Univention Bugzilla – Bug 50052
[UDM HTTP API] support read-only cn=admin connection
Last modified: 2019-09-22 15:51:13 CEST
+++ This bug was initially created as a clone of Bug #50051 +++ UCS@school installs very complex LDAP ACLs. Traversing them takes time → costs performance. In some situations the identity of the client has already been verified and thus the backend code uses a cn=admin connection for performance reasons. In dry-runs or when only retrieving information from LDAP, a connection that does not allow (accidentally) writing to LDAP is used. Support using a read-only cn=admin connection with the UDM HTTP API.
There is no such thing as a read only cn=admin connection. cn=admin has all permissions and there is no way to restrict this. If you want a read only connection, create any user which has read permissions to everything and write permissions to nothing. Then use that user. I think this can be done in a UCS@school joinscript and ACLs. What does the UDM REST API need to do here?
(In reply to Florian Best from comment #1)
> There is no such thing as a read only cn=admin connection. cn=admin has all
> permissions and there is no way to restrict this.
>
> If you want a read only connection, create any user which has read
> permissions to everything and write permissions to nothing. Then use that
> user.

The cn=admin user gets special treatment in the LDAP ACLs. That speeds up things a lot. Using that user is a requirement for a fast import.

If I connect with a user... let's say "admin-ro"... that should represent that cn=admin r/o connection, then I want the UDM REST API to use a cn=admin connection, but have all write operations disabled in the uldap Python code.

In UCS@school we have an implementation here: https://git.knut.univention.de/univention/ucsschool/blob/4.4/ucs-school-import/modules/ucsschool/importer/utils/ldap_connection.py#L129
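As an added illustration (not code from this bug report, from UCS@school or from univention.uldap), one way to get the effect asked for in comment #2: bind with the privileged account for speed, but wrap the connection object so that every write method is refused in the client code and recorded for a dry-run report. `FakeAdminConnection` and the method names in `READ_METHODS`/`WRITE_METHODS` are assumptions for this example. The caveat from comment #1 still applies and is deliberately shown at the end of `demo()`: the server sees a fully privileged bind, so this protects against accidental writes during dry-runs and lookups, not against code that holds the unwrapped connection.

```python
"""Client-side read-only wrapper for a privileged LDAP connection.

Added example, not the UCS@school or univention.uldap implementation.
FakeAdminConnection stands in for a cn=admin uldap connection so that the
example runs offline; all method names are assumptions for this example.
"""


class ReadOnlyConnectionError(PermissionError):
    """Raised when a write method is invoked through the read-only wrapper."""


class ReadOnlyAccess:
    """Proxy that forwards read operations and refuses every write.

    The LDAP server still sees a fully privileged bind (the point of using
    cn=admin is to skip the expensive ACL evaluation), so this only protects
    against accidental writes in dry-runs and lookups.  It is not an
    access-control boundary: code holding the wrapped object can still write.
    """

    # Methods forwarded unchanged to the underlying connection (assumed names).
    READ_METHODS = frozenset({"search", "searchDn", "get", "getAttr", "whoami"})
    # Methods that mutate the directory and are refused (assumed names).
    WRITE_METHODS = frozenset({
        "add", "modify", "delete", "rename",
        "add_s", "modify_s", "delete_s", "rename_s", "modify_ext_s",
    })

    def __init__(self, connection):
        self._conn = connection
        # Every refused call is recorded so a dry-run can report what it
        # would have changed.
        self.attempted_writes = []

    def __getattr__(self, name):
        # Only reached for attributes not found on the wrapper itself.
        if name in self.READ_METHODS:
            return getattr(self._conn, name)
        if name in self.WRITE_METHODS:
            def refuse(*args, **kwargs):
                self.attempted_writes.append((name, args, kwargs))
                raise ReadOnlyConnectionError(
                    f"{name}() refused: connection is read-only")
            return refuse
        # Fail closed: anything unclassified is not forwarded either.
        raise AttributeError(
            f"{name!r} is not a known read operation; refusing to forward it")


class FakeAdminConnection:
    """Constructed stand-in for a privileged connection with two entries."""

    def __init__(self):
        self.entries = {
            "uid=alice,cn=users,dc=example,dc=com": {
                "uid": [b"alice"], "mail": [b"alice@example.com"]},
            "uid=bob,cn=users,dc=example,dc=com": {
                "uid": [b"bob"], "mail": [b"bob@example.com"]},
        }
        self.writes = []  # what actually reached the "server"

    def search(self, ldap_filter="(objectClass=*)", base="", attr=None):
        # The filter is ignored in this stand-in; every entry is returned.
        return [(dn, dict(attrs)) for dn, attrs in self.entries.items()]

    def get(self, dn, attr=None):
        return dict(self.entries.get(dn, {}))

    def modify(self, dn, changes):
        self.writes.append(("modify", dn, changes))
        for attribute, new_values in changes:
            self.entries[dn][attribute] = new_values

    def delete(self, dn):
        self.writes.append(("delete", dn))
        self.entries.pop(dn, None)


def demo():
    """Read through the wrapper, attempt a write, then write directly."""
    admin = FakeAdminConnection()
    ro = ReadOnlyAccess(admin)
    dn = "uid=alice,cn=users,dc=example,dc=com"

    mail = ro.get(dn)["mail"]                # read is forwarded
    count = len(ro.search("(uid=*)"))

    try:
        ro.modify(dn, [("mail", [b"evil@example.com"])])
        refused = False
    except ReadOnlyConnectionError:
        refused = True
    writes_via_wrapper = len(admin.writes)   # nothing reached the server

    # The underlying bind is unrestricted: a direct call goes through.
    admin.modify(dn, [("mail", [b"alice@corp.example"])])

    return {
        "mail": mail,
        "count": count,
        "refused": refused,
        "attempted": [op for op, _, _ in ro.attempted_writes],
        "writes_via_wrapper": writes_via_wrapper,
        "writes_direct": len(admin.writes),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist in `__getattr__` is the important design choice: unknown attributes are not forwarded, so a new write-capable method on the underlying connection cannot slip through the wrapper unnoticed. The recorded `attempted_writes` give a dry-run exactly the list of operations that a real run would have performed.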