Q&A: Questions about self-service module

Question:

a. Is it possible to adapt the self-service module to the automatically generated e-mail including link per school slave?

b. And is there the possibility that each slave can accept the password reset request itself, process it and generate the e-mail including the link?

c. To what extent does a master-slave system become more secure if all users under the slave must still be able to access the master via ports 443 and 80 for certain actions?

Answer:

a.

ucr info umc/self-service/account-verification/email/webserver_address
Defines the ‘host’ part to use in the verification link URL. The default is to use the FQDN of the system defined via the self-service/backend-server UCR variable. This variable must be set on the Self Service backend defined via the self-service/backend-server UCR variable since requests regarding this UCR variable are forwarded to the Self Service backend.

This is only possible for one server!

b.

For security reasons this is unfortunately only possible on master and backup.
The risk is that the link points to a server (slave) which is not allowed to change the password. To change the password of another user, it must create a user with ‘domain admin’ rights. For such a user, the password would then have to be on the server so that the UMC module can change a password. This is the security risk of the thing.

c.

On a slave you can only change the password if you are either the user yourself or an administrator user does so. But if you forgot the password (for which you will get a mail), you can’t be either one of them.
