Univention Bugzilla – Bug 50688
UMC module for Portal settings cannot be selected in a UMC policy
Last modified: 2020-05-27 12:12:46 CEST
UCS version: 4.4-3, latest errata

Scenario: I want to show only certain UMC modules to a specific user/group. Or the other way round: I want to hide certain UMC modules from specific users/groups.

Expected behaviour: I create a new UMC policy, add the UMC module for Portal settings (among others) and assign this UMC policy to users/groups.

Observed behaviour: I create a new UMC policy, but can't find the UMC module for Portal settings. It's missing from the dropdown.

Additional information: Most UMC modules do have a "UMC operation set", e.g. the yellow "Users" module is called "udm-users". The module "Portal settings" is missing such a UMC operation set. It cannot be selected in a UMC policy.

Side effect: The visual mode to modify the active portal "live" also gets lost if I don't add "udm-all".
Created attachment 10277 [details] Screenshot of dropdown
fix on branch ccastens/50688-portal-settings-via-policy The Portal settings module is now available for UMC policies.
Package: univention-management-console-module-udm
Version: 9.0.15-6A~4.4.0.202005131133
Branch: ucs_4.4-0
Scope: errata4.4-4

commit 4ec9cd51006fc9a33aebcd95b9d6b67550c8e4bf
commit 4a8e21f3052c67cf07fdd005c474eb5ca8b4e89a
commit ea521336f3e7bde136a131582d236dc4733697b2

It is now possible to assign the Portal Settings module to users and groups via UMC policies. In order to do that, you must assign the following four UMC operation sets to a UMC policy: udm-portal, udm-license, udm-validate and udm-syntax. Then you can assign that UMC policy to groups and users in order to make the Portal Settings module available for them.
I have the following user:

  -> univention-policy-result -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret uid=test1,dc=w2k12,dc=test
  Policy: cn=umc-portal,cn=policies,dc=w2k12,dc=test
  Attribute: umcPolicyGrantedOperationSet
  Value: cn=udm-license,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
  Value: cn=udm-syntax,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
  Value: cn=udm-validate,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
  Value: cn=udm-portal,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test

(a) If I create a new portal entry and click on "ADD" for "Restrict visibility to groups", I get

  An error occurred
  You are not authorized to perform this action.
  Server error message: Verboten

This comes only once per new entry and I can close this message and proceed with the creation of the new entry.

(b) After clicking "FINISH" in the "Create Entry" dialog, I get

  Notification
  The portal entry object could not be saved: Permission denied.

umc-udm.log:

  18.05.20 11:54:51.942  ADMIN       ( ERROR   ) : Creating u'cn=sfsdfds,cn=portal,cn=univention,dc=w2k12,dc=test' failed:
  Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
      self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
    File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
      raise univention.admin.uexceptions.permissionDenied
  permissionDenied
  18.05.20 11:54:51.942  MODULE      ( WARN    ) : Failed to create LDAP object: permissionDenied:

(c) The version of the join script has been increased. I was under the impression that we should not do that in errata updates?

(d) We need documentation for this new feature. So please add some hints in the portal docu or create a new bug for that.
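A small check, run over univention-policy-result output like the one above, that reports which of the four operation sets named in the fix comment are still missing from a user's effective UMC policy. This is an added example, not Univention code; the sample output is constructed (modelled on the output above, but with udm-portal left out), and treating udm-all as sufficient is taken from the reporter's workaround in the bug description.

```python
"""Added example (not Univention code): verify that a user's effective UMC policy
grants every operation set the Portal settings module needs."""
import re

# The four operation sets named in the fix for this bug.
PORTAL_OPERATION_SETS = frozenset({"udm-portal", "udm-license", "udm-validate", "udm-syntax"})
# Reporter's workaround from the bug description: udm-all exposes the module as well.
ALL_UDM_OPERATION_SET = "udm-all"

# Constructed sample of `univention-policy-result <user dn>` output, modelled on
# the output above but deliberately missing udm-portal.
SAMPLE_OUTPUT = """\
Policy: cn=umc-portal,cn=policies,dc=w2k12,dc=test
Attribute: umcPolicyGrantedOperationSet
Value: cn=udm-license,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
Value: cn=udm-syntax,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
Value: cn=udm-validate,cn=operations,cn=UMC,cn=univention,dc=w2k12,dc=test
"""

def parse_policy_result(text):
    """Map each 'Attribute:' line to the list of 'Value:' lines that follow it."""
    result = {}
    attribute = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Attribute:"):
            attribute = line.split(":", 1)[1].strip()
            result.setdefault(attribute, [])
        elif line.startswith("Value:") and attribute is not None:
            result[attribute].append(line.split(":", 1)[1].strip())
    return result

def granted_operation_sets(text):
    """Names (the leading cn=) of all granted UMC operation sets, lower-cased."""
    names = set()
    for dn in parse_policy_result(text).get("umcPolicyGrantedOperationSet", []):
        match = re.match(r"cn=([^,]+),cn=operations,cn=UMC,", dn, re.IGNORECASE)
        if match:
            names.add(match.group(1).lower())
    return names

def missing_for_portal(text):
    """Operation sets still to be granted before Portal settings shows up;
    an empty list means the module is available to the user."""
    granted = granted_operation_sets(text)
    if ALL_UDM_OPERATION_SET in granted:
        return []
    return sorted(PORTAL_OPERATION_SETS - granted)
```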
b) is because of missing LDAP ACLs. That's something a customer must implement for himself.
(In reply to Florian Best from comment #5)
> b) is because of missing LDAP ACLs. That's something a customer must
> implement for himself.

We decided to just document this. Something like this worked for me:

On the Domaincontroller Master system create a file like (with the appropriate group name) /opt/62my-portal-acl.acl:

  access to dn="cn=portal,cn=univention,@%@ldap/base@%@" attrs=children
      by group/univentionGroup/uniqueMember="cn=Domain Users,cn=groups,@%@ldap/base@%@" write
      by * +0 break

  access to dn.children="cn=portal,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal
      by group/univentionGroup/uniqueMember="cn=Domain Users,cn=groups,@%@ldap/base@%@" write
      by * +0 break

Then run the following command:

  -> udm settings/ldapacl create --position "cn=ldapacl,cn=univention,$(ucr get ldap/base)" --set name=62my-portal-acl --set filename=62my-portal-acl --set data="$(bzip2 -c /opt/62my-portal-acl.acl | base64)" --set package="62my-portal-acl" --set packageversion=1

To remove the ACL run the following command:

  -> udm settings/ldapacl remove --dn "cn=62my-portal-acl,cn=ldapacl,cn=univention,dc=four,dc=four"

@florian, is this ACL OK? (just copied from the original portal ACL)
(In reply to Felix Botner from comment #6)
> @florian, is this ACL OK? (just copied from the original portal ACL)

Basically yes, but don't document this with "Domain Users"… Create a different group like "Portal Admins".
Ah sorry, still some todos:

(a) I can't add or create a new category (The creation failed: Permission denied)

  Creating u'cn=fdsfdsf,cn=categories,cn=portal,cn=univention,dc=w2k12,dc=test' failed:
  Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
      self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
    File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
      raise univention.admin.uexceptions.permissionDenied
  permissionDenied

So the ACL seems to be incomplete.

(b) Fix the documentation (de), there are some warnings in the jenkins job: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-4/view/Documentation/job/HandbookUCS/411/warnings5Result/

(c) Add documentation (en)

(d) Discuss if it is OK to increase the join script version
Successful build
Package: univention-portal
Version: 3.0.2-6A~4.4.0.202005261326
Branch: ucs_4.4-0
Scope: errata4.4-4
User: jbremer

3304869de1 Bug #50688: doku: ldap server must be restarted
0e83be74f8 Bug #50688: yaml
1c359c75c9 Bug #50688: Enable user not in domain admins to see categories without entries, to enable creation of new entries.
dd772d46e5 Bug #50688: Add english manual entry, extend ACL

I extended the ACL. I noticed one problem for every user who is not in the "Domain Admins" group: categories with no entries were not shown, which meant that users could not add entries to their created category. I changed this, so that empty categories are also shown for non-admins. Entries can still be filtered for non-admins.
da379d6116 Bug #50688: doku indentation
0961cbde35 Bug #50688: typo doku

Also fixed two minor issues in the documentation.
ef39c471f8 Bug #50688: doku ldap server does not need to be restarted

The LDAP server is automatically restarted after a settings/ldapacl object is added. I removed this part from the docu again.
OK - yaml
OK - LDAP ACL
OK - create/change/delete entries/categories with non-Admin user
OK - doku
<http://errata.software-univention.de/ucs/4.4/616.html> <http://errata.software-univention.de/ucs/4.4/617.html>