the initial auth works if I use the Administrator account but I would like to use a separate/different UCS account which has readonly access to the user’s userPassword ldap attrib.
Is there a way to create such a UCS account via udm/UCM? I would like to avoid creating custom ACL in UCS if possible …
unfortunately not, I have verified via ldapsearch that such an account (which I already created before for other reasons) can’t read the ldap attrib userPassword … is there a way to (minimally) modify that account to allow that?
# there should already be something like this in the file:
access to attribute=userPassword
    by dn="<dovecot's dn>" read # just add this line
    by anonymous auth
    by self write
    by * none
But be aware that such local LDAP ACLs can be overwritten by what is written in the default configuration files. Usually, UCS has some sort of *local* files where you can configure such customized options. Just check; I haven’t done so currently.
well, yes, I have seen that but I had hoped to have a different way (maybe via some UCS / UMC frontend tool) which does not involve editing ACLs manually/directly …
Anyway, here is what I did
# cat /etc/univention/templates/files/etc/ldap/slapd.conf.d/69univention-custom-ldap-acls
# . /usr/share/univention-lib/ldap.sh
# ucs_registerLDAPExtension --packagename=myacl --packageversion=1 --acl 69univention-custom-ldap-acls
..
Waiting for activation of the extension object 69univention-custom-ldap-acls: .........OK
where the custom ACL file looks like this (ignore the first ACL, which is used for other stuff here …):
access to attrs=gecos,secretary
    by self write
    by * none
access to attrs=userPassword
    by dn="uid=queryimap,cn=users,dc=my,dc=company,dc=com" read
    by anonymous auth
    by self write
    by * none break
would you say that it is correct? I am referring in particular to the fact that in slapd.conf there are already ACLs concerning that attribute (userPassword) and my worry is that my ACL would interfere with/break the default / already existing one as distributed in UCS.
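To reason about the ordering worry in the last post, here is an added example (not UCS or OpenLDAP code) that models slapd.access(5) evaluation for a single attribute: the first directive matching the attribute is used, its first matching `by` clause decides, and `break` moves on to the next directive. Only the queryimap DN comes from the thread; the other DNs and the `cn=admin` clause in the stand-in default directive are constructed assumptions.

```python
# Added example (not UCS or OpenLDAP code): a minimal model of slapd.access(5)
# evaluation for one attribute, enough to see what "by * none break" changes.
def who_matches(who, bind_dn, target_dn):
    """<who> forms used in the thread: "*", "anonymous", "self", dn="<exact dn>"."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return bind_dn is not None and bind_dn.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported <who> clause: {who}")

def evaluate(acl, bind_dn, target_dn, attr):
    """Level bind_dn gets on target_dn's attr. acl is a list of directives
    (attrs, [(who, level, control), ...]); the first directive matching attr is
    used, its first matching <by> decides, and "break" moves on to the next."""
    granted = "none"
    for attrs, clauses in acl:
        if attr not in attrs:
            continue
        for who, level, control in clauses:
            if who_matches(who, bind_dn, target_dn):
                granted = level
                if control == "break":
                    break                     # carry the level to the next directive
                return granted                # "stop" (the default control)
        else:
            return "none"                     # directive matched, no <by> matched
    return granted

# Constructed DNs; only queryimap's DN comes from the thread.
BASE = "dc=my,dc=company,dc=com"
QUERYIMAP, ADMIN = f"uid=queryimap,cn=users,{BASE}", f"cn=admin,{BASE}"
ALICE, BOB = f"uid=alice,cn=users,{BASE}", f"uid=bob,cn=users,{BASE}"

# Stand-in for the pre-existing userPassword directive; the admin clause is constructed.
DEFAULT = ({"userPassword"}, [(f'dn="{ADMIN}"', "write", "stop"), ("self", "write", "stop"),
                              ("anonymous", "auth", "stop"), ("*", "none", "stop")])

def custom(control):
    """The thread's custom directive, with the chosen control on its "*" clause."""
    return ({"userPassword"}, [(f'dn="{QUERYIMAP}"', "read", "stop"), ("anonymous", "auth", "stop"),
                               ("self", "write", "stop"), ("*", "none", control)])

CUSTOM_BREAK_FIRST = [custom("break"), DEFAULT]   # the thread's proposal, ordered first
CUSTOM_STOP_FIRST = [custom("stop"), DEFAULT]     # without "break": DEFAULT is never consulted
DEFAULT_FIRST = [DEFAULT, custom("break")]        # custom ordered after DEFAULT: never reached
```

The model shows the two things to verify in the merged slapd.conf: the custom directive must be ordered before the existing userPassword directive (otherwise its `by * none` ends evaluation before queryimap is ever considered), and its last clause must be `by * none break` rather than plain `by * none`, or identities granted access by the existing directive lose it.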