7. Univention Directory Manager (UDM)

The Univention Directory Manager (UDM) is a wrapper for LDAP objects. Traditionally, LDAP stores objects as a collection of attributes, which are defines by so called schemata. Modifying entries is slightly complicated, as there are no high-level operations to add or remove values from multi-valued attributes, or to keep the password used by different authentication schemes such as Windows NTLM-hashes, Unix MD5 hashes, or Kerberos tickets in sync.

The command line client udm provides different modes of operation.

udm [--binddn bind-dn --bindpwd bind-password] [module] [mode] [options]

Creating object

udm module create --set property=value …

$ eval "$(ucr shell)"
$ udm container/ou create --position "$ldap_base" --set name="xxx"

Multiple --sets may be used to set the values of a multi-valued property.

The equivalent LDAP command would look like this:

$ eval "$(ucr shell)"
$ ldapadd -D "cn=admin,$ldap_base" -y /etc/ldap.secret <<__EOT__
dn: uid=xxx,$ldap_base
objectClass: organizationalRole
cn: xxx
__EOT__

List object

udm module list [--dn dn | --filter property=value]

$ udm container/ou list --filter name="xxx"

$ univention-ldapsearch cn=xxx

Modify object

udm module modify [--dn dn | --filter property=value] [--set property=value | --append property=value | --remove property=value …]

$ udm container/ou modify --dn "cn=xxx,$ldap_base" --set name="xxx"

For multi-valued attributes --append and --remove can be used to add additional values or remove existing values. --set overwrites any previous value, but can also be used multiple times to specify further values. --set and --append should not be mixed for any property in one invocation.

Delete object

udm module remove [--dn dn | --filter property=value]

$ udm container/ou delete --dn "cn=xxx,$ldap_base"

If --filter is used, it must match exactly one object. Otherwise udm refuses to delete any object.

This chapter has the following content:

• 7.1. UDM modules
  • 7.1.1. Overview
  • 7.1.2. Structure of a module
    • 7.1.2.1. Global variables
    • 7.1.2.2. Mandatory variables
      • module
      • operations
      • short_description
      • long_description
      • childs
      • options
        • options.short_description
        • options.long_description
        • options.default
        • options.editable
        • options.objectClasses
      • property_descriptions
        • property_descriptions.short_description
        • property_descriptions.long_description
        • property_descriptions.syntax
        • property_descriptions.multivalue
        • property_descriptions.required
        • property_descriptions.may_change
        • property_descriptions.editable
        • property_descriptions.identifies
        • property_descriptions.dontsearch
        • property_descriptions.default
        • property_descriptions.options
      • layout
      • mapping
    • 7.1.2.3. Optional arguments
      • virtual
      • template
    • 7.1.2.4. The Python class object
      • object
    • 7.1.2.5. The identify() and lookup() functions
  • 7.1.3. Example module
    • 7.1.3.1. Python code of the example module
    • 7.1.3.2. LDAP schema extension for the example module
    • 7.1.3.3. Installing the module
    • 7.1.3.4. Downloading the sample code
• 7.2. UDM syntax
  • 7.2.1. UDM syntax override
  • 7.2.2. UDM LDAP search
    • UDM_Attribute
      • UDM_Attribute.udm_module
      • UDM_Attribute.udm_filter
      • UDM_Attribute.attribute
      • UDM_Attribute.label_format
      • UDM_Attribute.regex
      • UDM_Attribute.static_values
      • UDM_Attribute.empty_value
      • UDM_Attribute.depends
      • UDM_Attribute.error_message
    • UDM_Objects
      • UDM_Objects.udm_modules
      • UDM_Objects.key
      • UDM_Objects.label
      • UDM_Objects.regex
      • UDM_Objects.simple
      • UDM_Objects.use_objects
    • LDAP_Search
      • LDAP_Search.UDM_API
        • LDAP_Search.UDM_API.name
        • LDAP_Search.UDM_API.description
        • LDAP_Search.UDM_API.filter
        • LDAP_Search.UDM_API.base
        • LDAP_Search.UDM_API.attribute
        • LDAP_Search.UDM_API.ldapattribute
        • LDAP_Search.UDM_API.value
        • LDAP_Search.UDM_API.ldapvalue
        • LDAP_Search.UDM_API.viewonly
        • LDAP_Search.UDM_API.addEmptyValue
    • Python_API
      • Python_API.syntax_name
      • Python_API.filter
      • Python_API.attribute
      • Python_API.value
      • Python_API.viewonly
      • Python_API.addEmptyValue
      • Python_API.appendEmptyValue
• 7.3. Package extended attributes
  • 7.3.1. Selection lists
    • 7.3.1.1. Static selections
    • 7.3.1.2. Dynamic selections
  • 7.3.2. Known issues
  • 7.3.3. Extended options
  • 7.3.4. Extended attribute hooks
    • simpleHook
      • simpleHook.hook_open()
      • simpleHook.hook_ldap_pre_create()
      • simpleHook.hook_ldap_addlist()
      • simpleHook.hook_ldap_post_create()
      • simpleHook.hook_ldap_pre_modify()
      • simpleHook.hook_ldap_modlist()
      • simpleHook.hook_ldap_pre_remove()
      • simpleHook.hook_ldap_post_remove()
• 7.4. Package UDM hooks
• 7.5. Package UDM extension modules
• 7.6. Package UDM syntax extension
• 7.7. UDM HTTP REST API
  • 7.7.1. Authentication
  • 7.7.2. API overview
  • 7.7.3. API clients
  • 7.7.4. API usage examples
    • 7.7.4.1. Create a user with a POST request
    • 7.7.4.2. Search for users with a GET request
    • 7.7.4.3. Modify a user with a PUT request
    • 7.7.4.4. Delete a user with a DELETE request
  • 7.7.5. API Error Codes
• 7.8. UCS 5.0: Python 3 migration of modules and extensions
  • 7.8.1. Compatibility with UCS 4.4
  • 7.8.2. Default option
  • 7.8.3. Mapping functions
  • 7.8.4. Mapping encoding
  • 7.8.5. object.open() / object._post_unmap()
  • 7.8.6. object.has_key()
  • 7.8.7. identify()
  • 7.8.8. _ldap_modlist()
  • 7.8.9. lookup()
  • 7.8.10. Syntax classes
  • 7.8.11. Hooks