udm .... --set PasswordRecoveryEmailemail@example.com
If you run the UDM cli with just the module name as argument, it lists the available actions as well as the known attributes:
PasswordRecoveryMobile Mobile number
PasswordRecoveryEmail Email address
To use the mailPrimaryAddress you have to use the "external" method. You'd have to write a program that gets its information through environment variables. You can copy /usr/share/pyshared/univention/management/console/modules/passwordreset/sending/send_with_external.py to /usr/local/bin and edit it to your needs. Then set umc/self-service/passwordreset/external/command, umc/self-service/passwordreset/external/udm_property and the other umc/self-service/passwordreset/external/... UCR variables.
The external method currently has one major drawback: the user cannot edit her contact data like with the "email" and "sms" methods.
Using mailPrimaryAddress may also be problematic, because it usually has to be the mail address hosted by a UCS mail system. But access to that mailbox may not be possible to the user if the password has been forgotten.