Cool Solution - Custom LDAP ACLs
From Univention Wiki
This article will show you how to assign rights on a user of your choice via Custom LDAP ACLs for managing domain users and groups.
First of all, install the package univention-custom-ldap-acls from the Cool Solutions repository via the command
The package should create some new UCR variables. Check these with the following command:
ucr search --brief ldap/acls
You should see these variables:
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
Create extended attributes
After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and navigate to custom attributes -> LDAP ACLs.
Create two custom attributes of the type Settings: Extended attribute, e.g. groups-modify and users-create, and fill in the text fields following this template:
Unique name: <users-create or groups-modify>
Short description: Create user
Modules to be extended: "Container: Container"
Modules to be extended: "Container: Organizational Unit"
LDAP object class: univentionCustomACLReferences
LDAP attribute: <univentionCustomACLReferenceUserCreate or univentionCustomACLReferenceGroupModify>
Remove object class if the attribute is removed: (check this box)
Ordering number: 1
Tab name: authorization
Syntax class: userDn
Multi value: (check this box)
Editable after creation: (check this box)
The next step is to modify the users container in the LDAP directory module. Edit the container via right click -> Edit and switch to the tab authorization. Here you can add one or more user DNs to grant those users the delegated rights. To look up a user's DN, execute the following command on the command line (replace <username>):
univention-ldapsearch uid=<username> | grep ^dn
The output should look something like the following:
Copy the output, except the "dn: ", into the text field and click on Save.
Create policies for users
The next step is to give the user the permission to use the Users module after logging in. Go to the Users module and open the user that you placed in the authorization field. Switch to the tab Policies and open Policy: UMC. Create a new entry and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation. Create another new entry in the same policy and name it "edit-groups". Choose "UDM - Groups (udm-groups)" as an allowed UMC operation and save the settings afterwards.
Now the user is able to access the Users and Groups modules via the UMC.
Assigning permissions for user creation
If you want to give a user the permission to create users, set the following UCR variables:
ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes" ldap/acls/temporary_objects/groups=<DN of the group of your user>
Now edit the containers groups and temporary (below the container "univention") as described in section "Editing container". Make sure the DN of your user is present in the text fields for editing users and for editing groups.
After that, execute the following command to restart your LDAP server:
invoke-rc.d slapd restart
At this point, it should be possible to create another user with your domain user.
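As a follow-up check, the following added example (not part of the univention-custom-ldap-acls package) parses constructed univention-ldapsearch output for the containers and lists which user DNs have been delegated rights through the two reference attributes named in the UCR variables above; the container and user DNs are invented for the example.

```python
import re
from collections import defaultdict
# The two reference attributes this article places on containers; the UCR
# variables ldap/acls/custom/<attribute>/... are named after them.
DELEGATION_ATTRS = ("univentionCustomACLReferenceUserCreate",
                    "univentionCustomACLReferenceGroupModify")

# Constructed sample LDIF in the shape of univention-ldapsearch output for two
# containers after the steps above (all DNs are made up for the example).
SAMPLE_LDIF = """\
dn: cn=users,dc=example,dc=com
objectClass: univentionCustomACLReferences
univentionCustomACLReferenceUserCreate: uid=helpdesk,cn=users,dc=example,dc=com
univentionCustomACLReferenceUserCreate: uid=alice,cn=users,dc=example,
 dc=com

dn: cn=groups,dc=example,dc=com
objectClass: univentionCustomACLReferences
univentionCustomACLReferenceGroupModify: uid=helpdesk,cn=users,dc=example,dc=com
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folded lines (leading space) are joined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, dn = defaultdict(list), None
        for line in block.replace("\n ", "").splitlines():
            key, sep, value = line.partition(": ")
            if not sep or line.startswith("#"):
                continue  # skip comments and malformed lines
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def delegations(ldif_text):
    """Map each delegated user DN (lower-cased) to its (container, attribute) grants."""
    grants = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        for attr in DELEGATION_ATTRS:
            for user_dn in attrs.get(attr, []):
                grants[user_dn.lower()].append((dn, attr))
    return dict(grants)

if __name__ == "__main__":
    for user, rights in sorted(delegations(SAMPLE_LDIF).items()):
        print(user, *(f"  {a} on {c}" for c, a in rights), sep="\n")
```

On a real system, feed it the output of univention-ldapsearch for the containers instead of SAMPLE_LDIF to review who holds delegated rights.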