Difference between revisions of "Cool Solution - Custom LDAP ACLs"

From Univention Wiki


Revision as of 07:56, 25 July 2016

UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also note the legal notes at Terms of Service.
Note: This article is not yet reviewed.


Installation

First, install the package univention-custom-ldap-acls with the following command:

univention-install univention-custom-ldap-acls

The package creates several new UCR variables. Check them with the following command:

ucr search acls

You should see these variables:

ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: yes
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount

Create extended attributes

After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes -> LDAP ACLs.

Go to the following Tab and tick the checkboxes:

Tab Data type:

Syntax class: userDn
Tick multi value
Tick editable after creation

Editing container

The next step is to modify the users container in the LDAP directory module. Edit the container via right click -> Edit and move to the tab authorization. There you can add one or more user DNs to grant authorizations to those users. To find a DN, execute the following command on the command line (replace <username>):

univention-ldapsearch uid=<username> | grep ^dn 

The output should look like this:

dn: uid=<username>,cn=users,dc=example,dc=com

Copy the output without the leading dn: into the text field and click Save.
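As an added example (not part of the article or of the univention-custom-ldap-acls package), this Python script serves two steps above: it parses the `ucr search acls` output into one record per reference attribute so the delegation scope (filter, attrs, create flag) can be audited before a DN is entered, and it extracts the DN from `univention-ldapsearch ... | grep ^dn` output for the authorization field, decoding the `dn:: <base64>` form that LDIF uses for non-ASCII DNs, which must not be pasted raw. The sample UCR text is constructed from the lines quoted in the article; the key semantics are reported exactly as the article lists them.

```python
import base64
import re
from collections import defaultdict

# Constructed sample input: the `ucr search acls` output quoted in the article.
UCR_OUTPUT = """\
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: yes
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
"""

LINE_RE = re.compile(r"^ldap/acls/custom/(?P<ref>[^/]+)/(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_custom_acls(text):
    """Group the UCR keys by reference attribute -> {ref: {key: value}}; attrs becomes a list."""
    acls = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            acls[m["ref"]][m["key"]] = m["value"]
    for cfg in acls.values():
        if "attrs" in cfg:  # comma-separated attribute list
            cfg["attrs"] = [a.strip() for a in cfg["attrs"].split(",") if a.strip()]
    return dict(acls)


def summarize(acls):
    """One line per reference attribute showing what the delegation covers."""
    lines = []
    for ref, cfg in sorted(acls.items()):
        attrs = ",".join(cfg["attrs"]) if "attrs" in cfg else "(no attrs list)"
        lines.append(f"{ref}: {cfg.get('description', '?')} | filter={cfg.get('filter', '(none)')}"
                     f" | attrs={attrs} | create={cfg.get('create', 'no')}")
    return lines


def extract_dns(ldapsearch_output):
    """Return DNs from ldapsearch output without the 'dn:' prefix; decode 'dn:: <base64>' lines."""
    dns = []
    for line in ldapsearch_output.splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns
```

Run `ucr search acls | python3 audit.py`-style piping by swapping `UCR_OUTPUT` for `sys.stdin.read()` if you want to check a live system.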

Create policies for users

The next step is to give the user permission to use the users module after logging in. Go to the users module and open the user that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new policy and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation and save the settings.

The user can now edit users via the UMC.

Further information

Further information about using UCR
