Setting Self-Service Contact Information fails


when trying to set the contact information for the self-service I get the following error message:


The management-console-module-passwordreset.log shows following errors:

08.11.21 11:24:00.172  ADMIN       ( WARN    ) : The attribute 'univentionPasswordRecoveryEmailVerified' is not allowed by any object class.
08.11.21 11:24:00.173  MODULE      ( ERROR   ) : set_contact_data(): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/passwordreset/", line 1017, in set_contact_data
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/", line 1467, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/", line 1353, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response, rename_callback=wouldRename.on_rename)
  File "/usr/lib/python2.7/dist-packages/univention/admin/", line 902, in modify
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Undefined attribute type: univentionPasswordSelfServiceEmail: attribute type undefined

08.11.21 11:24:00.174  MODULE      ( PROCESS ) : Changing contact data failed.

UCS: 4.4-8 errata1069

I hope somebody can help me with that.


It seems that there’s a missing LDAP extension, but how can we add/install it?

@scheinig Sorry that I tag you directly, but the forum seems very inactive currently :frowning:

All the best,

Hello René,

this is not a school environment, is it?
In a school environment the ucs-school-selfservice-support Package has to be installed on the master.

Does this extended attribute exist?
udm settings/extended_attribute list --filter cn=UniventionPasswordSelfServiceEmail

Can you post the output?


Hi Christina,

thanks for reaching out :slight_smile:

No it’s not a school environment, it’s a relative new single server UCS installation.

Here’s the requested output:

root@dc1:~# udm settings/extended_attribute list --filter cn=UniventionPasswordSelfServiceEmail
DN: cn=UniventionPasswordSelfServiceEmail,cn=custom attributes,cn=univention,dc=ldap,dc=domain,dc=com
  CLIName: PasswordRecoveryEmail
  copyable: None
  default: None
  deleteObjectClass: 0
  disableUDMWeb: None
  doNotSearch: 0
  fullWidth: 1
  groupName: None
  groupPosition: None
  hook: None
  ldapMapping: univentionPasswordSelfServiceEmail
  longDescription: During the password recovery process an e-mail is sent to the specified e-mail address. Password recovery via e-mail is only available for users if configured and enabled by the administrator.
  mayChange: 1
  module: users/user
  multivalue: 0
  name: UniventionPasswordSelfServiceEmail
  notEditable: 0
  objectClass: univentionPasswordSelfService
  overwritePosition: None
  overwriteTab: 0
  shortDescription: E-mail address
  syntax: emailAddress
  tabAdvanced: 0
  tabName: Password recovery
  tabPosition: None
  translationLongDescription: de_DE: An diese E-Mail-Adresse wird während der Passwort-Wiederherstellung eine Mail verschickt. Der Mail-Versand steht dem Benutzer nur zur Verfügung, wenn dieser vom Administrator eingerichtet und freigeschaltet wurde.
  translationShortDescription: de_DE: E-Mail-Adresse
  translationTabName: de_DE: Passwort-Wiederherstellung
  valueRequired: 0
  version: 2

liebe Grüße,

Hi René,

okay, that looks just like mine.
Has a user template been created, or is there one?
Let’s start with this output:
univention-ldapsearch -b cn=templates,cn=univention,$(ucr get ldap/base) dn

I have this one from the self service:
udm settings/usertemplate list --filter cn=selfserviceregistrationtemplate

For completeness:

Master-180 root@master:~# dpkg -l  |grep self
ii  univention-self-service                             4.0.3-50A~                                        all          Univention Self Service
ii  univention-self-service-invitation                  4.0.3-50A~                                        all          Invitation module for Univention Self Service.
ii  univention-self-service-master                      4.0.3-50A~                                        all          Univention Self Service
ii  univention-self-service-passwordreset-umc           4.0.3-50A~                                        all          Password reset module for Univention Self Service.

