Univention Bugzilla – Bug 42437
Traceback in UMC if user is member of Domain Admins and UCS@school user
Last modified: 2016-12-12 13:10:20 CET
If a user is a member of the group "Domain Admins" AND a UCS@school user (attribute ucsschoolSchools is set and one of the ucsschool* objectclasses is used), a traceback is shown after some seconds in the UMC users/user module.

Die Ausführung des Kommandos udm/syntax/choices users/user ist fehlgeschlagen:
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/__init__.py", line 941, in _thread
    return read_syntax_choices(syntax, request.options)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 85, in _decorated
    return method(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 135, in _decorated
    result = func(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 1331, in read_syntax_choices
    for element in map(map_choice, filter(filter_choice, module.search(filter=filter_s))):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 1316, in map_choice
    choices.append((value, syn.label_format % obj.info))
KeyError: 'displayName'

The reason is that the user has far fewer read permissions than the members of "Domain Admins" and is therefore not able to read the displayName of other OUs from LDAP (OUs other than those defined in ucsschoolSchools). I think the main cause of this bug is a wrong ACL evaluation order in conjunction with UCS@school and Domain Admins. Domain Admins should always keep their full rights.
This will block some scenarios where Domain Admins have to be part of one/many but not all schools.
(In reply to Sönke Schwardt-Krummrich from comment #0)
> I think the main cause of this bug is a wrong ACL evaluation order in
> conjunction with UCS@school and Domain Admins.
Yes, that is the reason!
> Domain Admins should always keep their full rights.
So, Domain Admins should have access to all schools?!
(In reply to Florian Best from comment #2)
> > Domain Admins should always keep their full rights.
> So, Domain Admins should have access to all schools?!
Yes, of course. They are domain administrators with nearly the highest privileges within the domain (only cn=admin has more privileges).
The request to trigger this:

curl 'http://schooldomainadmin:univention@10.200.27.117/univention-management-console/command/udm/syntax/choices' -H 'Content-Type: application/json' -H 'X-Requested-With: XMLHttpRequest' --data-binary '{"options":{"syntax":"ucsschoolSchools"},"flavor":"users/user"}'

Should we also fix something in UMC-UDM? Probably it's good when an exception is raised, because it reveals LDAP ACL errors like this.
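As an added illustration (not code from UMC/UDM, nor from the patches attached to this bug), the snippet below reproduces how the `syn.label_format % obj.info` expression from the traceback fails when an LDAP ACL withholds an attribute, and shows a checked variant that still surfaces the ACL gap (as suggested above) but reports the affected DN and attribute names instead of a bare KeyError. The label format, the sample OU data and the function names are assumptions.

```python
import re

# Constructed sample data: the attributes one UMC user can read for two school OUs.
# For a school user the ACLs only grant reads within the OUs listed in
# ucsschoolSchools, so displayName of another OU is simply absent from obj.info.
SCHOOL_OUS = [
    {"dn": "ou=school1,dc=example,dc=com", "name": "school1", "displayName": "School One"},
    {"dn": "ou=school2,dc=example,dc=com", "name": "school2"},  # displayName withheld by ACL
]

# Hypothetical label format in the %(name)s style used by the traceback on this page.
LABEL_FORMAT = "%(displayName)s"

PLACEHOLDER_RE = re.compile(r"%\(([^)]+)\)")


def label_attributes(label_format):
    """Attribute names referenced by a %(name)s style label format."""
    return PLACEHOLDER_RE.findall(label_format)


def missing_attributes(label_format, info):
    """Attributes the label needs that are absent from the object (e.g. hidden by LDAP ACLs)."""
    return [attr for attr in label_attributes(label_format) if attr not in info]


def map_choice_unchecked(info, label_format=LABEL_FORMAT):
    """Same expression as in the traceback: a bare KeyError when an attribute is unreadable."""
    return (info["name"], label_format % info)


class UnreadableAttributes(Exception):
    """Raised/collected when an object's label attributes could not be read."""

    def __init__(self, dn, attrs):
        super().__init__("%s: attributes not readable (check LDAP ACLs): %s"
                         % (dn, ", ".join(attrs)))
        self.dn = dn
        self.attrs = attrs


def read_syntax_choices(objects, label_format=LABEL_FORMAT):
    """Build (value, label) choices; objects whose label attributes are unreadable are
    collected as problems naming the DN, so the ACL gap is visible without aborting the
    whole listing."""
    choices, problems = [], []
    for info in objects:
        missing = missing_attributes(label_format, info)
        if missing:
            problems.append(UnreadableAttributes(info["dn"], missing))
            continue
        choices.append(map_choice_unchecked(info, label_format))
    return choices, problems


if __name__ == "__main__":
    choices, problems = read_syntax_choices(SCHOOL_OUS)
    print("choices:", choices)
    for problem in problems:
        print("warning:", problem)
```

Whether the caller logs the collected problems or turns them into the error shown in the UMC is a policy decision; the point is that a missing attribute is diagnosed as an ACL problem on a specific DN rather than as a crash inside a thread.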
Created attachment 8226 [details] patch 1
Created attachment 8227 [details] patch 2
(In reply to Florian Best from comment #5)
> Created attachment 8226 [details]
> Created attachment 8227 [details]
@Sönke: Please decide: Allow *anybody* to read the direct attributes of all OUs, OR allow users of the Domain Admins group to read those attributes.
I added patch 2 because this has to be added nevertheless. Please REOPEN if patch 1 should be applied, too.

ucs-school-ldap-acls-master (14.0.2-1): r74508 | Bug #42437: fix ACLs for school users which are domain admins at the same time
OK: manual test: a Teacher that is in group "Domain Admins" can log into the UMC and use the Users (School) module. It sees all schools, but can read only users in its own school.

OK: automated tests:

for TEST in 7[5-8]_ldap_acls*; do ./$TEST -f || break; done

75_ldap_acls_admins
75_ldap_acls_nonedu_server
75_ldap_acls_staff
75_ldap_acls_teacher_and_staff
75_ldap_acls_teachers
76_ldap_acls
78_ldap_acls_dump

PS: When the logged-in Teacher that is in group "Domain Admins" enters a view for a school that it doesn't belong to, the UMC asks to create the first user. If that is done, and I try "Save", it shows the error "Need a primary group with samba option to create a user with samba option". → Is there a way to block the UMC from listing the OUs that a Domain Admin cannot edit?
UCS@school 4.1 R2 v9 has been released. http://docs.software-univention.de/changelog-ucsschool-4.1R2v9-de.html