Restrict read access for students

In a regular UCS setup all authenticated users can read most of the AD/LDAP, including other users data.
This article describes various settings that can be made to prevent students from reading data from the OpenLDAP or Samba4/AD server.


The permission of student must be changed for both OpenLDAP and Samba4 / AD.


Save the following LDAP ACLs to a file /usr/local/share/64ucsschool_student_no_access.acl on the DC master.
When installed, the ACLs prevent students from reading the user account data of school_administrators, staff, teachers and other students.
The user accounts are hidden completely including the DN (not only the LDAP objects attributes), to prevent harvesting of given names and last names, in case they are part of the username (which is part of the DN).

# Students are not allowed to see user accounts
access to filter="univentionObjectType=users/user"
        by self break
        by set="user/objectClass & [ucsschoolStudent]" none stop
        by * break

# Students are not allowed to read members of groups
access to filter="objectClass=posixGroup" attrs=memberUid,uniqueMember
        by set="user/objectClass & [ucsschoolStudent]" none stop
        by * break

# Students are not allowed to see printers
access to filter="objectClass=univentionPrinter"
        by set="user/objectClass & [ucsschoolStudent]" none stop
        by * break

# Students are not allowed to see computers
access to filter="objectClass=univentionHost"
        by set="user/objectClass & [ucsschoolStudent]" none stop
        by * break

Install the ACLs by running as root on the DC master:

$ . /usr/share/univention-lib/
$ ucs_registerLDAPExtension \
    --packagename ucsschool_student_no_access \
    --packageversion 1.0 \
    --acl /usr/local/share/64ucsschool_student_no_access.acl

To test the effects of the ACLs, search the LDAP using the credentials of a user and of a regular user:

$ ldapsearch -LLL -x -D "uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,$(ucr get ldap/base)" -w p4ssw0rd uid=demo_teacher
# prints no result
$ ldapsearch -LLL -x -D "uid=demo_teacher,cn=lehrer,cn=users,ou=DEMOSCHOOL,$(ucr get ldap/base)" -w p4ssw0rd uid=demo_teacher
# prints user data

Samba 4 / AD

Before you begin, please note that it is currently not possible to revert the following changes with the samba-tool utility. You will need a Windows system with RSAT tools.
Start by enabling samba search acl and restart samba:

ucr set samba/acl_search=yes; /etc/init.d/samba restart

Second get the samba objectSID of the group which should have restricted read access. For example:

univention-s4search cn=schueler-DEMOSCHOOL objectSid

Now use that object SID to disallow read access to any object directly under the given container:

samba-tool dsacl set --sddl="(D;;LC;;;$objectSID)" --objectdn="CN=lehrer,CN=users,OU=DEMOSCHOOL,$(ucr get samba4/ldap/base)" 

In this example students from the DEMOSCHOOL ou can’t read teacher objects of the DEMOSCHOOL ou.
In most cases you also want to set this on the cn=mitarbeiter, cn=lehrer und mitarbeiter and cn=admin conatiners in your school.

Note: If you disallow read access to the student container cn=schueler for the students group, students can’t read their own object in the samba directory anymore. This didn’t have an impact in our test enviroment, but it might differ for you.


To revert to the default ACLs, the above setting must be undone.


If you wish to deactivate the ACLs, run on the DC master:

$ . /usr/share/univention-lib/
$ ucs_unregisterLDAPExtension --acl 64ucsschool_student_no_access
$ ucr commit /etc/ldap/slapd.conf
$ service slapd restart

Samba 4 / AD

Use the “Users and Computers” module from the RSAT tools. Make sure the “Extended Features” under “View” are enabled and navigate to the container which should be readable again. Right click on it and choose “Properties”, next click on the “Security” tab and delete the rule for the group that is read restricted.