LG Christina


here we go:

root@dc1:~# univention-ldapsearch -b cn=templates,cn=univention,$(ucr get ldap/base) dn                   

# extended LDIF
# LDAPv3
# base <cn=templates,cn=univention,dc=ldap,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: dn 

# templates, univention,
dn: cn=templates,cn=univention,dc=ldap,dc=domain,dc=com

# selfserviceregistrationtemplate, templates, univention,
dn: cn=selfserviceregistrationtemplate,cn=templates,cn=univention,dc=ldap,dc=domain,dc=com

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
root@dc1:~#  udm settings/usertemplate list --filter cn=selfserviceregistrationtemplate

DN: cn=selfserviceregistrationtemplate,cn=templates,cn=univention,dc=ldap,dc=domain,dc=com
  DeregisteredThroughSelfService: None
  DeregistrationTimestamp: None
  PasswordRecoveryEmail: None
  PasswordRecoveryEmailVerified: None
  PasswordRecoveryMobile: None
  RegisteredThroughSelfService: None
  city: None
  country: None
  description: None
  disabled: None
  displayName: <firstname> <lastname><:strip>
  employeeNumber: None
  employeeType: None
  homeShare: None
  homeSharePath: None
  homedrive: None
  initials: None
  lastbind: None
  mailPrimaryAddress: None
  name: selfserviceregistrationtemplate
  organisation: None
  physicalDeliveryOfficeName: None
  postcode: None
  preferredDeliveryMethod: None
  preferredLanguage: None
  primaryGroup: cn=Domain Users,cn=groups,dc=ldap,dc=domain,dc=com
  profilepath: None
  pwdChangeNextLogin: None
  roomNumber: None
  sambahome: None
  scriptpath: None
  shell: /bin/bash
  street: None
  title: None
  unixhome: /home/<username>
  zimbraAccountStatus: none
  zimbraHideInGal: 0
  zimbraIsAdminAccount: 0
  zimbraIsSystemAccount: 0
  zimbraIsSystemResource: 0
root@dc1:~# dpkg -l  |grep self
ii  univention-self-service                             4.0.3-50A~                                        all          Univention Self Service
ii  univention-self-service-invitation                  4.0.3-50A~                                        all          Invitation module for Univention Self Service.
ii  univention-self-service-master                      4.0.3-50A~                                        all          Univention Self Service
ii  univention-self-service-passwordreset-umc           4.0.3-50A~                                        all          Password reset module for Univention Self Service.


Hi René,

can you provide the univention-ldapsearch from the userobject, which causes the error?
univention-ldapsearch -LLL uid=<username> '*' '+'

thanks and lg

Hi Christina,

here’s the requested output:

