Cool Solution - Custom LDAP ACLs
From Univention Wiki
This article will show you how to assign rights on a user of your choice via Custom LDAP ACLs for managing domain users and groups.
First of all install the package univention-custom-ldap-acls via the command
The package should be create some new UCR variables. Check these with the following command
ucr search acls
You should see these variables:
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
Create extended attributes
After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes -> LDAP ACLs
Create the two custom attributes, e.g groups modify and users-create, and fill out the textfields like the following template.
name: <users-create or group-modify> shortDescription: Create user
module: container/cn module: container/ou
objectClass: univentionCustomACLReferences ldapMapping: univentionCustomACLReferenceUserCreate deleteObjectClass: 1 (it's a checkbox)
tabPosition: 1 tabName: authorization
syntax: userDn multivalue: 1 (it's a checkbox) ValueMayChange: 1 (it's a checkbox)
The next step is, to modify the users container in the LDAP directory module. Edit the container via right click -> Edit and move to the tab authorization. Now you can add one or more userDNs to assigning authorizations to that users, e.g execute the following command in the command line (replace <username>):
univention-ldapsearch uid=<username> | grep ^dn
The output should be something as the follows:
Copy the output, except the dn:, into the text field and click on save.
Create policies for users
The next step is, to give the user the permission to use the users module after the log in. Go to the users module and open the user, that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new entry and name it "edit-user". Choose "UDM - Users (udm-users)" as an allowed UMC operation. Create another new entry in the same policy and name it "edit-groups". Choose "UDM - Groups (udm-groups)" as an allowed UMC operation and save the settings after that.
Now the user is qualified to access the users and groups module via the UMC.
Assigning permissions for user creation
If you want to assign a user the permission to create a user, create and change the following UCR variables:
ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes" ldap/acls/temporary_objects/groups=<DN of the group of your user>
Now edit the container groups and temporary (below the container univention) as described in section "Editing container". Make sure the DN of your user is in the textfield "editing user" and editing groups.
After that, execute the following command to restart your LDAP server:
invoke-rc.d slapd restart
At this point, it should be possible to create another user with your domain user.