More than single policy type applied on one LDAP container?


Hi, I have a question about the way policies can be layered and are attached to LDAP containers in UMC.

Can only a single policy of a particular type (eg: UCR) be attached to an individual LDAP object like a container?

I’m trying to work out if I can create layered policies other than via parent child inheritance.

For example, testing out the UCC thin clients, there are default policies created by the setup wizard (cn=ucc-thinclient-settings,cn=ucc,cn=policies,dc=fakedomain,dc=com,dc=au) on the ucc-thinclients container under computers.

I now want to add UCR variables for connecting the CUPS print server as per the UCC docs 5.7 to all my thin clients, therefore the place to attach the UCR policy would be the cn=ucc-thinclients,cn=computers, container rather than each computer account object individually.

However, there is already the wizard created ucc-thinclient-settings UCR policy applied to this LDAP container object, and it doesn’t look like I can add another UCR policy on top of this, the dropdown forces me to choose only one policy. However, I’d prefer to create a separate CUPS UCR policy that could potentially be applied to the ucc-thinclients container and/or the ucc-desktops container, while not loosing the settings applied to UCR from the UCC setup wizard.

To my mind all I can see to do is either:
[li]Add the CUPS settings to the existing UCR policy applied to that container, but potentially adding similar settings to multiple policies - more places to keep track of identical settings. [/li]
[li]Or to apply these settings at a higher level in the tree - but I’d need to filter out onbects that I didn’t want to capture like UCS DCs? [/li][/ul]
It would be nice to be able to attach additional policies of the same type at the same level of the tree / to the same object to layer up policies. Something like this is done with Microsoft group policies. I can apply several policies to the same OU and the final resultant set of policy is layered up out of the collection (in a last-applied wins ordered list in case there are conflicts). I can see layering/composition of policy happens in UMC now for inheritance down the LDAP tree but it would be great if there’s a way to layer the policies on a single LDAP object/container too.

Any way to do this?

Thanks all,



yes, you can only link a single policy of a particular type to an ldap object.

You described the current workaround for yourself - apply an extending policy to a parent container. You can limit the objects a policy applies to by configuring criteria like a required objectClass. For UCC clients, edit your custom policy, and add ‘univentionCorporateClient’ to ‘Advanced settings’->Object->‘Required object class’