Bug 43899 - Self Service App in UCS 4.2
Self Service App in UCS 4.2
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2
Assigned To: Daniel Tröder
Erik Damrose
: interim-4
Depends on: 44180 44216
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-16 11:12 CET by Florian Best
Modified: 2017-04-04 18:30 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Release Management
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
installer-selfservice.png (60.24 KB, image/png)
2017-03-30 09:23 CEST, Stefan Gohmann
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-03-16 11:12:06 CET
We need to update the Self Service App in UCS 4.2.

At least the screenshots needs to be updated.
I adjusted the texts and links and translations already in the App Provider Portal.
Comment 1 Florian Best univentionstaff 2017-03-20 17:03:49 CET
Updated the screenshots.
Comment 2 Erik Damrose univentionstaff 2017-03-21 12:55:10 CET
Reopen: The app misses the setting to be installed on UCS slave systems
Comment 3 Florian Best univentionstaff 2017-03-21 13:00:24 CET
done
Comment 4 Daniel Tröder univentionstaff 2017-03-23 09:29:13 CET
On a DC master (with school app):

2017-03-23 08:51:41.166562814+01:00 (in joinscript_init)
/usr/lib/univention-install/35univention-self-service-passwordreset-umc.inst: 45: [: domaincontroller_master: unexpected operator

[..]

Object created: cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,dc=uni,dc=dtr
E: object not found
2017-03-23 08:52:13.499528681+01:00 (in joinscript_save_current_version)
Joinscript 35univention-self-service-passwordreset-umc.inst finished with exitcode 0
Comment 5 Florian Best univentionstaff 2017-03-23 13:36:29 CET
Thanks.

univention-self-service (2.0.11-1):
r78202 | Bug #42231: Bug #43899: fix shell comparision
Comment 6 Daniel Tröder univentionstaff 2017-03-24 13:24:27 CET
* no entry in any portal - users cannot find the password reset page

* when following the link from the app center and entering any username I get "Verboten"

in /var/log/univention/management-console-web-server.log:

24.03.17 13:07:28.392  MAIN        ( PROCESS ) : CPCommand (10.205.1.238:59296) response status code: 403
24.03.17 13:07:28.392  MAIN        ( PROCESS ) : CPCommand (10.205.1.238:59296) response message: Verboten
24.03.17 13:07:28.392  MAIN        ( PROCESS ) : CPCommand (10.205.1.238:59296) response result: None

* When a normal user logs in, no UMC modules are displayed. The UI thus feels broken. That the password-change self-service-module is in the hamburger menu is not obvious. I opened separate Bug #44068 for this.
...do I assume correctly that the password-change self-service is not part of this app anymore?
Comment 7 Florian Best univentionstaff 2017-03-24 13:29:59 CET
Btw: This bug is against the App-Ini file. For the Self-Service there is Bug #42267. Please use that Bug for the implementation things.

(In reply to Daniel Tröder from comment #6)
> * no entry in any portal - users cannot find the password reset page
This is done on purpose. The entries are part of the menu.

> * when following the link from the app center and entering any username I
> get "Verboten"
> 
> in /var/log/univention/management-console-web-server.log:
> 
> 24.03.17 13:07:28.392  MAIN        ( PROCESS ) : CPCommand
> (10.205.1.238:59296) response status code: 403
> 24.03.17 13:07:28.392  MAIN        ( PROCESS ) : CPCommand
> (10.205.1.238:59296) response message: Verboten
> 24.03.17 13:07:28.392  MAIN        ( PROCESS ) : CPCommand
> (10.205.1.238:59296) response result: None
Which link is this? Which request is forbidden? (network console or apache/access.log).

> * When a normal user logs in, no UMC modules are displayed. The UI thus
> feels broken. That the password-change self-service-module is in the
> hamburger menu is not obvious. I opened separate Bug #44068 for this.
> ...do I assume correctly that the password-change self-service is not part
> of this app anymore?
Yes, this doesn't belong to the self-service anymore and is part of the UMC core.
Comment 8 Daniel Tröder univentionstaff 2017-03-24 13:44:34 CET
(In reply to Daniel Tröder from comment #6)
> * no entry in any portal - users cannot find the password reset page
This may be true only for edu-slaves that have their own portal ("school-edu").

I think an entry in the "domain" portal would be better and the one customers would expect.
Comment 9 Daniel Tröder univentionstaff 2017-03-24 13:46:14 CET
> (In reply to Daniel Tröder from comment #6)
> > * no entry in any portal - users cannot find the password reset page
> This is done on purpose. The entries are part of the menu.
How does a user that cannot login anymore and wants to reset her password reach that menu?
Comment 10 Florian Best univentionstaff 2017-03-24 14:03:55 CET
(In reply to Daniel Tröder from comment #9)
> > (In reply to Daniel Tröder from comment #6)
> > > * no entry in any portal - users cannot find the password reset page
> > This is done on purpose. The entries are part of the menu.
> How does a user that cannot login anymore and wants to reset her password
> reach that menu?
There is a link in the login dialog.
Comment 11 Florian Best univentionstaff 2017-03-24 14:33:59 CET
I added DefaultPackagesMaster = univention-self-service, univention-self-server-umc-passwordreset in the App INI file.
Comment 12 Daniel Tröder univentionstaff 2017-03-27 15:47:30 CEST
univention-self-service-passwordreset-umc is installed on the the app host (for example a dc slave) and on the dc master, unnecessarily installing a PostgreSQL server on both.
PostgreSQL is only needed on the dc master.
Comment 13 Florian Best univentionstaff 2017-03-27 19:08:24 CEST
I introduced a new package univention-self-service-master and changed the DefaultPackagesMaster. Into this package I moved the postgres/memcache dependencies. I hope the appcenter installs that package for 4.1-4 Systems which do an upgrade.

