Hi, is there any way to delegate control of groups? I wish non-system groups could be controlled by a third-party group. Example: the helpdesk must be able to assign groups to users (not Domain Admins or any other built-in group).
thank you.
I tried to create a group with the following policies:
Now those who are part of the “Groups Admin” group see the groups correctly but cannot save the changes.
Hi, to allow writing I added the following to the /etc/ldap/slapd.conf file:
access to dn.sub="dc=dom,dc=lan" filter="(&(objectClass=posixGroup)(objectClass=univentionGroup)(!(|(cn=Domain Admins)(cn=Groups Admin)(cn=Administrators))))" attrs="uniqueMember,memberUid"
by set="user & [cn=Groups Admin,cn=groups,dc=dom,dc=lan]/uniqueMember*" write
by * break
Now I have to make sure that the changes are not lost when the file is updated from the templates.
I’d say you’ll have to adjust the templates as mentioned in the documentation: https://docs.software-univention.de/manual-4.4.html#domain-ldap:acls
Hi, thanks, I had already tried to create the file:
/etc/univention/templates/files/etc/ldap/slapd.conf.d/65groupsadmin.acl
but when I do a test commit it is not included. The content of 65groupsadmin.acl is:
# helpdesk access: grant modify members
access to dn.sub="dc=dom,dc=lan" filter="(&(objectClass=posixGroup)(objectClass=univentionGroup)(!(|(cn=Domain Admins)(cn=Administrators)(cn=Groups Admin))))" attrs="uniqueMember,memberUid"
by set="user & [cn=Groups Admin,cn=groups,dc=dom,dc=lan]/uniqueMember*" write
by * break
So a little bit is still missing.
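To reason about what the ACL above actually permits before registering it, here is an added example (not from the thread or from Univention) that models the rule offline: the dn.sub scope, the attrs list, the objectClass/cn filter that excludes the built-in groups, and the nested `uniqueMember*` set. The group entries and user DNs in it are constructed sample data; DN comparison is simplified to exact matching.

```python
# Added example: offline model of the posted slapd ACL (constructed data, not UCS code).
BASE_DN = "dc=dom,dc=lan"
GROUPS_ADMIN_DN = "cn=Groups Admin,cn=groups,dc=dom,dc=lan"
# Groups excluded by the (!(|(cn=...)(cn=...)(cn=...))) part of the filter
PROTECTED_CNS = {"Domain Admins", "Administrators", "Groups Admin"}
WRITABLE_ATTRS = {"uniqueMember", "memberUid"}

def grp(cn, members=()):
    return {"objectClass": ["posixGroup", "univentionGroup"], "cn": [cn],
            "uniqueMember": list(members)}

# Constructed entries: DN -> attributes (every value is a list, as in LDAP)
DIRECTORY = {
    GROUPS_ADMIN_DN: grp("Groups Admin", ["uid=help1,cn=users,dc=dom,dc=lan",
                                          "cn=Helpdesk L2,cn=groups,dc=dom,dc=lan"]),
    "cn=Helpdesk L2,cn=groups,dc=dom,dc=lan": grp("Helpdesk L2", ["uid=help2,cn=users,dc=dom,dc=lan"]),
    "cn=Domain Admins,cn=groups,dc=dom,dc=lan": grp("Domain Admins", ["uid=Administrator,cn=users,dc=dom,dc=lan"]),
    "cn=Sales,cn=groups,dc=dom,dc=lan": grp("Sales"),
}

def nested_members(directory, group_dn, seen=None):
    """Expand uniqueMember transitively, as the trailing '*' in the set clause does."""
    seen = set() if seen is None else seen
    for member in directory.get(group_dn, {}).get("uniqueMember", []):
        if member not in seen:          # guard against membership cycles
            seen.add(member)
            nested_members(directory, member, seen)
    return seen

def acl_applies(directory, target_dn, attr):
    """The 'access to' part: dn.sub scope, attrs list and the objectClass/cn filter."""
    entry = directory.get(target_dn)
    if entry is None or attr not in WRITABLE_ATTRS:
        return False
    if not (target_dn == BASE_DN or target_dn.endswith("," + BASE_DN)):
        return False                    # simplified dn.sub: exact suffix match only
    ocs = {oc.lower() for oc in entry["objectClass"]}
    if not {"posixgroup", "univentiongroup"} <= ocs:
        return False
    return not any(cn in PROTECTED_CNS for cn in entry["cn"])

def acl_decision(directory, requester_dn, target_dn, attr):
    """'write' if granted, 'break' if slapd continues with later ACLs, None if no match."""
    if not acl_applies(directory, target_dn, attr):
        return None
    if requester_dn in nested_members(directory, GROUPS_ADMIN_DN):
        return "write"
    return "break"
```

The None results for Domain Admins and for Groups Admin itself are the point of the negative filter: members of Groups Admin cannot add themselves to a protected group through this rule, and the request falls through to whatever later ACLs say.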
Hi, here is the missing piece:
As root, run the following command:
. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension --packagename groups_admin --packageversion 1.0 --acl /etc/univention/templates/files/etc/ldap/slapd.conf.d/67groupsadmin.acl
Object exists: cn=ldapacl,cn=univention,dc=dom,dc=lan
Object created: cn=67groupsadmin,cn=ldapacl,cn=univention,dc=dom,dc=lan
Waiting for activation of the extension object 67groupsadmin: ...........OK