Groups Admin delegation

Hi, is there any way to delegate control of groups? I wish non-system groups could be controlled by a third party group. example: the helpdesk must be able to assign groups to users (not domain admins or any other builtin group)

thank you.

I tried to create a group with the following policies:

image

now those who are part of the “Groups Admin” see the groups correctly but cannot save the changes.

Hi, to allow writing I added the following in the /etc/ldap/slapd.conf file:

access to dn.sub="dc=dom,dc=lan" filter="(&(objectClass=posixGroup)(objectClass=univentionGroup)(!(|(cn=Domain Admins)(cn=Groups Admin)(cn=Administrators))))" attrs="uniqueMember,memberUid"
    by set="user & [cn=Groups Admin,cn=groups,dc=dom,dc=lan]/uniqueMember*" write
    by * break

now I have to make sure that the changes are not lost when the file is updated from the templates.

1 Like

I’d say you’ll have to adjust the templates as mentioned in the documentation: https://docs.software-univention.de/manual-4.4.html#domain-ldap:acls

Hi, thanks, I had already tried to create the file:

/etc/univention/templates/files/etc/ldap/slapd.conf.d/65groupsadmin.acl

but doing a test commit it is not included. The content of 65groupsadmin.acl is:

# helpdesk access: grant modify members
access to dn.sub="dc=dom,dc=lan" filter="(&(objectClass=posixGroup)(objectClass=univentionGroup)(!(|(cn=Domain Admins)(cn=Administrators)(cn=Groups Admin))))" attrs="uniqueMember,memberUid"
        by set="user & [cn=Groups Admin,cn=groups,dc=dom,dc=lan]/uniqueMember*" write
        by * break

so a little bit is still missing :slight_smile:

Hi, here is the missing piece:

as root run the following command:

. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension --packagename groups_admin --packageversion 1.0 --acl /etc/univention/templates/files/etc/ldap/slapd.conf.d/67groupsadmin.acl

Object exists: cn=ldapacl,cn=univention,dc=dom,dc=lan
Object created: cn=67groupsadmin,cn=ldapacl,cn=univention,dc=dom,dc=lan

Waiting for activation of the extension object 67groupsadmin: ...........OK

1 Like
Mastodon