3. Univention Portal

Deployment — Kubernetes & UCS appliance

The Univention Portal is part of both deployments.

The Univention Portal is the entry point to Nubus for various users in various roles. It offers a central view of all available services in Nubus. Requirements strongly differ from small to large environments in organizations, public authorities, or even schools. Therefore, Nubus implements a flexible and individually customizable concept for the Univention Portal.

This page is for functional administrators who want to customize the elements on the Univention Portal.

The Univention Portal is a dynamic web page with the following capabilities:

  • Provide a sign-in to Nubus.

  • Display links to applications, services, or anything that you can resolve through a link.

  • Control the displayed content depending on the user’s membership in user groups.

  • Show announcements to users as a banner on a portal site.

  • Customize the design.

3.1. Concept

The Univention Portal has the following items:

Portal site

A portal site renders all the portal categories assigned to it, together with their portal entries. The portal is the start site for users in Nubus. The UDM object type for a portal site is portals/portal.

In the UCS appliance, functional administrators can assign a portal site to one or more UCS systems. A UCS system can only render one portal.

In Nubus for Kubernetes, only one portal exists.

Portal category

A portal category consists of portal entries. Functional administrators can assign a portal category to none, one, or multiple portal sites. The UDM object type for a portal category is portals/category.

Portal entry

A portal entry is a link in the form of a URL to applications, apps, or services. Functional administrators can assign a portal entry to none, one, or multiple portal categories. The UDM object type for a portal entry is portals/entry.

Fig. 3.1 illustrates the concept. At the top, it illustrates three portal entries. In the middle, it illustrates two portal categories, each of them having a different combination of portal entries assigned. At the bottom, the UCS systems have different portal sites assigned.

Fig. 3.1 Schema of the portal concept in Nubus

3.2. Announcements

Through Portal Announcements, functional administrators can inform users of Nubus about maintenance windows, service outages, or anything else they want to communicate. The portal shows announcements at the top of every portal site. The UDM object type for a portal announcement is portals/announcement.

Fig. 3.2 shows the part in the Portal management module to edit a portal announcement. Announcements have the following properties:

Internal name:

For identification of the announcement.

Title:

The title of the announcement together with optional translations.

Message:

The message of the announcement together with optional translations.

Severity:

Defines the severity level of the announcement. It can have the following values:

  • Info

  • Warning

  • Success

  • Danger

Start date:

The date when the portal starts showing the announcement.

End date:

The date when the portal stops showing the announcement at midnight.

Visibility:

Limits the visibility of the announcement to user groups.

Fig. 3.2 Portal management module to create a portal announcement

3.3. Default portal

The default installations of Nubus for the UCS appliance and for Kubernetes ship a portal named domain.

In the UCS appliance, every UCS system has the domain portal assigned by default. The domain portal shows all installed applications in the domain, the links to modules in the Management UI (UMC), and the server overview.

To change the default portal on a UCS system, adjust the UCR variable portal/default-dn to the name of the portal site, and run the command univention-portal update.

In Nubus for Kubernetes, the default portal shows the links to modules in the Management UI. Nubus for Kubernetes doesn’t support switching the default portal to another portal. However, you can customize its portal categories, portal entries, and the design.

3.4. Manage portals

You can manage portal sites, portal categories, and portal entries either through the Portal management module in the Management UI or directly on the Portal Site. Users whose accounts are members of the Domain Admins user group can manage portals.

  1. You first need to sign in to the portal.

    On UCS, you need to sign in to the portal on the Primary Directory Node or a Backup Directory Node.

    On Nubus for Kubernetes, you need to sign in to the portal at https://portal.global.domain/univention/portal. If you don’t know the URL to the portal, ask your operator. The value for global.domain comes from the global.domain setting of the Helm Chart.

  2. To edit the portal, click Edit portal at the bottom of the user menu. You can create entries for the portal, modify existing entries, and change their order or the design.

Alternatively, you can use the Portal management module in the Management UI for advanced settings such as adding portals and announcements.

By default, the portal shows all portal entries to every user. It also supports other use cases. The following items describe how to achieve them.

Require sign-in to see portal entries

To redirect anonymous users to the sign-in page, you need to activate Redirect anonymous visitors to the login in the portal page setting in the Portal management module.

Limit portal entries to user groups

To limit portal entries for certain groups, you need to edit the portal entry and add the respective group to the following list:

  • If you edit the portal entry directly in the Portal Site, you assign the groups at Can only be seen by these groups.

  • If you edit the portal entry in the Portal management module, you assign the groups at Restrict visibility to groups.

Adjust design of the portal

You can make design adjustments to the Portal.

For the UCS appliance, adjust the file /usr/share/univention-portal/css/custom.css. UCS updates don’t change this file.

For Nubus for Kubernetes, see Customization of portal theme in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [4].

3.4.1. Permissions for portal settings

This section describes how to make the Portal management module accessible to a selected user group. The example focuses on the UCS appliance. It assumes that you created the user group Portal Admins. The goal is to give members of this user group the permission to access the portal settings.

The following steps describe how to grant permission for editing the portal settings to users in the user group Portal Admins.

To create LDAP ACLs in the UCS appliance, use the following steps:

  1. On the Primary Directory Node, create an LDAP ACL file, for example /opt/62my-portal-acl.acl. Listing 3.1 shows the ACL definition of the file.

    Listing 3.1 LDAP ACLs in /opt/62my-portal-acl.acl
    access to dn="cn=portals,cn=univention,@%@ldap/base@%@" attrs=children
      by group/univentionGroup/uniqueMember="cn=Portal Admins,cn=groups,@%@ldap/base@%@" write
      by * +0 break
    
    access to dn.children="cn=portals,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@univentionNewPortalEntry,@univentionNewPortal,@univentionNewPortalCategory,children
      by group/univentionGroup/uniqueMember="cn=Portal Admins,cn=groups,@%@ldap/base@%@" write
      by * +0 break
    
  2. To create the LDAP object for the LDAP ACLs, run the command in Listing 3.2.

    Listing 3.2 Create the LDAP object for the LDAP ACLs
    $ udm settings/ldapacl create \
      --position "cn=ldapacl,cn=univention,$(ucr get ldap/base)" \
      --set name=62my-portal-acl \
      --set filename=62my-portal-acl \
      --set data="$(bzip2 -c /opt/62my-portal-acl.acl | base64)" \
      --set package="62my-portal-acl" \
      --set ucsversionstart=5.1-0 \
      --set ucsversionend=5.99-0 \
      --set packageversion=1
    

    To delete the ACLs, run the command in Listing 3.3.

    Listing 3.3 Delete LDAP ACLs
    $ udm settings/ldapacl remove \
        --dn "cn=62my-portal-acl,cn=ldapacl,cn=univention,$(ucr get ldap/base)"
    

To create LDAP ACLs in Nubus for Kubernetes, the operator must create a packaged integration and use the plugin type LDAP ACLs to add the appropriate LDAP ACLs. For more information, see LDAP ACLs in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [4].
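A pre-flight check for the ACL file from Listing 3.1, as an added example that is not part of the Univention documentation or tooling: it joins slapd continuation lines and reports any rule that targets an object outside cn=portals,cn=univention, gives write access to anyone other than the Portal Admins group, or lets the catch-all clause add privileges. The function names and the supported subset of the ACL syntax (quoted dn targets, plain access levels) are assumptions of this example.

```python
import re

# UCR template placeholders are kept literal; UCS fills them when writing slapd.conf.
PORTALS = 'cn=portals,cn=univention,@%@ldap/base@%@'
GROUP = 'group/univentionGroup/uniqueMember="cn=Portal Admins,cn=groups,@%@ldap/base@%@"'

# Sample input: the two rules from Listing 3.1, each "access to" on one line.
LISTING_3_1 = f'''\
access to dn="{PORTALS}" attrs=children
  by {GROUP} write
  by * +0 break

access to dn.children="{PORTALS}" attrs=entry,@univentionObject,@univentionNewPortalEntry,@univentionNewPortal,@univentionNewPortalCategory,children
  by {GROUP} write
  by * +0 break
'''

def logical_lines(text):
    """Join slapd continuation lines: leading whitespace extends the previous line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('#'):
            continue  # blank line or comment
        if raw[0] in ' \t' and out:
            out[-1] += ' ' + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text, subtree=PORTALS, group=GROUP):
    """Return findings for rules that grant more than the delegation intends."""
    findings = []
    for line in logical_lines(text):
        m = re.match(r'access to dn(?:\.\w+)?="([^"]*)"(.*)', line)
        if not m:
            findings.append('unrecognized line (broken continuation?): ' + line[:40])
            continue
        target, rest = m.groups()
        if target != subtree and not target.endswith(',' + subtree):
            findings.append('target outside portal subtree: ' + target)
        for who, level in re.findall(r'\bby\s+(\S+="[^"]*"|\S+)\s+(\S+)', rest):
            if who == '*' and level != '+0':
                findings.append('catch-all clause grants ' + level)
            elif who not in ('*', group) and level in ('write', 'manage'):
                findings.append(f'unexpected grantee with {level}: {who}')
    return findings

if __name__ == '__main__':
    print(audit(LISTING_3_1) or 'no findings')
```

Run `audit()` on the contents of the ACL file before encoding it into the data property in Listing 3.2. An empty list means the file only delegates write access below the portal container to the expected group.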

  1. Create an appropriate UMC policy through the Policy management module in the Management UI. Allow the following UMC operations in the policy:

    • udm-new-portal

    • udm-syntax

    • udm-validate

    • udm-license

    For information about how to create a policy, see Creating a policy.

  2. Assign the created policy to the user group Portal Admins. For this example, navigate to the Groups management module and edit the group there. In the group settings, select the existing policies for the group at the Policies tab. For more information about policy assignment, see Applying policies.