Univention Bugzilla – Bug 43312
Add security related LDAP attribute constraints
Last modified: 2021-06-23 07:29:14 CEST
To simplify the ACLs (for UCS@school) we should add some constraints, e.g. uidNumber must not be 0. https://linux.die.net/man/5/slapo-constraint
r75826 | Changelog Bug #43312

ucs-test (7.0.7-1):
r75825 | Bug #43312: add test case 10_ldap/91_ldap_constraints

univention-ldap (13.0.3-1):
r75824 | Bug #43312: add constraint for value=0 on attribute uidNumber / gidNumber

Please reopen if you have ideas for more restrictions. I guess, if possible, we should add something for shares, too.
This breaks the setup process:

------------------------------------------------------------------------------
Configure /usr/lib/univention-install/10univention-ldap-server.inst 2017-01-16 18:02:01.612728362-05:00
(in joinscript_init) /etc/machine.secret: No such file or directory
Adding SRV record "ldap tcp 0 100 7389 master090.autotest090.local." to zone autotest090.local... done
Adding ZONE record "root@autotest090.local. 1 28800 10800 604800 108001 master090.autotest090.local." to zone 10.210...
LDAP Error: Constraint violation: add breaks constraint on uidNumber
------------------------------------------------------------------------------

http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-0/job/AutotestJoin/SambaVersion=s3,Systemrolle=master/
I don't see how the command sets any uidNumber?!

/usr/share/univention-admin-tools/univention-dnsedit --ignore-exists --reverse 192.168.0 add zone root@school.local. 1 28800 10800 604800 108001 xen3.school.local.
# /usr/share/univention-admin-tools/univention-dnsedit --ignore-exists --reverse "$reverse" add zone "root@$domainname." 1 28800 10800 604800 108001 "$hostname.$domainname."
Adding ZONE record "root@school.local. 1 28800 10800 604800 108001 xen3.school.local." to zone 192.168.0... done
The LDAP server doesn't know "\d" → replaced with "[0-9]".

univention-ldap (13.0.3-2):
r75861 | Bug #43312: fix regex in constraint
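An added check, not part of this bug or of univention-ldap, showing why the regex fix above was needed: slapd's constraint overlay compiles its `regex` rules with POSIX regcomp(3), whose extended syntax has no `\d` class, so a value is only accepted when it matches a pattern written in POSIX terms. The non-zero-number pattern below is an assumed illustration of a uidNumber/gidNumber constraint, not the pattern shipped in the package.

```c
#include <regex.h>
#include <stdio.h>

/* Evaluate a slapo-constraint "regex" rule the way slapd does: the pattern
 * is compiled as a POSIX extended regex and the attribute value is accepted
 * only if it matches. Returns 1 (accept), 0 (reject, i.e. the client sees
 * "Constraint violation") or -1 if the pattern does not even compile. */
static int constraint_allows(const char *pattern, const char *value)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Assumed pattern for illustration (not the one in univention-ldap): a
 * decimal number that is not zero; the anchors make "0", "00" and "" fail. */
#define NONZERO_NUMBER "^0*[1-9][0-9]*$"

/* Perl/Python style digit class: POSIX ERE has no \d, so this rule never
 * means "one or more digits" and rejects every real uidNumber. */
#define PERL_DIGITS    "^\\d+$"

int main(void)
{
    /* Constructed sample values a client might try to store in uidNumber. */
    const char *values[] = { "0", "00", "1000", "", "abc", "10a" };
    size_t i;

    for (i = 0; i < sizeof values / sizeof values[0]; i++)
        printf("uidNumber=%-5s  [0-9] rule: %2d   \\d rule: %2d\n",
               values[i],
               constraint_allows(NONZERO_NUMBER, values[i]),
               constraint_allows(PERL_DIGITS, values[i]));
    return 0;
}
```

Running it prints an accept/reject column per rule; only the `[0-9]` rule accepts 1000 while rejecting 0.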
Please fix this whitespace:

-print 'moduleload constraint.so'
+print 'moduleload\tconstraint.so'
(In reply to Arvid Requate from comment #5)
> Please fix this whitespace:
>
> -print 'moduleload constraint.so'
> +print 'moduleload\tconstraint.so'

Hm? Using a space is valid. All other rules above this should be fixed. But I did what you said:

univention-ldap (13.0.4-1):
r77259 | Bug #43312: use \t instead of space

The package will be rebuilt by Dirk later on this evening.
From current slapd.conf:

---[cut]---
## to prevent uidNumber=0 modifications
access to attrs=uidNumber value=0
    by dn.children="cn=dc,cn=computers,dc=nstx,dc=local" read
    by * +0 break
---[cut]---

Do we still need this?
(In reply to Sönke Schwardt-Krummrich from comment #7)
> From current slapd.conf:
>
> ---[cut]---
> ## to prevent uidNumber=0 modifications
> access to attrs=uidNumber value=0
>     by dn.children="cn=dc,cn=computers,dc=nstx,dc=local" read
>     by * +0 break
> ---[cut]---
>
> Do we still need this?

No, should I remove it?
(In reply to Florian Best from comment #8)
> No, should I remove it?

The tests are still successful if this rule is removed from slapd.conf → I would say "yes" → REOPEN

Beyond that:
OK: code change
OK: functional test
UPDATED: changelog.xml
FIXED: added dependency to python-pytest in ucs-test-ldap
We should also think about restricting:

sambaSID: *-500
sambaPrimaryGroupSID: *-???
sambaAcctFlags: ???
(In reply to Florian Best from comment #10)
> We should also think about restricting:
>
> sambaSID: *-500
> sambaPrimaryGroupSID: *-???
> sambaAcctFlags: ???

I would suggest separating this into a new bug.
univention-ldap (13.0.5-1):
r77341 | Bug #43312: remove uidNumber=0 ACLs as they are covered by the constraint
OK: code change
OK: functional test
*** Bug 41799 has been marked as a duplicate of this bug. ***
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".