UPN selectability in UMC


#1

We wish to change the UPN (User-Principal-Name) in the management console on users accounts. This does not appear to be exposed within the GUI, is this possible to do?

Regards

James


#2

Hello,

the UPN (userPrincipalName in AD, krb5PrincipalName in LDAP) contains the Kerberos principal for that account, which is derived from the username and the chosen Kerberos realm (UCR kerberos/realm). Since the user's principal needs to be part of the Kerberos realm the UCS system serves, changing it would lead to “broken” accounts (from the Kerberos point of view). That's why we don't expose the field in the GUI.

Is there any specific reason why you want to change the user principals? Which part do you want to change (username or realm)?

Regards,
Janis Meybohm


#3

Hello

Yes, we wish to use the server to authenticate users from different establishments. The users authenticate using their full email address, firstly so they can remember what their login name is and secondly so the server sending the authentication requests can send to the correct backend authentication server based on the UPN.

Regards

James


#4

Also, we have already set up the UPN prefixes using a Windows 2008 R2 server joined to the UCS domain with the “Active Directory Domains and Trusts” MMC. We can set the UPNs in the “Active Directory Users and Computers” MMC fine, but would like to delegate this to various teams, and the web GUI would seem to be an easy way to do this rather than making this server a terminal server and giving them access via RDP.

Regards

James


#5

Hallo,

via extended attributes (described in chapter Expansion of the attributes managed in UMC with extended attributes of the UCS manual), you may add additional fields to the UMC. This adds no logic (to manage Kerberos realms, keys etc.) but should give you the possibility to simply modify the string stored in krb5PrincipalName (which is then synchronized with the AD attribute userPrincipalName).
You may create an extended attribute for this case with the following commands and test if that suits your requirements:

eval "$(ucr shell)"
udm settings/extended_attribute create --position "cn=custom attributes,cn=univention,$ldap_base" \
  --set name="userPrincipalName" \
  --set shortDescription="userPrincipalName" \
  --set module="users/user" \
  --set objectClass="krb5Principal" \
  --set ldapMapping="krb5PrincipalName" \
  --set syntax="string" \
  --set tabName="General" \
  --set tabPosition=11 \
  --set groupName="User account" \
  --set valueRequired=0 \
  --set mayChange=1

Regards,
Janis Meybohm


#6

Thanks, that appears to change the UPN fine. Is there a way to make that a selectable box so we can select the UPNs already set up within the Active Directory Domains and Trusts MMC?

Regards

James


#7

Hallo,

I think there is no way to do this without further development. One could add UMC hooks and a special syntax definition to split the attribute in two fields (and join them when submitting the form).
We are not yet finished with adding/translating our developer documentation to English, but you may find some hints in the docs already: docs.univention.de/en.html

Regards,
Janis Meybohm
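The extended attribute from #5 only edits the raw krb5PrincipalName string, and #7 describes splitting it into a username field and a suffix field that are joined again on submit. The following is an added example (not part of this thread and not Univention code) of that split/join logic plus an audit over LDAP entries that flags principals which are “broken” from the Kerberos point of view; the realm, the suffix list and the sample entries are constructed assumptions.

```python
# Assumption: the value of UCR kerberos/realm on this UCS system.
KERBEROS_REALM = "EXAMPLE.INTRANET"
# Assumption: UPN suffixes registered in "Active Directory Domains and Trusts".
ALLOWED_UPN_SUFFIXES = {"example.intranet", "school-a.example.org", "school-b.example.org"}


def split_upn(upn):
    """Split 'user@suffix' into the two form fields; exactly one '@' is required."""
    if upn.count("@") != 1:
        raise ValueError(f"not a valid UPN: {upn!r}")
    user, suffix = upn.split("@")
    if not user or not suffix:
        raise ValueError(f"empty user or suffix in UPN: {upn!r}")
    return user, suffix


def build_upn(username, suffix):
    """Join the two fields back into one principal string; only registered suffixes pass."""
    if suffix.lower() not in ALLOWED_UPN_SUFFIXES:
        raise ValueError(f"suffix {suffix!r} is not a registered UPN suffix")
    return f"{username}@{suffix}"


def kerberos_usable(upn, realm=KERBEROS_REALM):
    """True if the principal lies in the realm the UCS KDC serves.
    The comparison is case-insensitive here (a simplification; Kerberos itself
    treats realm names case-sensitively)."""
    _, suffix = split_upn(upn)
    return suffix.upper() == realm.upper()


def audit_principals(entries, realm=KERBEROS_REALM):
    """Return (uid, principal, reason) for every entry whose principal would not
    authenticate against the UCS Kerberos realm after a manual UPN change."""
    findings = []
    for entry in entries:
        uid, upn = entry["uid"], entry.get("krb5PrincipalName")
        if not upn:
            findings.append((uid, upn, "no principal"))
            continue
        try:
            user, _ = split_upn(upn)
        except ValueError as exc:
            findings.append((uid, upn, str(exc)))
            continue
        if user != uid:
            findings.append((uid, upn, "local part differs from uid"))
        elif not kerberos_usable(upn, realm):
            findings.append((uid, upn, "suffix is not the Kerberos realm"))
    return findings


SAMPLE_ENTRIES = [  # constructed sample of uid / krb5PrincipalName pairs
    {"uid": "jsmith", "krb5PrincipalName": "jsmith@EXAMPLE.INTRANET"},
    {"uid": "amiller", "krb5PrincipalName": "amiller@school-a.example.org"},
    {"uid": "bwong", "krb5PrincipalName": "b.wong@EXAMPLE.INTRANET"},
    {"uid": "cdoe", "krb5PrincipalName": "cdoe"},
]
```

Running `audit_principals(SAMPLE_ENTRIES)` reports amiller (foreign suffix), bwong (renamed local part) and cdoe (no '@'), which is the set of accounts the warning in #2 is about.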


#8

Hello

One last question: how do we remove the syntax checking from the “pager” attribute within the contacts? We use this attribute with an email address to send OTPs (One-Time Passwords) via an SMS gateway. Can this be done, or will we need to create a custom attribute for this also?

Regards

James


#9

Hello,

you may overwrite any attribute's syntax checks via UCR (be aware that this does not override the attribute's syntax definition in OpenLDAP/AD):

ucr set directory/manager/web/modules/users/user/properties/pagerTelephoneNumber/syntax=string
/etc/init.d/univention-management-console-server restart

Regards,
Janis Meybohm


#10

I now get the following error message:

The UDM object could not be saved: LDAP Error Invalid syntax: pager: value #0 invalid per syntax

Is there any way around this? I can add mobilenumber@send.sms, where mobilenumber is the telephone number, using the MMC tools but not within the web GUI.

Regards

James


#11

Hello,

this is most likely because of the LDAP syntax definition (tools.ietf.org/html/rfc4524#section-2.20) which is, as said, not affected by the syntax overwrite via UCR. You may change the syntax but as it is part of the OpenLDAP default schemata you may consider using a different attribute.

Regards,
Janis Meybohm