Bug 41402 - enhance LDAP ACL
Status: RESOLVED DUPLICATE of bug 41715
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.1
Platform: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2016-06-01 12:19 CEST by Florian Best
Modified: 2018-04-14 13:44 CEST
Flags: best: Patch_Available+
Description Florian Best univentionstaff 2016-06-01 12:19:07 CEST
60univention-ldap-server_acl-master defines the following LDAP ACL:

access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=school,dc=local" write
    by * read break

There is no explanation why the rule exists. The rule makes it hard for further rules to make adjustments as the rule must be reverted individually.
Would it be okay to change the rule to end with:
    by * +0 break

The read permissions will implicitly be given back at the very bottom of 70univention-ldap-server_acl-master-end. We could also add another explicit rule to the bottom.
Comment 1 Florian Best univentionstaff 2016-06-01 12:33:49 CEST
In UCS@school we define the following rule to prevent this (Bug #41115):

# revert rule from UCS; Bug #41402
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
    by dn.sub="cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
    by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=school,dc=local" none break
    by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
    by * +0 break
Comment 2 Arvid Requate univentionstaff 2016-06-01 15:37:35 CEST
As far as I can tell the point of the "by * read break" clause is the "break", simply. I guess historically the "read" was assumed to be the lowest access right. That was long before we disabled anonymous LDAP searches.
Comment 3 Florian Best univentionstaff 2016-06-01 16:32:08 CEST
(In reply to Arvid Requate from comment #2)
> As far as I can tell the point of the "by * read break" clause is the
> "break", simply. I guess historically the "read" was assumed to be the
> lowest access right. That was long before we disabled anonymous LDAP
> searches.
That is my guess, too. So it wouldn't break anything to change it into:
"by * +0 break"
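Added example, not part of the bug report and not UCS or OpenLDAP code: a small Python model of the slapd.access(5) evaluation rules the comments rely on, used to show why a non-incremental "by * read break" clause can silently undo what an earlier directive decided while "by * +0 break" only serves as a hook for the "break". The model is the editor's simplified reading of slapd semantics (directive order, first matching "by" clause, plain level replaces the accumulated level, "+0" keeps it, "stop"/"break" controls, implicit "by * none" when no clause matches), not the real ACL engine. The UCS directive is the one quoted in the description; the "earlier restriction" and "closing rule" directives, the computer/user DNs and the plain-suffix dn.sub matching are constructed for the illustration, the closing rule standing in for the real ...-end file whose content is not on this page.

```python
"""Toy model of slapd ACL evaluation for the "by * read break" vs "by * +0 break"
question.  Added illustration, not UCS or OpenLDAP code; it models only the
slapd.access(5) subset the discussion turns on (the editor's reading, an assumption):
directives are tried in order and apply when their `to` covers the attribute; the
first matching `by` decides; a plain level (none/read/write) REPLACES the accumulated
level, `+0` keeps it; `stop` (default) ends evaluation, `break` moves to the next
directive; no matching `by` means an implicit `by * none`; after the last directive
the accumulated level stands."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3, "search": 4, "read": 5, "write": 6}
NAME = {v: k for k, v in LEVELS.items()}

@dataclass(frozen=True)
class Requester:
    dn: str
    groups: frozenset = frozenset()

Who = Callable[[Requester], bool]

def anyone() -> Who:                     # by *
    return lambda r: True
def dn_sub(base: str) -> Who:            # by dn.sub="<base>" (plain suffix match here)
    return lambda r: r.dn == base or r.dn.endswith("," + base)
def group_member(group_dn: str) -> Who:  # by group/univentionGroup/uniqueMember="<dn>"
    return lambda r: group_dn in r.groups

@dataclass
class By:
    who: Who
    level: str              # "none", "read", "write", ... or the incremental "+0"
    control: str = "stop"   # "stop" or "break"
    text: str = ""          # rendering of the clause, for the trace

@dataclass
class Access:
    attrs: Optional[frozenset]  # None stands for "access to *"
    clauses: List[By]
    name: str = ""

def evaluate(acl: List[Access], who: Requester, attr: str) -> Tuple[str, List[str]]:
    """Return (final level, trace of applied clauses) for `who` touching `attr`."""
    level, trace = LEVELS["none"], []
    for d in acl:
        if d.attrs is not None and attr not in d.attrs:
            continue
        for c in d.clauses:
            if not c.who(who):
                continue
            if c.level != "+0":          # plain level replaces; "+0" keeps the level
                level = LEVELS[c.level]
            trace.append(f"{d.name}: by {c.text} -> {NAME[level]}")
            if c.control == "stop":
                return NAME[level], trace
            break                        # "break": go on with the next directive
        else:                            # no `by` matched: implicit "by * none"
            trace.append(f"{d.name}: implicit by * none")
            return "none", trace
    return NAME[level], trace

def allowed(acl: List[Access], who: Requester, attr: str, wanted: str) -> bool:
    """A request is granted when the evaluated level is at least the one it needs."""
    return LEVELS[evaluate(acl, who, attr)[0]] >= LEVELS[wanted]

UCS_ATTRS = frozenset("entry objectClass uniqueMember ou uid loginShell homeDirectory "
                      "uidNumber gidNumber sn cn gecos description memberUid".split())
DOMAIN_ADMINS = "cn=Domain Admins,cn=groups,dc=school,dc=local"

def ucs_rule(fallback: str) -> Access:
    """The quoted 60univention-ldap-server_acl-master directive; fallback is "read" or "+0"."""
    return Access(UCS_ATTRS, [
        By(group_member(DOMAIN_ADMINS), "write", "stop", f'group="{DOMAIN_ADMINS}" write'),
        By(anyone(), fallback, "break", f"* {fallback} break"),
    ], "60univention-ldap-server_acl-master")

def build_acl(fallback: str) -> List[Access]:
    """Constructed surroundings: an earlier directive hiding uid/cn from computer
    accounts and a closing one handing read back to user accounts (a stand-in)."""
    earlier = Access(frozenset({"uid", "cn"}), [
        By(dn_sub("cn=computers,dc=school,dc=local"), "none", "break",
           'dn.sub="cn=computers,dc=school,dc=local" none break'),
        By(anyone(), "+0", "break", "* +0 break"),
    ], "hypothetical earlier restriction")
    closing = Access(None, [
        By(dn_sub("cn=users,dc=school,dc=local"), "read", "stop",
           'dn.sub="cn=users,dc=school,dc=local" read'),
        By(anyone(), "+0", "stop", "* +0"),
    ], "hypothetical closing rule")
    return [earlier, ucs_rule(fallback), closing]

# Constructed requesters.
COMPUTER = Requester("cn=pc01,cn=computers,dc=school,dc=local")
ADMIN = Requester("uid=admin,cn=users,dc=school,dc=local", frozenset({DOMAIN_ADMINS}))
ALICE = Requester("uid=alice,cn=users,dc=school,dc=local")

if __name__ == "__main__":
    for fallback in ("read", "+0"):
        print(f"--- UCS rule ending in 'by * {fallback} break' ---")
        for who in (COMPUTER, ADMIN, ALICE):
            level, trace = evaluate(build_acl(fallback), who, "uid")
            print(f"{who.dn}: uid -> {level}\n    " + "\n    ".join(trace))
```

Running the script traces both variants: with "read break", the computer account ends up with read on uid because the UCS directive overwrote the earlier "none break"; with "+0 break", the earlier denial survives through the UCS directive and the computer stays at none, while Domain Admins still get write from the first clause and ordinary users still get read from the closing rule, which is the behaviour the description expects from the bottom ACL file.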
Comment 4 Florian Best univentionstaff 2016-08-17 14:05:48 CEST

*** This bug has been marked as a duplicate of bug 41715 ***