Cool Solution - User Self-Service with extended Attributes
From Univention Wiki
This article shows how to let users edit details of their own user account under user settings in the UMC. This is done by appending extended attributes to the UMC module users/self and then granting users access to edit them by modifying LDAP ACLs.
Enabling the module users/self
The first step is to enable the module users/self. This is the module a user will see as user settings in the UMC after signing on.
ucr unset umc/module/udm/users/self/disabled
After the module has been enabled, existing attributes can be appended to it. In UCS, administrators can create extended attributes such as mobile phone numbers, driver licence or room numbers. For further details on how this is done, please check the manual for users and administrators. Here we continue by creating a room number as an extended attribute. Please run
eval "$(ucr shell)"
so that your LDAP base is automatically inserted into $ldap_base in our example. Then create the extended attribute "RoomNumber".
univention-directory-manager settings/extended_attribute create \
    --position "cn=custom attributes,cn=univention,$ldap_base" \
    --set name="RoomNumber" \
    --set module="users/user" \
    --set ldapMapping="univentionFreeAttribute1" \
    --set objectClass="univentionFreeAttributes" \
    --set longDescription="Room Number of employee" \
    --set tabName="Building" \
    --set multivalue=0 \
    --set syntax="string" \
    --set shortDescription="Room Number" \
    --set mayChange=1
The room number can then be appended to the module users/self by running
udm settings/extended_attribute modify \
    --dn "cn=RoomNumber,cn=custom attributes,cn=univention,$ldap_base" \
    --append module=users/self
Please replace the DN of RoomNumber with the DN of the attribute you are appending to the module.
Finally, modify the corresponding UDM policy so that the module is shown in the UMC to a user after signing on.
udm policies/umc modify \
    --dn cn=default-umc-users,cn=UMC,cn=policies,$ldap_base \
    --append allow="cn=udm-self,cn=operations,cn=UMC,cn=univention,$ldap_base"
Now the module is reachable under users -> user settings. Under the tab Building, an empty field for entering a room number is visible.
Setting the right ACLs
So far a user can see the tab for the room number but is not yet granted access to edit it. The access control lists (ACLs) of the LDAP directory still have to be modified. Since configuration files in UCS are derived from templates, this can be done by creating a new template under /etc/univention/templates/files. It is convenient to sort templates by numbers. Here the template is given the name 66univention-ldap-acl-users-self. Open
Copy the following Python code into the template. In this case the objectClass of the LDAP attribute of the room number is UniventionFreeAttributes. The @ prefix in the rule makes it apply to every attribute of that object class, so the user gets write access on their own entry to all of those attributes, not only the room number. Save the file and exit.
@!@
# Give the user access to the user's own UDM module users/self
# (print() with a single string works under Python 2 and Python 3)
print('access to attrs=@UniventionFreeAttributes')
print(' by self write')
print(' by * +0 break')
@!@
Your newly created template still has to be registered under the path /etc/univention/templates/info in an info file. Create ldapacl_66univention-user-self.acl.info by opening it
and copy the following text into it, save and exit.
Type: multifile
Multifile: etc/ldap/slapd.conf

Type: subfile
Multifile: etc/ldap/slapd.conf
Subfile: etc/ldap/slapd.conf.d/66univention-ldap-acl-users-self
In a final step run
ucr update
ucr commit /etc/ldap/slapd.conf
service slapd restart
This will register the info file, generate a configuration file from the newly created template and restart the service.
That's it. Now users can access user settings and edit their room number or whichever attribute you appended to the module and granted the user access to.
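The new subfile becomes part of the generated /etc/ldap/slapd.conf, and slapd uses the first access clause that matches, so the position of the rule matters. The following is an added example, not part of the original article or of Univention's code, that checks a rendered file for this; the function name check_self_write_acl and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Univention code): report whether the self-write rule from
# the template is reachable in a rendered slapd.conf. slapd applies the first
# "access to" clause that matches, so an earlier "access to *" clause that
# lacks a "by * ... break" fall-through would hide it.
# Simplification: only "access to *" is treated as a broader clause.
check_self_write_acl() {   # $1 = slapd.conf path, $2 = <what> of the rule
    awk -v want="$2" '
        function flush() {                       # judge the clause just read
            if (what == "") return
            if (tolower(what) == tolower(want)) {
                if (!mine) { mine = start; selfw = (body ~ /by[ \t]+self[ \t]+write/) }
            } else if (what == "*" && !mine && !broad &&
                       body !~ /by[ \t]+\*[ \t].*break/)
                broad = start
            what = ""
        }
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[Aa]ccess[ \t]+to[ \t]/ {              # a new clause starts in column 0
            flush(); what = $3; start = NR; body = $0; next
        }
        /^[ \t]+[^ \t]/ && what != "" { body = body " " $0; next }  # continuation
        { flush() }                              # anything else ends the clause
        END {
            flush()
            if (!mine)  { print "MISSING"; exit 1 }
            if (!selfw) { print "NO-SELF-WRITE line " mine; exit 2 }
            if (broad)  { print "SHADOWED line " mine " by line " broad; exit 3 }
            print "OK line " mine
        }' "$1"
}

# Constructed samples, not real UCS output: the same rules in two orders.
RULE='attrs=@UniventionFreeAttributes'
GOOD=$(mktemp); BAD=$(mktemp)
printf '%s\n' "access to $RULE" ' by self write' ' by * +0 break' '' \
    'access to *' ' by users read' > "$GOOD"
printf '%s\n' 'access to *' ' by users read' '' \
    "access to $RULE" ' by self write' ' by * +0 break' > "$BAD"

check_self_write_acl "$GOOD" "$RULE"          # OK line 1
check_self_write_acl "$BAD"  "$RULE" || true  # SHADOWED line 4 by line 1
```

Pointed at /etc/ldap/slapd.conf after `ucr commit`, the function can be run before slapd is restarted.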