univention-self-service (2.0.12-1):
r78379 | Bug #43899: Add univention-self-service-master package for the
dependencies for univention-self-service-passwordreset-umc as this package
is installed on DC Slaves, as well, now.
Comment 14 Daniel Tröder univentionstaff 2017-03-28 10:03:56 CEST
Installation of app on a slave s122, master is m120:
--------------------------------------------------------------
The following software changes on s122 will be applied: 2 packages will be installed / upgraded

univention-self-service
univention-self-service-passwordreset-umc

The following software changes on m120.uni.dtr will be applied: 9 packages will be installed / upgraded

libmemcached11
postgresql-9.4
postgresql-common
python-psycopg2
python-pylibmc
univention-postgresql
univention-postgresql-9.4
univention-self-service-master
univention-self-service-passwordreset-umc
Comment 15 Daniel Tröder univentionstaff 2017-03-28 10:05:51 CEST
OK: r78379 | Add univention-self-service-master package
REOPEN: python-pylibmc dependency must be moved to univention-self-service-passwordreset-umc

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 99, in _load_module
    self.__module = __import__(file_, [], [], modname)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 41, in <module>
    import pylibmc
ImportError: No module named pylibmc
 Failed to load module passwordreset: No module named pylibmc
Comment 16 Daniel Tröder univentionstaff 2017-03-28 10:12:10 CEST
Also python-psycopg2.

Then (if both python-pylibmc and python-psycopg2) are installed:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 83, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 130, in _decorated
    total_limit_reached, total_max_wait = _check_limits(self.memcache, self.total_limits)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 112, in _check_limits
    count = memcache.incr(key)
MemcachedError: 1 keys failed
 Execution of command 'passwordreset/get_contact' has failed:
Comment 17 Florian Best univentionstaff 2017-03-28 19:40:16 CEST
univention-self-service (2.0.13-5):
r78447 | Bug #43899: move dependencies to package
Comment 18 Daniel Tröder univentionstaff 2017-03-28 20:12:56 CEST
Sorry - found another small error:

chown: ungültiger Benutzer: „self-service:self-service“

--- management/univention-self-service/univention-self-service	(Revision 78448)
+++ management/univention-self-service/univention-self-service	(Arbeitskopie)
@@ -33,8 +33,6 @@
 if [ "$1" = "postchange" ] ; then
 	dest="/etc/self-service-ldap.secret"
 	touch "$dest"
-	chown self-service:self-service "$dest"
 	chmod 600 "$dest"
 	cat /etc/machine.secret > "$dest"
 fi
-
Comment 19 Florian Best univentionstaff 2017-03-29 13:33:36 CEST
The password file is nowerdays unused and therefore removed during update.

univention-self-service (2.0.13-9):
r78465 | Bug #43899: remove obsolete password file and machine account rotation script
Comment 20 Stefan Gohmann univentionstaff 2017-03-30 09:23:28 CEST
If I select 'Self Service' during the installation, I get a message that the package univention-self-service-master is not available.
Comment 21 Stefan Gohmann univentionstaff 2017-03-30 09:23:58 CEST
Created attachment 8687 [details]
installer-selfservice.png
Comment 22 Erik Damrose univentionstaff 2017-03-30 09:31:10 CEST
univention-self-service-master is a new package. I added it to the DVD task list

r78486 univention-dvd 2.0.0-11A~4.2.0.201703300929
Comment 23 Daniel Tröder univentionstaff 2017-03-30 17:37:04 CEST
DVD has built (ucs_4.2-0-20170330-145412-dvd-amd64.iso), testing installation from it now.
Comment 24 Daniel Tröder univentionstaff 2017-03-31 17:30:09 CEST
OK: installation from DVD works.
OK: when app is installed on slave the postgresql server is installed only on master
OK: installation on member: enhancement bug for later: Bug #44199

REOPEN: installation on a slave - when trying to set contacts ("Protect account"):

