client >10.7.3 gives OpenLDAP users access to every Workgroup


Peter Hartmann
Hi,
I'm managing a network of iMacs using OpenLDAP for authentication as
well as storing MCX for groups.  It's been working beautifully with
Portable Home Directories once I added the machine-related MCX for
mobile user creation.   It rocks completely.  But... when I apply a
combo update for 10.7.4 or 10.7.5, my network users have access to
Workgroups they don't belong to.   If I use "Combine Available
Workgroups" set to false, a user in the 'student' group will get the
Workgroup picker at login that allows them to select the
'teacher' Workgroup.  Indeed, they can select any Workgroup at this
point and get the associated managed prefs for that group.   In a
similar scenario but with "Combine Available Workgroups" set to true,
the user in the student group gets a composite of all
Workgroups regardless of actual membership.  In System Information,
Managed Client shows this to be the case.  It's sourcing all
Workgroups for MCX settings instead of just the ones the user belongs
to.   Snippet from System Information:

com.apple.finder:

ProhibitGoToFolder:

  Value:    0
  State:    always
  Source:    Office (Group), osx-testgroup (Group),
osx-testgroup-teacher (Group), students (Group), teachers (Group),
youngens (Group)



id in Terminal shows the correct group membership as far as I can see.

Here's an example:

admin-user$ id test-student
uid=1002(test-student) gid=525(students)
groups=525(students),405(com.apple.sharepoint.group.4),408(com.apple.sharepoint.group.7),412(com.apple.sharepoint.group.11),206(com.apple.access_loginwindow),406(com.apple.sharepoint.group.5),410(com.apple.sharepoint.group.9),403(com.apple.sharepoint.group.2),414(com.apple.sharepoint.group.13),404(com.apple.sharepoint.group.3),12(everyone),62(netaccounts),98(_lpadmin),100(_lpoperator),402(com.apple.sharepoint.group.1),407(com.apple.sharepoint.group.6),413(com.apple.sharepoint.group.12),409(com.apple.sharepoint.group.8),416(com.apple.sharepoint.group.15),411(com.apple.sharepoint.group.10),415(com.apple.sharepoint.group.14),417(com.apple.sharepoint.group.16)


My search mappings haven't changed since the update.  Something that
might give a hint: I noticed that even some ComputerGroups that have
MCX were showing up in the Workgroup picker.   I made my search path a
bit more specific, i.e. ou=Groups,dc=mydomain,dc=com, and that went
away.  But it's interesting that it's grabbing any available MCX
settings regardless of group membership.     I tried adding even
more Apple-specific attributes to a group, like
apple-generatedguid, apple-group-memberguid and memberUid.  And I also
tried rolling back the ManagedClient.framework to 10.7.3.



Can anyone think of a good reason for this kind of thing to happen?

Many thanks in advance,


Peter Hartmann
Hartmann Computer Consulting
http://blog.hartmanncomputer.com


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      ([hidden email])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macos-x-server/lists%2Bs10970n2h62%40n7.nabble.com

This email sent to [hidden email]
Re: client >10.7.3 gives OpenLDAP users access to every Workgroup

Peter Hartmann
I figured it out in case it helps someone else.   ManagedClient.app
>=10.7.4 has new requirements for parsing Workgroups.  GID won't cut
it anymore.  While I had the newly required Workgroup attributes added
to users and groups in OpenLDAP, I hadn't added the new
RecordTypes/attributes mappings for users and groups:

Users just get:
GeneratedUID/apple-generateduid

Groups get:
GeneratedUID/apple-generateduid
GroupMembers/apple-group-memberuid
GroupMembership/memberUid




Peter Hartmann
Hartmann Computer Consulting
http://blog.hartmanncomputer.com


On Fri, Oct 18, 2013 at 1:45 AM, Peter Hartmann
<[hidden email]> wrote:


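As an added example (not code from the poster, from Apple, or from OpenLDAP), here is an offline Python model of what the fixed mapping lets a client do: compute a user's Workgroups from the GeneratedUID, GroupMembers and GroupMembership attributes rather than from GID alone, and refuse to compute membership at all when any of those mappings is missing. The LDIF, the DNs, the GUIDs and the two mapping dictionaries are constructed for illustration; the LDAP attribute names are the ones quoted in the fix above and should be checked against the schema your slapd actually loads (Apple's stock apple.schema names the GUID membership attribute apple-group-memberguid).

```python
"""Offline model of Workgroup membership resolution for an OpenLDAP-backed Mac.
Added example, not the poster's or Apple's code: it shows the membership the
GeneratedUID/GroupMembers/GroupMembership mappings make computable and fails
closed when any of them is missing. All directory data below is constructed."""

# Directory Services attribute -> LDAP attribute, per record type, as the fix
# lists them (hypothetical mapping values; verify them against your schema,
# e.g. Apple's apple.schema uses apple-group-memberguid for GUID membership).
USER_MAP = {
    "RecordName": "uid",
    "PrimaryGroupID": "gidNumber",
    "GeneratedUID": "apple-generateduid",
}
GROUP_MAP = {
    "RecordName": "cn",
    "PrimaryGroupID": "gidNumber",
    "GeneratedUID": "apple-generateduid",
    "GroupMembers": "apple-group-memberuid",
    "GroupMembership": "memberUid",
}
# The mapping the poster was effectively running before the fix: GID only.
GID_ONLY_GROUP_MAP = {"RecordName": "cn", "PrimaryGroupID": "gidNumber"}
# Mappings the >=10.7.4 client needs, per the fix.
REQUIRED = {"Users": ("GeneratedUID",),
            "Groups": ("GeneratedUID", "GroupMembers", "GroupMembership")}

# Constructed LDIF: two users, two groups. DNs and GUIDs are made up.
SAMPLE_LDIF = """\
dn: uid=test-student,ou=People,dc=mydomain,dc=com
objectClass: posixAccount
uid: test-student
gidNumber: 525
apple-generateduid: 0E2F9C1A-0000-4000-8000-000000000001

dn: uid=test-teacher,ou=People,dc=mydomain,dc=com
objectClass: posixAccount
uid: test-teacher
gidNumber: 526
apple-generateduid: 0E2F9C1A-0000-4000-8000-000000000002

dn: cn=students,ou=Groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: students
gidNumber: 525
apple-generateduid: 5A6B7C8D-0000-4000-8000-000000000010
apple-group-memberuid: 0E2F9C1A-0000-4000-8000-000000000001
memberUid: test-student

dn: cn=teachers,ou=Groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: teachers
gidNumber: 526
apple-generateduid: 5A6B7C8D-0000-4000-8000-000000000011
apple-group-memberuid: 0E2F9C1A-0000-4000-8000-000000000002
memberUid: test-teacher
"""


def parse_ldif(text):
    """Minimal LDIF reader: a dict per entry, lower-cased names, list values.
    No base64 (::) or folded-line support; enough for the sample above."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries + ([current] if current else [])


def attr(entry, ldap_name):
    """Values of one LDAP attribute (case-insensitive); [] if unmapped/absent."""
    return entry.get(ldap_name.lower(), []) if ldap_name else []


def missing_mappings(user_map, group_map):
    """Required Directory Services attributes that have no LDAP mapping."""
    missing = {}
    for record_type, amap in (("Users", user_map), ("Groups", group_map)):
        absent = [a for a in REQUIRED[record_type] if a not in amap]
        if absent:
            missing[record_type] = absent
    return missing


def resolve_workgroups(entries, user_map, group_map, username):
    """Groups the user belongs to, by GUID (GroupMembers), short name
    (GroupMembership) or primary GID. Fails closed on an incomplete mapping."""
    missing = missing_mappings(user_map, group_map)
    if missing:
        raise ValueError(f"incomplete attribute mappings: {missing}")
    users = [e for e in entries if "posixAccount" in attr(e, "objectClass")]
    user = next((u for u in users if username in attr(u, user_map["RecordName"])), None)
    if user is None:
        raise LookupError(f"no user record named {username!r}")
    guids = set(attr(user, user_map["GeneratedUID"]))
    gids = set(attr(user, user_map.get("PrimaryGroupID")))
    member_of = set()
    for group in entries:
        if "posixGroup" not in attr(group, "objectClass"):
            continue
        if (guids & set(attr(group, group_map["GroupMembers"]))
                or username in attr(group, group_map["GroupMembership"])
                or gids & set(attr(group, group_map.get("PrimaryGroupID")))):
            member_of.add(attr(group, group_map["RecordName"])[0])
    return member_of
```

With the full GROUP_MAP, resolve_workgroups(parse_ldif(SAMPLE_LDIF), USER_MAP, GROUP_MAP, "test-student") returns {"students"} and the same call for "test-teacher" returns {"teachers"}; with GID_ONLY_GROUP_MAP it raises ValueError naming the three missing Groups mappings, which is the check worth running against your own LDAPv3 mapping before trusting what the Workgroup picker offers. On a real client, dscl /LDAPv3/<node> -read /Groups/students GeneratedUID GroupMembers GroupMembership shows whether the mapping actually surfaces those attributes to Directory Services.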