Univention Bugzilla – Bug 41499
Manual: Handling of UCS@school admins
Last modified: 2017-05-08 09:43:13 CEST
Update chapter on how to create OU admins:

Untested steps:
- create teacher
- open teacher in UDM and edit [options] → add "UCS@school Administrator"
- add teacher to group "admins-${OU}"
- (optional) move user object to cn=admins
→ the object will not show up in UMC modules if objectclass ucsschoolTeacher has been deselected via UDM options

+++ This bug was initially created as a clone of Bug #41494 +++

Currently the UCS@school admins are identified by their object class. But this will not work if a teacher is schooladmin in school A but only normal teacher in school B, C, ...
We should also document invalid combinations of UCS@school UDM options.
Because not clearly stated in original description: The user will NOT show up ONLY, if the optional step "(optional) move user object to cn=admins" has been performed.
(In reply to Sönke Schwardt-Krummrich from comment #2)
> Because not clearly stated in original description:
> The user will NOT show up ONLY, if the optional step "(optional) move user
> object to cn=admins" has been performed.

This is due to the fallback in current code, that considers object position in LDAP *AND* object class of user objects.
→ currently intended behaviour.
The text regarding creation of admins from teacher accounts was updated.

Text change: 71299
Indentation: 71300

I have not published this yet, as I don't feel confident enough about this section. Waiting for QA to approve.
Too much whitespace:
admins- OU (twice)
lehrer- OU (twice)

I am unsure about this:
"""
For the account to no longer be listed in the UCS@school UMC modules, it must additionally be moved to a different container.
"""
→ @Sönke: what is your opinion on this sentence?

I would rephrase the sentence:
"""
If the school administrator's user account should also be available on the systems of the administrative network, it is not sufficient to change the group membership. A new user account must be created manually via the Univention Management Console module Users on the domain controller master.
"""
into
"""
If the school administrator's user account should also be available on the systems of the administrative network, a new user account must be created manually via the Univention Management Console module Users on the domain controller master.
"""" (…?)

@Sönke:
Should we write "OU" or "Schule"?

"""
The user accounts of the school administrators must be created below the OU of the school in the container cn=admins,cn=users.
"""
@Sönke: Is this still necessary with UCS@school 4.1R2? Why?

Missing whitespace: (siehe dazu auchAbschnitt 6.2).
(In reply to Florian Best from comment #5)
> I am unsure about this:
> """
> For the account to no longer be listed in the UCS@school UMC modules, it
> must additionally be moved to a different container.
> """
> → @Sönke: what is your opinion on this sentence?

If I'm not wrong, the container cn=admin,cn=users,ou=… is not really used. In most cases, the user is still a teacher and should be listed. So I would suggest to delete the sentence without substitution.

> I would rephrase the sentence:
> """
> If the school administrator's user account should also be available on the
> systems of the administrative network, it is not sufficient to change the
> group membership. A new user account must be created manually via the
> Univention Management Console module Users on the domain controller master.
> """
> into
> """
> If the school administrator's user account should also be available on the
> systems of the administrative network, a new user account must be created
> manually via the Univention Management Console module Users on the domain
> controller master.
> """" (…?)

Huh? Why this? A School-Admin should be always replicated to educational slave AND administrative slaves (regardless of the LDAP container). Is this not the case?

> @Sönke:
> Should we write "OU" or "Schule"?

Generally I would prefer "Schule" if not the explicit OU container/subtree is meant.

> """
> The user accounts of the school administrators must be created below the OU
> of the school in the container cn=admins,cn=users.
> """
> @Sönke: Is this still necessary with UCS@school 4.1R2? Why?

I thought, that this is no longer required. Is it?
(In reply to Sönke Schwardt-Krummrich from comment #6)
> (In reply to Florian Best from comment #5)
> > I am unsure about this:
> > """
> > For the account to no longer be listed in the UCS@school UMC modules, it
> > must additionally be moved to a different container.
> > """
> > → @Sönke: what is your opinion on this sentence?
>
> If I'm not wrong, the container cn=admin,cn=users,ou=… is not really used.
> In most cases, the user is still a teacher and should be listed. So I would
> suggest to delete the sentence without substitution.

