First Last Prev Next    This bug is not in your last search results.
Bug 49827 - Insufficient rights for student accounts in subcontainers of cn=schueler,cn=users,ou=$SchoolOU
Insufficient rights for student accounts in subcontainers of cn=schueler,cn=u...
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS@school maintainers
:
Depends on: 41115
Blocks: 49764
  Show dependency treegraph
 
Reported: 2019-07-09 16:53 CEST by Arvid Requate
Modified: 2019-07-10 11:11 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2019-07-09 16:53:41 CEST 
The content of subcontainers of cn=users,ou=$SchoolOU  is not replicated to schools. That unnecessarily restricts the options of UCS@school administrators to sub-structure their users (and groups), e.g. to implement access control on class granularity in Samba/AD with standard AD administration tools.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2019-07-10 10:08:34 CEST 
(In reply to Arvid Requate from comment #0)
> The content of subcontainers of cn=users,ou=$SchoolOU  is not replicated to
> schools. That unnecessarily restricts the options of UCS@school
> administrators to sub-structure their users (and groups), e.g. to implement
> access control on class granularity in Samba/AD with standard AD
> administration tools.

I'm not 100% sure if the replication is the main problem here. I think, that all objects (even subcontainers/OUs) are replicated, but several LDAP-ACLs for giving write permission rely on the exact position of certain LDAP objects.
Comment 2 Arvid Requate univentionstaff 2019-07-10 11:11:44 CEST 
Ok, right, i can create cn=class2,cn=schueler,cn=users,ou=sun,dc=schein,dc=me e.g. as Administrator from Windows with ADSIedit and then use the Active Directory Users and Computers tool to move a student into that subcontainer. That works. I have adjusted the subject of the bug accordingly.
First Last Prev Next    This bug is not in your last search results.