Univention Bugzilla – Bug 48068
Replicate staff users to educational school DCs
Last modified: 2018-12-12 17:24:06 CET
It should be possible to also replicate staff users to educational DCs (optionally). A lot of customers only operate educational DCs (no administrative DCs), but need users with the staff role also at the school server (RADIUS, Proxy, or staff where a strict separation between educational network and administration network is not necessary).

FYI: I tried to add an educational school DC to the groups "DC-Verwaltungsnetz" and "OUschule01-DC-Verwaltungsnetz", but the LDAP ACLs don't work that way. Being a member of "DC-Verwaltungsnetz" does not grant the right to read/replicate staff users, but it forbids reading students and teachers: https://git.knut.univention.de/univention/ucsschool/blob/4.3/ucs-school-ldap-acls-master/65ucsschool#L185
Because of this, adding an educational DC to "DC-Verwaltungsnetz" will not only not replicate staff, it will also stop the replication for students and teachers.
I tested this together with Michael. This seems to work if the following ACLs are simply commented out. Staff users are then automatically replicated to all eduslaves and don't cause any *obvious* problems (you can add them to the workgroups, but otherwise they won't show up). The implementation could be done via an additional UCR variable that has to be set on the master, which deactivates the affected ACLs.

    # domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
    access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
        by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
        by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
        by * +0 break

    access to filter="(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolAdministrator)))"
        by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
        by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
        by * +0 break
Change description:
Up to UCS@school 4.3v6, school servers (DC slaves) could only read student, teacher and admin objects from the OU structures with their machine account. With the introduction of the boolean UCR variable "ucsschool/ldap/replicate_staff_to_edu", it is also possible to replicate staff objects to the educational slaves/memberservers. Depending on the status of the UCR variable, read access to the staff objects is possible or not. The config of the slapd is adjusted automatically and the slapd is restarted.

In addition, cross-school user accounts are checked. While student1 is directly located below the OU of Slave1, student2 is located below another OU, where student2 is a member of both schools (1+2). It is therefore actively checked whether these user objects can also be read by the slave of school 1. This also applies to the other user roles.

Technical changes:
As mentioned in comment 1, it was sufficient to remove 2 ACLs to enable edu slaves to replicate staff users. By default, there should be no change in slapd.conf by this change, unless the UCR variable is unset.

Warning: If the UCR variable is changed, the slapd.conf has to be committed by UCR manually! Afterwards the slapd has to be restarted manually. After switching this feature on or off, additional steps like a rejoin of the affected slaves or a manual change of all affected staff objects is required, to get the LDAP on the slave up-to-date immediately.

b77f1e38c Bug #48068: add advisory entry
2cbd2cc1d Bug #48068: add 81_ldap_acl_staff2edu
e0053073c Bug #48068: add changelog entry
692fb2404 Bug #48068: fixed logic bug in create_school_admin()
39ea2d320 Bug #48068: added changelog entry
9c93f7bb5 Bug #48068: if requested, disable 2 ACLs to replicate staff users to edu slaves

Package: ucs-school-ldap-acls-master
Version: 16.0.3-1A~4.3.0.201811222349
Branch: ucs_4.3-0
Scope: ucs-school-4.3
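To make the behaviour described in comments 1 to 3 tangible, here is an added, simplified model of how slapd walks the two quoted ACLs (first matching "by" clause of each matching "access to" wins; "none" stops, "+0 break" grants nothing and continues with the next directive) and of what dropping them via the UCR variable changes. This is an illustration written for this page, not UCS@school or OpenLDAP code; the base DN, the staff container name and the sample entries are constructed, and the empty DISTRICT placeholder is omitted.

```python
import re

# Constructed stand-ins for the @%@ldap/base@%@ and @$@STAFF@$@ placeholders.
BASE = "dc=example,dc=com"
STAFF_CONTAINER = "mitarbeiter"
EDU_DC = f"cn=DC-Edukativnetz,cn=ucsschool,cn=groups,{BASE}"
EDU_MEMBER = f"cn=Member-Edukativnetz,cn=ucsschool,cn=groups,{BASE}"
ADMIN_DC = f"cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,{BASE}"

# Target of the first ACL: dn.regex for the staff container of any OU.
STAFF_DN = re.compile(rf"^.+,cn={STAFF_CONTAINER},cn=users,ou=[^,]+,{re.escape(BASE)}$")

def staff_filter(entry):
    """Target of the second ACL: staff that are neither teacher nor administrator."""
    oc = entry["objectClass"]
    return "ucsschoolStaff" in oc and not ({"ucsschoolTeacher", "ucsschoolAdministrator"} & oc)

# by-clauses shared by both ACLs as (who, access, control). "stop" is the default
# control; "+0 break" adds no privilege and continues with the next "access to".
DENY_EDU = [(EDU_DC, "none", "stop"), (EDU_MEMBER, "none", "stop"), ("*", "+0", "break")]
STAFF_ACLS = [(lambda e: bool(STAFF_DN.match(e["dn"])), DENY_EDU), (staff_filter, DENY_EDU)]

def acls_for(replicate_staff_to_edu):
    """With ucsschool/ldap/replicate_staff_to_edu=yes both ACLs leave slapd.conf."""
    return [] if replicate_staff_to_edu else STAFF_ACLS

def evaluate(acls, entry, reader_groups):
    """Return 'none' when a matching clause denies and stops, or 'fallthrough'
    when the later, granting ACLs of the template (not modelled here) decide."""
    for target, by_clauses in acls:
        if not target(entry):
            continue
        for who, access, control in by_clauses:
            if who == "*" or who in reader_groups:
                if control == "stop":
                    return access
                break  # "break": evaluation goes on with the next access directive
    return "fallthrough"

# Constructed sample entries: a pure staff user and a teacher of the same OU.
STAFF = {"dn": f"uid=staff1,cn={STAFF_CONTAINER},cn=users,ou=school1,{BASE}",
         "objectClass": {"ucsschoolStaff"}}
TEACHER = {"dn": f"uid=teach1,cn=lehrer,cn=users,ou=school1,{BASE}",
           "objectClass": {"ucsschoolTeacher"}}

if __name__ == "__main__":
    for flag in (False, True):
        print(f"replicate_staff_to_edu={flag}: edu DC reading staff ->",
              evaluate(acls_for(flag), STAFF, {EDU_DC}))
```

The model shows why comment 1's workaround cannot work: membership in DC-Verwaltungsnetz never matches the deny clauses above, so those two ACLs alone neither grant nor withhold anything for it, while the edu groups are stopped with "none" before any later ACL can grant read access.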
Manual tests and Jenkins tests show that the ACLs are ok → RESOLVED
OK: code changes
OK: advisory
OK: automated test
OK: manual test:

    root@m61:~# ldapsearch -Z -H ldap://m61.uni.dtr:7389 -D cn=s62,cn=dc,cn=server,cn=computers,ou=SchuleM62,dc=uni,dc=dtr -W -x -LLL '(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher)))' dn | grep dn: | wc -l
    Enter LDAP Password:
    0
    root@m61:~# ucr set ucsschool/ldap/replicate_staff_to_edu=yes
    Create ucsschool/ldap/replicate_staff_to_edu
    root@m61:~# ucr commit /etc/ldap/slapd.conf
    Multifile: /etc/ldap/slapd.conf
    root@m61:~# service slapd restart
    root@m61:~# univention-ldapsearch -LLL '(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher)))' dn | grep dn: | wc -l
    100
    root@m61:~# ucr unset ucsschool/ldap/replicate_staff_to_edu
    Unsetting ucsschool/ldap/replicate_staff_to_edu
    root@m61:~# ucr commit /etc/ldap/slapd.conf
    Multifile: /etc/ldap/slapd.conf
    root@m61:~# service slapd restart
    root@m61:~# ldapsearch -Z -H ldap://m61.uni.dtr:7389 -D cn=s62,cn=dc,cn=server,cn=computers,ou=SchuleM62,dc=uni,dc=dtr -W -x -LLL '(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher)))' dn | grep dn: | wc -l
    Enter LDAP Password:
    0
UCS@school 4.3 v6 has been released. http://docs.software-univention.de/changelog-ucsschool-4.3v6-de.html#changelog:ucsschool:2018-12-12 If this error occurs again, please clone this bug.