That means, that users that are _not_ actually teachers will be listed as teachers in the school-users, workgroups, classes and teachers module and in all selection windows when editing workgroups, teachers, classes etc. I think that is confusing.
Furthermore school admins will be able to reset the passwords of those admins, as they are listed in the reset-teacher-passwords module.

The text offers a solution to something that will correctly be seen as a bug. If the users wish to keep the school admin account as teacher, then they will simply not apply this whole section. I'd keep it.

> > I would rephrase the sentence:
> > """
> > If the school administrator's user account should also be available on the
> > systems of the administrative network, it is not sufficient to change the
> > group membership. A new user account must be created manually via the
> > Univention Management Console module Users on the domain controller master.
> > """
> > into
> > """
> > If the school administrator's user account should also be available on the
> > systems of the administrative network, a new user account must be created
> > manually via the Univention Management Console module Users on the domain
> > controller master.
> > """" (…?)
>
> Huh? Why this? A School-Admin should be always replicated to educational
> slave AND administrative slaves (regardless of the LDAP container). Is this
> not the case?

Currently installing a non-edu slave to investigate...

> > """
> > The user accounts of the school administrators must be created below the OU
> > of the school in the container cn=admins,cn=users.
> > """
> > @Sönke: Is this still necessary with UCS@school 4.1R2? Why?
>
> I thought, that this is no longer required. Is it?

Ah yes - it seems it's no longer needed.
(In reply to Sönke Schwardt-Krummrich from comment #6)
> (In reply to Florian Best from comment #5)
> > I am unsure about this:
> > """
> > For the account to no longer be listed in the UCS@school UMC modules, it
> > must additionally be moved to a different container.
> > """
> > → @Sönke: what is your opinion on this sentence?
>
> If I'm not wrong, the container cn=admin,cn=users,ou=… is not really used.
> In most cases, the user is still a teacher and should be listed. So I would
> suggest to delete the sentence without substitution.
>
> > I would rephrase the sentence:
> > """
> > If the school administrator's user account should also be available on the
> > systems of the administrative network, it is not sufficient to change the
> > group membership. A new user account must be created manually via the
> > Univention Management Console module Users on the domain controller master.
> > """
> > into
> > """
> > If the school administrator's user account should also be available on the
> > systems of the administrative network, a new user account must be created
> > manually via the Univention Management Console module Users on the domain
> > controller master.
> > """" (…?)
>
> Huh? Why this? A School-Admin should be always replicated to educational
> slave AND administrative slaves (regardless of the LDAP container). Is this
> not the case?

It's not.
They are replicated only when moved to cn=admin,cn=users,ou=…

Even then, when I login to the non-edu-slave with such an admin, he has no UMC-modules and is sent directly to the password-change module. On the edu-slave the school-modules are shown.

When a _new_ user is created as admin (as described in the manual) and I login to the non-edu-slave, *no* module is shown, not even a redirect to the password-change module happens.
(In reply to Daniel Tröder from comment #8)
> > > If the school administrator's user account should also be available on the
> > > systems of the administrative network, a new user account must be created
> > > manually via the Univention Management Console module Users on the domain
> > > controller master.
> > > """" (…?)
> >
> > Huh? Why this? A School-Admin should be always replicated to educational
> > slave AND administrative slaves (regardless of the LDAP container). Is this
> > not the case?
> It's not.
> They are replicated only when moved to cn=admin,cn=users,ou=…

Seems to be an ACL problem. @Florian: can you have a look at it?

> Even then, when I login to the non-edu-slave with such an admin, he has no
> UMC-modules and is sent directly to the password-change module. On the
> edu-slave the school-modules are shown.

This is the correct behaviour. On non-edu-slaves there are no special UCS@school UMC modules. So a school admin is merely a "normal UCS user" on a non-edu-slave.

> When a _new_ user is created as admin (as described in the manual) and I
> login to the non-edu-slave, *no* module is shown, not even a redirect to the
> password-change module happens.

This depends on group memberships. I would assume that the group memberships between your 2 test school admins differ.
r72926: updated manual on handling of school admins
r72927: white space fixes

http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20R2%20Manual/46/artifact/webroot/
r73085: improved wording

http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20R2%20Manual/54/artifact/webroot/
OK: the wording is fine now!
Already published.