Problem: UCS 5.2: Self Service Password Change Returns 403 Forbidden

Knowledge Base Community
, , ,
1

Problem:

After upgrading to Univention Corporate Server (UCS) 5.2, password change tiles in school portals no longer work. Accessing the previously used Self Service URL results in a 403 Forbidden error.

Password change tiles configured in school portals reference the following URL:

/univention/self-service/#page=passwordchange

After the upgrade to UCS 5.2, accessing this URL on a Primary or Replica system results in the following error message:

403 Forbidden
You don't have permission to access this resource.

During analysis, it can also be observed that the directory

/var/www/univention/self-service

(or its target directory

/usr/share/univention-self-service/www

) only contains an icons subdirectory and no HTML or PHP files.

Environment

  • UCS Primary and Replica systems
  • UCS@School environment
  • Portal tiles linking directly to the legacy Self Service URL

Cause

With UCS 5.2, the Univention Self Service is no longer provided as a standalone web application under /univention/self-service/.

Instead, the Self Service is now fully integrated into the Univention Portal frontend. As a result:

  • Direct access to /univention/self-service/ is no longer supported
  • Requests to this path return 403 Forbidden
  • The former web resources are no longer present in the filesystem

Portal tiles or bookmarks that still reference the legacy URL therefore no longer work.

Solution:

The password change Self Service is now accessed via the Univention Portal.

The correct URL is:

https://<FQDN>/univention/portal/#/selfservice/passwordchange

Updating Portal Tiles

To restore functionality, update the affected portal tiles and set the Link field to:

#/selfservice/passwordchange
  • udm portals/entry modify --dn "cn=self-service-password-change,cn=entry,cn=portals,cn=univention,$(ucr get ldap/base)" --set link='"en_US" "#/selfservice/passwordchange"'

Check the object after the modify:

  • udm portals/entry list --filter cn=self-service-password-change
cn=self-service-password-change
DN: cn=self-service-password-change,cn=entry,cn=portals,cn=univention,dc=miro,dc=intranet
  activated: TRUE
  allowedGroups: cn=Anonymous Logon,cn=Builtin,dc=miro,dc=intranet
  allowedGroups: cn=Domain Users,cn=groups,dc=miro,dc=intranet
  allowedGroups: cn=Users,cn=Builtin,dc=miro,dc=intranet
  anonymous: FALSE
  backgroundColor: None
  description: de_DE: Ihr Passwort ändern
  description: en_US: Change your password
  displayName: de_DE: Ihr Passwort ändern
  displayName: en_US: Change your password
  icon: PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0
PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9IiNmZmZmZmYiIHN0
cm9rZS13aWR0aD0iMiIgc3Ryb2tlLWxpbmVjYXA9InJvdW5kIiBzdHJva2UtbGluZWpvaW49InJv
dW5kIiBjbGFzcz0iZmVhdGhlciBmZWF0aGVyLWtleSI+PHBhdGggZD0iTTIxIDJsLTIgMm0tNy42
MSA3LjYxYTUuNSA1LjUgMCAxIDEtNy43NzggNy43NzggNS41IDUuNSAwIDAgMSA3Ljc3Ny03Ljc3
N3ptMCAwTDE1LjUgNy41bTAgMGwzIDNMMjIgN2wtMy0zbS0zLjUgMy41TDE5IDQiPjwvcGF0aD48
L3N2Zz4K
  link: en_US: #/selfservice/passwordchange
  linkTarget: samewindow
  name: self-service-password-change
  target: None
  univentionObjectIdentifier: 79eaa862-24be-103f-8a18-4385963527eb

This ensures the link is resolved correctly within the Univention Portal context and works as expected on UCS 5.2 systems.

Result

After updating the portal tile configuration, users can again access the password change functionality without encountering a 403 Forbidden error.