6.5. User self services

6.5.1. Password change by user via UCS portal page

Every logged-in user can change their own password by opening the menu via the hamburger icon in the top right corner and selecting User settings ‣ Change password. The change is performed directly via the PAM stack (see Authentication / PAM) and is then available centrally for all services.

6.5.2. Password management via Self Service app

By installing the UCS components Self Service Backend and Self Service in the domain via the App Center, users are enabled to take care of their password management without administrator interaction.

The Self Service app creates its own portal, accessible at the web URI /univention/selfservice/, which bundles all its functionality. The original portal has the same entries registered at its user menu. They allow users to update their password given their old password as well as to reset their lost password by requesting a token to be sent to a previously registered contact email address. The token has to be entered on the dedicated password reset web page.

The following Univention Configuration Registry Variables can be used to activate or deactivate individual features of the password management.

umc/self-service/passwordreset/backend/enabled

Activates or deactivates the backend of the Password forgotten page. This Univention Configuration Registry Variable has to be set on the system that is defined as Self Service backend via the Univention Configuration Registry Variable self-service/backend-server, since requests regarding these variables are forwarded to the Self Service backend.

umc/self-service/protect-account/backend/enabled

Activates or deactivates the backend of the Protect account page. This Univention Configuration Registry Variable has to be set on the system that is defined as Self Service backend via the Univention Configuration Registry Variable self-service/backend-server, since requests regarding these variables are forwarded to the Self Service backend.

umc/self-service/service-specific-passwords/backend/enabled

Activates or deactivates the backend for service specific passwords. Currently, only the service RADIUS is supported. Find more information in Service specific password.

Those variables also activate or deactivate the corresponding entries in the portal. However, you can also adjust the entries manually, since they are in fact just normal portal entries.

6.5.3. Contact information

Additional personal data can be stored in LDAP with the user's account. This may include a picture, the user's private address and other contact information. By default only administrators can modify these attributes. As an alternative, selected attributes may be unlocked so that users can change them themselves. The user then does this using the Self Service app.

Fig. 6.7 User profile self-service

For this the following Univention Configuration Registry Variables must be configured:

self-service/ldap_attributes

This variable configures the LDAP attributes a user can modify on their own user account. The names of the attributes must be separated by commas. This variable must be set on the Primary Directory Node (and Backup Directory Nodes).

self-service/udm_attributes

This variable configures the UDM attributes a user can modify. The names of the attributes must be separated by commas. This variable must be set on all hosts where the Self Service app is installed (including the Primary Directory Node).

self-service/udm_attributes/read-only

This variable sets UDM attributes specified in the Univention Configuration Registry Variable self-service/udm_attributes to read-only. Use a comma-separated list for multiple values. Set this variable on all hosts where the Self Service app is installed, including the Primary Directory Node.

Note that an LDAP attribute listed in the Univention Configuration Registry Variable self-service/ldap_attributes keeps the corresponding UDM attribute writable regardless of this variable. To make a UDM attribute really read-only, also remove its LDAP attribute from self-service/ldap_attributes.

umc/self-service/profiledata/enabled

This variable must be set to true on all involved server systems to enable the mechanism.

umc/self-service/allow-authenticated-use

This variable defines whether the specification of user name and password is necessary when opening and modifying your own user profile if you are already logged in to Univention Portal.

As of UCS 4.4-7, this Univention Configuration Registry Variable is automatically set to true when the Self Service is installed for the first time. The true value activates the use of an existing Univention Portal session. The fields Username and Password are then automatically filled in or no longer displayed.

Systems upgraded to UCS 4.4-7 will retain the old behavior by automatically setting the value to false. Note that this variable must be set to the same value on all participating systems where the Self Service app is installed (incl. Primary Directory Node).

The two *attributes variables (self-service/ldap_attributes and self-service/udm_attributes) must match each other. The names of the UDM attributes and their mapping to LDAP attributes can be fetched with the following command:

$ python3 -c 'from univention.admin.handlers.users.user import mapping;\
  print("\n".join( \
  map("{0[0]:>30s} {0[1][0]:<30s}".format, sorted(mapping._map.items()))) \
  )'
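The mapping command above gives the raw data; what an administrator actually needs to know is whether the three self-service/*attributes variables agree with each other. The following added example (not part of the UCS manual or of the Self Service app) checks that: every editable UDM attribute has its LDAP attribute in self-service/ldap_attributes, every read-only UDM attribute is listed in self-service/udm_attributes, and the LDAP attribute behind a read-only UDM attribute is absent from self-service/ldap_attributes. The UDM-to-LDAP mapping embedded here is a constructed subset for illustration; on a real system, derive it from the output of the one-liner above.

```python
# Consistency check for the self-service/*attributes UCR variables.
# Added example, not Univention code. The mapping below is a hand-picked,
# constructed subset; take the real one from the mapping command in the manual.
from typing import Dict, List

# ASSUMPTION: illustrative UDM property -> LDAP attribute pairs.
UDM_TO_LDAP: Dict[str, str] = {
    "jpegPhoto": "jpegPhoto",
    "e-mail": "mail",
    "phone": "telephoneNumber",
    "mobileTelephoneNumber": "mobile",
    "roomNumber": "roomNumber",
    "street": "street",
    "city": "l",
    "postcode": "postalCode",
}


def parse_list(value: str) -> List[str]:
    """Split a comma-separated UCR value, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_self_service_attributes(udm_attributes: str, ldap_attributes: str,
                                  read_only: str = "") -> List[str]:
    """Return a list of problems; an empty list means the variables agree.

    Rules from the manual:
    * an editable UDM attribute needs its LDAP attribute in ldap_attributes,
      otherwise the Primary Directory Node will not let the user change it;
    * a read-only UDM attribute must itself be part of udm_attributes;
    * the LDAP attribute behind a read-only UDM attribute must NOT be in
      ldap_attributes, otherwise it stays writable.
    """
    udm = parse_list(udm_attributes)
    ldap = set(parse_list(ldap_attributes))
    ro = parse_list(read_only)
    problems: List[str] = []

    for prop in udm:
        if prop not in UDM_TO_LDAP:
            problems.append(f"unknown UDM attribute: {prop}")
            continue
        if prop not in ro and UDM_TO_LDAP[prop] not in ldap:
            problems.append(
                f"{prop}: LDAP attribute {UDM_TO_LDAP[prop]} missing from self-service/ldap_attributes")

    for prop in ro:
        if prop not in udm:
            problems.append(f"read-only {prop} is not in self-service/udm_attributes")
        elif UDM_TO_LDAP.get(prop) in ldap:
            problems.append(
                f"{prop} is read-only but {UDM_TO_LDAP[prop]} is still in self-service/ldap_attributes")

    # LDAP attributes no editable UDM attribute needs widen what the Primary
    # accepts from users; report them so the list stays minimal (least privilege).
    used = {UDM_TO_LDAP[p] for p in udm if p in UDM_TO_LDAP and p not in ro}
    for attr in sorted(ldap - used):
        problems.append(
            f"{attr} in self-service/ldap_attributes is not needed by any editable UDM attribute")
    return problems


if __name__ == "__main__":
    # Constructed values as they would be read with `ucr get`.
    for problem in check_self_service_attributes(
            "phone,e-mail,city", "telephoneNumber,mail,l,mobile", read_only="city"):
        print("PROBLEM:", problem)
```

Feed the script the current values of the three variables from each host where the Self Service app is installed; a mismatch between hosts shows up as a different result per host.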

6.5.4. Self registration

The Self Service allows users to register themselves, which creates a user account that has to be verified via email.

User accounts that are created via the Self Service will have the RegisteredThroughSelfService attribute of the user set to TRUE and the PasswordRecoveryEmailVerified attribute set to FALSE. After the user has verified their account via the verification email the PasswordRecoveryEmailVerified attribute will be set to TRUE.

6.5.4.1. Account creation

Fig. 6.8 Account registration

Aspects of the Create an account page and the account creation itself can be configured with the following Univention Configuration Registry Variables. These Univention Configuration Registry Variables have to be set on the system that is defined as Self Service Backend via the Univention Configuration Registry Variable self-service/backend-server, since requests regarding these variables are forwarded to the Self Service backend.

umc/self-service/account-registration/backend/enabled

With this variable the account registration can be disabled/enabled.

umc/self-service/account-registration/usertemplate

With this variable a user template can be specified that will be used for the creation of self registered accounts.

umc/self-service/account-registration/usercontainer

With this variable a container can be specified under which the self registered users are created.

umc/self-service/account-registration/udm_attributes

This variable configures which UDM attributes of a user account are shown on the Create an account page of the Self Service. The names of the UDM attributes must be provided as a comma-separated list.

umc/self-service/account-registration/udm_attributes/required

This variable configures which of the UDM attributes set via the Univention Configuration Registry Variable umc/self-service/account-registration/udm_attributes the user is required to provide. The names of the UDM attributes must be provided as a comma-separated list.

6.5.4.2. Verification email

After a user has clicked on Create account, they will see a message that an email for the account verification has been sent.

Fig. 6.9 Sending the verification email

Aspects about the verification email and the verification token can be configured with the following Univention Configuration Registry Variables. These Univention Configuration Registry Variables have to be set on the Self Service Backend that is defined via the Univention Configuration Registry Variable self-service/backend-server, since requests regarding these variables are forwarded to the Self Service Backend.

umc/self-service/account-verification/email/webserver_address

Defines the host part to use in the verification link URL. The default is to use the FQDN of the Self Service Backend defined via the Univention Configuration Registry Variable self-service/backend-server since this Univention Configuration Registry Variable is evaluated there.

umc/self-service/account-verification/email/sender_address

Defines the sender address of the verification email. Default is Account Verification Service <noreply@FQDN>.

umc/self-service/account-verification/email/server

Server name or IP address of the mail server to use.

umc/self-service/account-verification/email/text_file

A path to a text file whose content will be used for the body of the verification email. The text can contain the following strings which will be substituted accordingly: {link}, {token}, {tokenlink} and {username}. As default the file /usr/share/univention-self-service/email_bodies/verification_email_body.txt is used.

umc/self-service/account-verification/email/token_length

Defines the length of the verification token in characters. Defaults to 64.

6.5.4.3. Account verification

Following the verification link from the email, the user will land on the Account verification page of the Self Service.

Fig. 6.10 Account verification

The account verification and the request of new verification tokens can be disabled/enabled with the Univention Configuration Registry Variable umc/self-service/account-verification/backend/enabled. This Univention Configuration Registry Variable has to be set on the system that is defined as Self Service Backend via the Univention Configuration Registry Variable self-service/backend-server.

Fig. 6.11 Account verification message

The SSO login can be configured to deny login from unverified, self registered accounts. This is configured through the Univention Configuration Registry Variable saml/idp/selfservice/check_email_verification. This needs to be set on the Primary Directory Node and all Backup Directory Nodes. The setting has no effect on accounts created by an administrator.

The message on the SSO login page for unverified, self registered accounts, can be set with the Univention Configuration Registry Variables saml/idp/selfservice/account-verification/error-title and saml/idp/selfservice/account-verification/error-descr. A localized message can be configured by adding a locale like en to the variable, for example saml/idp/selfservice/account-verification/error-title/en.

If the Keycloak app is used as identity provider see Settings in the Univention Keycloak app documentation [4] for the corresponding settings.

6.5.5. Self deregistration

The Self Service allows users to request the deletion of their own account. This feature can be activated with the Univention Configuration Registry Variable umc/self-service/account-deregistration/enabled, which shows a Delete my account button on the Your profile page of the Self Service (User templates).

If a user has requested to delete their account, it will not be deleted directly but deactivated. In addition the DeregisteredThroughSelfService attribute of the user will be set to TRUE and the DeregistrationTimestamp attribute of the user will be set to the current time in the GeneralizedTime LDAP syntax. If the user has a PasswordRecoveryEmail set they will receive a notification email which can be configured with the following Univention Configuration Registry Variables.

umc/self-service/account-deregistration/email/sender_address

Defines the sender address of the email. Default is Password Reset Service <noreply@FQDN>.

umc/self-service/account-deregistration/email/server

Server name or IP address of the mail server to use.

umc/self-service/account-deregistration/email/text_file

A path to a text file whose content will be used for the body of the email. The text can contain the following strings which will be substituted accordingly: {username}. As default the file /usr/share/univention-self-service/email_bodies/deregistration_notification_email_body.txt is used.

The Self Service provides a script under /usr/share/univention-self-service/delete_deregistered_accounts.py that can be used to delete all users/user objects which have DeregisteredThroughSelfService set to TRUE and whose DeregistrationTimestamp is older than a specified time.

The following command would delete users whose DeregistrationTimestamp is older than 5 days and 2 hours:

$ /usr/share/univention-self-service/delete_deregistered_accounts.py \
  --timedelta-days 5 \
  --timedelta-hours 2

For all possible arguments to the script see:

$ /usr/share/univention-self-service/delete_deregistered_accounts.py --help
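Before running the deletion script unattended, it helps to see exactly which accounts its selection rule picks. The following added example (not the script shipped with the Self Service app, and not talking to LDAP at all) reimplements just that rule on constructed records: DeregisteredThroughSelfService must be TRUE and DeregistrationTimestamp, parsed from the LDAP GeneralizedTime syntax, must be older than the given days and hours. It assumes the plain YYYYMMDDHHMMSSZ form of GeneralizedTime and the string value "TRUE" as stored in LDAP; accounts with the flag set but no timestamp are deliberately skipped rather than deleted.

```python
# Dry-run selection of deregistered accounts, mirroring the rule the manual
# states for delete_deregistered_accounts.py. Added example, not Univention code.
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form YYYYMMDDHHMMSSZ into an aware UTC datetime.

    ASSUMPTION: only the 15-character UTC form is handled; anything else is rejected
    explicitly instead of being silently misread as some other date.
    """
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def select_for_deletion(users: List[Dict[str, str]], now: datetime,
                        days: int = 0, hours: int = 0) -> List[str]:
    """Return the DNs of accounts that were deregistered via the Self Service
    and whose DeregistrationTimestamp is older than now minus (days, hours)."""
    cutoff = now - timedelta(days=days, hours=hours)
    selected: List[str] = []
    for user in users:
        # Accounts deactivated by an administrator never carry the flag: skip them.
        if user.get("DeregisteredThroughSelfService") != "TRUE":
            continue
        stamp = user.get("DeregistrationTimestamp")
        if not stamp:
            # Flag set but no timestamp: do not guess an age, leave the account alone.
            continue
        if parse_generalized_time(stamp) < cutoff:
            selected.append(user["dn"])
    return selected


# Constructed sample records (not real directory data).
SAMPLE_USERS: List[Dict[str, str]] = [
    {"dn": "uid=alice,cn=users,dc=example,dc=com",
     "DeregisteredThroughSelfService": "TRUE",
     "DeregistrationTimestamp": "20240101060000Z"},
    {"dn": "uid=bob,cn=users,dc=example,dc=com",
     "DeregisteredThroughSelfService": "TRUE",
     "DeregistrationTimestamp": "20240110120000Z"},
    {"dn": "uid=carol,cn=users,dc=example,dc=com",
     "DeregisteredThroughSelfService": "FALSE",
     "DeregistrationTimestamp": "20230101000000Z"},
    {"dn": "uid=dave,cn=users,dc=example,dc=com",
     "DeregisteredThroughSelfService": "TRUE"},
]
# Fixed "now" so the run is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 11, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Same window as the manual's command: --timedelta-days 5 --timedelta-hours 2
    for dn in select_for_deletion(SAMPLE_USERS, NOW, days=5, hours=2):
        print("would delete", dn)
```

With the sample data only alice is selected: bob's deregistration is too recent, carol never deregistered herself (the flag is FALSE although a timestamp is present), and dave has no timestamp at all.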

The script can be run regularly by creating a cron job via Univention Configuration Registry.

$ ucr set cron/delete_deregistered_accounts/command=\
/usr/share/univention-self-service/delete_deregistered_accounts.py\
' --timedelta-days 30'\
  cron/delete_deregistered_accounts/time='00 06 * * *'  # daily at 06:00

More information on how to set cron jobs via Univention Configuration Registry can be found in Defining cron jobs in Univention Configuration Registry.