Make primary group configurable on all container objects so that we can have multiple defaults for different positions in the LDAP tree.
In a standard UCS we have a "default object" which defines the default primary group for user objects:

```
cn=default,cn=univention,dc=ucs,dc=test
objectClass: top
objectClass: univentionDefault
objectClass: univentionObject
univentionObjectType: settings/default
cn: default
univentionDefaultGroup: cn=Domain Users,cn=groups,dc=ucs,dc=test
univentionDefaultComputerGroup: cn=Windows Hosts,cn=groups,dc=ucs,dc=test
univentionDefaultDomainControllerGroup: cn=DC Slave Hosts,cn=groups,dc=ucs,dc=test
univentionDefaultDomainControllerMasterGroup: cn=DC Backup Hosts,cn=groups,dc=ucs,dc=test
univentionDefaultClientGroup: cn=Computers,cn=groups,dc=ucs,dc=test
univentionDefaultMemberserverGroup: cn=Computers,cn=groups,dc=ucs,dc=test
```

For delegated administration we need to define these defaults per OU, so that we don't need to read the global groups and the default primary group for user objects in an OU is a group from its OU, or at least so that we can configure the default per OU.

One way would be:

- allow objectclass `univentionDefault` on any container/ou (and cn, dc?)
- set `objectClass: univentionDefault` on the users container in an OU -> `cn=users,ou=bremen,...`
- so in the end all container objects (cn, ou, dc?) can handle

  ```
  defaultClientGroup
  defaultComputerGroup
  defaultDomainControllerGroup
  defaultDomainControllerMBGroup
  defaultGroup
  defaultMemberServerGroup
  ```

- in UDM check for `univentionDefaultGroup` on position of new user, so `cn=users,ou=bremen,...`; if it exists, use this value, or else go with the global default
"univentionDefault" was a structural object class and could therefore not be combined with the existing container object classes. A new object class, "univentionContainerDefault" was introduced, supporting the same attributes. In UDM container/cn, container/ou, container/dc this is exposed via the option "group-settings", with the same properties as settings/default: 'defaultGroup' 'defaultComputerGroup' 'defaultDomainControllerGroup' 'defaultDomainControllerMBGroup' 'defaultMemberServerGroup' 'defaultClientGroup' As the LDAP base is extended, one day we should remove settings/default and move the settings to the LDAP base. univention-management-console-module-udm.yaml 0fd773741a4d | chore(univention-directory-manager-modules): update advisory univention-management-console-module-udm (12.2.1) 818baace9be9 | feat(udm-umc): reload object properties on creation univention-ldap.yaml 0fd773741a4d | chore(univention-directory-manager-modules): update advisory univention-ldap (18.2.4) b720316fbf00 | feat(udm): implement container-specific default groups with hierarchical lookup univention-directory-manager-modules.yaml 0fd773741a4d | chore(univention-directory-manager-modules): update advisory univention-directory-manager-modules (17.2.7) 880a734508f2 | perf(udm): enhance getting syntax-choices 4123c23ad8b0 | feat(udm): add default primary group settings to container objects b720316fbf00 | feat(udm): implement container-specific default groups with hierarchical lookup ucs-test (12.2.10) fbb1f1fe90f0 | test(udm): add tests for OU-specific default groups
OK - Tests (jenkins, manual)

OK - yaml

OK - update
<https://errata.software-univention.de/#/?erratum=5.2x128>

<https://errata.software-univention.de/#/?erratum=5.2x129>

<https://errata.software-univention.de/#/?erratum=5.2x130>