When was an LDAP object created or modified? - display LDAP operational attributes in extended attributes

Steuwer · January 9, 2023, 2:05pm

Hi,

since Errata 489 of UCS 5.0 it is possible to include “operational attributes” in UDMs extended attribute mechanism, which allows to get access to internal information of OpenLDAP.

I’d like to share the following example in which I add 6 operational attributes to be shown in an “LDAP Details” section of user and group objects. This includes information about the creation and modification timestamp and also the internal OpenLDAP Database ID “EntryUUID”.

Code to create the attributes on the command line:

udm settings/extended_attribute create \
 --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
 --set name="createTimestamp" \
 --set CLIName="createTimestamp" \
 --set ldapMapping="createTimestamp" \
 --set shortDescription="timestamp of object creation" \
 --set translationShortDescription='de_DE "Zeitstempel der Objekterstellung"' \
 --set longDescription="Database timestamp of the LDAP object creation, typically UTC" \
 --set translationLongDescription='de_DE "Zeitpunkt der Erstellung des LDAP Objekts, typischer Weise UTC"' \
 --set tabName="LDAP details" \
 --set tabPosition="1" \
 --set translationTabName='de_DE "LDAP Details"' \
 --set groupName="object creation" \
 --set translationGroupName='de_DE "Objekterstellung"' \
 --set groupPosition="1" \
 --append module="users/user" \
 --append module="groups/group" \
 --set  objectClass="top" \
 --set  syntax="string"

udm settings/extended_attribute create \
 --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
 --set name="creatorsName" \
 --set CLIName="creatorsName" \
 --set ldapMapping="creatorsName" \
 --set shortDescription="LDAP DN of the object creator" \
 --set translationShortDescription='de_DE "LDAP DN des Objekterstellers"' \
 --set longDescription="LDAP DN of the authenticated account which created the object" \
 --set translationLongDescription='de_DE "LDAP DN des authentifizierten Accounts der das Objekt angelegt hat"' \
 --set tabName="LDAP details" \
 --set tabPosition="2" \
 --set translationTabName='de_DE "LDAP Details"' \
 --set groupName="object creation" \
 --set translationGroupName='de_DE "Objekterstellung"' \
 --set groupPosition="1" \
 --append  module="users/user" \
 --append module="groups/group" \
 --set objectClass="top" \
 --set syntax="string" \
 --set fullWidth="1"

udm settings/extended_attribute create \
 --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
 --set name="modifyTimestamp" \
 --set CLIName="modifyTimestamp" \
 --set ldapMapping="modifyTimestamp" \
 --set shortDescription="timestamp of last object modification" \
 --set translationShortDescription='de_DE "Zeitstempel der letzten Objektänderung"' \
 --set longDescription="Database timestamp of the last LDAP object modification, typically UTC" \
 --set translationLongDescription='de_DE "Zeitpunkt der letzten Änderung des LDAP Objekts, typischer Weise UTC"' \
 --set tabName="LDAP details" \
 --set tabPosition="3" \
 --set translationTabName='de_DE "LDAP Details"' \
 --set groupName="object modification" \
 --set translationGroupName='de_DE "Objektveränderung"' \
 --set groupPosition="2" \
 --append  module="users/user" \
 --append module="groups/group" \
 --set objectClass="top" \
 --set syntax="string"

udm settings/extended_attribute create \
 --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
 --set name="modifiersName" \
 --set CLIName="modifiersName" \
 --set ldapMapping="modifiersName" \
 --set shortDescription="LDAP DN of the object modifier" \
 --set translationShortDescription='de_DE "LDAP DN des Objektmodifizierenden"' \
 --set longDescription="LDAP DN of the authenticated account which did the last object modification" \
 --set translationLongDescription='de_DE "LDAP DN des authentifizierten Accounts der das Objekt zuletzt modifiziert hat"' \
 --set tabName="LDAP details" \
 --set tabPosition="4" \
 --set translationTabName='de_DE "LDAP Details"' \
 --set groupName="object modification" \
 --set translationGroupName='de_DE "Objektveränderung"' \
 --set groupPosition="2" \
 --append  module="users/user" \
 --append module="groups/group" \
 --set objectClass="top" \
 --set syntax="string" \
 --set fullWidth="1"

