I followed the instructions at Wiki: Cool Solutions – Custom LDAP ACLs but my user account cannot create or edit a user account.
I want my HR department to be able to create new user accounts and disable accounts of employees who left.
I diverged from the instructions where they told me to add my user account in the authorization tab fields: instead I added the AD builtin group “Konten-Operatoren” (“Account operators” in English, I guess), using the whole DN of course. I added my account to this group.
I created the policy as described and attached it to “Konten-Operatoren”. My user account now has access to these UMC modules. But when I try to save on editing or creating a user account I get the message “Das LDAP-Objekt konnte nicht gespeichert werden: Zugriff verweigert.” (basically “access denied”).
Of course, as I was interrupted during the setup I might have forgotten something, but I double checked and noticed nothing missing.
The last section irritates me a little bit:
To grant the user of your choice the permission to create a user, set the following UCR variables:
ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes"
ucr set ldap/acls/temporary_objects/groups="<DN of the group of your user>"
You can find out about the group DN of your user by running
udm users/user list --filter uid=<username> | grep primaryGroup
I used the DN of “Konten-Operatoren” in the ucr statement where the instructions tell me to use my user account’s group DN. Or does this solution require me to explicitly use my user account wherever it is asked for?
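Added example (not from the original post or the Univention wiki): a small POSIX shell check that compares the group DN stored in ldap/acls/temporary_objects/groups with the primaryGroup DN reported by udm for a user, so a mismatch between the two can be spotted before debugging the ACL itself. The user name, DNs and command output below are constructed sample data standing in for the live `udm` and `ucr` commands quoted above.

```shell
#!/bin/sh
# Constructed sample output in the shape of `udm users/user list --filter uid=<username>`.
SAMPLE_UDM_OUTPUT='DN: uid=hr.user,cn=users,dc=example,dc=com
  username: hr.user
  primaryGroup: cn=Domain Users,cn=groups,dc=example,dc=com
  groups: cn=Konten-Operatoren,cn=Builtin,dc=example,dc=com'

# Constructed sample value in the shape of `ucr get ldap/acls/temporary_objects/groups`.
SAMPLE_UCR_VALUE='cn=Konten-Operatoren,cn=Builtin,dc=example,dc=com'

# Normalise a DN for comparison: lowercase it and drop spaces after the commas,
# since attribute types are case-insensitive and spacing varies between tools.
normalize_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Extract the first primaryGroup DN from udm output read on stdin.
primary_group_dn() {
    sed -n 's/^[[:space:]]*primaryGroup: //p' | head -n 1
}

# Print "match" when the UCR group DN equals the user's primary group DN,
# otherwise "mismatch". Arguments: udm output, ucr value.
check_temporary_objects_group() {
    udm_output=$1
    ucr_value=$2
    pg=$(printf '%s\n' "$udm_output" | primary_group_dn)
    if [ "$(normalize_dn "$pg")" = "$(normalize_dn "$ucr_value")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# With the constructed data the configured group is not the user's primary group.
check_temporary_objects_group "$SAMPLE_UDM_OUTPUT" "$SAMPLE_UCR_VALUE"
```

On a live UCS system, replace the constructed values with the output of the two quoted commands, `udm users/user list --filter uid=<username>` and `ucr get ldap/acls/temporary_objects/groups`.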