Univention Bugzilla – Bug 49827
Insufficient rights for student accounts in subcontainers of cn=schueler,cn=users,ou=$SchoolOU
Last modified: 2019-07-10 11:11:44 CEST
The content of subcontainers of cn=users,ou=$SchoolOU is not replicated to schools. That unnecessarily restricts the options of UCS@school administrators to sub-structure their users (and groups), e.g. to implement access control on class granularity in Samba/AD with standard AD administration tools.
(In reply to Arvid Requate from comment #0)
> The content of subcontainers of cn=users,ou=$SchoolOU is not replicated to
> schools. That unnecessarily restricts the options of UCS@school
> administrators to sub-structure their users (and groups), e.g. to implement
> access control on class granularity in Samba/AD with standard AD
> administration tools.

I'm not 100% sure if the replication is the main problem here. I think that all objects (even subcontainers/OUs) are replicated, but several LDAP-ACLs for giving write permission rely on the exact position of certain LDAP objects.
Ok, right, I can create cn=class2,cn=schueler,cn=users,ou=sun,dc=schein,dc=me e.g. as Administrator from Windows with ADSIedit and then use the Active Directory Users and Computers tool to move a student into that subcontainer. That works. I have adjusted the subject of the bug accordingly.