Univention Bugzilla – Bug 49734
Split LDAP ACL file 60univention-ldap-server_acl-slave
Last modified: 2021-06-23 07:29:05 CEST
We had two security related cases where we needed to move the LDAP ACLs from the 6*univention to the 58univention prefix, because otherwise on a DC Slave they weren't evaluated and granted read-access to critical attributes. A better solution is just to split the 60univention-ldap-server_acl-slave file into 60univention-ldap-server_acl-slave and 70univention-ldap-server_acl-slave-end.
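The ordering problem behind this bug, as an added example that is not part of the bug report or of Univention's code: a small Python model of how numbered UCR template fragments are concatenated into slapd.conf and how slapd picks the first matching `access to` clause. The fragment contents and the `66example-app.acl` name are constructed, and the model assumes the slave template ended with a catch-all `access to * by * read` rule.

```python
import re

# Constructed fragments; the real template contents are not reproduced here.
# Assumption: the slave ACL template ends with a broad catch-all clause.
APP_ACL = {"66example-app.acl": ["access to attrs=exampleSecret by * none"]}
BEFORE = {"60univention-ldap-server_acl-slave": [
    "access to attrs=userPassword by self write",
    "access to * by * read"]}
AFTER = {"60univention-ldap-server_acl-slave": [
    "access to attrs=userPassword by self write"],
    "70univention-ldap-server_acl-slave-end": ["access to * by * read"]}

def assemble(fragments):
    """Concatenate fragments in lexical order of their numeric prefix,
    which is how the numbered UCR template pieces end up in slapd.conf."""
    return [line for _, body in sorted(fragments.items()) for line in body]

def parse_acls(lines):
    """Parse a minimal subset: 'access to <*|attrs=a,b> by <who> <level>'."""
    acls = []
    for line in lines:
        m = re.match(r"access to (\*|attrs=(\S+)) by (\S+) (\S+)", line.strip())
        if m:
            attrs = None if m.group(1) == "*" else set(m.group(2).split(","))
            acls.append((attrs, m.group(3), m.group(4), line.strip()))
    return acls

def decide(acls, attr, who):
    """slapd semantics: the FIRST 'access to' clause whose <what> covers the
    attribute is selected; if none of its 'by' parts match the requester,
    access is denied (implicit 'by * none') and later clauses are never read."""
    for attrs, by_who, level, _ in acls:
        if attrs is None or attr in attrs:
            return level if by_who in ("*", who) else "none"
    return "none"

def effective_access(base, app, attr, who):
    """Access level the combined slapd.conf grants <who> on <attr>."""
    return decide(parse_acls(assemble({**base, **app})), attr, who)

def shadowed_clauses(fragments):
    """Lint: every clause after an unconditional 'access to *' is dead."""
    dead, seen_catchall = [], False
    for attrs, _, _, text in parse_acls(assemble(fragments)):
        if seen_catchall:
            dead.append(text)
        elif attrs is None:
            seen_catchall = True
    return dead

if __name__ == "__main__":
    print("before:", effective_access(BEFORE, APP_ACL, "exampleSecret", "anonymous"))
    print("after: ", effective_access(AFTER, APP_ACL, "exampleSecret", "anonymous"))
    print("dead clauses before split:", shadowed_clauses({**BEFORE, **APP_ACL}))
```

With the unsplit template the app's 66 fragment sorts behind the catch-all and is never consulted; with the catch-all moved to the 70 file it sorts in between and takes effect.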
Apps that may be affected by changes in the ACLs:

ez-core=6.5.0
ez-project=6.5.0
ez-sales=6.5.0
maildisclaimer=2.2.5
openvpn4ucs=1.1.16
ox-app-suite=7.10.1-ucs2
oxseforucs=7.10.2-ucs1
ucsschool=4.4 v3
4.3/ez-core=6.5.0
4.3/ez-project=6.5.0
4.3/ez-sales=6.5.0
4.3/horde=5.2.17-3
4.3/maildisclaimer=2.2.3
4.3/openvpn4ucs=1.1.16
4.3/oxseforucs=7.10.1-ucs3
4.3/ucsschool=4.3 v9

Reason:

ATTENTION: Only mentioning the 4.4 Apps if 4.4 and 4.3 apparently use the same (or similar) packages.

Suspicious files:

4.3/horde=5.2.17-3
univention-repository/4.3/maintained/component/horde_20190403131236/all/php-horde_5.2.13+debian0-1_all.deb
-rw-r--r-- root/root 227 2016-12-18 22:01 ./usr/share/php/data/horde/scripts/ldap/horde.prefs.acl
(probably not?)

ez-core=6.5.0
univention-repository/4.4/maintained/component/ez-core_20180219093956/all/univention-ez-core-ldap_1.1-11_all.deb
-rw-r--r-- root/root 708 2018-02-08 17:13 ./usr/share/univention-ez-core/ez-core.acl

ez-project=6.5.0
univention-repository/4.4/maintained/component/ez-project_20180219094152/all/univention-ez-core-ldap_1.1-11_all.deb
-rw-r--r-- root/root 708 2018-02-08 17:13 ./usr/share/univention-ez-core/ez-core.acl

ez-sales=6.5.0
univention-repository/4.4/maintained/component/ez-sales_20180219094311/all/univention-ez-core-ldap_1.1-11_all.deb
-rw-r--r-- root/root 708 2018-02-08 17:13 ./usr/share/univention-ez-core/ez-core.acl

maildisclaimer=2.2.5
univention-repository/4.4/maintained/component/maildisclaimer_20190603120828/all/univention-maildisclaimer_1.1.0-2_all.deb
-rw-r--r-- root/root 1416 2019-05-27 09:30 ./usr/share/maildisclaimer/schema/66maildisclaimer-ldap.acl

openvpn4ucs=1.1.16
univention-repository/4.4/maintained/component/openvpn4ucs_20190115132644/all/univention-openvpn-master_1.1.16_all.deb
-rw-r--r-- root/root 119 2019-01-14 13:00 ./usr/lib/openvpn-int/misc/63openvpn-sitetosite.acl

oxseforucs=7.10.2-ucs1
univention-repository/4.4/maintained/component/oxseforucs_20190516143905/all/univention-ox_11.0.0-20A~4.4.0.201906171640_all.deb
-rw-r--r-- root/root 1327 2019-06-17 16:14 ./usr/share/univention-ox/ldap/66oxforucs.acl

Joinscripts in App Center:

ox-app-suite=7.10.1-ucs2
univention-repository/4.4/maintained/component/ox-app-suite_20190416163019/inst
                *.acl) args+=(--acl "$1") ;;

ox-app-suite=7.10.1-ucs2
univention-repository/4.4/maintained/component/ox-app-suite_20190416163019/inst
        register_ldap_extension "$@" -- "$APP_SHARE_PATH"/ldap/*.acl "$APP_SHARE_PATH"/ldap/oxforucs.schema "$APP_SHARE_PATH"/udm/syntax/*.py "$APP_SHARE_PATH"/udm/hooks/*.py

Joinscripts in packages:

maildisclaimer=2.2.5
/home/dwiesent/4.4/maildisclaimer_20190603120828/all/univention-maildisclaimer/1.1.0-2/usr/lib/univention-install/35univention-maildisclaimer.inst
        --acl "/usr/share/$APP/schema/66maildisclaimer-ldap.acl" \

ucsschool=4.4 v3
/home/dwiesent/4.4/ucsschool_20190723074557/all/ucs-school-ldap-acls-master/17.0.2-1A~4.4.0.201907042205/usr/lib/univention-install/70ucsschool-ldap-acls-master.inst
ucs_registerLDAPExtension "$@" --acl /usr/share/ucs-school-ldap-acls-master/65ucsschool || die

ucsschool=4.4 v3
/home/dwiesent/4.4/ucsschool_20190723074557/all/ucs-school-ldap-acls-master/17.0.2-1A~4.4.0.201907042205/usr/lib/univention-install/70ucsschool-ldap-acls-master.inst
ucs_registerLDAPExtension "$@" --acl /usr/share/ucs-school-ldap-acls-master/61ucsschool_presettings || die

oxseforucs=7.10.2-ucs1
/home/dwiesent/4.4/oxseforucs_20190516143905/all/univention-ox/11.0.0-20A~4.4.0.201906171640/usr/lib/univention-install/65univention-ox.inst
            *.acl) args+=(--acl "$1") ;;

openvpn4ucs=1.1.16
/home/dwiesent/4.4/openvpn4ucs_20190115132644/all/univention-openvpn-master/1.1.16/usr/lib/univention-install/94univention-openvpn-master.inst
        --acl /usr/lib/openvpn-int/misc/63openvpn-sitetosite.acl

ez-sales=6.5.0
/home/dwiesent/4.4/ez-sales_20180219094311/all/univention-ez-core-ldap/1.1-11/usr/lib/univention-install/67ez-core-ldap.inst
        --acl /usr/share/univention-ez-core/ez-core.acl

ez-project=6.5.0
/home/dwiesent/4.4/ez-project_20180219094152/all/univention-ez-core-ldap/1.1-11/usr/lib/univention-install/67ez-core-ldap.inst
        --acl /usr/share/univention-ez-core/ez-core.acl

ez-core=6.5.0
/home/dwiesent/4.4/ez-core_20180219093956/all/univention-ez-core-ldap/1.1-11/usr/lib/univention-install/67ez-core-ldap.inst
        --acl /usr/share/univention-ez-core/ez-core.acl
Split the ACLs.

univention-ldap.yaml 4170d22b0506 | YAML Bug #49734
univention-ldap (15.0.0-23) bac80c73dd05 | Bug #49734: split ACL's of DC Slave into 60- and 70- UCR template
OK: Change
OK: Apps
OK: UCS@school
OK: Packages
OK: YAML
<http://errata.software-univention.de/ucs/4.4/277.html>