In a regular UCS setup all authenticated users can read most of the AD/LDAP directory, including other users' data.
This article describes various settings that prevent students from reading data from the OpenLDAP or Samba4/AD server.
The permissions of students must be changed for both OpenLDAP and Samba4 / AD, because both directories are readable independently of each other.
Save the following LDAP ACLs to the file /usr/local/share/64ucsschool_student_no_access.acl on the DC master.
When installed, the ACLs prevent students from reading the user account data of school administrators, staff, teachers and other students.
The user accounts are hidden completely, including their DNs (not only the attributes of the LDAP objects), to prevent harvesting of given names and surnames in case they are part of the username (which is part of the DN). The "by self break" clause in the first ACL lets a student's lookup of their own entry fall through to the later ACLs instead of being stopped by the deny, so students keep access to their own account.
# Students are not allowed to see user accounts
access to filter="univentionObjectType=users/user"
    by self break
    by set="user/objectClass & [ucsschoolStudent]" none stop
    by * break

# Students are not allowed to read members of groups
access to filter="objectClass=posixGroup" attrs=memberUid,uniqueMember
    by set="user/objectClass & [ucsschoolStudent]" none stop
    by * break

# Students are not allowed to see printers
access to filter="objectClass=univentionPrinter"
    by set="user/objectClass & [ucsschoolStudent]" none stop
    by * break

# Students are not allowed to see computers
access to filter="objectClass=univentionHost"
    by set="user/objectClass & [ucsschoolStudent]" none stop
    by * break
Install the ACLs by running the following as root on the DC master:
$ . /usr/share/univention-lib/ldap.sh
$ ucs_registerLDAPExtension \
    --packagename ucsschool_student_no_access \
    --packageversion 1.0 \
    --acl /usr/local/share/64ucsschool_student_no_access.acl
To test the effect of the ACLs, search the LDAP directory once with the credentials of a student and once with the credentials of a teacher; the student search must return nothing, the teacher search must return the user data:
$ ldapsearch -LLL -x -D "uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,$(ucr get ldap/base)" -w p4ssw0rd uid=demo_teacher
# prints no result
$ ldapsearch -LLL -x -D "uid=demo_teacher,cn=lehrer,cn=users,ou=DEMOSCHOOL,$(ucr get ldap/base)" -w p4ssw0rd uid=demo_teacher
# prints user data
Samba 4 / AD
Before you begin, please note that it is currently not possible to revert the following changes with the samba-tool utility. You will need a Windows system with the RSAT tools installed.
Start by enabling ACL-aware searching in Samba (the UCR variable samba/acl_search sets acl:search in the Samba configuration) and restart Samba:
ucr set samba/acl_search=yes; /etc/init.d/samba restart
Second, get the objectSid of the group whose read access should be restricted. For example, for the student group of the DEMOSCHOOL OU:
univention-s4search cn=schueler-DEMOSCHOOL objectSid
Now use that objectSid to deny the group read access to the objects directly under a given container. The SDDL ACE (D;;LC;;;<SID>) is a Deny entry for the "list children" (LC) right on the container; together with acl:search this hides the container's child objects from members of the group. Replace $objectSID with the SID printed by the previous command:
samba-tool dsacl set --sddl="(D;;LC;;;$objectSID)" --objectdn="CN=lehrer,CN=users,OU=DEMOSCHOOL,$(ucr get samba4/ldap/base)"
In this example, students of the DEMOSCHOOL OU can no longer read the teacher objects of the DEMOSCHOOL OU.
In most cases you also want to set this on the "cn=lehrer und mitarbeiter" and "cn=admin" containers of your school.
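The Samba step above hinges on two strings a practitioner easily gets wrong: the objectSid copied out of the univention-s4search output and the SDDL ACE handed to samba-tool. The following Python helpers, added here as an example and not part of the original article or of UCS, pull the SID out of constructed sample search output, build the deny ACE exactly as used above, decode any SDDL ACE into its six fields with the right tokens spelled out (so one can verify that "LC" really is "List Children" and "D" really is "Deny" before applying it), and assemble the samba-tool argument list without running it. The sample output, the SID and the base DN are made up; the SDDL right tokens follow the documented SDDL ACE format.

```python
import re

# SDDL access-right tokens for directory objects (subset, per the SDDL ACE string format).
SDDL_RIGHTS = {
    "CC": "Create Child",
    "DC": "Delete Child",
    "LC": "List Children",
    "SW": "Self Write",
    "RP": "Read Property",
    "WP": "Write Property",
    "DT": "Delete Tree",
    "LO": "List Object",
    "CR": "Control Access",
    "SD": "Standard Delete",
    "RC": "Read Control",
    "WD": "Write DAC",
    "WO": "Write Owner",
    "GR": "Generic Read",
    "GW": "Generic Write",
    "GX": "Generic Execute",
    "GA": "Generic All",
}
ACE_TYPES = {"A": "Allow", "D": "Deny"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample of what `univention-s4search cn=schueler-DEMOSCHOOL objectSid`
# prints; the SID and the base DN are invented for this example.
SAMPLE_S4SEARCH_OUTPUT = """\
# record 1
dn: CN=schueler-DEMOSCHOOL,CN=groups,OU=DEMOSCHOOL,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105

# returned 1 records
# 1 entries
# 0 referrals
"""


def extract_object_sid(search_output: str) -> str:
    """Return the objectSid value from LDIF-style search output.

    A base64-encoded value ("objectSid:: ...") is rejected rather than
    silently used, because samba-tool needs the S-1-5-... string form.
    """
    for line in search_output.splitlines():
        if line.startswith("objectSid:"):
            sid = line.split(":", 1)[1].strip()
            if not SID_RE.match(sid):
                raise ValueError(f"unexpected objectSid value: {sid!r}")
            return sid
    raise ValueError("no objectSid attribute in search output")


def deny_list_children_ace(trustee_sid: str) -> str:
    """Build the SDDL deny ACE used in the article: (D;;LC;;;<SID>)."""
    if not SID_RE.match(trustee_sid):
        raise ValueError(f"not a SID: {trustee_sid!r}")
    return f"(D;;LC;;;{trustee_sid})"


def decode_ace(ace: str) -> dict:
    """Split an SDDL ACE string into its six fields and name the rights."""
    m = re.fullmatch(r"\(([^()]*)\)", ace)
    if not m:
        raise ValueError("ACE must be a single parenthesised string")
    fields = m.group(1).split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 ';'-separated fields, got {len(fields)}")
    ace_type, flags, rights, object_guid, inherit_guid, trustee = fields
    if rights.lower().startswith("0x"):
        named_rights = [rights]  # raw access mask; leave it as written
    else:
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [t for t in tokens if t not in SDDL_RIGHTS]
        if unknown:
            raise ValueError(f"unknown right token(s): {unknown}")
        named_rights = [SDDL_RIGHTS[t] for t in tokens]
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": flags,
        "rights": named_rights,
        "object_type": object_guid,
        "inherited_object_type": inherit_guid,
        "trustee": trustee,
    }


def samba_tool_dsacl_command(trustee_sid: str, container_dn: str) -> list:
    """argv for the samba-tool call from the article; built, not executed."""
    return [
        "samba-tool", "dsacl", "set",
        f"--sddl={deny_list_children_ace(trustee_sid)}",
        f"--objectdn={container_dn}",
    ]


if __name__ == "__main__":
    sid = extract_object_sid(SAMPLE_S4SEARCH_OUTPUT)
    print(decode_ace(deny_list_children_ace(sid)))
    teachers = "CN=lehrer,CN=users,OU=DEMOSCHOOL,DC=example,DC=com"
    print(" ".join(samba_tool_dsacl_command(sid, teachers)))
```

On a real DC master, feed the output of univention-s4search into extract_object_sid instead of the sample and pass the container DN built from "ucr get samba4/ldap/base"; decode_ace is also handy for reviewing the ACEs shown by "samba-tool dsacl get" before and after the change.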
Note: If you deny the student group read access to the student container cn=schueler itself, students can no longer read their own object in the Samba directory. This had no impact in our test environment, but it might differ for you.
To revert to the default ACLs, the above settings must be undone.
To deactivate the OpenLDAP ACLs, run on the DC master:
$ . /usr/share/univention-lib/ldap.sh
$ ucs_unregisterLDAPExtension --acl 64ucsschool_student_no_access
$ ucr commit /etc/ldap/slapd.conf
$ service slapd restart
Samba 4 / AD
Use the "Active Directory Users and Computers" module from the RSAT tools. Make sure "Advanced Features" in the "View" menu is enabled and navigate to the container that should be readable again. Right-click it and choose "Properties", open the "Security" tab and remove the Deny entry for the group whose read access was restricted.