How a UCS@school user should look like

The differences between UCS users and UCS@school users

Users, who are created with the UMC module Users (school) automatically receive a number of groups and roles. When creating users via UDM command or the UMC module users, one can easily miss one of these essential features, which might lead to errors. Thus, the safest way to create new users is by the school module or via the UCS@school import.

To illustrate missing groups and attributes, this article compares the UDM attributes of common UCS users and UCS@school users. The goal is to understand how school users differ in their groups and roles from normal users, as well as how to detect broken users. A similar german article has been published here.

School membership

Every school user must be a member of at least one school (OU). When a school user is removed from its last school, it is deleted.

  1. One of the users schools must be the OU below which the users LDAP object is located (see section Position in LDAP tree below).
  2. For each school the user is a member of, it must:
    2.1 be member of a few groups (see section Group membership below),
    2.2 the schools (OUs) name must be listed in the users schools attribute,
    2.3 there must be (at least) one entry in the ucsschoolRole attribute (see section Role attribute below)

Group membership

As mentioned earlier, school users have to be placed inside the special school groups. A user created via UDM or the UMC module users, will only be placed in

  groups: cn=Domain Users,cn=groups,$ldap_base

Let’s compare the group against the groups of a valid UCS@school student:

  • Every school user is in a $ROLE-$SCHOOL group (with $ROLE being schueler, lehrer or mitarbeiter).
  • All members of a school (OU) must be in the Domain Users $SCHOOL group
  • Students are usually part of at least one school class. Staff members and teachers do not have to be assigned to a class. The OU a class belongs to, must be listed in the users schools attribute.
  groups: cn=schueler-$SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base
  groups: cn=Domain Users $SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base
  groups: cn=$SCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=$SCHOOL,$ldap_base

School admins, who are usually teachers or staff members, need the group

  groups: cn=admins-$SCHOOL,cn=ouadmins,cn=groups,$ldap_base

Position in LDAP tree

UCS@school users will be placed at position cn=$ROLE,cn=users,ou=$SCHOOL,$ldap_base, instead of cn=users,$ldap_base.

  • staff: cn=mitarbeiter,cn=users,ou=$SCHOOL,$ldap_base
  • student: cn=schueler,cn=users,ou=$SCHOOL,$ldap_base
  • teacher: cn=lehrer,cn=users,ou=$SCHOOL,$ldap_base
  • staff and teacher: cn=lehrer und mitarbeiter,ou=$SCHOOL,$ldap_base

:warning:To use the position of objects in LDAP to identify their role is deprecated, try to avoid relying on it. Never the less - until further notice - the above positions should be used when create new users!

Role attribute

UCS@school users have the attribute ucsschoolRole, which is used internally. It is composed as follows:

  • Staff users have an attribute ucsschoolRole: staff:school:DEMOSCHOOL
  • Students have an attribute ucsschoolRole: student:school:DEMOSCHOOL
  • Teachers have an attribute ucsschoolRole: teacher:school:DEMOSCHOOL

There will be one entry per role and school of the user.

:warning: UCS@school users also have the attributes departmentNumber and school which both hold the short form of the school name. Try to avoid relying on them, as they are deprecated.

Required attributes

The firstname and lastname attributes must be set for a school user.

Import related attributes

When using the UCS@school import, the attributes ucsschoolRecordUID and ucsschoolSourceUID are set as well. Users, which are created by UMC leave the values unset as well as ucsschoolPurgeTimestamp.
UCS@school users also have an additional e-mail attribute, which holds the same value as mailPrimaryAddress.

UDM options / LDAP objectClasses

Last but not least, at least one of the following options has to be activated:


This can be done by adding --append-option=ucsschoolStudent to the UDM command or by activating the checkbox in the Users (school) module.

The UDM options are saved as objectClass in the LDAP objects:

  • administrator: ucsschoolAdministrator
  • exam user: ucsschoolExam
  • staff: ucsschoolStaff
  • student: ucsschoolStudent
  • teacher: ucsschoolTeacher
  • staff and teacher: both ucsschoolStaff and ucsschoolTeacher

A sample command

Putting everything together, this command creates a valid UCS@school user via UDM:

udm users/user create  \
	--position 'cn=schueler,cn=users,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--set firstname='Demo'
	--set lastname='Student' \
	--set username='demo_student2' \
	--set password='secret' \
	--set displayName='Demo Student' \
	--append groups='cn=schueler-demoschool,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--append groups='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--append groups='cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--set primaryGroup='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--append school=DEMOSCHOOL \
	--append ucsschoolRole=student:school:DEMOSCHOOL \

For every school the user is a member of, there must be additional groups, school and ucsschoolRole entries.

To fix groups or attributes, use the udm users/user modify command to modify the broken user object.

1 Like