Univention Bugzilla – Bug 42526
Prevent to move or remove the own object via UDM
Last modified: 2017-07-05 13:06:32 CEST
Today I wanted to move some of our user objects from their usual place in "cn=users,$base_dn" to a sub-container "cn=MitarbeiterInnen,cn=users,$base_dn". I logged in as user "mbunkus", navigated to the LDAP module, created the sub-container (including adding it to the default user container). Then I selected a couple of user objects in "cn=users" including the object "uid=mbunkus,cn=users,$base_dn" — the one I had used to log in to the UMC. The move process started, but right in the middle of moving "uid=mbunkus" it aborted with something like "access to UMC denied". I then logged back in to UMC, again as "uid=mbunkus". The result was a partial move of that user object "uid=mbunkus". It was indeed moved to the new sub-container, however, the group membership hadn't been updated completely. In a couple of groups the old entry was still present as "uniqueMember: uid=mbunkus,cn=users,$base_dn". In other groups both the old entry and the new one were present:

------------------------------------------------------------
[0 root@trinculo ~] univention-ldapsearch cn=kace-admins dn uniqueMember|ldapsearch-wrapper
# extended LDIF
#
# LDAPv3
# base <dc=bs,dc=linet-services,dc=de> (default) with scope subtree
# filter: cn=kace-admins
# requesting: dn uniqueMember
#

# kace-admins, groups, bs.linet-services.de
dn: cn=kace-admins,cn=groups,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=users,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=mitarbeiterinnen,cn=users,dc=bs,dc=linet-services,dc=de
------------------------------------------------------------

Fixing it wasn't that hard, but tedious: edit each group, remove all occurrences of the affected user, re-add the user, save.
Created attachment 8043: patch

Maybe we should restrict moving "myself" in a first step. I guess fixing this is a little bit complicated and this corner case must be kept in mind in further development.
From a user POV I'd be perfectly fine with not being able to move myself as this is done very infrequently. Preventing having to clean up the mess afterwards is what would be important to me.
*** Bug 43350 has been marked as a duplicate of this bug. ***
The patch has been applied. Additionally, removing is now also prevented (Bug #43350). This currently doesn't work when logged in via SAML because the DN comparison is case sensitive. This will be fixed generically in another bug.

univention-directory-manager-modules (12.0.17-22):
r80592 | Bug #42526: prevent to move and remove the own object

univention-directory-manager-modules.yaml:
r80592 | Bug #42526: prevent to move and remove the own object
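The two checks discussed in this thread, as an added example that is neither Univention's code nor the reporter's: a guard that refuses to move or remove the logged-in user's own object by comparing DNs after normalising case (the comparison the comment above describes as still case sensitive for SAML logins), and an audit of group uniqueMember values after a move, which produces the ldapmodify records for the manual cleanup described in the first comment (stale old DN, or old and new DN side by side). The function names, the base DN dc=example,dc=test and the LDIF sample are constructed for this example.

```python
"""Added example (not UCS/UDM code): self-object guard and post-move group audit."""


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and strip whitespace so DNs that differ only in case
    or spacing compare equal. Assumption: plain DNs without escaped commas,
    which is what UCS user and group DNs look like."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def is_own_object(object_dn: str, session_user_dn: str) -> bool:
    """True if the object about to be moved/removed is the session user's own entry."""
    return normalize_dn(object_dn) == normalize_dn(session_user_dn)


def parse_ldif_groups(ldif_text: str) -> dict:
    """Return {group_dn: [uniqueMember values]} from ldapsearch-style LDIF.
    Handles comment lines, blank-line entry separators and folded lines
    (continuation lines start with one space). Base64 (::) values are not handled."""
    groups, entry = {}, []

    def flush(lines):
        dn, members = None, []
        for line in lines:
            attr, _, value = line.partition(":")
            if attr == "dn":
                dn = value.strip()
            elif attr.lower() == "uniquemember":
                members.append(value.strip())
        if dn is not None:
            groups[dn] = members

    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            flush(entry)
            entry = []
        elif raw.startswith(" ") and entry:
            entry[-1] += raw[1:]          # unfold continuation line
        else:
            entry.append(raw)
    flush(entry)
    return groups


def audit_group_members(groups: dict, old_dn: str, new_dn: str) -> list:
    """Find groups that still carry the pre-move DN.
    Returns (group_dn, action): 'drop_old' when old and new DN are both listed,
    'replace' when only the old DN is listed. Groups with just the new DN are fine."""
    old_n, new_n = normalize_dn(old_dn), normalize_dn(new_dn)
    findings = []
    for group_dn, members in groups.items():
        normalized = {normalize_dn(m) for m in members}
        if old_n in normalized:
            findings.append((group_dn, "drop_old" if new_n in normalized else "replace"))
    return findings


def ldif_changes(findings: list, old_dn: str, new_dn: str) -> str:
    """Render ldapmodify 'changetype: modify' records that fix the findings."""
    records = []
    for group_dn, action in findings:
        rec = [f"dn: {group_dn}", "changetype: modify",
               "delete: uniqueMember", f"uniqueMember: {old_dn}"]
        if action == "replace":
            rec += ["-", "add: uniqueMember", f"uniqueMember: {new_dn}"]
        records.append("\n".join(rec) + "\n")
    return "\n".join(records)


# Constructed sample output (not real directory data): one group with both DNs,
# one with only the old DN (folded line included), one already correct.
SAMPLE_LDIF = """\
# extended LDIF (constructed sample)
#
# kace-admins, groups, example.test
dn: cn=kace-admins,cn=groups,dc=example,dc=test
uniqueMember: uid=mbunkus,cn=users,dc=example,dc=test
uniqueMember: uid=mbunkus,cn=mitarbeiterinnen,cn=users,dc=example,dc=test

# domain users, groups, example.test
dn: cn=Domain Users,cn=groups,dc=example,dc=test
uniqueMember: uid=mbunkus,cn=users,dc=example,dc=test
uniqueMember: uid=someone,cn=users,
 dc=example,dc=test

# printer-admins, groups, example.test
dn: cn=printer-admins,cn=groups,dc=example,dc=test
uniqueMember: uid=mbunkus,cn=MitarbeiterInnen,cn=users,dc=example,dc=test
"""

OLD_DN = "uid=mbunkus,cn=users,dc=example,dc=test"
NEW_DN = "uid=mbunkus,cn=MitarbeiterInnen,cn=users,dc=example,dc=test"

if __name__ == "__main__":
    # The guard: a SAML session may present the DN in different case.
    print("own object:", is_own_object(OLD_DN, "UID=MBunkus,CN=Users,DC=example,DC=test"))
    found = audit_group_members(parse_ldif_groups(SAMPLE_LDIF), OLD_DN, NEW_DN)
    print(ldif_changes(found, OLD_DN, NEW_DN))
```

The audit only reports; the rendered records are meant to be reviewed and then fed to ldapmodify (or applied through UDM), which keeps the cleanup a deliberate step rather than something run blindly against every group.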
Tested with UMC and command line: OK
Moving and removing own object is not allowed
YAML: OK
-> verified
<http://errata.software-univention.de/ucs/4.2/79.html>