Hello,
I am trying to create a group for system users that are not Domain Admins that can perform specific tasks inside LDAP.
The first user is a Simple Authentication User that I created for querying LDAP. This user is working fine, but in the process of testing I saw that I could theoretically query from any LDAP user as long as I can reach my server and have valid credentials. Is there any way to restrict this to only dedicated users?
The second user should be used for editing custom LDAP objects that I created from external. As far as I tested, this is only possible with users that are members of the group “Domain Admins”. I tried it with a user that is a member of a different group with the same policies and it’s not working (Insufficient Permissions). I also searched Univention config files for mention of “Domain Admin” and added my new group to every line mentioning “Domain Admins” (or added a new one).
All users that I created show up in the list at the “Users”-Icon except the simple authentication user. I saw that there are some preconfigured system users who are not part of the list but the one that I created is. I want to exclude my system user from the list but I am not sure how.
TLDR:
- Restrict access to query via “ldapsearch” for users
- Enable access to edit ldap objects for groups other than “Domain Admins”
- Exclude new user from list at “Users”.
I am pretty new to Univention and would appreciate any help I can get with this!
BR,
VG