Difference between revisions of "Cool Solution - Custom LDAP ACLs"
From Univention Wiki
| Line 1: | Line 1: | ||
| − | {{Version|UCS=4. | + | {{Version|UCS=4.2}} {{Cool Solutions Disclaimer|Repository=yes}} |
{{#seo: | {{#seo: | ||
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}} | |title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}} | ||
| Line 29: | Line 29: | ||
After that, switch to the Univention Management Console and open the '''LDAP directory module'''. Expand the tab '''univention''' and search for '''custom attributes -> LDAP ACLs''' | After that, switch to the Univention Management Console and open the '''LDAP directory module'''. Expand the tab '''univention''' and search for '''custom attributes -> LDAP ACLs''' | ||
| − | + | You will find the two custom attributes '''groups-modify''' and '''users-create'''. Make sure that they have the following settings: | |
First tab: | First tab: | ||
| Line 54: | Line 54: | ||
== Editing container == | == Editing container == | ||
| − | The next step is to | + | The next step is to give the users of your choice the authorization over the '''users''' container in the LDAP directory module. Go to the '''LDAP directory''' and edit the container via right click -> '''Edit''' and move to the tab '''authorization'''. |
| − | + | Now you can add one or more users with their DNs. To find out the DN of a specific user execute the following command in the command line while replacing <username> with the username of the user: | |
| − | Now you can add one or more | ||
univention-ldapsearch uid=<username> | grep ^dn | univention-ldapsearch uid=<username> | grep ^dn | ||
| Line 62: | Line 61: | ||
dn: uid=<username>,cn=users,dc=example,dc=com | dn: uid=<username>,cn=users,dc=example,dc=com | ||
| − | + | Now you can copy the output, except for the "'''dn: '''", into the text field in the Authorization tab and click on '''Save'''. | |
== Create policies for users == | == Create policies for users == | ||
| − | The next step is to give the | + | The next step is to give the users of your choice the permission to access the '''Users''' and the '''Groups''' module after logging in. |
Go to the '''Users''' module and open the user, that you placed in the authorization field. Move to the tab '''Policies''' and open '''Policy: UMC'''. | Go to the '''Users''' module and open the user, that you placed in the authorization field. Move to the tab '''Policies''' and open '''Policy: UMC'''. | ||
| − | Create a new | + | Create a new policy and name it "edit-user". Choose "'''UDM - Users (udm-users)'''" as an allowed UMC operation and create another new entry in the same policy, where you choose "'''UDM - Groups (udm-groups)'''" as an allowed UMC operation. Save the settings. |
| − | |||
| − | Now the user | + | Now the user should be able to access the '''Users''' and '''Groups''' module via the UMC. |
== Assigning permissions for user creation == | == Assigning permissions for user creation == | ||
| − | + | To grant the user of your choice the permission to create a user, set the following UCR variables: | |
ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes" | ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes" | ||
| − | ldap/acls/temporary_objects/groups=<DN of the group of your user> | + | ucr set ldap/acls/temporary_objects/groups="<DN of the group of your user>" |
| − | + | You can find out about the group DN of your user by running | |
| + | |||
| + | udm users/user list --filter uid=<username> | grep primaryGroup | ||
| + | |||
| + | Finally edit the container '''groups''' and '''temporary''' (you can find it below the container "univention")of the LDAP directory. You can simply follow the instruction of the section "Editing container" again. Make sure the DN of your users is in the text field "editing user" and "editing groups". | ||
After that, execute the following command to restart your LDAP server: | After that, execute the following command to restart your LDAP server: | ||
| − | + | systemctl restart slapd | |
| − | + | Now the users of your choice will be able to create users or manage groups. | |
== Further information == | == Further information == | ||
[http://docs.software-univention.de/developer-reference-4.1.html Further information about using UCR ] | [http://docs.software-univention.de/developer-reference-4.1.html Further information about using UCR ] | ||
[[Category:EN]] | [[Category:EN]] | ||
| + | |||
| + | == Archive == | ||
| + | |||
| + | * There is a version of this article for [https://wiki.univention.de/index.php?title=Cool_Solution_-_Custom_LDAP_ACLs&oldid=13203 UCS 4.1]. | ||
Revision as of 13:20, 5 April 2018
Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained.
Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.
Contents
Introduction
This article will show you how to assign rights on a user of your choice via Custom LDAP ACLs for managing domain users and groups.
Installation
First of all, install the package univention-custom-ldap-acls from the Cool Solutions repository via the command
univention-install univention-custom-ldap-acls
The package should create some new UCR variables. Check these with the following command:
ucr search --brief ldap/acls
You should see these variables:
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
Create extended attributes
After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes -> LDAP ACLs
You will find the two custom attributes groups-modify and users-create. Make sure that they have the following settings:
First tab:
Unique name: <users-create or groups-modify> Short description: Create user
Second Tab:
Modules to be extended: "Container: Container" Modules to be extended: "Container: Organizational Unit"
Third tab:
LDAP object class: univentionCustomACLReferences LDAP attribute: univentionCustomACLReferenceUserCreate Remove object class if the attribute is removed: (check this box)
Fourth tab:
Ordering number: 1 Tab name: authorization
Last tab:
Syntax class: userDn Multi value: (check this box) Editable after creation: (check this box)
Editing container
The next step is to give the users of your choice the authorization over the users container in the LDAP directory module. Go to the LDAP directory and edit the container via right click -> Edit and move to the tab authorization. Now you can add one or more users with their DNs. To find out the DN of a specific user execute the following command in the command line while replacing <username> with the username of the user:
univention-ldapsearch uid=<username> | grep ^dn
The output should be something as the follows:
dn: uid=<username>,cn=users,dc=example,dc=com
Now you can copy the output, except for the "dn: ", into the text field in the Authorization tab and click on Save.
Create policies for users
The next step is to give the users of your choice the permission to access the Users and the Groups module after logging in. Go to the Users module and open the user, that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new policy and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation and create another new entry in the same policy, where you choose "UDM - Groups (udm-groups)" as an allowed UMC operation. Save the settings.
Now the user should be able to access the Users and Groups module via the UMC.
Assigning permissions for user creation
To grant the user of your choice the permission to create a user, set the following UCR variables:
ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes" ucr set ldap/acls/temporary_objects/groups="<DN of the group of your user>"
You can find out about the group DN of your user by running
udm users/user list --filter uid=<username> | grep primaryGroup
Finally edit the container groups and temporary (you can find it below the container "univention")of the LDAP directory. You can simply follow the instruction of the section "Editing container" again. Make sure the DN of your users is in the text field "editing user" and "editing groups".
After that, execute the following command to restart your LDAP server:
systemctl restart slapd
Now the users of your choice will be able to create users or manage groups.
Further information
Further information about using UCR
Archive
- There is a version of this article for UCS 4.1.
