Difference between revisions of "Cool Solution - Custom LDAP ACLs"

From Univention Wiki

Jump to: navigation, search
(Created page with "{{Version|UCS=4.1}} {{Cool Solutions Disclaimer}} {{Cool Solutions Disclaimer|Repository=yes}} {{Review-Status}} First of all install the package univention-custom-ldap-acls via...")
 
Line 1: Line 1:
{{Version|UCS=4.1}} {{Cool Solutions Disclaimer}}
+
{{Version|UCS=4.1}} {{Cool Solutions Disclaimer|Repository=yes}}
{{Cool Solutions Disclaimer|Repository=yes}}
 
 
{{Review-Status}}
 
{{Review-Status}}
  
Line 40: Line 39:
 
  Tick editable after creation
 
  Tick editable after creation
  
 +
The next step is, to modify the users container in the LDAP directory module.
 +
Edit the container via right click -> Edit and move to the tab authorization.
 +
Now you can add one or more userDNs to assigning authorizations to that users, e.g execute the following command in the command line (replace <username>):
 +
univention-ldapsearch uid=<username> | grep ^dn
 +
 +
You get:
 +
dn: uid=<username>,cn=users,dc=example,dc=com
 +
 +
Copy the output, except the dn:, into the text field and click on save.
 +
 +
The next step is, to give the user the permission to use the users module after the log in.
 +
Go to the users module and open the user, that you placed in the authorization field. Move to the tab Policies and open Policy: UMC.
 +
Create a new policy and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation and save the settings.
 +
 +
Now the user is qualified to edit users via the UMC.
 
[[Category:EN]]
 
[[Category:EN]]

Revision as of 08:39, 24 May 2016

Produktlogo UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.
Note: This article is not yet reviewed.


First of all install the package univention-custom-ldap-acls via the command

univention-install univention-custom-ldap-acls

The package should be create some new UCR variables. Check these with the following command

ucr search acls

You should see these variables:

ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: yes
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Bearbeiten von Gruppen
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Anlegen von Benutzern
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount

After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes -> LDAP ACLs Click on "Add" and choose Settings: Extended attribute. Fill out the text fields as the follows: Tab General:

Unique name: edit-user
Short description: Editing users

Tab Module:

Modules to be extended: Container: Container, Container: Organizational Unit 

Tab LDAP mapping:

LDAP object class: univentionCustomACLReferences
LDAP attribute: univentionCustomACLReferenceUserCreate
Tick remove object class if the attribute is removed

Tab UMC:

Ordering number: 1
Tab name: authorization

Tab Data type:

Syntax class: uerDn
Tick multi value
Tick editable after creation

The next step is, to modify the users container in the LDAP directory module. Edit the container via right click -> Edit and move to the tab authorization. Now you can add one or more userDNs to assigning authorizations to that users, e.g execute the following command in the command line (replace <username>):

univention-ldapsearch uid=<username> | grep ^dn 

You get:

dn: uid=<username>,cn=users,dc=example,dc=com

Copy the output, except the dn:, into the text field and click on save.

The next step is, to give the user the permission to use the users module after the log in. Go to the users module and open the user, that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new policy and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation and save the settings.

Now the user is qualified to edit users via the UMC.

Personal tools