objectClass univentionPerson


#1

Hello,

I want to share some found information.

I noticed that the objectClass ‘univentionPerson’ is really useful especially when you want to perform the search of real users and separate them from accounts used for some internal workflows like ‘ucs-sso’ or ‘krbtgt’.

I set up some external service for authenticating users that have such objectClass. And I was surprised by the fact that newly created user has no this objectClass until you add the birth date in Personal Information section. The fact is interesting by that that personal information ‘Display name’ is filled in by UCS itself during the user creation process, but the objectClass ‘univentionPerson’ is not assigned to account automatically.

Therefore, could somebody explain to me how I can set using the class for created users without specifying their birth dates?

I am asking because this behavior looks for me like a bug since the ‘Display name’ parameter is being set automatically but objectClass is not being assigned despite on the fact that ‘Display name’ is located in section ‘Personal information’.

Thanks in advance.


#2

Hey,

Additional LDAP object classes are only added whenever an attribute only provided by that class is needed. The object classes do not simply correspond to the sections you see in the UMC. In the case of e.g. “display name”, that attribute is already provided by the standard LDAP class inetOrgPerson.

However, your use case seems to be easy separation of functional accounts and real-person accounts. That can be achieved easily by creating more organizational units (OUs) in the LDAP tree, and moving the user accounts into corresponding OUs and then using one of those OUs as the search base:

  1. Log in to the UMC.
  2. Navigate to “Domain” → “LDAP”.
  3. Navigate to the “users” container in the tree, click on “add”, add a new container.
  4. Make that container a standard container for the users so that you can select it when adding new users.
  5. Move the users to the corresponding new containers.
  6. Enjoy.

Kind regards,
mosu


#3

Hi,

Thank you for your response and suggestion.
And I appreciate for your explanation about dependency of user attributes and objectClasses.

I know about the opportunity of creating special containers in LDAP and we have been using this approach for DSA accounts since the start using UCS that that was several years ago.
I agree this is a good capability and it is really useful. I just have never thought about applying this scheme for separating real users from functional ones.

Thanks again for your answer and reminder about the cool feature!


#4

You’re quite welcome.