6.1.3. End User Self Service
For general information about the End User Self Service, see End User Self Service in Nubus Manual 1.x [4]. This section describes the End User Self Service configuration specific to Nubus for UCS.
6.1.3.1. Installation and activation
To enable users to manage their passwords on their own through the End User Self Service, you need to install the following UCS components through the App Center to your UCS domain:
- Self Service Backend
- Self Service
  Endpoint: https://{fqdn-to-ucs-appliance}/univention/selfservice/
You can use the following Univention Configuration Registry (UCR) variables to activate or deactivate individual features of the End User Self Service password management. They also activate or deactivate the corresponding entries in the portal. Additionally, you can adjust the portal entries manually, because they’re just normal portal entries.
- self-service/backend-server
  Defines the UCS system that has the Self Service Backend app installed.
  - Default value: not defined
  - Type: string
- umc/self-service/passwordreset/backend/enabled
  Activates the Password forgotten functionality in the End User Self Service.
  You need to provide this setting on the Nubus for UCS node that you defined as Self Service Backend through the UCR variable self-service/backend-server, because the End User Self Service forwards requests for password reset to the configured backend.
  - Default value: true
  - Type: boolean
- umc/self-service/protect-account/backend/enabled
  Activates the Protect account functionality in the End User Self Service.
  You need to provide this setting on the Nubus for UCS node that you defined as Self Service Backend through the UCR variable self-service/backend-server, because the End User Self Service forwards requests for account protection to the configured backend.
  - Default value: true
  - Type: boolean
- umc/self-service/service-specific-passwords/backend/enabled
  Activates the service-specific passwords in the End User Self Service.
  Nubus supports only the RADIUS service. For more information, see Service specific password.
  - Default value: true
  - Type: boolean
See also
- Manage portals in Nubus Manual 1.x [4] for information about how to edit portal entries.
6.1.3.2. Contact information
Users can view and update their own contact information through the End User Self Service. Administrators control which attributes users can modify and which ones are read-only.
To configure the contact information in the End User Self Service, use the following UCR variables:
- self-service/ldap_attributes
  This variable configures the LDAP attributes that users can modify on their own user account. You need to set the variable on the UCS Primary Directory Node and the UCS Backup Directory Node in your Nubus for UCS domain. On the Primary Directory Node, the UCR module generates and activates the ACL definition list in the directory service.
  - Default value: jpegPhoto,mail,telephoneNumber,roomNumber,departmentNumber,st,c,homePhone,mobile,homePostalAddress
  - Type: List of strings, separated by commas
- self-service/udm_attributes
  Defines a comma-separated list of UDM attributes that the Self Service shows on the Contact information page where users can modify their user account.
  You need to set this UCR variable on all Nubus for UCS systems where you have installed the Self Service app, and on the UCS Primary Directory Node.
  - Default value: not defined
  - Type: List of strings, separated by commas
- self-service/udm_attributes/read-only
  Defines the UDM attributes as a comma-separated list of strings that the Self Service marks as read-only on the Contact information page. The UCR variable self-service/udm_attributes must include these UDM attributes. You need to set this UCR variable on all Nubus for UCS systems where you have installed the Self Service app and on the UCS Primary Directory Node.
  For this variable to work as intended, also remove the LDAP attributes that correspond to the read-only UDM attributes from the UCR variable self-service/ldap_attributes. Otherwise, the ACL generated from self-service/ldap_attributes keeps the corresponding UDM attributes writable, regardless of the read-only marking.
  - Default value: not defined
  - Type: List of strings, separated by commas
- umc/self-service/profiledata/enabled
  Set the value of this variable to true on all involved Nubus for UCS systems to enable the profile data mechanism.
  - Default value: true
  - Type: boolean
- umc/self-service/allow-authenticated-use
  This variable defines whether the End User Self Service requires username and password when users open and modify their own user profile if they have already signed in to the Portal.
  The Self Service automatically sets the value to true during installation. true means that the End User Self Service uses an existing Portal session and doesn't ask for username and password if the user has already signed in.
  - Default value: true
  - Type: boolean
Important
The self-service/ldap_attributes and self-service/udm_attributes variables must match each other. You can fetch the attribute names and their mapping through the command in Listing 6.2.
Listing 6.2:
$ python3 -c 'from univention.admin.handlers.users.user import mapping; \
print("\n".join( \
map("{0[0]:>30s} {0[1][0]:<30s}".format, sorted(mapping._map.items()))) \
)'
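The following Python script, an added example rather than Univention's own tooling, checks the three contact-information variables against the matching rule stated in the note above. The UCR values and the UDM-to-LDAP mapping excerpt are constructed; on a real node they would come from ucr get and from the output of Listing 6.2.

```python
"""Check that the contact-information UCR variables agree (added example, not
Univention code; values are constructed stand-ins for `ucr get` output)."""

# Constructed excerpt of the users/user UDM-to-LDAP mapping (assumption:
# the full table is what Listing 6.2 prints on a real system).
UDM_TO_LDAP = {
    "jpegPhoto": "jpegPhoto", "e-mail": "mail", "phone": "telephoneNumber",
    "roomNumber": "roomNumber", "mobileTelephoneNumber": "mobile", "city": "l",
}


def parse_list(value):
    """Split a comma-separated UCR value; an unset variable yields []."""
    return [s.strip() for s in (value or "").split(",") if s.strip()]


def check_self_service_attributes(ucr, udm_to_ldap=UDM_TO_LDAP):
    """Return the mismatches between the three UCR variables.

    A read-only attribute must be in self-service/udm_attributes; its LDAP
    attribute must NOT be in self-service/ldap_attributes (else the ACL keeps
    it writable); an editable attribute's LDAP attribute must be listed.
    """
    ldap_attrs = set(parse_list(ucr.get("self-service/ldap_attributes")))
    udm_attrs = parse_list(ucr.get("self-service/udm_attributes"))
    read_only = set(parse_list(ucr.get("self-service/udm_attributes/read-only")))
    problems = [f"read-only {a!r} missing from self-service/udm_attributes"
                for a in sorted(read_only - set(udm_attrs))]
    for attr in udm_attrs:
        ldap_attr = udm_to_ldap.get(attr)
        if ldap_attr is None:
            problems.append(f"no LDAP mapping known for {attr!r}")
        elif attr in read_only and ldap_attr in ldap_attrs:
            problems.append(f"{attr!r} is read-only but {ldap_attr!r} stays writable")
        elif attr not in read_only and ldap_attr not in ldap_attrs:
            problems.append(f"{attr!r} is editable but {ldap_attr!r} is not allowed")
    return problems


# Constructed configuration: phone is meant to be read-only, yet telephoneNumber
# is still in self-service/ldap_attributes, and city has no LDAP attribute listed.
EXAMPLE_UCR = {
    "self-service/ldap_attributes": "jpegPhoto,mail,telephoneNumber,roomNumber",
    "self-service/udm_attributes": "jpegPhoto,e-mail,phone,roomNumber,city",
    "self-service/udm_attributes/read-only": "phone,mobileTelephoneNumber",
}

if __name__ == "__main__":
    for problem in check_self_service_attributes(EXAMPLE_UCR):
        print(problem)
```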
See also
- Contact information in Nubus Manual 1.x [4] for information about modifying user contact information.
6.1.3.3. User registration
The End User Self Service allows users to register themselves. The registration creates a user account that the user must verify through email.
See also
- Self registration in Nubus Manual 1.x [4] for information about using the self-registration.
6.1.3.3.1. Registration form
You can configure properties of the Create an account page and the account creation itself with the following Univention Configuration Registry (UCR) variables.
Important
You need to set these UCR variables on the Nubus for UCS system that provides Self Service Backend as defined in the UCR variable self-service/backend-server, because the self-service registration forwards requests to the Self Service backend.
- umc/self-service/account-registration/backend/enabled
  Activates the backend functionality for account creation.
  - Default value: false
  - Type: boolean
- umc/self-service/account-registration/usertemplate
  Defines the DN of the user template that the Self Service uses to create an account through the Create an account page.
  If the variable has no value, the Self Service doesn't use a user template.
  For information about user account templates, see User account templates in Nubus Manual 1.x [4].
  - Default value: not defined
  - Type: string
- umc/self-service/account-registration/usercontainer
  Defines the DN of the container in the directory service where the Self Service stores the user account objects created through the Create an account page.
  If the variable has no value, the Self Service uses the default container cn=self registered users,$ldap_base for user account objects.
  - Default value: not defined
  - Type: string
- umc/self-service/account-registration/udm_attributes
  Defines a comma-separated list of UDM attributes that the Self Service shows on the Create an account page.
  - Default value: not defined
  - Type: List of strings, separated by commas
- umc/self-service/account-registration/udm_attributes/required
  Defines the UDM attributes as a comma-separated list of strings that the Self Service marks as required on the Create an account page. The UCR variable umc/self-service/account-registration/udm_attributes must include these UDM attributes.
  - Default value: not defined
  - Type: List of strings, separated by commas
6.1.3.3.2. Email verification
When users register through the Self Service, they receive a verification email with a token to confirm their email address. This section describes how to configure the verification email and token properties.
You can configure properties of the verification email and of the verification token through the following Univention Configuration Registry variables. For information about the verification process, see Verification email in Nubus Manual 1.x [4].
Important
You need to set these UCR variables on the Nubus for UCS system that provides Self Service Backend as defined in the UCR variable self-service/backend-server, because the self-service registration forwards requests to the Self Service backend.
- umc/self-service/account-verification/email/webserver_address
  Defines the host part to use in the verification URL. The default value uses the fully qualified domain name of the Self Service Backend as defined through the UCR variable self-service/backend-server.
  - Default value: fully qualified domain name of the Self Service Backend
  - Type: string
- umc/self-service/account-verification/email/sender_address
  Defines the sender address of the verification email.
  - Default value: Account Verification Service <noreply@FQDN>
  - Type: string
- umc/self-service/account-verification/email/server
  Defines the server name or IP address of the mail server to use.
  - Default value: localhost
  - Type: string
- umc/self-service/account-verification/email/text_file
  Defines the path to a text file that the Self Service uses for the text body of the verification email. The text can contain the following strings. The Self Service substitutes them accordingly.
  - {link}: URL to the Self Service page.
  - {token}: The token string that the user can enter on the Self Service page to verify their email address.
  - {tokenlink}: URL to the Self Service page that already includes the {token}.
  - {username}: The username of the user's account.
  - Default value: /usr/share/univention-self-service/email_bodies/verification_email_body.txt
  - Type: string
- umc/self-service/account-verification/email/token_length
  Defines the number of characters that the Self Service uses for the verification token.
  - Default value: 64
  - Type: unsigned integer
6.1.3.3.3. Account activation
When the user clicks the verification link from the email, the web browser shows the Account verification page of the Self Service. For information about how to verify the registered user account, see Account verification in Nubus Manual 1.x [4].
This section provides information about how to configure the account verification.
Important
You need to set these UCR variables on the Nubus for UCS system that provides Self Service Backend as defined in the UCR variable self-service/backend-server, because the self-service registration forwards requests to the Self Service backend.
- umc/self-service/account-verification/backend/enabled
  Activates the Account verification functionality in the Self Service.
  - Default value: false
  - Type: boolean
- Handle sign-in for user accounts with an unverified email address
  You can configure single sign-on to require self-registered users to first verify their email address. Use the UCR variable ucs/self/registration/check_email_verification.
- User notification for user accounts with an unverified email address
  You can configure the user notification on the single sign-on page for self-registered user accounts with an unverified email address. Use the following UCR variables:
Since UCS 5.2, the Keycloak app is the default identity provider. For information about Keycloak settings, see Settings in the Univention Keycloak app documentation [6].
6.1.3.4. User deregistration
The Self Service allows users to request the deletion of their user account.
6.1.3.4.1. Deregistration request
If a user requests to delete their account, Nubus doesn't delete the user account directly, but deactivates it. If the user has a PasswordRecoveryEmail defined, Nubus sends a notification email. In addition, Nubus sets the following attributes of the user account:
- DeregisteredThroughSelfService to TRUE
- DeregistrationTimestamp to the current time in the GeneralizedTime LDAP syntax
Use the following UCR variables to configure user self-deregistration.
- umc/self-service/account-deregistration/enabled
  Activates the Delete my account button on the Your profile page of the Self Service.
  - Default value: not defined
  - Type: boolean
- umc/self-service/account-deregistration/email/sender_address
  Defines the sender address of the notification email about a user account deletion request.
  - Default value: Password Reset Service <noreply@FQDN>
  - Type: string
- umc/self-service/account-deregistration/email/server
  Defines the server name as fully qualified domain name or IP address of the mail server for sending the notification email about a user account deletion request.
  - Default value: not defined
  - Type: string
- umc/self-service/account-deregistration/email/text_file
  Defines the path to a text file that the Self Service uses for the text body of the notification email. The text can contain the following strings. The Self Service substitutes them accordingly.
  - {username}: The username of the user's account.
  - Default value: /usr/share/univention-self-service/email_bodies/deregistration_notification_email_body.txt
  - Type: string
6.1.3.4.2. Account cleanup
The Self Service provides a script at /usr/share/univention-self-service/delete_deregistered_accounts.py that you can use to delete all users/user objects that have the DeregisteredThroughSelfService attribute set to TRUE and whose DeregistrationTimestamp attribute is older than a specified time.
- Manually delete de-registered user accounts
  The command in Listing 6.3 deletes user accounts whose DeregistrationTimestamp is older than 5 days and 2 hours.
  Listing 6.3:
$ /usr/share/univention-self-service/delete_deregistered_accounts.py \
    --timedelta-days 5 \
    --timedelta-hours 2
- Script arguments
  For the possible arguments of the script, see Listing 6.4.
  Listing 6.4:
$ /usr/share/univention-self-service/delete_deregistered_accounts.py --help
- Scheduled deletion of de-registered user accounts
  You can schedule the script to run regularly. Create a cron job through a UCR variable, as shown in Listing 6.5. The continuation lines of the command value must not be indented, because the shell joins them without a separating space.
  Listing 6.5:
$ ucr set cron/delete_deregistered_accounts/command=\
/usr/share/univention-self-service/delete_deregistered_accounts.py\
' --timedelta-days 30' \
cron/delete_deregistered_accounts/time='00 06 * * *'  # daily at 06:00
  For more information about how to set cron jobs through UCR variables, see Defining cron jobs in Univention Configuration Registry.
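As an added illustration that is not the delete_deregistered_accounts.py script itself, the following Python code previews which accounts the selection rule above would remove for a given delay, so you can check a delay such as the 30 days in Listing 6.5 before scheduling the cron job. The sample records and the reference time are constructed.

```python
"""Dry run of the de-registered account cleanup (added example; it is not
Univention's delete_deregistered_accounts.py). It applies the selection rule
stated above to constructed sample records."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in its UTC form YYYYMMDDHHMMSSZ."""
    # Assumption: the directory writes the plain UTC form; fractional seconds
    # and time-zone offsets allowed by the syntax are not handled here.
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def select_expired(accounts, now, days=0, hours=0):
    """Return usernames that the cleanup would delete with the given delay."""
    cutoff = now - timedelta(days=days, hours=hours)
    expired = []
    for account in accounts:
        if account.get("DeregisteredThroughSelfService") != "TRUE":
            continue  # only accounts the user deregistered themselves
        stamp = account.get("DeregistrationTimestamp")
        if not stamp:
            continue  # flag without timestamp: leave it for an administrator
        if parse_generalized_time(stamp) < cutoff:
            expired.append(account["username"])
    return expired


# Constructed sample records (not real directory data).
SAMPLE_ACCOUNTS = [
    {"username": "alice", "DeregisteredThroughSelfService": "TRUE",
     "DeregistrationTimestamp": "20240101120000Z"},
    {"username": "bob", "DeregisteredThroughSelfService": "TRUE",
     "DeregistrationTimestamp": "20240110090000Z"},
    {"username": "carol", "DeregisteredThroughSelfService": "FALSE",
     "DeregistrationTimestamp": "20230101000000Z"},
    {"username": "dave", "DeregisteredThroughSelfService": "TRUE"},
]
NOW = datetime(2024, 1, 12, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Same delay as Listing 6.3: 5 days and 2 hours.
    print(select_expired(SAMPLE_ACCOUNTS, NOW, days=5, hours=2))
```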