8.6. Policies module#
Deployment — Kubernetes & UCS appliance
The Policies management module appears in both deployments.
Nubus offers the Policies management module for managing administrative settings by means of policies.
Policies define administrative settings that you can apply to multiple directory objects in the directory service. They simplify administration by allowing you to connect them to containers. Nubus then applies the policies to all directory objects within that container and its sub-containers. Values inherit down the directory container hierarchy. Nubus applies the value defined closest to the object.
For example, if you want to enforce the same password expiry interval for all users in a location, create a dedicated container for those users. After moving the user objects into this container, assign a password policy to it. This policy then applies to all user objects within the container.
A policy can also declare some of its values as fixed attributes; subordinate policies can't override these. Each policy type applies to one kind of domain object, such as users or DHCP subnets.
You find the Policies management module in the Domain category in the Management UI. When you open the module, it lists the existing policies. The Referencing objects section of a policy lists all containers and LDAP objects in the directory service to which that policy is assigned. The Advanced settings contain general policy options that are usually only needed in specific situations.
How you view the policies that effectively apply to a directory object depends on the deployment:
- UCS appliance: use the command-line program univention-policy-result with the DN of the object.
- Nubus for Kubernetes: there is no equivalent command. The Policies tab of the object in the Management UI shows the resulting values.
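On the appliance, a practitioner usually wants the output of univention-policy-result in a form a script can audit, for example to confirm that every user in a container really ends up with the intended minimum password length. The following helper is an added example, not code from Nubus or UCS. It assumes the tool prints one `POLICY <dn>` block per applied policy followed by `Attribute:`/`Value:` pairs (adjust the parser if your version prints a different layout), that `-D` and `-y` give the bind DN and password file, and that the sample text, the attribute names and `check_min_password_length` are illustrative and constructed here.

```python
"""Read the effective policy values of one LDAP object on a UCS appliance:
run univention-policy-result and parse its output into
{policy DN: {attribute: [values]}}.  Added example, not project code."""
import subprocess

# Constructed sample in the layout this parser assumes: a "DN:" line, then one
# "POLICY <dn>" block per applied policy with "Attribute:"/"Value:" pairs.
SAMPLE_OUTPUT = """\
DN: uid=alice,cn=users,dc=example,dc=com

POLICY cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=com

Attribute: univentionPWLength
Value: 8

Attribute: univentionPWHistoryLen
Value: 3

Attribute: univentionPWExpiryInterval
Value: 90
"""


def parse_policy_result(text: str) -> dict:
    """Group Attribute/Value lines under the POLICY block they belong to.
    A multi-valued attribute is expected as repeated Value lines (assumption)."""
    result, policy, attr = {}, None, None
    for line in text.splitlines():
        if line.startswith("POLICY "):
            policy = line[len("POLICY "):].strip()
            result[policy] = {}
            attr = None
        elif line.startswith("Attribute:") and policy is not None:
            attr = line.split(":", 1)[1].strip()
            result[policy].setdefault(attr, [])
        elif line.startswith("Value:") and attr is not None:
            result[policy][attr].append(line.split(":", 1)[1].strip())
    return result


def effective_values(parsed: dict) -> dict:
    """Flatten to {attribute: [values]} across all applied policies."""
    flat = {}
    for attrs in parsed.values():
        for attr, values in attrs.items():
            flat.setdefault(attr, []).extend(values)
    return flat


def policy_result(dn: str, binddn: str, pwdfile: str = "/etc/ldap.secret") -> dict:
    """Run the real tool on the appliance: -D is the bind DN, -y the password file."""
    proc = subprocess.run(["univention-policy-result", "-D", binddn, "-y", pwdfile, dn],
                          check=True, capture_output=True, text=True)
    return parse_policy_result(proc.stdout)


def check_min_password_length(parsed: dict, minimum: int) -> bool:
    """Audit helper (hypothetical): does the effective univentionPWLength meet `minimum`?"""
    values = effective_values(parsed).get("univentionPWLength", [])
    return bool(values) and int(values[0]) >= minimum


if __name__ == "__main__":
    parsed = parse_policy_result(SAMPLE_OUTPUT)   # offline: use the constructed sample
    print(effective_values(parsed), check_min_password_length(parsed, 12))
```

Point `policy_result` at a user DN with an admin bind DN and `/etc/ldap.secret` on the appliance; the parsed dictionary keeps the policy DN for each value, so you can see which policy a value comes from, which is exactly what a Kubernetes deployment can only show you per object in the UI.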
8.6.1. Create a policy#
You can manage policies using the Policies management module. The operation is the same as for the functions described in Univention Management Console modules. The corresponding chapters describe the attributes and properties of policies, for example, for attributes and properties regarding DHCP, see DHCP module.
Important
Policy names must not contain any umlauts.
To create a policy, open the Policies management module and click Add. Select the policy type and the container in which to store the policy. Click Next.
The General tab lists attributes that depend on the policy type. The Advanced settings tab lists the following fields:
- LDAP filter
You can specify an LDAP filter expression. A directory object must match this filter for Nubus to apply the policy.
- Required object classes
Specify the LDAP object classes an object must have for the policy to apply. For example, if a user policy is only relevant for Windows environments, you can require the sambaSamAccount object class.
- Excluded object classes
Similar to required object classes, you can also list object classes whose presence excludes an object from the policy.
- Fixed attributes
Select attributes whose values subordinate policies can’t change.
- Empty attributes
Select attributes to set to empty in the policy. Nubus stores the attributes without a value. This is useful for removing values an object inherited from a superordinate policy. Subordinate policies can then assign other values to these attributes.
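The rules above (the value closest to the object wins, fixed attributes of a superordinate policy can't be overridden, an empty attribute clears an inherited value, and the LDAP filter and object-class conditions decide whether a policy applies at all) are easiest to reason about as a walk from the LDAP base down to the object. The following toy model is an added example and is not Nubus code; it assumes a simplified DN split on commas, an LDAP filter limited to the `(attr=pattern)` form, and constructed policy and user data whose attribute names are illustrative only.

```python
"""Toy model of Nubus policy resolution: closest value wins, fixed attributes
block subordinate policies, empty attributes clear inherited values, and a
policy only affects objects of its type that match its filter and classes."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    name: str
    object_type: str                      # e.g. "users/user"; other object types ignore the policy
    values: dict = field(default_factory=dict)   # attribute -> value; None models an "empty attribute"
    fixed: frozenset = frozenset()        # attributes subordinate policies may not change
    ldap_filter: str | None = None        # this toy only understands "(attr=pattern)" (assumption)
    required_classes: frozenset = frozenset()
    excluded_classes: frozenset = frozenset()


@dataclass
class Entry:
    dn: str
    object_type: str
    object_classes: frozenset
    attrs: dict = field(default_factory=dict)


def chain(dn: str, base: str) -> list[str]:
    """DNs from the LDAP base down to the entry itself. Simplified RDN split
    on ','; escaped commas are not handled (assumption for this toy)."""
    if not dn.endswith(base):
        raise ValueError(f"{dn} is not below {base}")
    rdns, n_base = dn.split(","), len(base.split(","))
    return [",".join(rdns[i:]) for i in range(len(rdns) - n_base, -1, -1)]


def matches_filter(entry: Entry, ldap_filter: str | None) -> bool:
    if ldap_filter is None:
        return True
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError(f"filter not supported by this toy: {ldap_filter}")
    attr, pattern = m.groups()
    return fnmatchcase(entry.attrs.get(attr, ""), pattern)


def applies(policy: Policy, entry: Entry) -> bool:
    """Object type, required/excluded object classes and LDAP filter must all fit."""
    return (policy.object_type == entry.object_type
            and policy.required_classes <= entry.object_classes
            and not (policy.excluded_classes & entry.object_classes)
            and matches_filter(entry, policy.ldap_filter))


def resolve(entry: Entry, assignments: dict, base: str) -> dict:
    """assignments maps a container or object DN to the policies assigned there.
    Walking from the base towards the object lets nearer policies overwrite
    values set higher up, unless a superordinate policy fixed the attribute."""
    effective, fixed = {}, set()
    for dn in chain(entry.dn, base):
        for policy in assignments.get(dn, []):
            if not applies(policy, entry):
                continue                      # wrong type, filter or classes: no effect
            for attr, value in policy.values.items():
                if attr in fixed:
                    continue                  # fixed by a superordinate policy
                effective[attr] = value       # None = cleared by an empty attribute
            fixed |= policy.fixed
    return effective


# Constructed sample domain; attribute names are illustrative only.
BASE = "dc=example,dc=com"
PW_DEFAULT = Policy("pw-default", "users/user",
                    {"univentionPWLength": "8", "univentionPWHistoryLen": "3",
                     "univentionPWExpiryInterval": "90"},
                    fixed=frozenset({"univentionPWHistoryLen"}))
PW_BERLIN = Policy("pw-berlin", "users/user", {"univentionPWExpiryInterval": "30"},
                   ldap_filter="(l=Berlin)")
PW_CONTRACTORS = Policy("pw-contractors", "users/user",
                        {"univentionPWLength": "12", "univentionPWHistoryLen": "1",
                         "univentionPWExpiryInterval": None})        # empty attribute
PW_WINDOWS = Policy("pw-windows", "users/user", {"univentionPWLength": "14"},
                    required_classes=frozenset({"sambaSamAccount"}))
DHCP_LEASE = Policy("dhcp-lease", "dhcp/subnet", {"univentionDhcpLeaseTime": "3600"})

ASSIGNMENTS = {
    BASE: [PW_DEFAULT, DHCP_LEASE],                   # on the LDAP base: domain-wide
    "cn=users," + BASE: [PW_BERLIN],
    "ou=contractors,cn=users," + BASE: [PW_CONTRACTORS],
    "uid=carol,ou=contractors,cn=users," + BASE: [PW_WINDOWS],   # assigned to the object itself
}
USERS = {
    "alice": Entry("uid=alice,ou=contractors,cn=users," + BASE, "users/user", frozenset({"posixAccount"})),
    "bob": Entry("uid=bob,cn=users," + BASE, "users/user", frozenset({"posixAccount"}), {"l": "Berlin"}),
    "carol": Entry("uid=carol,ou=contractors,cn=users," + BASE, "users/user",
                   frozenset({"posixAccount", "sambaSamAccount"})),
}


def effective_for(uid: str) -> dict:
    return resolve(USERS[uid], ASSIGNMENTS, BASE)


if __name__ == "__main__":
    for uid in USERS:
        print(uid, effective_for(uid))
```

Alice gets the contractor length of 12 but keeps the history length of 3, because the base policy fixed that attribute; her expiry interval is cleared by the empty attribute. Bob in cn=users matches the `(l=Berlin)` filter and gets the 30-day expiry. Carol carries sambaSamAccount, so the policy assigned directly to her object overrides the container value. The DHCP policy on the base never touches a user because its object type doesn't fit.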
8.6.2. Assign policies#
You can assign policies in the following ways:
- To the LDAP base, to a container, or to an organizational unit (OU). Use the LDAP Directory Browser, open the directory object and switch to the Policies tab in its properties.
- To an individual directory object. The management modules of directory objects, for example the Users module, also have a Policies tab, where you can set a particular policy for that object.
The Policies tab works identically in both cases. However, when assigning policies to a directory container, you can choose from all available policy types. When assigning policies to an individual directory object, you only see the policy types applicable to that object.
You assign a policy to the directory object or container in the Policies section. The resulting values show up directly, including values the object inherits from a superordinate policy.
If you link a directory object to a policy, or it inherits settings, that don't apply to its object type, those settings have no effect. You can therefore assign a policy to the base entry of the LDAP directory to make it valid for every object in the domain that can apply it; objects that can't apply it remain unaffected.
8.6.3. Edit policies#
You can edit and delete policies in the Policies management module. For details about the interface, refer to Univention Management Console modules.
Caution
When you edit a policy, you change the settings for all objects linked to it. The updated policy values apply to both existing and future objects connected to the policy.
You can also edit the policy currently applied to an individual directory object using the Edit policy button on its Policies tab.