A major benefit of UCS is that users can log in to a variety of services which are operated on UCS and which are used in their respective organisations with the same user name and password they usually use. In the past, users could change their password through the Univention Management Console (UMC). Via the entry User settings / Change password a new password could be set after entering the old one. However, if the user had forgotten their old password, they had to contact the administrator to have them reset the password.

With the current UCS version 4.4, all of this can be done with the new function of the App Self Service without needing help from the administrator. Indeed, all you need is the user’s e-mail address (or mobile phone number to receive an SMS). Moreover, the UCS Self Service enables users to edit their own contact information and, for example, upload a profile picture or enter an address and further data.

Which information a user can edit using the self-service app, is determined by the administrator. In this article, I will demonstrate how you as an administrator can configure Self Service, and how you can use the app to create new accounts without an initial password and also how to automatically send e-mail invitations to new users. The second part of this article will introduce you to the features of the app from the user’s point of view and explain how to reset passwords and edit account information.

Setting Up Self-Service Using UCR Variables

As an administrator, to set up the app, open the System category in the UMC and then the Univention Configuration Registry module. Three variables that you can quickly access through the search field are of primary interest:

  • self-service/ldap_attributes: The LDAP attributes that users can change themselves are listed here. The names are separated by commas. You configure the variable on the DC Master and, if necessary, on a DC Backup.
  • self-service/udm_attributes: A list of UDM attributes (Univention Directory Manager), separated by commas, which a user can modify.
  • umc/self-service/profiledata/enabled: This variable must be set to true so that users can change their profile data themselves.

Self Service: New Accounts Without an Initial Password

The new Self-Service App is a real relief for Helpdesk staff: If you, as administrator, set up a new user account with the Univention Management Console, you can either assign an initial password or leave the two fields empty and activate the Invite user via e-mail option, which automatically sets the check mark for User hast to change password on next login and Override password check. Enter the user’s email address in the field at the top of the dialog box. A click on Create user completes the process and sends the invitation.

The user then receives an e-mail with a URL and a token, with which they can set a password and thus activate the new account:

Dear user XYZ,
we have received a password reset request for your account. If you did not wish to change your password, you can safely ignore this message.
To change your password please follow this link:
[...]

Once the URL that was sent via e-mail has been opened, the new user will see this dialog:

Resetting your own password works similarly. In the case you have forgotten your password, just click on Forgot your password? at the login dialog, enter your username, click on Next and then you will receive a notification that the token has been sent. In the following dialog, enter the token you received with the e-mail and set your new password (twice). A click on Change password completes the process.

Self Service as a User: Editing Your Account Data

If the administrator has permitted UCS users to edit their own information (see section „Setting Up Self-Service Using UCR Variables“), the User Settings in the menu on the upper right lets you do so. Select either Forgot your password? or Protect your account to display the Self Service dialog box.

Then click on the entry Your Profile in the upper bar. First, authenticate yourself with your password. After a click on Next, the following dialog window lets you change your profile picture; here you can upload your own photo. In the boxes below, there is space for further information, such as an e-mail address, a phone number, an address, and so on. When you are finished, click on Save.


UCS 4.4 Release – Admin Diary, Self Services and Windows Domain Trusts

UCS 4.4 is here! The upgrades include new features in Self Services, Portal, Radius Integration and Services for Windows. As always, we don’t rest on our laurels on a release, but are already working on further improvements… continue reading


Use UCS Core Edition for Free!

Download now
Michael Grandjean

Michael began his training as an IT specialist for system integration at G&M IT-Systeme GmbH in 2007. There, he subsequently provided support for small and medium-sized enterprises in the Support, Administration and IT Security departments. He also completed further training as an IT security manager. In 2013, he joined Univention’s Professional Services Team as an Open Source Software Consultant.

What's your opinion? Leave a comment!

Comments

  1. Here an example to allow end users editing typical profile information. The command needs to be applied in one line on the system where the Self Service App is installed:

    ucr set self-service/udm_attributes=’jpegPhoto,e-mail,roomnumber,departmentNumber,country,homeTelephoneNumber,mobileTelephoneNumber,homePostalAddress‘ self-service/ldap_attributes=’jpegPhoto,mail,roomNumber,departmentNumber,st,homePhone,mobile,homePostalAddress‘ umc/self-service/profiledata/enabled=’true‘

    Reply
  2. Is “invite user via email” exposed in the API?

    Reply
  3. Hello Hajo Passon,

    not as a single API call, but if you installed and configured the Self Service correctly and made sure inviting users via email works manually, it should be enough to set PasswordRecoveryEmail=, pwdChangeNextLogin=1 and passwordexpiry= to trigger the invitation mail. Those attributes are available in the API.

    Reply

Leave a Reply to Ingo Steuwer Cancel reply

Your email address will not be published. Required fields are marked *