udm settings/extended_attribute create \
 --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
 --set name="entryUUID" \
 --set CLIName="entryUUID" \
 --set ldapMapping="entryUUID" \
 --set shortDescription="entryUUID" \
 --set translationShortDescription='de_DE "entryUUID"' \
 --set longDescription="Internal LDAP database ID" \
 --set translationLongDescription='de_DE "Interne LDAP Datenbank-ID"' \
 --set tabName="LDAP details" \
 --set tabPosition="5" \
 --set translationTabName='de_DE "LDAP Details"' \
 --set groupName="LDAP database details" \
 --set translationGroupName='de_DE "LDAP Datenbankdetails"' \
 --set groupPosition="3" \
 --append  module="users/user" \
 --append module="groups/group" \
 --set objectClass="top" \
 --set syntax="string" \
 --set fullWidth="1"

udm settings/extended_attribute create \
 --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" \
 --set name="entryDN" \
 --set CLIName="entryDN" \
 --set ldapMapping="entryDN" \
 --set shortDescription="entryDN" \
 --set translationShortDescription='de_DE "entryDN"' \
 --set longDescription="Distinguished Name (DN) of this LDAP object" \
 --set translationLongDescription='de_DE "Distinguished Name (DN) dieses LDAP-Objects"' \
 --set tabName="LDAP details" \
 --set tabPosition="6" \
 --set translationTabName='de_DE "LDAP Details"' \
 --set groupName="LDAP database details" \
 --set translationGroupName='de_DE "LDAP Datenbankdetails"' \
 --set groupPosition="3" \
 --append  module="users/user" \
 --append module="groups/group" \
 --set objectClass="top" \
 --set syntax="string" \
 --set fullWidth="1"

Restart the UMC and the UDM REST API to make them aware of the change:

systemctl restart univention-management-console-server.service
systemctl restart univention-directory-manager-rest.service

Example screenshot of the result (a user object in the UMC):

Hope this is helpfull!

talleyrand · February 7, 2023, 2:02am

Yep… really cool…

just a few questions:

Can we have multi byte characters without breaking anything in the back ends?
Can we set multiple translations?

--set longDescription="Internal LDAP database ID" \
 --set translationLongDescription='de_DE "Interne LDAP Datenbank-ID"' \

 --set translationLongDescription='cn_CN  "內部 LDAP 數據庫 ID"' \

3.  Is there any functionality to "go back in" & add additional translations later?
4. how does adding these additional strings work on setting up chosen language?
do we have to add some sort of "language" to the language menu first, or does adding these translations automatically configure this functionality?

Steuwer · February 8, 2023, 2:47pm

Hi, thanks for the feedback!

about your questions:

can you give an example?
the translations field is multivalue, to define additional translations you can use “–append” instead of “–set”
sure, use “udm settings/extended_attribute modify --dn …” and “–append” for additional translations. For details see the udm commandline documentation 4.10. Command line interface of domain management (Univention Directory Manager) — Univention Corporate Server - Manual for users and administrators
afaik translations are choosen based on the browser language. But please keep in mind that “out of the box” UDM is only available in english, german and french

talleyrand · February 10, 2023, 8:54am

I already did… my example includes Asian characters…

My question was simply, if i do this … will it break anything back end… (have you specifically tested MBC)
because in the past using UCS causes major problems and code breaking bugs if MBC was floating about.

one of the bugs i filed was for MBC floating about in SYSVOL, which totally derailed AD takeover… in 5.x

Steuwer · February 10, 2023, 9:11am

Hi,

OK - then I misunderstood the question, I thought you found some bugs in the UI if using byte characters.

The situation is:

the implementation of the Univention UI is done with focus on supporting UTF8, which should include the character sets you need
the testing is done in the available languages, which are english, german and french. So there might be issues
this article covers Univention Directory Manager and its Web UI, not the connected services. The SYSVOL share is provided by Samba which might have it’s own limits and issues

Ingo

Andreas_T · June 19, 2023, 8:58pm

Hi,

Thank you for this, it’s really useful. Unfortunately I’m getting the error

Constraint violation: createTimestamp: no user modification allowed.

when I try to copy a group. Not a big deal for me since I can also just create a new group, but I thought I should let you know.

Steuwer · June 20, 2023, 12:25pm

Thanks for the report, I created a Bugzilla entry: Bug 56172 – Object copy fails if extended attributes for operational LDAP attributes are defined - bug in "copyable" flag?