Description Florian Best 2021-07-02 12:04:20 CEST

The locking of attributes (e.g. to check the uniqueness of uid/uidNumber/gidNumber/etc.) is currently done with the permissions of the user doing the operation.

If there are ACL's which prevent reading any user/group/etc object the ldap search checking for uniqueness will fail and therefore UDM allows to use a unique attribute twice.

In general modifications are done with Domain Admin account, which see everything.

In UCS@school each school user and each machine-account is limited to its own school, other objects are therefore hidden.

We should:
1. additionally to UDM try to use the unique constraint in the slapd.conf
2. do the lock() searches with cn=admin (not cn=machine$!)
3. probably we should also do the lock() modifications with cn=admin, so that we don't always need to specify extra LDAP ACL's for this use case (e.g. in UCS@school or multi-tenant scenarios) !?!