The Other Day at the Helpdesk:
“Hey Manfred, Ms. Hermann just called. She said her laptop hasn’t had any updates installed for weeks. Can you please take a look at it in the software deployment?”
“Sure, I can do that. Did she mention which laptop it is?”
“No, unfortunately not, and I forgot to ask.”
“No problem, I can check in the UMC now.”
This scenario is fictional, of course, but entirely plausible in practice. The topic of “1:1 equipment”, meaning the permanent assignment of devices to individuals, is currently relevant for many organizations—both school authorities and companies alike.
Anyone who has looked into Univention Corporate Server (UCS) will be familiar with its management interface, the UMC. On the system roles Primary Directory Node and Backup Directory Node, the UMC provides access to the information stored in the LDAP directory service. The modules of the Univention Directory Manager (UDM), however, offer far more capabilities than conventional LDAP tools. One of these helpful extensions, which we developed for UCS, will be illustrated in this article using the example mentioned above.
Practical Use of UDM Extensions: Storing Serial Numbers in Computer Objects
Depending on the object type, Univention Directory Manager offers storage options for various properties configured in the product—for example, names and other personal information for user accounts, or hostnames and IP addresses for computer accounts. But what can you do if the properties predefined by Univention aren’t sufficient for your specific use case?
The UCS documentation provides a detailed description of how to enhance the UMC with extended attributes. In fact, the title of the linked article, “Expansion of UMC modules with extended attributes”, is somewhat understated. These “extended attributes” not only enhance the UMC but also the UDM command line and the UDM REST API. In UCS@school, the Kelvin REST API can also handle arbitrary UDM properties, including such extensions.
In our example for the practical application of UDM extensions, we first want to create the ability to additionally store the device’s serial number on computer objects. The documentation only refers to an “inventory number.” While we could enter the serial number in the “Description” field, such repurposing could cause minor issues later on.
In principle, “extended attributes” can also be administered via the LDAP module of the UMC. However, for the sake of clarity, I’ll use the UDM command line.
univention-directory-manager settings/extended_attribute create \
  --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
  --set name="serialnumber" \
  --append module="computers/ipmanagedclient" \
  --append module="computers/windows" \
  --append module="computers/linux" \
  --append module="computers/ubuntu" \
  --append module="computers/macos" \
  --set tabName="General" \
  --set translationTabName='"de_DE" "Allgemein"' \
  --set groupName="Information" \
  --set tabPosition=1 \
  --set shortDescription="serialnumber" \
  --set translationShortDescription='"de_DE" "Seriennummer"' \
  --set longDescription="serial number of the device" \
  --set translationLongDescription='"de_DE" "Seriennummer des Gerätes"' \
  --set syntax="string" \
  --set multivalue=0 \
  --set mayChange=1 \
  --set objectClass="univentionFreeAttributes" \
  --set ldapMapping="univentionFreeAttribute1"
With this command, an extended attribute named serialnumber is created in the container cn=custom attributes,cn=univention beneath the respective LDAP base. We only want to store serial numbers for specific computer objects. However, there are several of them, which we must specify as a list. This list is defined using --append, since --set allows only a single element to be defined. In the UMC, the extension should appear in the “General” tab under a new group named “Information” as a text field.
Since the entered information should ultimately be stored in the LDAP, we need to specify an LDAP attribute along with its object class. If no suitable option is available among the standard attributes and you don’t want to create your own schema extension, you can use the object class univentionFreeAttributes.
Marking 1:1 Equipment with an Additional Attribute
With a second extended attribute, we now want to add the option to mark devices as “1:1 equipment.”
univention-directory-manager settings/extended_attribute create \
  --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
  --set name="1on1" \
  --append module="computers/ipmanagedclient" \
  --append module="computers/windows" \
  --append module="computers/linux" \
  --append module="computers/ubuntu" \
  --append module="computers/macos" \
  --set tabName="General" \
  --set translationTabName='"de_DE" "Allgemein"' \
  --set groupName="Information" \
  --set tabPosition=2 \
  --set shortDescription="1:1 device" \
  --set translationShortDescription='"de_DE" "1:1 Gerät"' \
  --set longDescription="device will be assigned to a person" \
  --set translationLongDescription='"de_DE" "Gerät wird einer Person zugeordnet"' \
  --set syntax="boolean" \
  --set multivalue=0 \
  --set mayChange=1 \
  --set objectClass="univentionFreeAttributes" \
  --set ldapMapping="univentionFreeAttribute2"
The attribute “1on1”, created with this command, also uses an LDAP attribute from univentionFreeAttributes and will appear in the UMC next to the serial number. Due to the boolean syntax, a checkbox will be displayed in the UMC. If this is activated, a “1” will appear in the LDAP attribute univentionFreeAttribute2.
root@dn1:~# udm computers/windows list --filter cn=wingymnkop101 | grep -E "name|1on1|serialnumber"
1on1: 1
name: wingymnkop101
serialnumber: AABB1231
root@dn1:~# univention-ldapsearch -LLL "(&(objectClass=ucsschoolComputer)(cn=wingymnkop101))" cn univentionFreeAttribute1 univentionFreeAttribute2
dn: cn=wingymnkop101,cn=computers,ou=gym_nkop,dc=training,dc=ucs
cn: wingymnkop101
univentionFreeAttribute1: AABB1231
univentionFreeAttribute2: 1
Creating Custom UDM Syntax for Personal Devices
With this, we already have the extensions for the computers in place. To store information about the 1:1 devices at the user level, a “univentionFreeAttribute” is also sufficient, in which we can store the computer object. To enable a targeted selection of existing UDM objects in the UMC, we create our own syntax class. The developer documentation contains notes on this in. Our syntax could now look like this:
cat > /usr/lib/python3/dist-packages/univention/admin/syntax.d/personaldevice.py <<EOF
from univention.admin.syntax import UDM_Objects
class personal_device(UDM_Objects):
    udm_modules = (
        'computers/windows',
        'computers/linux',
        'computers/ubuntu',
        'computers/ipmanagedclient',
        'computers/macos',
    )
    label = '%(name)s - INV:%(inventoryNumber)s - SN:%(serialnumber)s'
    udm_filter = 'univentionFreeAttribute2=1'
EOF
pkill -f univention-cli-server && systemctl restart univention-management-c*
This procedure adds the syntax and makes it available to the UMC. Please note during your own experiments that Python is sensitive to indentation. Clipboards that automatically adjust the number of spaces would be counterproductive here.
Our new syntax class personal_device identifies, among the relevant computer objects, those in which univentionFreeAttribute2 contains the information indicating whether the device is intended for a 1:1 assignment.
In the UMC, we can see the name and—if available—the inventory number and the serial number.
When defining our extension, we now use the new syntax.
univention-directory-manager settings/extended_attribute create \
  --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
  --set name="1on1device" \
  --set module="users/user" \
  --set tabName="General" \
  --set translationTabName='"de_DE" "Allgemein"' \
  --set groupName="Devices" \
  --set groupPosition=2 \
  --set translationGroupName='"de_DE" "Geräte"' \
  --set tabPosition=1 \
  --set shortDescription="personal devices" \
  --set translationShortDescription='"de_DE" "persönliche Geräte"' \
  --set longDescription="devices assigned to this user" \
  --set translationLongDescription='"de_DE" "dem Benutzerkonto zugewiesene Geräte"' \
  --set syntax="personal_device" \
  --set multivalue=1 \
  --set mayChange=1 \
  --set objectClass="univentionFreeAttributes" \
  --set ldapMapping="univentionFreeAttribute3"
The option multivalue=1 allows multiple devices to be assigned.
This now enables us to select appropriate devices for users and store them on the user object. The task mentioned at the beginning can now be easily completed.
The extended search in the UMC also gives us the ability to search for users to whom personal devices have been assigned.
And What Else Is Possible – Extended Attributes for “Hook Classes”
In the present solution, the DNs (distinguished names) of the computer objects are stored in univentionFreeAttribute3. However, if a computer object itself is deleted or moved, the device information on the user side would not change. Likewise, the information on the computer object about which user it is assigned to is not implemented.
To achieve this, extended attributes provide the option of specifying “hook classes” that allow changes on the computer object to also be reflected on the corresponding user object (or vice versa). However, this would go beyond the scope of this article and the knowledge of the author.
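Until such hooks are in place, the drift described above can be detected by auditing an LDIF export. The following Python script is an added example, not code from this article or from Univention: it parses output in the format of univention-ldapsearch -LLL and reports references in univentionFreeAttribute3 that point to missing computer objects, to devices not flagged in univentionFreeAttribute2, or to devices assigned to more than one user. The function names and the sample entries are constructed for illustration.

```python
import base64
from collections import defaultdict

BASE = "cn=computers,ou=gym_nkop,dc=training,dc=ucs"
B64_DN = base64.b64encode(f"cn=wingymnkop102,{BASE}".encode()).decode()
# Constructed sample shaped like `univention-ldapsearch -LLL` output (not real data).
# Attribute mapping as in the article: FreeAttribute2 = 1:1 flag, FreeAttribute3 = device DNs.
SAMPLE_LDIF = f"""dn: cn=wingymnkop101,{BASE}
univentionFreeAttribute2: 1

dn: cn=wingymnkop102,{BASE}
univentionFreeAttribute2: 0

dn: uid=hermann,cn=users,ou=gym_nkop,dc=training,dc=ucs
univentionFreeAttribute3: cn=wingymnkop101,cn=computers,ou=gym_nkop,
 dc=training,dc=ucs
univentionFreeAttribute3: cn=oldlaptop,{BASE}

dn: uid=meier,cn=users,ou=gym_nkop,dc=training,dc=ucs
univentionFreeAttribute3:: {B64_DN}
univentionFreeAttribute3: cn=wingymnkop101,{BASE}
"""

def norm(dn):  # simplified DN normalisation; assumes no escaped commas in RDN values
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Return {normalised dn: {attr: [values]}}; handles folded and base64 ('::') lines."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold continuation lines
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = (base64.b64decode(value[1:]).decode() if value[:1] == ":" else value).strip()
        if attr.lower() == "dn":
            current = entries.setdefault(norm(value), defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def audit(entries):  # report stale or inconsistent 1:1 assignments
    findings, owners = [], defaultdict(list)
    for dn, attrs in entries.items():
        for ref in map(norm, attrs.get("univentionFreeAttribute3", [])):
            owners[ref].append(dn)
            if ref not in entries:  # computer object deleted or moved
                findings.append(("dangling", dn, ref))
            elif entries[ref].get("univentionFreeAttribute2") != ["1"]:
                findings.append(("not-1on1", dn, ref))
    return findings + [("shared", d, tuple(u)) for d, u in owners.items() if len(u) > 1]
```

Run it over an export that contains both the user and the computer entries; a reference to an object outside the export is reported as dangling.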
Nevertheless, I hope I was able to provide you with some interesting and useful guidance for inventorying your IT environment and I look forward to your feedback or your own experiences on the topic.


