Problem: Unable to Modify univentionFreeAttribute via Self Service

Problem

When trying to update univentionFreeAttribute4 through the UCS Self Service, saving a new value results in an LDAP authentication error. The log includes entries similar to the following:

05.12.25 15:22:20.605  MAIN        ( WARN    ) : Failed to open LDAP connection for user uid=my_user,cn=users,ou=internal,dc=domain,dc=de: An error during LDAP authentication happened. Auth type: SAML; SAML message length: 8408; DN length: 57; Original Error: {'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': 'SASL(-13): authentication failure: Untrusted assertion audience'} | requester_dn=uid=my_user,cn=users,ou=internal,dc=domain,dc=de
05.12.25 15:22:20.606  MODULE      ( ERROR   ) : Internal server error: passwordreset/set_user_attributes
AttributeError: 'NoneType' object has no attribute 'base' | requester_dn=uid=my_user,cn=users,ou=internal,dc=domain,dc=de

The relevant parts are:

Failed to open LDAP connection ... Invalid credentials ...
authentication failure: Untrusted assertion audience
...
Internal server error: passwordreset/set_user_attributes
AttributeError: 'NoneType' object has no attribute 'base'

Root Cause

The user account does not have permission to modify the attribute univentionFreeAttribute4. Without a proper ACL, the Self Service process cannot write to this attribute and the request fails. To allow users to write this attribute, a custom ACL must be created and registered so it persists across configuration commits.

Solution

Create a custom ACL that grants write permission on the attribute:

cat >/etc/univention/templates/files/etc/ldap/slapd.conf.d/65univention-freeattr4.acl << 'EOF'
access to attrs=univentionFreeAttribute4
     by self write
     by * read
EOF

and register it as a UCS extension:

. /usr/share/univention-lib/ldap.sh

ucs_registerLDAPExtension \
   --packagename custom-freeattr4 \
   --packageversion 1.0 \
   --ucsversionend 5.99-0 \
   --ucsversionstart 5.0-0 \
   --acl /etc/univention/templates/files/etc/ldap/slapd.conf.d/65univention-freeattr4.acl

ucr commit /etc/ldap/slapd.conf
systemctl restart slapd

After restarting the LDAP service, the Self Service Portal is able to update univentionFreeAttribute4 successfully.

Result:

udm settings/ldapacl list --filter cn=65univention-freeattr4

cn=65univention-freeattr4
DN: cn=65univention-freeattr4,cn=ldapacl,cn=univention,dc=univention,dc=intranet
  active: TRUE
  data: QlpoOTFBWSZTWaoF6GwAAAxdgCAQQBAEAiEAPyWfoCAAVFAMmgAMg1TyMpofqh6nqNNCgsaDJh9Nl8h9KJ3ZayREpcPca4f2roc4wrHfzkZUoAAk8FHc0GLVfF3JFOFCQqgXobA=
  filename: 65univention-freeattr4.acl
  name: 65univention-freeattr4
  package: custom-freeattr4
  packageversion: 1.0
  ucsversionend: 5.99-0
  ucsversionstart: 5.0-0
  univentionObjectIdentifier: fecb44a0-2093-44ce-974e-168a93051501

Investigation:

If ucsversionstart and ucsversionend are not set when registering the LDAP extension, the pre-update checks will probably fail, as in the following run:

ucs_registerLDAPExtension \
   --packagename custom-freeattr4 \
   --packageversion 1.0 \
   --acl /etc/univention/templates/files/etc/ldap/slapd.conf.d/65univention-freeattr4.acl

root@ucs5primary:~/univention-support# bash pre-update-checks-5.2-4

Starting pre-update-checks-5.2-4 (Di 3. Feb 06:34:36 CET 2026):
Checking disk_space ...                           OK
Checking failed_ldif ...                          OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
Checking master_version ...                       OK
Checking minimum_ucs_version_of_all_systems_in_domain ... FAIL
Checking net_installer ...                        OK
Checking overwritten_umc_templates ...            OK
Checking package_status ...                       OK
Checking role_package_removed ...                 OK
Checking slapd_on_member ...                      OK
Checking system_date_too_old ...                  OK
Checking ucsschool ...                            OK
Checking valid_machine_credentials ...            OK

The system can not be updated to UCS 5.2 due to the following reasons:

minimum_ucs_version_of_all_systems_in_domain:
The following extensions are incompatible with UCS 5.0:
        cn=65univention-freeattr4,cn=ldapacl,cn=univention,dc=univention,dc=intranet: [unspecified..unspecified)

Create a custom ACL that grants write permission for Domain Admins on the attribute:

cat >/etc/univention/templates/files/etc/ldap/slapd.conf.d/65univention-freeattr4.acl << 'EOF'
access to attrs=univentionFreeAttribute4
     by self write
     by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=int,dc=tux42,dc=ch" write
     by * read
EOF
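As an added example (not code from the original post or from Univention's tooling): a small Python checker that parses output in the shape of the `udm settings/ldapacl list` result above, decodes the data attribute back into ACL text so it can be compared with the file that was meant to be registered, and flags extensions registered without ucsversionstart/ucsversionend, the condition behind the [unspecified..unspecified) pre-update failure. It assumes the data attribute holds the ACL file bzip2-compressed and base64-encoded, as ucs_registerLDAPExtension stores it; the listing, ACL texts and DNs are constructed.

```python
import base64
import bz2

# Constructed ACL texts; the first matches 65univention-freeattr4.acl on this page.
FREEATTR_ACL = "access to attrs=univentionFreeAttribute4\n     by self write\n     by * read\n"
OTHER_ACL = "access to attrs=description\n     by * read\n"

def encode_acl_data(acl_text: str) -> str:
    # ucs_registerLDAPExtension stores the ACL file bzip2-compressed and base64-encoded
    # (assumption, see lead-in); reproduced here only to build the sample listing.
    return base64.b64encode(bz2.compress(acl_text.encode())).decode()

# Constructed listing in the shape of `udm settings/ldapacl list` output: the first
# entry was registered without --ucsversionstart/--ucsversionend, the second with them.
SAMPLE_LISTING = (
    "cn=65univention-freeattr4\n"
    "DN: cn=65univention-freeattr4,cn=ldapacl,cn=univention,dc=example,dc=test\n"
    f"  data: {encode_acl_data(FREEATTR_ACL)}\n"
    "  filename: 65univention-freeattr4.acl\n"
    "  package: custom-freeattr4\n"
    "  packageversion: 1.0\n"
    "\n"
    "cn=66custom-other\n"
    "DN: cn=66custom-other,cn=ldapacl,cn=univention,dc=example,dc=test\n"
    f"  data: {encode_acl_data(OTHER_ACL)}\n"
    "  ucsversionend: 5.99-0\n"
    "  ucsversionstart: 5.0-0\n"
)

def parse_listing(text: str) -> dict:
    """Split the listing into one attribute dict per extension, keyed by cn."""
    entries: dict = {}
    current: dict = {}
    for line in text.splitlines():
        if line.startswith("cn="):             # unindented header opens a new entry
            current = entries.setdefault(line[3:].strip(), {})
        elif ":" in line:                      # "DN: ..." or "  key: value"
            key, value = line.strip().split(":", 1)
            current[key] = value.strip()
    return entries

def decode_acl(entry: dict) -> str:
    """Recover the ACL text from the base64 + bzip2 data attribute."""
    return bz2.decompress(base64.b64decode(entry["data"])).decode()

def check_version_bounds(entry: dict) -> list:
    """Report the missing bounds that make the pre-update check print [unspecified..unspecified)."""
    return [f"{key} unspecified" for key in ("ucsversionstart", "ucsversionend") if not entry.get(key)]
```

Run `check_version_bounds` over every entry of the real listing before an update; any non-empty result names an extension that needs re-registering with both version options.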