Grant write permission for user to write to contacts,cn=kopano,dc= UCS-way?

kopano
ldap

#1

Hi,

How do I grant, in ‘the Univention way’, write permissions for a specific user to only contacts,cn=kopano,dc=company?

I would like to push contacts to this place so to make it available to all webapp users.

I have the LDIF ready but just cannot load it with ‘ldapadd -f /tmp/contacts.ldiff’.

I want a specific user for this job, not an admin account with all permissions.

Thank you.


#2

Hey,

the admin manual contains a section about extending the LDAP ACLs. It doesn’t include an example that matches your use case 1:1, but it should be enough to get you started.

Note that the LDAP server’s configuration file is created from template files. Therefore you cannot simply edit /etc/ldap/slapd.conf as your changes would be overwritten subsequently. You’ll have to put your changes in a new sub-template file in /etc/univention/templates/files/etc/ldap/slapd.conf.d. If you don’t know how to do that, I suggest reading this blog post I’ve written about that very topic which explains how it all works — where to put stuff, how to register your own (sub-)templates, how to regenerate the destination file from the templates. It’s only available in German for the time being, but judging from your user name that shouldn’t be a problem.

The ACL in question could look something like this (untested, suitable for the template file, not for the final LDAP server config):

access to dn="cn=contacts,cn=kopano,@%@ldap/base@%@"
        by dn="uid=your-user,cn=users,@%@ldap/base@%@" write
        by * +0 break

Kind regards,
mosu
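The procedure from the answer above, carried through as a script. This is an added example, not code from the thread or from Univention: it renders the ACL so you can see what the @%@ldap/base@%@ marker expands to, writes the sub-template and its .info file, regenerates slapd.conf and then checks the delegation with a negative and a positive ldapadd. The template name, the numeric prefix, the .info layout, the ldapi:/// URI and the ‘ucr register’/‘ucr commit’ steps are assumptions about a UCS host; ‘your-user’ is a placeholder. OpenLDAP evaluates ACLs first-match, so the sub-template must sort before any broader ‘access to’ rule, which is worth confirming in the generated /etc/ldap/slapd.conf.

```shell
#!/bin/sh
# Added example, not from the thread: delegate write access on
# cn=contacts,cn=kopano,<base> to one user as described in post #2, then check it.
# Paths, the template name and the ucr/ldap invocations are assumptions about a UCS host.
set -eu

TEMPLATE_DIR=/etc/univention/templates/files/etc/ldap/slapd.conf.d
INFO_DIR=/etc/univention/templates/info
NAME=kopano-contacts-acl   # assumed name for the sub-template and its .info file

# Render the ACL for a user and base. Passing the literal marker
# '@%@ldap/base@%@' as base yields the template form; passing the real base
# shows what UCR produces on commit. "+0 break" gives every other identity no
# extra rights here and lets evaluation continue with the following ACLs.
render_acl() {
    user="$1"; base="$2"
    printf 'access to dn="cn=contacts,cn=kopano,%s"\n' "$base"
    printf '        by dn="uid=%s,cn=users,%s" write\n' "$user" "$base"
    printf '        by * +0 break\n'
}

# Guard before committing: succeed only if exactly one 'by' clause grants
# write and that clause names the expected DN.
acl_grants_write_only_to() {
    acl="$1"; expected_dn="$2"
    [ "$(printf '%s\n' "$acl" | grep -c ' write$')" -eq 1 ] &&
        printf '%s\n' "$acl" | grep -Fq "by dn=\"$expected_dn\" write"
}

# Write the sub-template (markers kept; UCR expands them), register it,
# regenerate slapd.conf, syntax-check it and restart slapd.
install_acl() {
    user="$1"
    acl=$(render_acl "$user" '@%@ldap/base@%@')
    acl_grants_write_only_to "$acl" "uid=$user,cn=users,@%@ldap/base@%@"
    printf '%s\n' "$acl" > "$TEMPLATE_DIR/90$NAME"
    cat > "$INFO_DIR/$NAME.info" <<EOF
Type: subfile
Multifile: etc/ldap/slapd.conf
Subfile: etc/ldap/slapd.conf.d/90$NAME
EOF
    ucr register "$NAME"                  # assumed: registers the .info file
    ucr commit /etc/ldap/slapd.conf       # regenerates the file from all templates
    slaptest -u -f /etc/ldap/slapd.conf   # fail here rather than after a restart
    systemctl restart slapd
}

# Negative check first (another regular user must be refused with
# "Insufficient access"), then the positive check with the delegated user.
verify_acl() {
    user="$1"; other="$2"; ldif="$3"
    base=$(ucr get ldap/base)
    if ldapadd -H ldapi:/// -D "uid=$other,cn=users,$base" -W -f "$ldif"; then
        echo "ACL too broad: $other could write to the contacts subtree" >&2
        return 1
    fi
    ldapadd -H ldapi:/// -D "uid=$user,cn=users,$base" -W -f "$ldif"
}

case "${1:-}" in
    install) install_acl "${2:-your-user}" ;;
    verify)  verify_acl "${2:?user}" "${3:?other user}" "${4:?ldif file}" ;;
esac
```

Run it as ‘sh delegate-contacts.sh install your-user’ on the LDAP master, then ‘sh delegate-contacts.sh verify your-user some-other-user /tmp/contacts.ldiff’. The negative check matters as much as the positive one: it catches a sub-template that landed after a broader rule and therefore never took effect, or one that accidentally widened access.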


#3

Thank you very much. Works great!


#4

Great! You’re quite welcome.