The differences between UCS users and UCS@school users
Users, who are created with the UMC module Users (school) automatically receive a number of groups and roles. When creating users via UDM command or the UMC module users, one can easily miss one of these essential features, which might lead to errors. Thus, the safest way to create new users is by the school module or via the UCS@school import.
To illustrate missing groups and attributes, this article compares the UDM attributes of common UCS users and UCS@school users. The goal is to understand how school users differ in their groups and roles from normal users, as well as how to detect broken users. A similar german article has been published here.
As mentioned earlier, school users have to be placed inside the special school groups. A user created via UDM or the UMC module users, will only be placed in
groups: cn=Domain Users,cn=groups,$ldap_base
Let’s compare the group against the groups of a valid UCS@school student. Students are usually part of at least one class. Staff members and teachers do not have to be assigned to a class.
groups: cn=schueler-$SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base groups: cn=Domain Users $SCHOOL,cn=groups,ou=$SCHOOL,$ldap_base groups: cn=$SCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=$SCHOOL,$ldap_base
School admins, who are usually teachers or staff members, need the group
Position in LDAP tree
UCS@school users will be placed at position
cn=$ROLE,cn=users,ou=$SCHOOL,$ldap_base, instead of
- staff and teacher:
cn=lehrer und mitarbeiter,ou=$SCHOOL,$ldap_base
To use the position of objects in LDAP to identify their role is deprecated, try to avoid relying on it. Never the less - until further notice - the above positions should be used when create new users!
UCS@school users have the attribute
ucsschoolRole, which is used internally. It is composed as follows:
- Staff users have an attribute
- Students have an attribute
- Teachers have an attribute
There will be one entry per role and school of the user.
UCS@school users also have the attributes
school which both hold the short form of the school name. Try to avoid relying on them, as they are deprecated.
Import related attributes
When using the UCS@school import, the attributes
ucsschoolSourceUID are set as well. Users, which are created by UMC leave the values unset as well as
UCS@school users also have an additional
UDM options / LDAP objectClasses
Last but not least, at least one of the following options has to be activated:
This can be done by adding
--append-option=ucsschoolStudent to the UDM command or by activating the checkbox in the Users (school) module.
The UDM options are saved as
objectClass in the LDAP objects:
- exam user:
- staff and teacher: both
A sample command
Putting everything together, this command creates a valid UCS@school user via UDM:
udm users/user create \ --position 'cn=schueler,cn=users,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --set firstname='Demo' --set lastname='Student' \ --set username='demo_student2' \ --set password='secret' \ --set displayName='Demo Student' \ --append groups='cn=schueler-demoschool,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --append groups='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --append groups='cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --set primaryGroup='cn=Domain Users DEMOSCHOOL,cn=groups,ou=DEMOSCHOOL,'$(ucr get ldap/base) \ --set school=DEMOSCHOOL \ --set ucsschoolRole=student:school:DEMOSCHOOL \ --append-option=ucsschoolStudent
To fix groups or attributes, use the
udm users/user modify command to append or modify the broken user objects.