Import permissions¶
To start an import or read data from previous imports, the user must be given permission. Imports can only be made for a single role at a single school.
Import permission groups¶
Permissions are stored in “Import Permission groups”. Those are normal groups with an additional objectClass ucsschoolImportGroup
.
For a user to be allowed to start/read an import for role student
at a school $OU
, a group must exist, that has the attributes:
ucsschoolImportSchool: $OU
ucsschoolImportRole: student
users: $DN_of_user, ...
The above users
property is how UDM shows it. An LDAP query would list the users DN in the attribute uniqueMember
(and its UID in memberUid
).
$OU-import-all
groups¶
The join script 40ucs-school-import-http-api.inst
creates an import permission group with a name $OU-import-all
for each OU.
For all OUs that are created later, the import hook /usr/share/ucs-school-import/hooks/ou_create_post.d/53importgroup_create
will create such a group automatically.
Granularity¶
Those automatically created groups list all four roles (student
, staff
, teacher_and_staff
and teacher
).
Being member of such a group allows to run/read imports of users of all those roles in the referenced school/OU.
For finer-graned access control the administrator can create groups with less roles or remove roles from existing groups.
It is also possible to add more OUs to a group, to allow the same user(s) to run imports for multiple OUs. It’s not possible do do this in UMC, but on the command line.:
$ OU=SchuleEins
$ OU2=SchuleZwei
$ OU3=SchuleDrei
$ eval "$(ucr shell ldap/base)"
$ udm groups/group modify \
--dn cn="$OU-import-all,cn=groups,ou=$OU,$ldap_base" \
--append ucsschoolImportSchool=$OU2 \
--append ucsschoolImportSchool=$OU3
Add user to security group¶
Create a school user that will be allowed to do imports (or don’t, and use the Administrator
user).
You can do this in the UMC Users-school-wizard.
Here is a code snippet how to do it on the command line (calling Python code).
In this example the OU is called SchuleEins
and the username is myteacher
:
$ python -c 'ou = "SchuleEins"; username = "myteacher" \
import univention.admin.uldap; \
from ucsschool.lib.models import Teacher; \
lo, po = univention.admin.uldap.getAdminConnection(); \
t = Teacher(name=username, school=ou, firstname="my", lastname="teacher", password="univention"); \
print("Creation success: {!r}".format(t.create(lo))); \
print("DN: {!r}".format(t.dn))'
Add the user to the group of each OU you want to start an import for:
$ udm groups/group modify \
--dn cn="$OU-import-all,cn=groups,ou=$OU,$ldap_base" \
--append users="uid=myteacher,cn=lehrer,cn=users,ou=$OU,$ldap_base"
An LDAP search should now look similar to this:
$ univention-ldapsearch -LLL "cn=$OU-import-all" \
univentionPolicyReference ucsschoolImportRole ucsschoolImportSchool uniqueMember memberUid
univentionPolicyReference: cn=schoolimport-all,cn=UMC,cn=policies,$ldap_base
ucsschoolImportRole: student
ucsschoolImportRole: staff
ucsschoolImportRole: teacher_and_staff
ucsschoolImportRole: teacher
ucsschoolImportSchool: $OU
uniqueMember: uid=myteacher,cn=lehrer,cn=users,ou=$OU,$ldap_base
memberUid: myteacher
The user myteacher
is now allowed to run imports (and read data of previous imports) on OU $OU
for users of roles student
, staff
, teacher_and_staff
and teacher
.