Problem: Unable to Modify univentionFreeAttribute via Self Service

Problem

When trying to update univentionFreeAttribute4 through the UCS Self Service, saving a new value results in an LDAP authentication error. The log includes entries similar to the following:

05.12.25 15:22:20.605  MAIN        ( WARN    ) : Failed to open LDAP
connection for user
uid=my_user,cn=users,ou=internal,dc=domain,dc=de: An error
during LDAP authentication happened. Auth type: SAML; SAML message
length: 8408; DN length: 57; Original Error: {'result': 49, 'desc':
'Invalid credentials', 'ctrls': [], 'info': 'SASL(-13): authentication
failure: Untrusted assertion audience'} |
requester_dn=uid=my_user,cn=users,ou=internal,dc=domain,dc=de
05.12.25 15:22:20.606  MODULE      ( ERROR   ) : Internal server error:
passwordreset/set_user_attributes
AttributeError: 'NoneType' object has no attribute 'base' |
requester_dn=uid=my_user,cn=users,ou=internal,dc=domain,dc=de

The relevant parts are:

Failed to open LDAP connection ... Invalid credentials ...
authentication failure: Untrusted assertion audience
...
Internal server error: passwordreset/set_user_attributes
AttributeError: 'NoneType' object has no attribute 'base'

Root Cause

The user account does not have permission to modify the attribute univentionFreeAttribute4. Without a proper ACL, the Self Service process cannot write to this attribute and the request fails. To allow users to write this attribute, a custom ACL must be created and registered so it persists across configuration commits.

Solution

Create a custom ACL that grants write permission on the attribute:

cat >/etc/univention/templates/files/etc/ldap/slapd.conf.d/65univention-freeattr4.acl << 'EOF'
access to attrs=univentionFreeAttribute4
     by self write
     by * read
EOF

and register it as a UCS extension:

. /usr/share/univention-lib/ldap.sh

ucs_registerLDAPExtension \
   --packagename custom-freeattr4 \
   --packageversion 1.0 \
   --acl /etc/univention/templates/files/etc/ldap/slapd.conf.d/65univention-freeattr4.acl

ucr commit /etc/ldap/slapd.conf
systemctl restart slapd

After restarting the LDAP service, the Self Service Portal is able to update univentionFreeAttribute4 successfully.
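
To confirm that the new ACL grants only what is intended, the following added example (not part of the original article) checks the effective access with OpenLDAP's slapacl tool. It assumes that slapacl is installed and run as root on the UCS server, and that the script name and the two user DNs passed to it are your own. The result parsing relies on slapacl reporting each test as ALLOWED or DENIED.

```shell
#!/bin/sh
# Added example: verify effective access to univentionFreeAttribute4 with slapacl.
# Assumption: run as root on the UCS server where the ACL was registered.
ATTR=univentionFreeAttribute4
CONF=/etc/ldap/slapd.conf   # the file regenerated by "ucr commit" in the steps above

# access_result AUTHC_DN TARGET_DN LEVEL -> prints ALLOWED, DENIED or ERROR.
# An empty AUTHC_DN tests an anonymous identity.
access_result() {
    if [ -n "$1" ]; then
        out=$(slapacl -f "$CONF" -D "$1" -b "$2" "$ATTR/$3" 2>&1) || true
    else
        out=$(slapacl -f "$CONF" -b "$2" "$ATTR/$3" 2>&1) || true
    fi
    # slapacl reports each tested attribute as "...: ALLOWED" or "...: DENIED".
    case "$out" in
        *ALLOWED*) echo ALLOWED ;;
        *DENIED*)  echo DENIED ;;
        *)         echo ERROR ;;
    esac
}

# check_freeattr_acl USER_DN OTHER_USER_DN -> returns 0 only if write access
# is limited to the user's own entry.
check_freeattr_acl() {
    rc=0
    r=$(access_result "$1" "$1" write)
    echo "user on own entry, write:   $r (expected ALLOWED)"
    [ "$r" = ALLOWED ] || rc=1
    r=$(access_result "$1" "$2" write)
    echo "user on other entry, write: $r (expected DENIED)"
    [ "$r" = DENIED ] || rc=1
    r=$(access_result "" "$1" write)
    echo "anonymous, write:           $r (expected DENIED)"
    [ "$r" = DENIED ] || rc=1
    # Informational only: "by * read" applies to every identity, so review this result.
    echo "anonymous, read:            $(access_result "" "$1" read)"
    return "$rc"
}

# Usage: sh check-freeattr4.sh USER_DN OTHER_USER_DN
if [ "$#" -eq 2 ]; then
    check_freeattr_acl "$1" "$2"
fi
```

If the anonymous read line shows ALLOWED and the attribute holds data that should not be readable by every identity, narrow the `by * read` clause before registering the ACL.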
