This guide gathers essential steps - which are otherwise spread across different manuals - for setting up the Self-Service App for UCS@school-environments, including two common customer scenarios (activating ‘Password forgotten’ and ‘Password Wireless LAN’):
Installation of Self-Service App
- Install Self Service (backend und frontend apps) via App Center (see 6.5. User self services — Univention Corporate Server - Manual for users and administrators)
- Install Self Service Backend on Primary Directory Node.
- Install Self Service on the designated Portal Server (Backup Directory Node).
- There you also need to define the UCS system on which the backend of the Self-Service App is installed (the Primary Directory Node) using the UCR variable
self-service/backend-server(see 16.1. Univention Configuration Registry Variables — Univention Corporate Server - Manual for users and administrators).
- There you also need to define the UCS system on which the backend of the Self-Service App is installed (the Primary Directory Node) using the UCR variable
- In order to ensure that the users of all schools that are members of the
Domain Users <OUNAME>groups are allowed to use the Self-Service module, also install the packageucs-school-selfservice-supporton Primary Directory Node and Portal-Backup Directory Node (via UMC → Sofware → Package Management OR via CLI:univention-install ucs-school-selfservice-support) (see 2.4. Integration mit Self-Service App — UCS@school - Handbuch für Administratoren [German only] - Check join status für
35univention-selfservice-password-reset-umcon Portal-Backup Directory Node (via UMC → Domain → Domain join OR via CLI:univention-check-join-status) - NOTICE: The new Self-Service module entries in the portal will initially only appear in the user menu (≡). Via the editing mode of the portal the entries can be assigned to other or more portal categories. The visibility of the individual entries can be restricted to certain user groups in edit mode (‘Can only be seen by these groups’). You can also use the editing mode to set whether the entries should only be displayed before or after logging in the portal (cf. 4.3. UCS portal page — Univention Corporate Server - Manual for users and administrators ).
Scenario 1: Activate ‘Password forgotten’ (via e-mail)
Users are enabled to reset their forgotten password by requesting a token to be sent to a previously registered contact email address.
- To activate the ‘Forgot password’ module on the Primary Directory Node:
ucr set umc/self-service/passwordreset/backend/enabled=true(see 6.5. User self services — Univention Corporate Server - Manual for users and administrators) - NOTICE: Further configurations need to be considered before the function can be fully utilized:
- Depending on the desired user story the recovery option should be specified. The options available are e-mail (
umc/self-service/passwordreset/email/enabledis set toyesby default), SMS (umc/self-service/passwordreset/sms/enabled) or a self-defined sending process (umc/self-service/passwordreset/external/enabled). - Further configuration of the e-mail (subject, text, etc.) is possible via UCR variables:
- UCR variable for the sender address of the token e-mail:
umc/self-service/passwordreset/email/sender_address - UCR variable for token e-mail subject:
umc/self-service/passwordreset/email/subject. - UCR variable for the name of the server used for links in the token e-mail:
umc/self-service/passwordreset/email/webserver_address. - The message to be sent is generated from a text file. The UCR variable
umc/self-service/passwordreset/email/text_filecan be used to determine which one is to be used. To customize the text, the file with the standard text from/usr/share/pyshared/univention/management/console/modules/passwordreset/sending/email_body.txtshould be copied somewhere and edited. The path to the new file is then set in the UCR variable. - For further details / more options see Self Service to Reset Password in UCS 4.1 (including comment section).
- UCR variable for the sender address of the token e-mail:
- A recovery e-mail must also be supplied to the system by the users themselves. The easiest (and most data efficient) way to set this up is provided by the ‘Protect account’ module. To activate the module, execute
ucr set umc/self-service/protect-account/backend/enabled=trueon the Primary Directory Node. - Alternatively (or additionally?) the module ‘My profile’ can be activated to enable users to supply even more personal data themselves. For information about activation and configuration see 6.5. User self services — Univention Corporate Server - Manual for users and administrators.
- For details how to customize the description of fields in the web interface of Self-Service modules (e.g. the title for the recovery e-mail field in the ‘Protect account’ module.) via the
custom.csssee How-to: Customize UCS web interfaces via CSS
- Depending on the desired user story the recovery option should be specified. The options available are e-mail (
Scenario 2: Activate ‘Password Wireless LAN’
By default, users authenticate with their domain password. By activating ‘Password Wireless LAN’ a dedicated password for RADIUS will be used. Through the Self Service App users can then get such a password. The system will generate a random password for users to use.
- If not already done:
- Run UCS@school configuration wizard.
- Create school and school users.
- Install RADIUS app on the designated Replica Directory Node.
- Enable network access for the users of the respective school (via the Group module) (see 11.6. RADIUS — Univention Corporate Server - Manual for users and administrators)
- Groups/domain users /RADIUS
- Activate ‘allow Network access’
- Groups/domain users /RADIUS
- To activate the ‘Password Wireless LAN’ module (see 11.6. RADIUS — Univention Corporate Server - Manual for users and administrators):
- On the Replica Directory Node with the RADIUS-App:
ucr set radius/use-service-specific-password=true - On the Primary Directory Node (where the Self Service Backend was installed):
ucr set umc/self-service/service-specific-passwords/backend/enabled=true - The parameters used to generate the passwords can be displayed with
ucr search password/radius/qualityon the nodes where the RADIUS app is installed. However, they can only be adjusted on the Primary Directory Node (even if the RADIUS app is installed on another system)(cf. here). The parameter configurations fulfill the ‘Microsoft requirements’ (also BSI):- Upper and lower case letters via
password/radius/quality/credit/lowerandpassword/radius/quality/credit/upper. - Digits via
password/radius/quality/credit/digits. - Special characters via
password/radius/quality/credit/other(can also be switched off completely via0). - Limitation of the number of characters downwards (min. 8) via
password/radius/quality/length/min. - Additionally: You can also exclude characters via
password/radius/quality/forbidden/chars.
- Upper and lower case letters via
- On the Replica Directory Node with the RADIUS-App: