Difference between revisions of "Cool Solution - Custom LDAP ACLs"
From Univention Wiki
Revision as of 08:39, 24 May 2016
Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but are not maintained.
Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.
First, install the package univention-custom-ldap-acls with the command
univention-install univention-custom-ldap-acls
The package creates some new UCR variables. Check them with the following command
ucr search acls
You should see these variables:
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: yes
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Bearbeiten von Gruppen
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Anlegen von Benutzern
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
After that, switch to the Univention Management Console and open the LDAP directory module. Expand the container univention, then custom attributes, and select LDAP ACLs. Click on "Add", choose Settings: Extended attribute and fill out the fields as follows:
Tab General:
Unique name: edit-user
Short description: Editing users
Tab Module:
Modules to be extended: Container: Container, Container: Organizational Unit
Tab LDAP mapping:
LDAP object class: univentionCustomACLReferences
LDAP attribute: univentionCustomACLReferenceUserCreate
Tick "Remove object class if the attribute is removed"
Tab UMC:
Ordering number: 1
Tab name: authorization
Tab Data type:
Syntax class: UserDN
Tick "Multi value"
Tick "Editable after creation"
The next step is to modify the users container in the LDAP directory module. Edit the container via right click -> Edit and switch to the tab authorization. Here you can add one or more user DNs to grant this authorization to those users. To find a user's DN, run the following command on the command line (replace <username>):
univention-ldapsearch uid=<username> | grep ^dn
You get:
dn: uid=<username>,cn=users,dc=example,dc=com
Copy the output without the leading "dn: " into the text field and click on Save.
The next step is to give the user permission to use the users module after logging in. Go to the users module and open the user whose DN you entered in the authorization field. Switch to the tab Policies and open Policy: UMC. Create a new policy, name it "edit-user", choose "UDM - Users (udm-users)" as an allowed UMC operation and save the settings.
Now the user is allowed to edit users via the UMC.
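As an added example, which is not part of this Cool Solution or of the univention-custom-ldap-acls package, the following POSIX shell script covers the two command-line checks an administrator wants around the steps above: it extracts the DN value from univention-ldapsearch output in the way the DN step describes (dropping the "dn: " prefix, and unfolding LDIF continuation lines so a long DN is not cut off), and it checks which DNs a container actually lists in univentionCustomACLReferenceUserCreate, so you can audit who has been granted the right to create users after saving in the UMC. The user name jdoe, the sample ldapsearch output and the folded line are constructed for the example; on a real system pipe the output of univention-ldapsearch into the functions instead.

```shell
#!/bin/sh
# Added example (not part of the Cool Solution): resolve a user's DN from
# univention-ldapsearch output and audit which DNs a container grants the
# univentionCustomACLReferenceUserCreate authorization to.

# LDIF folds long attribute values onto continuation lines that start with a
# single space. Unfold them first, otherwise a folded DN is silently truncated.
unfold_ldif() {
    awk '
        /^ / { sub(/^ /, ""); buf = buf $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Print the DN(s) from ldapsearch output with the "dn: " prefix stripped,
# i.e. exactly the value that is pasted into the authorization field.
extract_dn() {
    unfold_ldif | sed -n 's/^dn: //p'
}

# Return 0 if $1 (a user DN) is listed as a univentionCustomACLReferenceUserCreate
# value of the container whose ldapsearch output is read from stdin, else 1.
acl_grants_create() {
    wanted="$1"
    unfold_ldif | sed -n 's/^univentionCustomACLReferenceUserCreate: //p' \
        | grep -Fxq -- "$wanted"
}

# Constructed sample, mimicking "univention-ldapsearch uid=jdoe | grep ^dn"
# (the page's <username> placeholder replaced by the made-up user jdoe).
SAMPLE_USER_LDIF='dn: uid=jdoe,cn=users,dc=example,dc=com'

# Constructed sample of the users container after two DNs were saved in the
# authorization field; the second value is folded across two lines as
# ldapsearch does for long values.
SAMPLE_CONTAINER_LDIF='dn: cn=users,dc=example,dc=com
objectClass: organizationalRole
objectClass: univentionCustomACLReferences
cn: users
univentionCustomACLReferenceUserCreate: uid=jdoe,cn=users,dc=example,dc=com
univentionCustomACLReferenceUserCreate: uid=helpdesk-agent-with-a-very-long-name,
 cn=users,dc=example,dc=com'

# Stand-alone demo: show the extracted DN and the result of the audit.
printf '%s\n' "$SAMPLE_USER_LDIF" | extract_dn
if printf '%s\n' "$SAMPLE_CONTAINER_LDIF" \
        | acl_grants_create "uid=jdoe,cn=users,dc=example,dc=com"; then
    echo "uid=jdoe is allowed to create users"
fi
if printf '%s\n' "$SAMPLE_CONTAINER_LDIF" \
        | acl_grants_create "uid=mallory,cn=users,dc=example,dc=com"; then
    echo "uid=mallory is allowed to create users"
else
    echo "uid=mallory is not allowed to create users"
fi
```

On a real UCS system, feed the functions with live output, for example univention-ldapsearch -LLL uid=jdoe | extract_dn for the DN, and univention-ldapsearch -LLL -s base -b "cn=users,$(ucr get ldap/base)" univentionCustomACLReferenceUserCreate | acl_grants_create "$dn" to confirm the grant. Running the second check against every container that carries the univentionCustomACLReferences object class gives a quick inventory of who may create users, which is worth repeating whenever the authorization field is edited.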