Cool Solution - Custom LDAP ACLs
From Univention Wiki
First of all, install the package univention-custom-ldap-acls via the command
The package should create some new UCR variables. Check them with the following command:
ucr search acls
You should see these variables:
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: yes
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
Create extended attributes
After that, switch to the Univention Management Console and open the LDAP directory module. Expand the univention tab and search for custom attributes -> LDAP ACLs.
Edit groups-modify and users-create. Go to the following tab and tick the checkboxes:
Tab Data type:
Syntax class: userDn
Tick multi value
Tick editable after creation
The next step is to modify the users container in the LDAP directory module. Edit the container via right click -> Edit and switch to the authorization tab. There you can add one or more user DNs to grant authorizations to those users. To find a user's DN, execute the following command on the command line (replace <username>):
univention-ldapsearch uid=<username> | grep ^dn
The output should look similar to the following:
Copy the output, without the leading dn: prefix, into the text field and click on Save.
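As an added example (not part of the original wiki page), the following POSIX shell script groups the ucr search acls output shown above into one summary line per custom ACL and strips the dn: prefix from the univention-ldapsearch output so the value can be pasted into the authorization field. The UCR lines and the DN are constructed samples, so the script runs offline; on a UCS host you would pipe the real command output into the two functions instead.

```shell
#!/bin/sh
# Added example, not code from the Univention wiki page.
# Summarise custom LDAP ACL UCR variables and extract the DN for the authorization field.

# Constructed sample with the same shape as the `ucr search acls` output on the page.
SAMPLE_UCR='ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: yes
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount'

# Group the "ldap/acls/custom/<name>/<key>: <value>" lines by <name> and print one
# line per ACL: the object filter, the create flag and the writable attributes
# ("-" when the ACL defines no attrs key). Output is sorted for stable ordering.
acl_summary() {
    awk -F': ' '
        $1 ~ /^ldap\/acls\/custom\// {
            split($1, p, "/")               # p[4] = ACL name, p[5] = key
            v[p[4] "/" p[5]] = $2
            seen[p[4]] = 1
        }
        END {
            for (n in seen) {
                a = ((n "/attrs") in v) ? v[n "/attrs"] : "-"
                printf "%s filter=%s create=%s attrs=%s\n", n, v[n "/filter"], v[n "/create"], a
            }
        }' | sort
}

# Strip the "dn: " prefix from `univention-ldapsearch uid=<username> | grep ^dn`,
# leaving exactly the value to paste into the container's authorization field.
dn_from_ldapsearch() {
    sed -n 's/^dn: //p'
}

printf '%s\n' "$SAMPLE_UCR" | acl_summary
# Constructed sample DN; the real one comes from univention-ldapsearch on the UCS host.
printf 'dn: uid=jdoe,cn=users,dc=example,dc=com\n' | dn_from_ldapsearch
```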
Create policies for users
The next step is to give the user permission to use the users module after logging in. Go to the users module and open the user that you entered in the authorization field. Switch to the Policies tab and open Policy: UMC. Create a new policy and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation. Create another new policy and name it "edit-groups". Choose "UDM - Groups (udm-groups)" as an allowed UMC operation and save the settings.
Now the user is able to access the users and groups modules via the UMC.