Hi,
Currently I am testing creating users via the REST API, which is working great as Administrator. Because I don't want such a powerful user in that case, I was thinking about an extra user for this.
This user should only be able to manage all objects within a specific DN:
access to dn.subtree="cn=b4a,ou=customer,dc=bbc,dc=local"
by dn.base="uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" manage
I can now add users there with:
root@master:/opt# ldapadd -x -W -D "uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" -f adam.ldif
Enter LDAP Password:
adding new entry "uid=adam,cn=b4a,ou=customer,dc=bbc,dc=local"
When using the REST API I also have to grant access to:
access to dn.subtree="cn=temporary,cn=univention,dc=bbc,dc=local"
by dn.base="uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" manage
But now I am facing issues with all other users (Administrator can't edit users anymore, because he is not allowed to edit entries within cn=temporary,cn=univention,dc=bbc,dc=local).
For me it is hard to decide where to put these LDAP ACLs.
I found articles here about putting them in slapd.conf (via UCR template), there was a cool solution article as well https://wiki.univention.de/index.php/Cool_Solution_-_Custom_LDAP_ACLs but it's not available in 4.4.7, and I found some object types called LDAP ACL in UDM. I am not sure what the correct way is to apply additional LDAP ACLs.
Is there something else (and easier) for the REST API to create users without using the domain admin account for that?
It would be interesting to see how others are working with the REST API.
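As an added illustration (not part of the original post), here is the posted ACL beside a form that does not lock Administrator out: in slapd the first `access to` directive whose target matches the entry is the only one evaluated, and when none of its `by` clauses matches the bound DN the implicit `by * none` ends evaluation there. Appending `by * break` keeps the grant for the technical user and lets every other identity fall through to the directives that follow it (the UCS default rules that already cover Administrator); the DNs are those from the post, the surrounding directives are assumed.

```conf
# Added example, not from the original post: slapd.conf ACL fragment.

# As posted: with this specific target, this is the only directive slapd
# evaluates for entries under cn=temporary. Administrator matches no "by"
# clause, so the implicit "by * none" applies and evaluation stops.
access to dn.subtree="cn=temporary,cn=univention,dc=bbc,dc=local"
    by dn.base="uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" manage

# Corrected: same grant for the technical user, but everyone else "breaks"
# out to the next matching "access to" directive, where the existing rules
# for Administrator / Domain Admins still apply. These specific directives
# must be placed before any broader directive (e.g. one on the base DN),
# because slapd stops at the first target that matches.
access to dn.subtree="cn=temporary,cn=univention,dc=bbc,dc=local"
    by dn.base="uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" manage
    by * break

access to dn.subtree="cn=b4a,ou=customer,dc=bbc,dc=local"
    by dn.base="uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" manage
    by * break

# Check the effective access without touching data (assumed entry DN):
#   slapacl -D "uid=udm_camunda_rest,cn=technische-user,cn=intern,cn=best-blu,dc=bbc,dc=local" \
#           -b "cn=<some-entry>,cn=temporary,cn=univention,dc=bbc,dc=local" entry/write
#   slapacl -D "<Administrator DN>" \
#           -b "cn=<some-entry>,cn=temporary,cn=univention,dc=bbc,dc=local" entry/write
```

Run the `slapacl` checks for both the technical user and Administrator after each ACL change; the second one is what the posted variant fails.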