Welcome to our third dive into the world of Univention apps! In this blog series, we regularly present exciting applications from our App Center. Today, we’re featuring the Self Service app – a tool that significantly lightens the load for UCS admins by delegating certain tasks directly to users.

Functionality of the Self Service App

Univention Corporate Server users can change their password anytime through the portal – simply navigate via the hamburger menu to User settings and select Change your password. The only requirement? You must be logged in and remember your old password. If you’ve forgotten your password (let’s hope you haven’t written it down on a post-it note or your desk pad), it’s not always necessary to reach out to support.

With the Self Service app, admins ensure that UCS users’ forgetfulness doesn’t become an extra job for the helpdesk team. Through the app, administrators can set up password resets. Users can trigger an email to their registered contact details with a simple click, enabling them to reset their password independently. But the app offers even more: system administrators can also enable changes to user profiles and even authorize the creation or deletion of accounts within the UCS environment.

Backend and Frontend: Installing Self Service

Strictly speaking, Self Service is composed of two apps: the backend and the frontend. When you install the app from our App Center, the system notifies you that the Self Service backend will also be installed. Next, you’ll need to decide which UCS computers in the domain will host the apps. The installation wizard identifies suitable machines for both the frontend and backend, allowing admins to tailor their choices via a drop-down menu or proceed by clicking Continue.

Installation of Self Service app

Configuration of the service is managed through various UCR (Univention Configuration Registry) variables, accessible via the System / Univention Configuration Registry module. The upcoming sections will detail some of these settings; for a comprehensive list including examples, refer to our manual and the chapter User self services.

Self Service Modules on the Portal Page

You can access all Self Service modules at https://www.example.com/univention/selfservice/. The tiles displayed vary depending on your configuration. For instance, the tiles for self registration and account deletion only appear if administrators have explicitly enabled these features (refer to the section Self Registration of this article).

Overview of the Self Service modules

Managing Passwords with the Self Service App

To enable the password recovery process for users, simply install the app. The feature becomes available immediately because the UCR variable umc/self-service/passwordreset/backend/enabled on the backend (in our example on the primary directory node) is set to true.

Self-service function Forgot password

After clicking Forgot your password?, the system emails the user – let’s say Jonas – a link. For security reasons, this email does not include a new password. Instead, it provides a link containing a so-called token, plus the token itself in plain text. Jonas can use this token to set his new password. By default, the token is 64 characters long, but admins can modify this length via the UCR variable umc/self-service/passwordreset/email/token_length. The token remains valid for one hour, as specified by the UCR variable umc/self-service/passwordreset/token_validity_period.

Self Service function Set new password

Sending emails to users requires that the mail system on the UCS server is properly configured. The mail server must be capable of accepting and forwarding emails without requiring a password. Alternatively, Self Service can integrate with external programs, such as an SMS gateway. Various UCR variables starting with umc/self-service/passwordreset/sms are used to configure the sending of text messages.

Profile Management Made Easy

User accounts in the LDAP directory service store much more than just names and email addresses; they also include personal data such as profile pictures, private addresses, and other contact details. The Univention Directory Manager (UDM) facilitates access to the LDAP directory service, enabling the viewing, modification, deletion, and relocation of objects like users, groups, computers, printers, and shares. Typically, only admins have the authority to alter this data. However, Self Service enhances flexibility by allowing admins to activate specific fields that users can then manage themselves.

These two UCR variables determine which attributes users can modify in their own accounts:

  • self-service/ldap_attributes: LDAP attributes that users can modify themselves; this variable needs to be configured on both the primary directory node and the backup directory nodes.
  • self-service/udm_attributes: Users are permitted to edit these UDM attributes; ensure this variable is configured on all servers where the Self Service app is installed, including the Primary Directory Node.

A comma-separated list specifies the values for each variable. By default, all fields are enabled, allowing you to tailor the list to meet your specific needs easily.

It’s also possible to establish write protection for certain UDM attributes. Administrators should list these attributes in the self-service/udm_attributes/read-only variable, which must be set on all hosts where the app is installed, including the Primary Directory Node. Additionally, it’s crucial to remove the corresponding LDAP attributes from the self-service/ldap_attributes variable to ensure they do not interfere with the write protection of the UDM attributes.
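The three profile-management variables have to agree with each other: an attribute marked read-only in self-service/udm_attributes/read-only must not remain reachable through self-service/ldap_attributes. The following script is an added example (not Univention's code) that derives a consistent set of values and prints the resulting ucr set commands for review; the UDM-to-LDAP attribute mapping it uses is an assumption for illustration and should be checked against the UDM modules on your own system.

```shell
#!/bin/sh
# Added example, not Univention's code. Emits the three profile-management UCR
# settings as "ucr set" commands for review; the UDM -> LDAP mapping below is an
# assumption for illustration and must be checked against your own UDM modules.
UDM_TO_LDAP="jpegPhoto=jpegPhoto phone=telephoneNumber mobileTelephoneNumber=mobile homePostalAddress=homePostalAddress e-mail=mail"

# ldap_for_udm <udm property>: prints the LDAP attribute; fails if unknown
ldap_for_udm() {
    for pair in $UDM_TO_LDAP; do
        [ "${pair%%=*}" = "$1" ] && { printf '%s\n' "${pair#*=}"; return 0; }
    done
    return 1
}

# in_list <item> <comma-separated list>: true if item is an element of the list
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# ldap_attributes_for <editable udm list> <read-only udm list>
# Value for self-service/ldap_attributes: the LDAP attributes behind the
# editable UDM properties, minus those behind a read-only one, so the LDAP
# path cannot bypass the UDM write protection.
ldap_attributes_for() {
    out=""
    for udm in $(printf '%s' "$1" | tr ',' ' '); do
        in_list "$udm" "$2" && continue
        ldap=$(ldap_for_udm "$udm") || continue
        in_list "$ldap" "$out" || out="${out:+$out,}$ldap"
    done
    printf '%s\n' "$out"
}

# profile_ucr_commands <editable> <read-only>: prints the commands to run.
# udm_attributes and udm_attributes/read-only go on every host with the app,
# ldap_attributes on the Primary and Backup Directory Nodes.
profile_ucr_commands() {
    printf 'ucr set self-service/udm_attributes=%s\n' "$1"
    printf 'ucr set self-service/udm_attributes/read-only=%s\n' "$2"
    printf 'ucr set self-service/ldap_attributes=%s\n' "$(ldap_attributes_for "$1" "$2")"
}

# Constructed scenario: users may edit photo, phone numbers and mail, but the
# e-mail field stays visible and read-only.
profile_ucr_commands "jpegPhoto,phone,mobileTelephoneNumber,e-mail" "e-mail"
```

The script only prints the commands; run them on the hosts named in the comments once the mapping has been confirmed.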

By default, users are required to authenticate with their username and password before they can edit their profile. If you wish to disable this security measure, simply set the UCR variable umc/self-service/allow-authenticated-use to false.

Self Registration: Your Gateway to a Personal User Account

With the Self Service app, system administrators can enable new users to register their own accounts within the UCS environment. Although this feature is seldom used in corporate or educational settings, it is particularly suited for community projects that need Identity and Access Management (IAM) capabilities. Initially, the feature is disabled upon installation, and administrators must actively enable it. Configuration is managed through various UCR variables on the backend, identified by prefixes starting with umc/self-service/account-registration/:

  • umc/self-service/account-registration/backend/enabled: (De)activates the self registration on the backend (default: false).
  • umc/self-service/account-registration/frontend/enabled: (De)activates the tile Create an account on the frontend.
  • umc/self-service/account-registration/udm_attributes: This includes a comma-separated list of UDM attributes displayed in the Create an account dialog; it must be configured on the backend.
  • umc/self-service/account-registration/udm_attributes/required: Specifies a list of UDM attributes that are required; this setting is configured on the backend.

Once activated, a new Create an account tile appears on the Self Service portal, opening a dialog where new users input their email address, password, name, and username. Clicking on Create an account triggers an email to be sent to the user, containing a verification token. This token, which is 64 characters long by default, allows users to complete their login process.

Self Service function Create an account

An additional security measure for SSO (Single Sign-On) is also in place: it’s possible to prevent SSO login for unverified, self-registered accounts. Admins achieve this by configuring the UCR variable saml/idp/selfservice/check_email_verification on the primary directory node and all backup directory nodes. Notably, accounts created by a UCS admin are not affected by this setting.

Deleting your own User Accounts

When administrators set the UCR variable umc/self-service/account-deregistration/enabled to true, a new Delete my account button will appear in the user’s profile settings under the My Profile dialog. Upon clicking this button and confirming the security prompt, the UCS account will be permanently removed.

Self Service function Delete account

Proceed at Your Own Risk

How much of your administrative workload are you willing to delegate to users within the UCS domain? Should they merely have the ability to reset forgotten passwords? Or perhaps you’ll permit changes to profile pictures, email addresses, and phone numbers? Could you even consider allowing new users to register themselves and delete their own accounts? With the Self Service app, you can offload all these tasks and precisely define who is allowed to do what. This not only simplifies processes but also significantly eases the burden on admins and help desk staff.

What have your experiences been with Self Service? Do you find the app to be a helpful tool, freeing up time and resources by empowering users? We’d love to hear from you! Share your stories with us and the broader community.

Comment on this post and visit the Univention Help forum!


Image source: Icon created by Freepic from flaticon.com
