6. Identity and Access Management

This chapter covers Identity and Access Management (IAM) configuration tasks for technical administrators in Nubus for UCS. It addresses how users authenticate, how administrators govern passwords, how they structure and synchronize groups, and how they create user accounts.

Password management

Configure password policies that control password length, complexity, history, and age. Nubus for UCS supports two policy systems—UDM and Samba domain— which Univention recommends keeping aligned in Samba-enabled domains. This section covers the End User Self Service, which lets users manage their own contact information, register, and reset their passwords. See Password management.

Group management

Create and manage groups in your Nubus for UCS domain, including nested groups, group caching, and Active Directory group synchronization. See Group management.

User creation wizard

Configure the user creation wizard for functional administrators, including requiring a primary email address, controlling which account properties appear, and deactivating the wizard when you don’t need it. See User creation wizard.

User activation for apps

Activate and deactivate users or groups for App Center apps directly from the user account in the Management UI, including app-specific settings per user. See User activation for apps.

User lockout after failed sign-in attempts

Automatically lock user accounts after too many failed sign-in attempts to prevent brute force attacks on passwords. Nubus for UCS supports three independent lockout mechanisms— Samba and Active Directory, PAM stack, and OpenLDAP— each with its own configuration and scope. See User account lockout after failed sign-in attempts.

Track last sign-in time to detect inactive accounts

Identify inactive user accounts by recording when each account last signed in. Activate the OpenLDAP lastbind overlay module, collect sign-in timestamps from all LDAP servers in the domain, and schedule automatic updates to keep the timestamps current. See Track last sign-in time to detect inactive accounts.

Contents

• 6.1. Password management
  • 6.1.1. Password policies
    • 6.1.1.1. Password policy types
    • 6.1.1.2. Change the user password
    • 6.1.1.3. Password policy settings
  • 6.1.2. Samba domain password policy
  • 6.1.3. Password hashes
    • 6.1.3.1. Default hashing method
    • 6.1.3.2. bcrypt hashing method
    • 6.1.3.3. bcrypt settings
  • 6.1.4. End User Self Service
    • 6.1.4.1. Installation and activation
    • 6.1.4.2. Contact information
    • 6.1.4.3. User registration
      • 6.1.4.3.1. Registration form
      • 6.1.4.3.2. Email verification
      • 6.1.4.3.3. Account activation
    • 6.1.4.4. User deregistration
      • 6.1.4.4.1. Deregistration request
      • 6.1.4.4.2. Account cleanup
• 6.2. Group management
  • 6.2.1. Group creation and assignment
  • 6.2.2. Nested groups
  • 6.2.3. Group caching
  • 6.2.4. Active Directory group synchronization
  • 6.2.5. Group overlay module
• 6.3. User creation wizard
  • 6.3.1. Require primary email address in user creation wizard
  • 6.3.2. Deactivate user creation wizard
  • 6.3.3. Control account properties for user setup
  • 6.3.4. Restart the UMC server
• 6.4. HTTP API for domain management
• 6.5. User activation for apps
  • 6.5.1. Activate a user or a group for an app
  • 6.5.2. Deactivate a user or a group for an app
  • 6.5.3. Effect of app deinstallation
• 6.6. User account lockout after failed sign-in attempts
  • 6.6.1. Configure lockout for Samba and Active Directory
  • 6.6.2. Configure lockout for the PAM stack
  • 6.6.3. Configure lockout for OpenLDAP
  • 6.6.4. Unlock a locked user account
• 6.7. Track last sign-in time to detect inactive accounts
  • 6.7.1. Activate the overlay module
  • 6.7.2. Collect and store the timestamp
  • 6.7.3. Schedule automatic updates