Cool Solution - User Self-Service with extended Attributes

From Univention Wiki

Revision as of 12:28, 30 May 2018 by Apeichert (talk | contribs) (Added UCS 4.3)
Applies to: UCS Version 4.2, UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also regard the legal notes at Terms of Service.

This article shows how to give users the option to edit details of their own user account under user settings in the UMC. This is done by appending extended attributes to the UMC module users/self and then granting users access to edit them by modifying the LDAP ACLs.

Enabling the module users/self

The first step is to enable the module users/self. This is the module a user will see as user settings in the UMC after signing on.

ucr unset umc/module/udm/users/self/disabled

After the module has been enabled, existing attributes can be appended to it. In UCS, extended attributes such as mobile phone numbers, driver's licences or room numbers can be created by administrators. For further details on how this is done, please check the manual for users and administrators. Here we continue by creating a room number as an extended attribute. Please run

eval "$(ucr shell)"

so that your LDAP base is available as $ldap_base in the commands below. Then create the extended attribute "RoomNumber".

univention-directory-manager settings/extended_attribute create \
    --position "cn=custom attributes,cn=univention,$ldap_base" \
    --set name="RoomNumber" \
    --set module="users/user" \
    --set ldapMapping="univentionFreeAttribute1" \
    --set objectClass="univentionFreeAttributes" \
    --set longDescription="Room Number of employee" \
    --set tabName="Building" \
    --set multivalue=0 \
    --set syntax="string" \
    --set shortDescription="Room Number" \
    --set mayChange=1

The room number can then be appended to the module users/self by running

udm settings/extended_attribute modify \
    --dn "cn=RoomNumber,cn=custom attributes,cn=univention,$ldap_base" \
    --append module=users/self

If you are appending a different attribute, replace the DN of RoomNumber with the DN of that attribute.

Finally, modify the corresponding UMC policy so that the module is shown in the UMC to a user after signing on.

udm policies/umc modify \
    --dn "cn=default-umc-users,cn=UMC,cn=policies,$ldap_base" \
    --append allow="cn=udm-self,cn=operations,cn=UMC,cn=univention,$ldap_base"

Now the module is reachable under users -> user settings. Under the tab Building, an empty field for entering a room number is visible.

Setting the right ACLs

So far a user is able to see the tab for the room number, but is not yet allowed to edit it: the access control lists (ACLs) of the LDAP directory still have to be modified. Since configuration files in UCS are generated from templates, this is done by creating a new template under /etc/univention/templates/files. It is convenient to sort templates by number prefix; here the template is given the name 66univention-ldap-acl-users-self. Open

vim /etc/univention/templates/files/etc/ldap/slapd.conf.d/66univention-ldap-acl-users-self

Copy the following Python code into the template. In this case the object class of the LDAP attribute backing the room number is univentionFreeAttributes (as set in the objectClass of the extended attribute above; OpenLDAP matches the name case-insensitively). The ACL grants the user write access to every attribute belonging to that object class, not only the one mapped to RoomNumber. Save the file and exit.

@!@
# UCR only executes lines between the @!@ markers as Python; text outside them
# is copied into slapd.conf verbatim, so the markers are required here.
# Give the user access to the users own UDM module users/self
print 'access to attrs=@UniventionFreeAttributes'
print '  by self write'
print '  by * +0 break'
@!@
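As an added example (not from the wiki article or from Univention), the following Python renders the same kind of ACL stanza from the extended-attribute definitions, granting self-write only on the LDAP attributes that are actually appended to users/self and marked editable, instead of on the whole object class. The attribute list is constructed inline for the example (on a real system it would come from the extended attribute objects in LDAP), and the attributes CostCenter and EmployeeId are hypothetical.

```python
# Added example: render the users/self ACL stanza per attribute instead of
# per object class.  Written to run under Python 2 and 3, since UCS 4.x UCR
# templates are executed with Python 2.
# Constructed sample data; not read from a real UCS system.
EXTENDED_ATTRIBUTES = [
    {"name": "RoomNumber", "ldapMapping": "univentionFreeAttribute1",
     "objectClass": "univentionFreeAttributes",
     "module": ["users/user", "users/self"], "mayChange": "1"},
    {"name": "CostCenter", "ldapMapping": "univentionFreeAttribute2",
     "objectClass": "univentionFreeAttributes",
     "module": ["users/user"], "mayChange": "1"},       # not in users/self
    {"name": "EmployeeId", "ldapMapping": "univentionFreeAttribute3",
     "objectClass": "univentionFreeAttributes",
     "module": ["users/user", "users/self"], "mayChange": "0"},  # read-only
]


def self_writable_attrs(attributes):
    """LDAP attribute types a user may edit through users/self.

    An attribute qualifies only if it is appended to users/self AND its
    extended attribute allows changes (mayChange=1); duplicates are dropped."""
    selected = []
    for attr in attributes:
        if "users/self" not in attr.get("module", []):
            continue
        if attr.get("mayChange") != "1":
            continue
        mapping = attr["ldapMapping"]
        if mapping not in selected:
            selected.append(mapping)
    return selected


def render_acl(attributes):
    """Return the slapd.conf ACL stanza, or '' when nothing is self-writable.

    'by * +0 break' grants no extra privilege and lets the following ACLs
    decide for everyone else, exactly as in the object-class variant above."""
    attrs = self_writable_attrs(attributes)
    if not attrs:
        return ""
    lines = [
        "# Write access for the user's own attributes shown in users/self",
        "access to attrs=" + ",".join(attrs),
        "  by self write",
        "  by * +0 break",
    ]
    return "\n".join(lines) + "\n"


# Inside the UCR template this call sits between the @!@ markers.
print(render_acl(EXTENDED_ATTRIBUTES))
```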

Your newly created template still has to be registered in an info file under the path /etc/univention/templates/info. Create it by opening

vim /etc/univention/templates/info/

and copy the following text into it, save and exit.

Type: multifile
Multifile: etc/ldap/slapd.conf

Type: subfile
Multifile: etc/ldap/slapd.conf
Subfile: etc/ldap/slapd.conf.d/66univention-ldap-acl-users-self

In a final step run

ucr update
ucr commit /etc/ldap/slapd.conf
service slapd restart

(Screenshot: the users module's user settings in the UMC)

This registers the info file, regenerates /etc/ldap/slapd.conf with the newly created template included, and restarts the slapd service.

That's it. Now users can open user settings and edit their room number, or whichever attribute you appended to the module and granted them access to.
