Cool Solution - Custom LDAP ACLs

From Univention Wiki
Revision as of 09:49, 27 September 2016

UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.
Note: This article is not yet reviewed.
Introduction

This article will show you how to assign rights on a user of your choice via Custom LDAP ACLs for managing domain users and groups.

Installation

First of all, install the package univention-custom-ldap-acls with the command

univention-install univention-custom-ldap-acls

The package creates some new UCR variables. Check them with the following command

ucr search acls

You should see these variables:

ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount

Create extended attributes

After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes -> LDAP ACLs

Create the two custom attributes, with the type Settings: Extended attribute, e.g. groups-modify and users-create, and fill in the text fields like the following template.

First tab:

Unique name: <users-create or groups-modify>
Short description: Create user

Second Tab:

Modules to be extended: container/cn
Modules to be extended: container/ou

Third tab:

LDAP object class: univentionCustomACLReferences
LDAP attribute: univentionCustomACLReferenceUserCreate
Remove object class if the attribute is removed: (check this box)

Fourth tab:

Ordering number: 1
Tab name: authorization

Last tab:

Syntax class: userDn
Multi value: (check this box)
Editable after creation: (check this box)

Editing container

The next step is to modify the users container in the LDAP directory module. Edit the container via right click -> Edit and move to the tab authorization. Now you can add one or more user DNs to assign authorizations to those users; e.g. execute the following command on the command line (replace <username>):

univention-ldapsearch uid=<username> | grep ^dn 

The output should look like the following:

dn: uid=<username>,cn=users,dc=example,dc=com

Copy the output, except the "dn: ", into the text field and click on Save.

Create policies for users

The next step is to give the user the permission to use the Users module after login. Go to the Users module and open the user that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new entry and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation. Create another new entry in the same policy and name it "edit-groups". Choose "UDM - Groups (udm-groups)" as an allowed UMC operation and save the settings after that.

Now the user is authorized to access the Users and Groups modules via the UMC.

Assigning permissions for user creation

If you want to assign a user the permission to create a user, set the following UCR variables:

ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes"
ucr set ldap/acls/temporary_objects/groups="<DN of the group of your user>"

Now edit the containers groups and temporary (below the container "univention") as described in section "Editing container". Make sure the DN of your user is in both text fields, "editing user" and "editing groups".

After that, execute the following command to restart your LDAP server:

invoke-rc.d slapd restart

At this point, it should be possible to create another user while logged in as your domain user.
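As an added illustration (not code from this article or from the univention-custom-ldap-acls package), the following Python models the permission scheme the steps above set up: each ldap/acls/custom/<reference>/... UCR variable describes a reference attribute's filter, editable attrs and create flag, and a user DN listed in that attribute on a container gains exactly that right there. The container and object dictionaries are constructed sample data; the real ACLs are generated by the package inside slapd, which this simplified model does not reproduce.

```python
# Constructed sample: the "ucr search acls" output listed in the article.
UCR_OUTPUT = """\
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
"""

PREFIX = "ldap/acls/custom/"


def parse_ucr(text):
    """Group the ldap/acls/custom/<reference>/<setting> variables per reference attribute."""
    refs = {}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if not key.startswith(PREFIX):
            continue
        ref, _, setting = key[len(PREFIX):].partition("/")
        refs.setdefault(ref, {})[setting] = value.strip()
    return refs


def matches_filter(obj, ldap_filter):
    """Evaluate the single equality filter the UCR variables use (e.g. objectClass=posixAccount)."""
    attr, _, value = ldap_filter.partition("=")
    return value.lower() in (v.lower() for v in obj.get(attr, []))


def is_allowed(refs, container, user_dn, action, obj, attr=None):
    """Simplified model: a user DN stored in a container's reference attribute gets the right
    that reference describes, limited by its filter, its attrs list and its create flag."""
    for ref, settings in refs.items():
        if user_dn.lower() not in (dn.lower() for dn in container.get(ref, [])):
            continue
        if not matches_filter(obj, settings.get("filter", "")):
            continue
        if action == "create":
            if settings.get("create") == "yes":
                return True
            continue
        allowed_attrs = settings.get("attrs")  # no attrs setting means every attribute
        if allowed_attrs is None or attr in allowed_attrs.split(","):
            return True
    return False
```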

Further information

Further information about using UCR
