Comment 1 Florian Best 2016-07-01 13:16:42 CEST

All our current ACL rules aren't validating object creation and restrict the set of valid attributes/object classes.

Affected are at least:
AppCenter ACL's
UVMM ACL's
UCS@school AppCenter ACL's
UCS@school UVMM ACL's

Comment 2 Florian Best 2016-07-01 14:03:49 CEST

Also as UCS@school teacher/staff/admin via temporary lock objects.

Comment 3 Florian Best 2016-07-01 14:17:14 CEST

*** Bug 31304 has been marked as a duplicate of this bug. ***

Comment 4 Florian Best 2016-07-01 15:08:41 CEST

Because of Bug #41180 every regular user can do this.

Comment 5 Florian Best 2016-07-01 15:32:40 CEST

(In reply to Florian Best from comment #4)
> Because of Bug #41180 every regular user can do this.
Well, regular users can add this entry but it's not evaluated (login via ssh doesn't work) either because the DC master cannot read the entry or because a user with the same name already exists.

Comment 6 Florian Best 2016-07-02 08:55:39 CEST

The correct way to define LDAP ACL's is:

Create a DIT content rule for each of our object classes which prevents a mix of certain object classes.
→ http://www.openldap.org/faq/data/cache/1473.html

After this the ACL definition should look like the following:

access to dn=… filter="(objectClass=$OCS)" attrs=entry,@$OCS by …

Comment 7 Florian Best 2016-07-15 09:57:53 CEST

Restrictions to attribute values have been added to the LDAP-ACL's.
This bug will be continued in Bug #41797 to evaluate the content of an entry via LDAP ACL's.

ucs-test (6.0.35-4):
r70877 | Bug #41180: also catch OBJECT_CLASS_VIOLATION as now a content rule for 'univentionAdminUserSettings' exists
r70779 | Bug #41180: add 61_udm-users/30_user_admin_setting_acl
r70778 | Bug #41180: fix ucs-test build
r70777 | Bug #41180: add missing executable flag
r70764 | Bug #41180: restrict also creation of cn=admin-settings entries

univention-ldap (12.1.6-29):
r71020 | Bug #41715: Bug #41180: revert adding add_content_acl to slapd.conf
r70863 | Bug #41180: remove write access to pseudo-attribute 'entry' of cn=admin-settings,cn=univention
r70849 | Bug #41180: Add content rule to 'univentionAdminUserSettings' and 'univentionAdminGlobalSettings'
r70764 | Bug #41180: restrict also creation of cn=admin-settings entries
r70608 | Bug #41180: restrict access to uid=*,cn=admin-settings to objects with univentionAdminUserSettings object class

univention-ldap.yaml:
r70609 | YAML Bug #41179, Bug #41180

Comment 8 Florian Best 2016-07-15 10:51:13 CEST

univention-ldap (12.1.6-30):
r71023 | Bug #41715: reallow posixAccount for univentionWindows objects

Comment 9 Florian Best 2016-07-18 15:30:49 CEST

A small textual overview of all changes:

DC Slaves/Memberserver only have access to
* attributes of the object classes univentionObject and lock in cn=*,cn=*,cn=temporary,cn=univention.
* attributes of sambaDomain for existing objectClass==sambaDomain objects → these objects are created by some samba tools which doesn't add univentionObject attributes; IMHO we should restrict this further to objects in cn=samba but I don't know what objects customers currently might have
* attributes of the object classes organizationalRole, sambaIdmapEntry, sambaSidEntry in cn=idmap,cn=univention
* attributes of the object classes univentionObject, sambaUnixIdPool, sambaIdmapEntry, sambaSidEntry, organizationalRole underneath of cn=idmap,cn=univention

→ Not possible to modify objects into shares/posixUsers anymore there.

Any windows client/dc (objectClass==univentionWindows) can't be transformed into a univentionShare anymore.
The group "Windows Hosts" can't be tranformed into a univentionShare or posixAccount anymore.
→ further adjustments will be done via Bug #41800

Modification of attribute uidNumber to 0 for any univentionWindows computer is still possible
→ Bug #41799

There are various positions where DC Slaves/Memberserver can create arbitrary objects. E.g. 
cn=*,cn=idmap,cn=univention,dc=AutoTest091,dc=local
cn=*,cn=apps,cn=univention,dc=AutoTest091,dc=local
→ Bug #41797

The test case 10_ldap/90_acl_access_to_uidNumber0 (renamed from 90_LDAPacl_DC_access_to_uidNumber0) has been adjusted to test way more combinations than prior. This still has room for further enhancements / more combinations especially for the UCS@school LDAP ACL's [WIP].

Comment 10 Florian Best 2016-07-19 16:31:02 CEST

Should DC Slaves/Memberserver be possible to add univentionPolicyReference to
* ^cn=idmap,cn=univention
* ^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention
* ^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention
* ^cn=([^,]+),cn=apps,cn=univention
* ^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager
* ^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager
* cn=policies,cn=system
* cn=WMIPolicy,cn=system
?

Comment 11 Arvid Requate 2016-08-03 14:52:31 CEST

Ok, first thanks for the textual description of Comment 9, that helped a bit.

I don't quite like commit r70851, which changes read permissions on several rules. This bug here is about closing an issue with write permissions, so generally speaking, no read permission must be changed here. Colleteral effects of adjustments like these can bee seen in Bug 41180 Comment 3 and 4. Anyway, I think they are ok in this case.

Generally, from the QA point of view I don't like mixing "this should not change anything" type of changes with "this changes the behaviour to fix the bug" changes. As a developer I know how hard it is to avoid this :-)

Otherwise the changes and the Jenkins tests look good. Good job in identifying the issues and applying in depth knowledge of LDAP ACLs.

Advisory: Ok

Comment 12 Janek Walkenhorst 2016-08-03 15:56:53 CEST

<http://errata.software-univention.de/ucs/4.1/222.html>

Comment 13 Florian Best 2016-08-17 14:05:48 CEST

*** Bug 41402 has been marked as a duplicate of this bug. ***