The differences between UCS users and UCS@school users
Users, who are created with the UMC module Users (school) automatically receive a number of groups and roles. When creating users via UDM command or the UMC module users, one can easily miss one of these essential features, which might lead to errors. Thus, the safest way to create new users is by the school module or via the UCS@school import.
To illustrate missing groups and attributes, this article compares the UDM attributes of common UCS users and UCS@school users. The goal is to understand how school users differ in their groups and roles from normal users, as well as how to detect broken users. A similar german article has been published here.
In UCS@school 4.4 v8 users are now validated before usage, when loading them from LDAP and errors will be logged to the regular log files (cf. manual).
In UCS@school 4.4 v9 the diagnostic module UCS@school Consistency Check is introduced. It checks, amongst other things, if existing users are consistent. If this diagnostic module displays errors, this does not necessarily mean that the UCS@school system is not working. Rather, it warns of objects that do not look the way UCS@school expects and that could cause future problems when using them.
Every school user must be a member of at least one school (OU). When a school user is removed from its last school, it is deleted.
- One of the user’s schools must be the OU below which the users LDAP object is located (see section Position in LDAP tree below).
- For each school the user is a member of, it must:
2.1 be member of a few groups (see section Group membership below),
2.2 the schools (OUs) name must be listed in the users
2.3 there must be (at least) one entry in the
ucsschoolRoleattribute (see section Role attribute below)
As mentioned earlier, school users have to be placed inside the special school groups. A user created via UDM or the UMC module users, will only be placed in
groups: cn=Domain Users,cn=groups,$ldap_base
Let’s compare the group against the groups of a valid UCS@school student:
- Every school user is in a
- All members of a school (OU) must be in the
Domain Users $SCHOOLgroup
- Students are usually part of at least one school class. Staff members and teachers do not have to be assigned to a class. The OU a class belongs to, must be listed in the users
groups: cn=schueler-$SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base groups: cn=Domain Users $SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base groups: cn=$SCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=$SCHOOL,$ldap_base
School admins, who are usually teachers or staff members, need the group
For detailed information about the special group types work group and school classes please see this article.
Position in LDAP tree
UCS@school users will be placed at position
cn=$ROLE,cn=users,ou=$SCHOOL,$ldap_base, instead of
- staff and teacher:
cn=lehrer und mitarbeiter,ou=$SCHOOL,$ldap_base
To use the position of objects in LDAP to identify their role is deprecated, try to avoid relying on it. Never the less - until further notice - the above positions should be used when create new users!
UCS@school users have the attribute
ucsschoolRole, which is used internally. It is composed as follows:
- Staff users have an attribute
- Students have an attribute
- Teachers have an attribute
There will be one entry per role and school of the user.
UCS@school users also have the attributes
school which both hold the short form of the school name. Try to avoid relying on them, as they are deprecated.
lastname attributes must be set for a school user.
Import related attributes
When using the UCS@school import, the attributes
ucsschoolSourceUID are set as well. Users, which are created by UMC leave the values unset as well as
UCS@school users also have an additional
UDM options / LDAP objectClasses
Last but not least, at least one of the following options has to be activated:
This can be done by adding
--append-option=ucsschoolStudent to the UDM command or by activating the checkbox in the Users (school) module.
The UDM options are saved as
objectClass in the LDAP objects:
- exam user:
- staff and teacher: both
A sample command
Putting everything together, this command creates a valid UCS@school user via UDM:
udm users/user create \ --position 'cn=schueler,cn=users,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --set firstname='Demo' \ --set lastname='Student' \ --set username='demo_student2' \ --set password='secret123' \ --set displayName='Demo Student' \ --append groups='cn=schueler-demoschool,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --append groups='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --append groups='cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --set primaryGroup='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --append school=DEMOSCHOOL \ --append ucsschoolRole=student:school:DEMOSCHOOL \ --append-option=ucsschoolStudent
For every school the user is a member of, there must be additional
To fix groups or attributes, use the
udm users/user modify command to modify the broken user object.