6. User management

UCS integrates central identity management. All user information are managed centrally in UCS via the Univention Management Console module Users and stored in the LDAP directory service.

All the services integrated in the domain access the central account information, i.e., the same username and password are used for the user login to a Windows client as for the login on the IMAP server.

The domain-wide management of user data reduces the administrative efforts as changes do not need to be subsequently configured on different individual systems. Moreover, this also avoids subsequent errors arising from inconsistencies between the individual datasets.

User account types

There are three different types of user accounts in UCS:

1. Normal user accounts have all available properties. These users can log in to UCS or Windows systems and, depending on the configuration, also to the installed Apps. The users can be administered via the UMC module Users (see User management via Univention Management Console module).

2. Address book entries can be used to maintain internal or external contact information. These contacts can’t sign in to UCS or Windows systems. Address book entries can be managed via the UMC module Contacts.

3. Simple authentication account: With a simple authentication account, a user object is created, which has only a username and a password. With this account, only authentication against the LDAP directory service is possible, but no login to UCS or Windows systems. Simple authentication accounts can be accessed via the UMC module LDAP directory (see LDAP directory browser).

Recommendation for username definition

One very important and required attribute for user accounts is the username. To avoid conflicts with the different tools handling user accounts in UCS, adhere to the following recommendations for the definition of usernames:

• Only use lower case letters (a-z), digits (0-9) and the hyphen (-) from the ASCII character set for usernames.

• The username starts with a lower case letter from the ASCII character set. The hyphen is not allowed as last character.

• In UCS the username has at least a length of 4 characters and at most 20 characters.

The recommendation results in the following regular expression: ^[a-z][a-z0-9-]{2,18}[a-z0-9]$.

Besides the recommendation, usernames also contain underscores (_) and upper case ASCII letters in practice. Consider the recommendation as a guideline and not a rule and keep potential side-effects in mind when defining usernames outside the recommendation.

Chapter contents:

• 6.1. User management via Univention Management Console module
  • 6.1.1. User management module - General tab
  • 6.1.2. User management module - Groups tab
  • 6.1.3. User management module - Account tab
  • 6.1.4. User management module - Contact tab
  • 6.1.5. User management module - Mail tab
  • 6.1.6. User management module - Options tab
• 6.2. User activation for apps
• 6.3. User password management
• 6.4. Password settings for Windows clients when using Samba
• 6.5. User self services
  • 6.5.1. Password change by user via UCS portal page
  • 6.5.2. Password management via Self Service app
  • 6.5.3. Contact information
  • 6.5.4. Self registration
    • 6.5.4.1. Account creation
    • 6.5.4.2. Verification email
    • 6.5.4.3. Account verification
  • 6.5.5. Self deregistration
• 6.6. Automatic lockout of users after failed login attempts
  • 6.6.1. Samba Active Directory Service
  • 6.6.2. PAM-Stack
  • 6.6.3. OpenLDAP
• 6.7. User templates
• 6.8. Overlay module for recording an account’s last successful LDAP bind
• 6.9. Prevent reuse of user property values
  • 6.9.1. Activate block lists
  • 6.9.2. Configure block lists
  • 6.9.3. Manage block list entries
  • 6.9.4. Expired block list entries
  • 6.9.5. LDAP ACLs for block lists