Univention Bugzilla – Bug 49764
Students can browse the AD directory
Last modified: 2019-11-12 08:19:52 CET
A customer complained that the students have the possibility to browse the AD directory and can see users, groups, classes and their members, and printers. This violates the privacy laws (DSGVO). Maybe this issue is related to Bug 42182.
That's normally a task of the AD administration to adjust this to the requirements of the customer. Maybe the UCS@school team has plans and ideas how to structure AD directory service access by defining directory service ACLs (DSACL), making use of the UCS@school group model. In that sense this bug is related to Bug 42182, but technically that requires different tools of implementation.
Created attachment 10099: shows the access
The customer's idea of what should not be shown: In particular, pupils but also members of the other two main user groups (teachers and employees) should be prevented from listing or searching the AD for users, groups, computers, and possibly also printers, or from displaying their content. In the meantime, I have suggested hiding the "Security Tab" via GPO.
I raised the "How will those affected feel about the bug?" to "User would return the product" because they will. They have to use Windows to be DSGVO conform. The customer tried everything he could to make sure students cannot browse the Samba4 directory, but the students have always found a way to bypass that. The AD browsing has to be blocked by ACLs on the server side. Possibilities for hiding the AD from the user found on the web cannot really be used, because nearly everything is adjusted to OUs.
The customer needs a patch until the end of the summer holiday which prevents students from browsing.
> The customer needs a patch until the end of the summer holiday which prevents students from browsing

My impression is that this case should be handled in a project, because the customer's demands can be quite different. A quick search on the topic of DSGVO and "IAM", "IDM", "Active Directory" and the like didn't come up with best practice recommendations. Additionally, if the customer has a deadline, this should be handled in product development. Please discuss with PO to define a reliable approach.
Please also note that this is an AD administration problem. I agree though that we may want to support the admins by providing customizable defaults that are useful for common scenarios - but these need to be identified first. Some links for technical approaches:

* https://www.experts-exchange.com/questions/28785041/Active-Directory-prevent-users-from-enumerating-other-AD-users-and-groups.html
* https://www.adaxes.com/tutorials_WebInterfaceCustomization_PreventUsersFromViewingTheADStructure.htm
The AD administration "best practices" are blocked by Bug 49827.
Based on a review with an external data protection officer, there is no general need to restrict the read access in more detail than it is done by default (restrict to the current school / entries replicated to the school slave host). There might be needs in case schools are big or the directory is used for more detailed information about pupils. To address these, we should support and document configuration options - I don't know if ACLs or GPOs are more appropriate.
An SDB article, explaining how to set up OpenLDAP and Samba4 ACLs, has been published at https://help.univention.com/t/restrict-read-access-for-student/13465
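Before applying a server-side Samba4 directory ACL as discussed in this bug, an administrator will want to check that the deny ACE actually wins for the student group. The following is an added example (not from the bug report, the SDB article or Univention's code): it builds the SDDL deny ACE, parses a DACL, and applies the simplified first-match evaluation a DC uses, which also shows why a deny ACE listed after an allow ACE is ineffective. The group SID and OU DN are constructed placeholders, and the `samba-tool dsacl set --objectdn/--sddl` argument form is an assumption.

```python
import re

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")
BROWSE_RIGHTS = {"LC", "RP"}  # LC = list children, RP = read property


def deny_browse_ace(group_sid):
    """Deny list-children and read-property to group_sid; CI = inherit to children."""
    return "(D;CI;LCRP;;;%s)" % group_sid


def parse_dacl(sddl):
    """Split the DACL part of an SDDL string into (type, flags, rights, trustee) tuples."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    aces = []
    for m in ACE_RE.finditer(dacl):
        ace_type, flags, rights, _obj_guid, _inh_guid, trustee = m.groups()
        # rights are concatenated two-letter codes, e.g. "LCRP" -> {"LC", "RP"}
        right_set = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, flags, right_set, trustee))
    return aces


def evaluate_access(sddl, trustee_sids, requested=BROWSE_RIGHTS):
    """Simplified first-match DACL evaluation: ACEs are checked in order, a matching
    deny for any still-requested right wins, allows accumulate until every requested
    right is granted. Returns "DENY" or "ALLOW" (no explicit grant -> implicit deny)."""
    remaining = set(requested)
    for ace_type, _flags, rights, trustee in parse_dacl(sddl):
        if trustee not in trustee_sids:
            continue
        if ace_type == "D" and rights & remaining:
            return "DENY"
        if ace_type == "A":
            remaining -= rights
            if not remaining:
                return "ALLOW"
    return "DENY"


def samba_tool_command(ou_dn, ace):
    """Command line that would add the ACE to the OU (argument form assumed)."""
    return "samba-tool dsacl set --objectdn='%s' --sddl='%s'" % (ou_dn, ace)


if __name__ == "__main__":
    students = "S-1-5-21-1-2-3-1105"  # constructed placeholder SID
    ace = deny_browse_ace(students)
    dacl = "D:" + ace + "(A;;LCRP;;;AU)"  # AU = Authenticated Users
    print(samba_tool_command("OU=school1,DC=example,DC=org", ace))
    print("student:", evaluate_access(dacl, {students, "AU"}), "teacher:", evaluate_access(dacl, {"AU"}))
```

The check reports DENY for a member of the student group and ALLOW for other authenticated users; swap the ACE order and the student is allowed, which is the ordering mistake to look for when reviewing an existing descriptor with `samba-tool dsacl get`.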
Article reviewed.
Article was made public in 5.11.