5.2. Univention Directory Manager (UDM)#

This section describes the technical details for UDM. For a general overview about the UCS management system and the role of UDM, see UCS management system.

You find the source code for UDM at UCS source: management/univention-directory-manager-modules/.

Other packages in UCS can also define UDM modules. The respective packages include the sources for their UDM modules. For example, the following packages also provide UDM modules:

5.2.1. UDM architecture#

Fig. 5.5 shows the architecture for UDM. A description of the elements follows.


Fig. 5.5 Architecture of UDM#

LDAP directory

The data persistence layer consists of the LDAP directory, that provides the domain database, the persistence layer and data source for UDM. For communication with the LDAP directory, UDM uses the Lightweight Directory Access Protocol (LDAP).

UDM uses a two layer architecture for abstraction as shown in Fig. 5.5. Except for the LDAP directory, all shown elements belong to UDM. The first abstraction layer at the bottom is the UDM Python library with the following elements:

UDM Python library

Provides the library for abstraction and the environment for UDM syntax, UDM modules, and UDM hooks. UDM Python library uses the LDAP directory. You can imagine something similar to an object relational mapper for SQL. UDM Python library provides Python modules and classes below univention.admin.*:

UDM Syntax

UDM syntax provides the following capability:

  • Perform syntax validation on user input data.

  • Present static values from a predefined list of possible values.

  • Calculate possible values dynamically upon use.

  • Specify the layout and widget type for presentation in UMC.

UDM modules

UDM modules translate LDAP objects to UDM objects and back. They ensure data consistency, validate user input, implement process logic and improve the usability of UCS.

  • For more information about UDM modules, refer to UDM modules.

  • For more information about UDM data, refer to UDM data.

UDM hooks

UDM hooks are Python classes with methods that can integrate into existing UDM modules together with extended attributes. They offer an alternative to customize UDM.

The second abstraction layer in Fig. 5.5 uses the UDM Python library and offers UDM in UMC, UDM HTTP REST API, the UDM CLI daemon, the UCS@school library, and the UDM Simple API.


Runs the UDM modules inside UMC and presents them to the user over HTTP through the web browser. It creates one process per user session for all UDM modules. UDM in UMC uses the UDM Python library.


Provides the UDM HTTP REST API interface to UDM as a separate service. UDM offers HTTP access through the UDM HTTP REST API to use UDM through a remote interface.

UDM CLI Daemon

Provides the command-line interface to UDM through one system wide process for each user. The process terminates itself after a default idle time of 10 minutes. The command-line interface uses the UDM Python library.

UCS@school library

Provides an abstraction in Python for UCS@school. The UCS@school library uses the UDM Python library.

UDM Simple API

Allows to use UDM capability and objects directly in Python programs. For example, UCS portal service uses the API. UDM Simple API provides Python modules and classes below univention.udm.*.

As mentioned before, UDM is highly customizable to the needs of environments, custom services and apps. Custom UDM modules, extended attributes and UDM hooks offer different possibilities for the customization of UDM.

See also

Administrators, refer to Univention Corporate Server - Manual for users and administrators [1]:

See also

Software developers and system engineers, refer to Univention Developer Reference [3]:

From Univention Corporate Server Python API 5.0 documentation [4]:

5.2.2. Dependencies for UDM#

UDM depends on LDAP. You can resolve the other detailed dependencies with the package manager.

The following services in UCS need UDM:

Following the chain, UDM in UMC and UDM HTTP REST API wouldn’t work without UDM either. From the items mentioned in UDM architecture and Fig. 5.5, UDM needs the following to work properly:

  • UDM Python library

  • UDM syntax

  • UDM modules

  • UDM hooks

And UDM offers its capability to the following items:

  • Python UDM API

  • UDM CLI daemon

  • UCS@school library

5.2.3. UDM modules#

UDM modules represent a set of LDAP object classes and their corresponding attributes in UDM objects. They ensure data consistency, validate user input, implement process logic and improve the usability of UCS.

UDM modules exist for almost every LDAP object class. For example, UDM objects users/user represent different LDAP object classes like person, organizationalPerson, inetOrgPerson, posixAccount, or shadowAccount. Another example is the password field at a UDM object users/user, that creates several password hash types in the different LDAP object classes for users. UDM presents one password to the user. In the background it ensures password consistency for different services, that need different password hash types.

Python is the programming language for UDM modules. During installation UDM modules register themselves in the LDAP directory. The UCS domain replicates the UDM modules to UCS systems across the domain. On the UCS systems, the Univention Directory Listener writes the UDM modules to the systems’ file system. The replication ensures the availability of all UDM modules in the UCS domain alike.

Domain administrators can grant permission to use particular UDM modules in UMC to other users. UDM modules access the LDAP directory with the permissions of the user so that LDAP access control lists for read and write actions apply to the user.

See also

UDM modules

For information about UDM modules for software developers in Univention Developer Reference [3].

5.2.4. UDM data#

Talking about UDM modules requires a distinction between data describing a UDM object and an LDAP object:

  • The term properties refers to data fields in UDM objects.

  • The term attributes refers to data fields in LDAP objects.

UDM modules map between LDAP objects and UDM objects. They format data upon read and write operations to and from the LDAP directory for representation to the user as shown in Fig. 5.6. UDM modules are in the center of the data mapping and emphasize their translation role. For example, widgets in UMC show a human readable representation of the data. Fields that represent a date value offer a calendar widget to the user.


Fig. 5.6 UDM modules map data between LDAP objects and UDM objects#

Extended attributes provide the capability to add and customize properties in UDM. They define a mapping between UDM properties and LDAP attributes.

See also

Expansion of UMC modules with extended attributes

How to use extended attributes, Univention Corporate Server - Manual for users and administrators [1]