The locking of attributes (e.g. to check the uniqueness of uid/uidNumber/gidNumber/etc.) is currently done with the permissions of the user doing the operation. If there are ACL's which prevent reading any user/group/etc object the ldap search checking for uniqueness will fail and therefore UDM allows to use a unique attribute twice. In general modifications are done with Domain Admin account, which see everything. In UCS@school each school user and each machine-account is limited to its own school, other objects are therefore hidden. We should: 1. additionally to UDM try to use the unique constraint in the slapd.conf 2. do the lock() searches with cn=admin (not cn=machine$!) 3. probably we should also do the lock() modifications with cn=admin, so that we don't always need to specify extra LDAP ACL's for this use case (e.g. in UCS@school or multi-tenant scenarios) !?!
With ABAC activated in UDM this is done with admin privileges.