LDAP access rights
Test results for UCS@school 4.1R2 v1
FYI: subprocess.check_call() raises subprocess.CalledProcessError.
Execute: . utils.sh; run_apptests --prohibit=SKIP-UCSSCHOOL
2016-07-08 03:33:22,842 CRITICAL:test:Failed to load test "/usr/share/ucs-test/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings": Missing hash-bang
2016-07-08 03:33:22,842 CRITICAL:test:Failed to load test "/usr/share/ucs-test/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool": Missing hash-bang

In http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.0%20to%204.1%20Multiserver/SambaVersion=s4/129/artifact/autotest-208-ucsschool-multiserver-s4.log
The following line seems bogus:
> school.schoolserver_dn = lo.searchDn(base=school.dn, filter='univentionObjectType=computers/domaincontroller_slave')[0]
Please add an administration-server.

(In reply to Florian Best from comment #5)
> The following line seems bogus:
> > school.schoolserver_dn = lo.searchDn(base=school.dn, filter='univentionObjectType=computers/domaincontroller_slave')[0]

This will not work if two slaves (e.g. an administrational) exist in the same OU.
This issue has been filed against UCS@school 4.1 (R2).

The maintenance with bug and security fixes for UCS@school 4.1 (R2) has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.