Grant write permission for user to write to contacts,cn=kopano,dc= UCS-way?

Hi,

How to grant, in ‘the Univention way’, write permissions for a specific user to only contacts,cn=kopano,dc=company?

I would like to push contacts to this place so to make it available to all webapp users.

I have an LDIF ready but just cannot load it with ‘ldapadd -f /tmp/contacts.ldiff’.

I want a specific user for this job, not an admin account with all permissions.

thank you.

Hey,

the admin manual contains a section about extending the LDAP ACLs. It doesn’t include an example that matches your use case 1:1, but it should be enough to get you started.

Note that the LDAP server’s configuration file is created from template files. Therefore you cannot simply edit /etc/ldap/slapd.conf as your changes would be overwritten subsequently. You’ll have to put your changes in a new sub-template file in /etc/univention/templates/files/etc/ldap/slapd.conf.d. If you don’t know how to do that, I suggest reading this blog post I’ve written about that very topic which explains how it all works — where to put stuff, how to register your own (sub-)templates, how to regenerate the destination file from the templates. It’s only available in German for the time being, but judging from your user name that shouldn’t be a problem.

The ACL in question could look something like this (untested, suitable for the template file, not for the final LDAP server config):

access to dn="cn=contacts,cn=kopano,@%@ldap/base@%@"
        by dn="uid=your-user,cn=users,@%@ldap/base@%@" write
        by * +0 break

Kind regards,
mosu
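
Added example (not from the thread or from Univention): a script that installs the ACL above as a UCR sub-template, registers it, regenerates slapd.conf and then checks that write on the contacts subtree is granted to the dedicated user and to nobody else. The sub-template name 61contacts-acl.acl, the info file name contacts-acl.info and the user contacts-writer are assumptions; it uses dn.subtree rather than a bare dn= so that entries added beneath the container are covered too.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: sub-template
# 61contacts-acl.acl, info file contacts-acl.info, service user contacts-writer.
set -eu

TPL_DIR=/etc/univention/templates/files/etc/ldap/slapd.conf.d
INFO_DIR=/etc/univention/templates/info
TPL_NAME=${TPL_NAME:-61contacts-acl.acl}   # assumed; sorts after the 60* UCS ACL file
WRITER=${WRITER:-contacts-writer}          # assumed dedicated account, no admin rights

# Render the ACL sub-template. @%@ldap/base@%@ is the UCR placeholder that
# 'ucr commit' expands to the base DN. dn.subtree covers the container and the
# contact entries added below it (a bare dn= matches the container only);
# '+0 break' passes every other bind on to the regular UCS ACLs unchanged.
acl_template() {
    cat <<EOF
access to dn.subtree="cn=contacts,cn=kopano,@%@ldap/base@%@"
        by dn.exact="uid=$1,cn=users,@%@ldap/base@%@" write
        by * +0 break
EOF
}

# Render the .info file that registers the sub-template as part of slapd.conf.
info_file() {
    cat <<EOF
Type: subfile
Multifile: etc/ldap/slapd.conf
Subfile: etc/ldap/slapd.conf.d/$1
EOF
}

# Verify in a rendered slapd.conf that the contacts ACL grants write to the
# intended uid and to nobody else. Exit status 0 means the check passed.
acl_check() {
    awk -v w="uid=$2," '
        /^access to dn\.subtree="cn=contacts,cn=kopano,/ { inacl = 1; next }
        /^access to/                                     { inacl = 0 }
        inacl && /write/ { if (index($0, w)) ok++; else bad++ }
        END { exit !(ok == 1 && bad == 0) }' "$1"
}

if command -v ucr >/dev/null 2>&1; then   # only acts on a real UCS host
    acl_template "$WRITER" > "$TPL_DIR/$TPL_NAME"
    info_file "$TPL_NAME" > "$INFO_DIR/contacts-acl.info"
    ucr commit /etc/ldap/slapd.conf        # regenerate from the templates
    slaptest -u -f /etc/ldap/slapd.conf    # syntax check before restarting
    acl_check /etc/ldap/slapd.conf "$WRITER"
    systemctl restart slapd
fi
```

After the restart, the ldapadd from the question should succeed when bound as the dedicated user (-D "uid=contacts-writer,cn=users,<base>" -W), while the same bind still cannot modify anything outside cn=contacts,cn=kopano.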

Thank you very much. Works great!

Great! You’re quite welcome.

Hi siegmarb,

would you care to post the exact steps of what you did to get it working here? I would be very thankful!

Cheers
HBau
