Difference between revisions of "Cool Solution - Custom LDAP ACLs"


Latest revision as of 08:11, 6 April 2018

UCS Version 4.2
UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

Introduction

This article shows you how to grant a user of your choice the rights to manage domain users and groups via custom LDAP ACLs.

Installation

First of all, install the package univention-custom-ldap-acls from the Cool Solutions repository via the command

univention-install univention-custom-ldap-acls

The package should create some new UCR variables. Check these with the following command:

ucr search --brief ldap/acls

You should see these variables:

ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount

Create extended attributes

After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes -> LDAP ACLs.

You will find the two custom attributes groups-modify and users-create. Make sure that they have the following settings:

First tab:

Unique name: <users-create or groups-modify>
Short description: Create user

Second Tab:

Modules to be extended: "Container: Container"
Modules to be extended: "Container: Organizational Unit"

Third tab:

LDAP object class: univentionCustomACLReferences
LDAP attribute: univentionCustomACLReferenceUserCreate
Remove object class if the attribute is removed: (check this box)

Fourth tab:

Ordering number: 1
Tab name: authorization

Last tab:

Syntax class: userDn
Multi value: (check this box)
Editable after creation: (check this box)

Editing container

The next step is to give the users of your choice the authorization over the users container in the LDAP directory module. Go to the LDAP directory, edit the container via right click -> Edit and move to the tab authorization. Now you can add one or more users with their DNs. To find out the DN of a specific user, execute the following command on the command line, replacing <username> with the username of the user:

univention-ldapsearch uid=<username> | grep ^dn

The output should look like the following:

dn: uid=<username>,cn=users,dc=example,dc=com

Now you can copy the output, except for the "dn: " prefix, into the text field in the Authorization tab and click on Save.

Create policies for users

The next step is to give the users of your choice the permission to access the Users and the Groups module after logging in. Go to the Users module and open the user that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new policy and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation and add a second entry in the same policy with "UDM - Groups (udm-groups)" as an allowed UMC operation. Save the settings.

Now the user should be able to access the Users and Groups module via the UMC.

Assigning permissions for user creation

To grant the user of your choice the permission to create a user, set the following UCR variables:

ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes" 
ucr set ldap/acls/temporary_objects/groups="<DN of the group of your user>"

You can find out about the group DN of your user by running

udm users/user list --filter uid=<username> | grep primaryGroup

Finally, edit the containers groups and temporary (you can find the latter below the container "univention") in the LDAP directory. You can simply follow the instructions of the section "Editing container" again. Make sure the DN of your users is in the text fields "editing user" and "editing groups".

After that, execute the following command to restart your LDAP server:

systemctl restart slapd

Now the users of your choice will be able to create users or manage groups.
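To verify the result of the steps above without clicking through the UMC, here is a small check script. It is an added example, not part of the article or of the univention-custom-ldap-acls package: it parses the text that the article's two commands, `ucr search --brief ldap/acls` and `univention-ldapsearch` (run against the container with `-b <container DN> -s base`), print, and reports whether a delegated user's DN is actually referenced on the container and whether the matching /create flag is set. Both sample outputs and the helpdesk/groupadmin DNs are constructed for the example.

```python
import base64

# Constructed sample of `ucr search --brief ldap/acls` after the
# "Assigning permissions" step switched GroupModify/create to yes.
UCR_OUTPUT = """\
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
"""
# Constructed sample of the users container as ldapsearch prints it after the
# "authorization" tab was saved; values longer than 76 columns are wrapped onto
# a continuation line starting with a space, exactly as ldapsearch does.
CONTAINER_LDIF = """\
dn: cn=users,dc=example,dc=com
objectClass: organizationalRole
objectClass: univentionCustomACLReferences
cn: users
univentionCustomACLReferenceUserCreate: uid=helpdesk,cn=users,dc=example,dc=com
univentionCustomACLReferenceGroupModify: uid=groupadmin,ou=Delegated Admins,cn=us
 ers,dc=example,dc=com
"""

def parse_ucr(text):
    """'key: value' lines from `ucr search --brief` -> dict."""
    pairs = (line.split(": ", 1) for line in text.splitlines() if ": " in line)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_ldif(text):
    """One LDIF entry -> {attr_lowercase: [values]}; joins wrapped continuation
    lines and decodes base64 ('attr:: ...') values, which `grep ^dn` would miss."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def delegation_status(ucr, entry, user_dn):
    """Per ACL reference attribute: is user_dn listed on the container, and is
    the package's .../create UCR flag enabled? Also checks the object class."""
    status = {}
    for ref in ("UserCreate", "GroupModify"):
        attr = "univentionCustomACLReference" + ref
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        status[ref] = {"listed": user_dn.lower() in values,
                       "create": ucr.get(f"ldap/acls/custom/{attr}/create") == "yes"}
    status["objectclass_ok"] = "univentionCustomACLReferences" in entry.get("objectclass", [])
    return status
```

Because ldapsearch wraps long lines, a DN longer than 76 characters copied from `grep ^dn` output alone will be truncated; the parser above reassembles it.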

Further information

Further information about using UCR: http://docs.software-univention.de/developer-reference-4.1.html

Archive

* There is a version of this article for UCS 4.1: https://wiki.univention.de/index.php?title=Cool_Solution_-_Custom_LDAP_ACLs&oldid=13203