Problem: UCS@school Kelvin API Cannot Manage the ucsschoolAdministrator Role

Problem

The UCS@school role model was enhanced by introducing a dedicated role named ucsschoolAdministrator. However, as of now, the Kelvin REST API does not support management capabilities for this role. Although the API can detect the older school_admin role, it cannot properly interpret or administer the new ucsschoolAdministrator role. This limitation may impact automated user management workflows and school IT delegation models.

Symptoms

Users with the ucsschoolAdministrator role are not recognized properly by the Kelvin API. Attempts to query or manage such users via the API fail, and log messages similar to the following are observed.

Example Log Output from: /var/log/univention/ucsschool-kelvin-rest-api/http.log

2025-04-24 17:49:43 INFO  [226][e23dfcacc6] h11_impl.send:473  172.17.42.1:44360 - "POST /ucsschool/kelvin/token HTTP/1.1" 200
2025-04-24 17:49:43 WARNING [226][e23dfcacc6] main.timing:91  kelvin_app.ucsschool.kelvin.main.login_for_access_token - 4.109 s - ['http_status:200', 'http_method:POST', 'time:wall']
2025-04-24 17:49:43 WARNING [226][e23dfcacc6] main.timing:91  kelvin_app.ucsschool.kelvin.main.login_for_access_token - 0.091 s - ['http_status:200', 'http_method:POST', 'time:cpu']
2025-04-24 17:49:43 DEBUG [226][231386985b] base.from_dn:1172  Looking up ImportUser with dn 'uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de'
2025-04-24 17:49:43 DEBUG [226][231386985b] base_http.call_openapi:464  'get' 'users/user' -> udm_users_user_object_with_http_info(**{'dn': 'uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de'}) -> UsersUser('uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de') [200]
2025-04-24 17:49:43 WARNING [226][231386985b] base.from_udm_obj:1083  UDM object 'uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de' does not correspond to a Python class in the UCS school lib.
2025-04-24 17:49:43 WARNING [226][231386985b] base.get_lib_obj:89  No ImportUser with name=None dn='uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de' and school=None found.
2025-04-24 17:49:43 INFO  [226][231386985b] h11_impl.send:473  172.17.42.1:44368 - "GET /ucsschool/kelvin/v1/users/test-user-cont HTTP/1.1" 404
2025-04-24 17:49:43 WARNING [226][231386985b] main.timing:91  kelvin_app.ucsschool.kelvin.routers.user.get - 0.200 s - ['http_status:404', 'http_method:GET', 'time:wall']
2025-04-24 17:49:43 WARNING [226][231386985b] main.timing:91  kelvin_app.ucsschool.kelvin.routers.user.get - 0.055 s - ['http_status:404', 'http_method:GET', 'time:cpu']

Root Cause

The Kelvin API has not yet been updated to recognize or manage users with the ucsschoolAdministrator role. This discrepancy arises from the role’s relatively recent addition to the UCS@school role model. The backend mapping to UCS@school’s internal user object classes is incomplete.

For detailed technical context:
Univention Bug 54051

Workaround

Until proper support is implemented, users intended to have administrative capabilities must be given additional object classes and role attributes so that the Kelvin API can map them to a user type it already supports.

Steps:

  1. Add objectClass=ucsschoolTeacher to the user in LDAP.
  2. Assign a compatible ucsschoolRole value (e.g., teacher).
  3. Ensure appropriate group memberships (such as the Domain Admins group or school admin groups) are present to reflect administrative privileges.


This workaround tricks the Kelvin API into recognizing the user as a valid school-type user by using compatible, legacy role definitions. Note that Kelvin will then report and manage the account as a teacher; the administrative privileges themselves still come from the group memberships in step 3.

Verify the result with univention-ldapsearch; a user prepared this way carries the ucsschoolTeacher object class next to ucsschoolAdministrator:

univention-ldapsearch uid=mirac.erde objectClass

# mirac.erde, schueler, users, mejneschool2, ucs5schoolhejne.intranet
dn: uid=mirac.erde,cn=schueler,cn=users,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
objectClass: wekanUser
objectClass: automount
objectClass: oxUserObject
objectClass: jitsimeetUser
objectClass: univentionObject
objectClass: univentionMail
objectClass: posixAccount
objectClass: kopano-user
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: univentionPerson
objectClass: ucsschoolAdministrator
objectClass: person
objectClass: ucsschoolType
objectClass: sambaSamAccount
objectClass: inetOrgPerson
objectClass: univentionNetworkAccess
objectClass: top
objectClass: univentionOffice365
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: ucsschoolTeacher
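The following Python script is an added example and is not part of this article or of Univention's Kelvin code. It pulls the DNs that Kelvin failed to map out of http.log lines, checks the object classes returned by univention-ldapsearch against a simplified model of the ucs-school-lib class lookup (Student, Teacher, Staff and TeachersAndStaff derived from ucsschoolStudent, ucsschoolTeacher and ucsschoolStaff; ucsschoolAdministrator alone maps to nothing), and prints the udm command that applies steps 1 to 3 of the workaround. The sample log and LDIF text are constructed; the udm flags, the ucsschoolRole value format and the lehrer-<school> teacher group DN are assumptions that should be checked against your own domain before running the printed command.

```python
"""Find UCS@school users Kelvin cannot map and print the workaround command.

Added example, not Univention code. The class lookup below is a simplified
model of ucs-school-lib behaviour (assumption), not the library's own code.
"""
from __future__ import annotations

import re

# Constructed sample lines in the style of
# /var/log/univention/ucsschool-kelvin-rest-api/http.log
SAMPLE_LOG = """\
2025-04-24 17:49:43 WARNING [226][231386985b] base.from_udm_obj:1083  UDM object 'uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de' does not correspond to a Python class in the UCS school lib.
2025-04-24 17:49:43 INFO  [226][231386985b] h11_impl.send:473  172.17.42.1:44368 - "GET /ucsschool/kelvin/v1/users/test-user-cont HTTP/1.1" 404
"""

# Constructed sample output in the shape of `univention-ldapsearch ... objectClass`
SAMPLE_LDIF = """\
# test-user-cont, users, DEMOSCHOOL, ucs.test.myschool.univention.de
dn: uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de
objectClass: top
objectClass: person
objectClass: univentionPerson
objectClass: ucsschoolType
objectClass: ucsschoolAdministrator

# mirac.erde, schueler, users, mejneschool2, ucs5schoolhejne.intranet
dn: uid=mirac.erde,cn=schueler,cn=users,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
objectClass: top
objectClass: person
objectClass: ucsschoolType
objectClass: ucsschoolAdministrator
objectClass: ucsschoolTeacher
"""

LOG_UNMAPPED = re.compile(
    r"UDM object '(?P<dn>[^']+)' does not correspond to a Python class"
)


def unmapped_dns_from_log(log_text: str) -> list[str]:
    """DNs for which Kelvin logged that no ucs-school-lib class matched."""
    return [m.group("dn") for m in LOG_UNMAPPED.finditer(log_text)]


def parse_ldif(text: str) -> dict[str, list[str]]:
    """Map each dn in ldapsearch-style LDIF output to its objectClass values."""
    entries: dict[str, list[str]] = {}
    dn = None
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue  # comment line or entry separator
        attr, _, value = raw.partition(": ")
        if attr == "dn":
            dn = value
            entries[dn] = []
        elif attr == "objectClass" and dn is not None:
            entries[dn].append(value)
    return entries


def classify(object_classes: list[str]) -> str | None:
    """Simplified model (assumption) of which ucs-school-lib user class the
    object classes select. ucsschoolAdministrator alone selects none, which is
    the situation behind the 404 in the Kelvin log."""
    ocs = set(object_classes)
    if "ucsschoolStudent" in ocs:
        return "Student"
    if {"ucsschoolTeacher", "ucsschoolStaff"} <= ocs:
        return "TeachersAndStaff"
    if "ucsschoolTeacher" in ocs:
        return "Teacher"
    if "ucsschoolStaff" in ocs:
        return "Staff"
    return None


def affected_users(ldif_text: str) -> list[str]:
    """DNs that carry ucsschoolAdministrator but no class Kelvin can map."""
    return [
        dn
        for dn, ocs in parse_ldif(ldif_text).items()
        if "ucsschoolAdministrator" in ocs and classify(ocs) is None
    ]


def workaround_command(dn: str) -> str:
    """Build the udm call for steps 1 to 3 of the workaround.

    Assumptions: udm supports --append-option, ucsschoolRole values use the
    role:school:<OU> format, and the teacher group is lehrer-<ou lowercased>.
    """
    match = re.search(r",ou=([^,]+),", dn)
    if not match:
        raise ValueError(f"no school OU in DN: {dn}")
    school = match.group(1)
    base = dn[dn.index("dc="):]
    teachers_group = f"cn=lehrer-{school.lower()},cn=groups,ou={school},{base}"
    return (
        f"udm users/user modify --dn '{dn}' "
        f"--append-option ucsschoolTeacher "
        f"--append ucsschoolRole=teacher:school:{school} "
        f"--append groups='{teachers_group}'"
    )


if __name__ == "__main__":
    for dn in unmapped_dns_from_log(SAMPLE_LOG):
        print("Kelvin could not map:", dn)
    for dn in affected_users(SAMPLE_LDIF):
        print(workaround_command(dn))
```

To use it on a real system, replace SAMPLE_LOG and SAMPLE_LDIF with the contents of http.log and of `univention-ldapsearch objectClass=ucsschoolAdministrator objectClass`, and review each printed command before running it: the mirac.erde entry above is deliberately left out of the output because it already carries ucsschoolTeacher and therefore maps to a Teacher.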