dn: uid=siedl,cn=users,dc=ldap,dc=domain,dc=com                                                                                                                                         
uid: siedl 
krb5PrincipalName: siedl@LDAP.DOMAIN.COM
objectClass: krb5KDCEntry
objectClass: zimbra4ucsUser
objectClass: organizationalPerson
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: person
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: univentionObject
objectClass: univentionMail
objectClass: krb5Principal
objectClass: posixAccount
uidNumber: 2093
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
krb5MaxLife: 86400
cn: Siedl Networks
mailForwardCopyToSelf: 0
krb5MaxRenew: 604800
sambaBadPasswordTime: 0
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
gidNumber: 5001
zimbraHideInGal: 1
displayName: Siedl Networks
zimbraAccountStatus: active
gecos: Siedl Networks
sn: Networks
homeDirectory: /home/siedl
givenName: Siedl
sambaPrimaryGroupSID: S-1-5-21-3510874815-1049332411-1564533752-513
structuralObjectClass: inetOrgPerson
entryUUID: ed146e32-d28b-103b-8c8d-9b44cc5d3f4d
creatorsName: uid=Administrator,cn=users,dc=ldap,dc=domain,dc=com
createTimestamp: 20211105135632Z
memberOf: cn=Domain Users,cn=groups,dc=ldap,dc=domain,dc=com
sambaSID: S-1-5-21-3510874815-1049332411-1564533752-1197
krb5KeyVersionNumber: 5
pwhistory: $6$2YEvPr7COsjLvR4/$jo8Bpqu8CdYAz3Aqe/VhaeDmLqWODPJlR15JILlMlh.MBllqTs4wdXjCc/PFO.RipaTgrRf8xEBfKOmnySOpz/ $6$86SSejsX4hl..X1d$fE4lJaqZLo3Pbgcq3rg7Hh2uZq5fvkvqNdJPedSy0flW4BbBWZoTtCkpc9kqLFVTgwnbKi7bXCketUTIaWwgL. $6$tfNcAMJED6RMFthv$11JqziDQ6mZo.5F9SPez9b6x9VAxx6a8tJongF.fGjwocdfxUVVk31LmgwXQgEM5qcPxYiwj2.wAr4HZ9.oFR1
sambaNTPassword: 6EEE71B3C0CF178D810A48F1885E7EEC
sambaPasswordHistory: 6B5E2980F9ABD8B4C33DABAA88AE6E8A501C02C2B0191F8B83D85936AF417FA5BB367F5AE637C14EEF117036FB0763A9683F5E0C8E35EA1BAA6667866CF2FC79DEAA444A45DC1619443E5D65BFE5B270696BBE58114525B13249E370727B4E9499D46240DF62B812D34494C6B3360C4D36AE583EDC149D94D6FE02D4233479B1D0A01727741274949D910BC4B1DF6B8204B32AAAAF389790213DC47D266FB124
sambaPwdLastSet: 1637158325
shadowLastChange: 18948
entryCSN: 20211117141208.792571Z#000000#000#000000
modifiersName: cn=admin,dc=ldap,dc=domain,dc=com
modifyTimestamp: 20211117141208Z
entryDN: uid=siedl,cn=users,dc=ldap,dc=domain,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Liebe Grüße,

Hi René,

lets step back.
The error occurs ins the UMC when a user tries to change the contact data via self-service, or if the Administrator changes the contact data in the UMC for the user.

I am a little bit confused because the error is shown in the passwordreset.log. I would expect that in the m-c-web-server.log, because it is not a password reset.

So it is possible to make the changes for the user via udm, or does the same error occure?


Hi Christina,

the error occurs, when the user tries to set the restore email for himself over the self service module (Protect Account function).

additionally to the error in the management-console-module-passwordreset.log … the following error occurs in the management-console-web-server.log:

19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand ( response status code: 500
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand ( response reason : None
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand ( response message: Changing contact data failed.
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand ( response result: None
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand ( response error: {u'traceback': None, u'command': u'set_contact'}

Liebe Grüße,

Hi René,

sorry for the delay. Can you post the output of

ucr get self-service/ldap_attributes
ucr get self-service/udm_attributes

Ach ja und bitte einmal ein

Hi Christina,
here is the output:

ucr get self-service/ldap_attributes

ucr get self-service/udm_attributes

Joined successfully


Any updates to this?

First I looked where the message came from

  • the message “Undefined attribute type” is reported by the underlying OpenLDAP library: error.c#L60.
  • and the meaning of the placeholder is, that it is reported, if an attribute is unknown: LDAP_UNDEFINED_TYPE

It seems that when modifying the attribute “univentionPasswordSelfServiceEmail” and its content, the Schema definition is unknown to OpenLDAP. Please double check that

  • the Schema file is present on all servers /var/lib/univention-ldap/local-schema/self-service-passwordreset.schema, otherwise reinstall the self-service app
  • “self-service-passwordreset.schema” is included in /etc/ldap/slapd.conf, otherwise type ucr commit /etc/ldap/slapd.conf and restart the ldap service

There is also a similar topic at the forum, see

Hi peichert,

thanks for your update.

The schema file was in fact missing.
However, reinstalling the app did not resolve that. I just copied the file from another installation and put it in that directory. Is this alright or could this cause issues?

The commit on the slapd.conf then added the mentioned schema-file and after restarting the slapd setting the e-mail address works.

Thanks and Regards