Univention Bugzilla – Bug 49387
allow adding "by" clause to monitor ACL
Last modified: 2019-07-03 14:13:58 CEST
we need something like conffiles/etc/ldap/slapd.conf.d/39monitor @@ -11,5 +11,8 @@ print 'access to dn.subtree="cn=monitor"' print ' by dn.base="cn=admin,%s" read' % ldap_base print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" read' % (groups_default_domainadmins, ldap_base) + print ' by ..." read' + print ' by group/univentionGroup/uniqueMember="..." read' + print ' by set="user & [...]/uniqueMember*" read' print ' by * +0 break'
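Review bot: the three added `by` lines are placeholders rather than a finished hunk. `by ..." read` has an unbalanced quote and would not parse as a slapd access clause, and `group/univentionGroup/uniqueMember="..."` and `set="user & [...]/uniqueMember*"` express the same read grant two ways; keep one form (the template already uses the set syntax for the domain admins group). Since the extra groups are meant to come from a UCR variable, render them in a loop over that variable instead of fixed `print` lines, and keep every added clause above `by * +0 break`, which must stay the last clause so non-matching binds fall through to the following ACLs.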
We should introduce a UCR variable which allows access for further groups via the set syntax.
Patch available in branch fbest/ldap-patches-49386-49391. Please test and reopen for merging. ucr set ldap/monitor/acl/read/groups/foo="cn=Domain Users,cn=groups,$(ucr get ldap/base)".
OK, works fine
  -> ucr set ldap/monitor/acl/read/groups/domusers="cn=Domain Users,cn=groups,dc=four,dc=four"
  -> univention-ldapsearch -x -D uid=test1,cn=users,dc=four,dc=four -w univention -b cn=Monitor ...
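For readers who want to see how the UCR variables from the comments above turn into the ACL block, here is an added stand-alone rendering in Python 3. It is not Univention's 39monitor template (which is a Python 2 conffile), only an imitation of its output: the function name monitor_acl, the input dict, and the use of groups/default/domainadmins for the admins group name are assumptions made for the example.

```python
"""Render the cn=monitor read ACL from UCR-style settings.

Added illustration, not Univention's own 39monitor template. The helper
names and the plain dict standing in for the UCR registry are assumptions.
"""
import re

# Every variable under this prefix names one extra group that may read cn=monitor,
# e.g. ldap/monitor/acl/read/groups/domusers="cn=Domain Users,cn=groups,dc=four,dc=four"
GROUP_PREFIX = "ldap/monitor/acl/read/groups/"


def is_safe_group_dn(value):
    """True if the value can be embedded in a set="..." literal without
    breaking out of it (no double quote, no line break)."""
    return not re.search(r'["\r\n]', value)


def monitor_acl(ucr):
    """Return the slapd.conf 'access to' block for cn=monitor as a list of lines.

    ucr: dict of UCR variable name -> value. Uses ldap/base, the assumed
    groups/default/domainadmins (cn of the admins group, default "Domain Admins")
    and every ldap/monitor/acl/read/groups/<name> entry.
    """
    base = ucr["ldap/base"]
    domainadmins = ucr.get("groups/default/domainadmins", "Domain Admins")
    lines = [
        'access to dn.subtree="cn=monitor"',
        '    by dn.base="cn=admin,%s" read' % base,
        '    by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" read' % (domainadmins, base),
    ]
    # Extra groups are sorted by variable name so the rendered file is stable
    # across runs and diffs cleanly.
    for key in sorted(k for k in ucr if k.startswith(GROUP_PREFIX)):
        group_dn = ucr[key].strip()
        if not group_dn:
            continue  # an emptied variable simply grants nothing
        if not is_safe_group_dn(group_dn):
            # Refuse rather than emit a clause that would corrupt the ACL.
            raise ValueError("%s: unsafe characters in group DN %r" % (key, group_dn))
        lines.append('    by set="user & [%s]/uniqueMember*" read' % group_dn)
    # Must remain the last clause: everyone else falls through to later ACLs.
    lines.append("    by * +0 break")
    return lines


if __name__ == "__main__":
    # Constructed sample registry mirroring the values used in this bug's comments.
    sample_ucr = {
        "ldap/base": "dc=four,dc=four",
        "groups/default/domainadmins": "Domain Admins",
        "ldap/monitor/acl/read/groups/domusers": "cn=Domain Users,cn=groups,dc=four,dc=four",
    }
    print("\n".join(monitor_acl(sample_ucr)))
```

Running the module prints the complete access block; the only thing an operator changes is the set of ldap/monitor/acl/read/groups/* variables, and a value that would break out of the quoted set literal is rejected instead of being written into slapd.conf.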
univention-ldap (15.0.0-21)
861ecba43398 | Bug #49387: allow further groups via UCR to access the cn=monitor backend
univention-ldap.yaml
861ecba43398 | Bug #49387: allow further groups via UCR to access the cn=monitor backend
OK - univention-ldap.yaml
OK - ldap/create-ldap-server-policy UCRV description
OK - univention-ldap
  -> univention-ldapsearch -LLL -b 'cn=Monitor' -s sub '*' '+'
     No such object (32)
  -> ucr set ldap/monitor/acl/read/groups/backup_hosts='cn=DC Backup Hosts,cn=groups,dc=w2k12,dc=test'
  -> service slapd restart
  -> univention-ldapsearch -LLL -b 'cn=Monitor' -s sub '*' '+'
     dn: cn=Monitor
     objectClass: monitorServer
     structuralObjectClass: monitorServer
     cn: Monitor
     creatorsName:
     modifiersName:
     createTimestamp: 20190628231239Z
     modifyTimestamp: 20190628231239Z
     description: This subtree contains monitoring/managing objects.
     description: This object contains information about this server.
     description: Most of the information is held in operational attributes, which must be explicitly requested.
     monitoredInfo: OpenLDAP: slapd (Aug 6 2018 15:28:57)
     entryDN: cn=Monitor
     subschemaSubentry: cn=Subschema
     hasSubordinates: TRUE
     ...
<http://errata.software-univention.de/ucs/4.4/172.html>