Environment

You are using an UCS master as MS/AD member so the ad-connector only replicates from MS/AD to OpenLDAP. However the Univention SelfService module can be configured to also work in such an environment.

1.Step - Create an delegated User in MS/AD

In case you prefer not to use an existing administrative account (e.g. Domain Administrator) you should create a delegated user who has access to reset passwords of other users.

2. Step - Configure SelfService

To enable the SelfService module, the UCR variables ad/reset/username and ad/reset/password need to be set to this respective credentials.

See also http://errata.software-univention.de/ucs/4.2/237.html