How a UCS@school user should look like

The differences between UCS users and UCS@school users

Users, who are created with the UMC module Users (school) automatically receive a number of groups and roles. When creating users via UDM command or the UMC module users, one can easily miss one of these essential features, which might lead to errors. Thus, the safest way to create new users is by the school module or via the UCS@school import.

To illustrate missing groups and attributes, this article compares the UDM attributes of common UCS users and UCS@school users. The goal is to understand how school users differ in their groups and roles from normal users, as well as how to detect broken users. A similar german article has been published here.

Group membership

As mentioned earlier, school users have to be placed inside the special school groups. A user created via UDM or the UMC module users, will only be placed in

  groups: cn=Domain Users,cn=groups,$ldap_base

Let’s compare the group against the groups of a valid UCS@school student. Students are usually part of at least one class. Staff members and teachers do not have to be assigned to a class.

  groups: cn=schueler-$SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base
  groups: cn=Domain Users $SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base
  groups: cn=$SCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=$SCHOOL,$ldap_base

School admins, who are usually teachers or staff members, need the group

  groups: cn=admins-$SCHOOL,cn=ouadmins,cn=groups,$ldap_base

Position in LDAP tree

UCS@school users will be placed at position cn=$ROLE,cn=users,ou=$SCHOOL,$ldap_base, instead of cn=users,$ldap_base.

  • staff: cn=mitarbeiter,cn=users,ou=$SCHOOL,$ldap_base
  • student: cn=schueler,cn=users,ou=$SCHOOL,$ldap_base
  • teacher: cn=lehrer,cn=users,ou=$SCHOOL,$ldap_base
  • staff and teacher: cn=lehrer und mitarbeiter,ou=$SCHOOL,$ldap_base

:warning:To use the position of objects in LDAP to identify their role is deprecated, try to avoid relying on it. Never the less - until further notice - the above positions should be used when create new users!

Role attribute

UCS@school users have the attribute ucsschoolRole, which is used internally. It is composed as follows:

  • Staff users have an attribute ucsschoolRole: staff:school:DEMOSCHOOL
  • Students have an attribute ucsschoolRole: student:school:DEMOSCHOOL
  • Teachers have an attribute ucsschoolRole: teacher:school:DEMOSCHOOL

There will be one entry per role and school of the user.

:warning: UCS@school users also have the attributes departmentNumber and school which both hold the short form of the school name. Try to avoid relying on them, as they are deprecated.

Import related attributes

When using the UCS@school import, the attributes ucsschoolRecordUID and ucsschoolSourceUID are set as well. Users, which are created by UMC leave the values unset as well as ucsschoolPurgeTimestamp.
UCS@school users also have an additional e-mail attribute, which holds the same value as mailPrimaryAddress.

UDM options / LDAP objectClasses

Last but not least, at least one of the following options has to be activated:


This can be done by adding --append-option=ucsschoolStudent to the UDM command or by activating the checkbox in the Users (school) module.

The UDM options are saved as objectClass in the LDAP objects:

  • administrator: ucsschoolAdministrator
  • exam user: ucsschoolExam
  • staff: ucsschoolStaff
  • student: ucsschoolStudent
  • teacher: ucsschoolTeacher
  • staff and teacher: both ucsschoolStaff and ucsschoolTeacher

A sample command

Putting everything together, this command creates a valid UCS@school user via UDM:

udm users/user create  \
	--position 'cn=schueler,cn=users,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--set firstname='Demo'
	--set lastname='Student' \
	--set username='demo_student2' \
	--set password='secret' \
	--set displayName='Demo Student' \
	--append groups='cn=schueler-demoschool,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--append groups='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--append groups='cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--set primaryGroup='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \
	--set school=DEMOSCHOOL \
	--set ucsschoolRole=student:school:DEMOSCHOOL \

To fix groups or attributes, use the udm users/user modify command to append or modify the broken user objects.

1 Like