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 83, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 130, in _decorated
    total_limit_reached, total_max_wait = _check_limits(self.memcache, self.total_limits)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 112, in _check_limits
    count = memcache.incr(key)
MemcachedError: 1 keys failed
 Execution of command 'passwordreset/get_contact' has failed:
Comment 25 Florian Best univentionstaff 2017-03-31 18:06:43 CEST
(In reply to Daniel Tröder from comment #24)
> REOPEN: installation on a slave - when trying to set contacts ("Protect
> account"):
> 
> Traceback (most recent call last):
>   File "/usr/lib/pymodules/python2.7/univention/management/console/base.py",
> line 249, in execute
>     function.__func__(self, request, *args, **kwargs)
>   File
> "/usr/lib/pymodules/python2.7/univention/management/console/modules/
> passwordreset/__init__.py", line 83, in _decorator
>     return func(self, request, *args, **kwargs)
>   File
> "/usr/lib/pymodules/python2.7/univention/management/console/modules/
> passwordreset/__init__.py", line 130, in _decorated
>     total_limit_reached, total_max_wait = _check_limits(self.memcache,
> self.total_limits)
>   File
> "/usr/lib/pymodules/python2.7/univention/management/console/modules/
> passwordreset/__init__.py", line 112, in _check_limits
>     count = memcache.incr(key)
> MemcachedError: 1 keys failed
>  Execution of command 'passwordreset/get_contact' has failed:

I don't understad what is going on here: The code is correct:

>>> SELFSERVICE_MASTER = ucr.get("self-service/backend-server", ucr.get("ldap/master"))
>>> IS_SELFSERVICE_MASTER = '%s.%s' % (ucr.get('hostname'), ucr.get('domainname')) == SELFSERVICE_MASTER
>>> 
>>> SELFSERVICE_MASTER
'm120.uni.dtr'
>>> IS_SELFSERVICE_MASTER
False

 68 def forward_to_master(func):
 69 »   @wraps(func)
 70 »   def _decorator(self, request, *args, **kwargs):
→ here is should go into this if statement. In the traceback one can see that it's not the case. But why?
 71 »   »   if not IS_SELFSERVICE_MASTER:
…
 81 »   »   »   self.finished(request.id, response.result, message=response.message, status=response.status)
 82 »   »   »   return
→ Here is the return statement.
 83 »   »   return func(self, request, *args, **kwargs)
 84 »   return _decorator
Comment 26 Daniel Tröder univentionstaff 2017-03-31 18:16:15 CEST
You were on the wrong host.

On the dc slave:
------------------------------------------------------------
root@s122:~# python
>>> from univention.management.console.config import ucr
>>> SELFSERVICE_MASTER = ucr.get("self-service/backend-server", ucr.get("ldap/master"))
>>> IS_SELFSERVICE_MASTER = '%s.%s' % (ucr.get('hostname'), ucr.get('domainname')) == SELFSERVICE_MASTER
>>> IS_SELFSERVICE_MASTER
False
------------------------------------------------------------

On the dc master (also the "self-service master"):
------------------------------------------------------------
root@m120:~# python
>>> from univention.management.console.config import ucr
>>> SELFSERVICE_MASTER = ucr.get("self-service/backend-server", ucr.get("ldap/master"))
>>> IS_SELFSERVICE_MASTER = '%s.%s' % (ucr.get('hostname'), ucr.get('domainname')) == SELFSERVICE_MASTER
>>> IS_SELFSERVICE_MASTER
True
------------------------------------------------------------
Comment 27 Daniel Tröder univentionstaff 2017-03-31 18:33:31 CEST
The reason is, that the saml service is not running.
The saml init script doesn't work anymore as it did once.

systemd starts /usr/share/memcached/scripts/systemd-memcached-wrapper which only reads /etc/memcached.conf.

I guess what's done in ucs-4.2-0/saml/univention-saml with debian/univention-saml.init works too, but here is a page that describes an easy way to create a more systemd'ish additional saml service: https://moopi.uk/mod/page/view.php?id=71
Comment 28 Daniel Tröder univentionstaff 2017-04-03 09:27:46 CEST
(In reply to Daniel Tröder from comment #27)
> The reason is, that the saml service is not running.
> The saml init script doesn't work anymore as it did once.
> 
> systemd starts /usr/share/memcached/scripts/systemd-memcached-wrapper which
> only reads /etc/memcached.conf.
> 
> I guess what's done in ucs-4.2-0/saml/univention-saml with
> debian/univention-saml.init works too, but here is a page that describes an
> easy way to create a more systemd'ish additional saml service:
> https://moopi.uk/mod/page/view.php?id=71
s/saml/memcached/
Comment 29 Daniel Tröder univentionstaff 2017-04-03 10:22:02 CEST
r78602: add systemd service for memcached instance

Package: univention-self-service
Version: 2.0.16-2A~4.2.0.201704031021
Branch: ucs_4.2-0
Scope:
Comment 30 Daniel Tröder univentionstaff 2017-04-03 13:30:07 CEST
(In reply to Erik Damrose from comment #22)
> univention-self-service-master is a new package. I added it to the DVD task
> list
> 
> r78486 univention-dvd 2.0.0-11A~4.2.0.201703300929
Doesn't work for an upgrade.

The package univention-postgresql is uninstalled during an upgrade from 4.1 to 4.2.
It had been installed as a requirement of binary univention-self-service-passwordreset-umc in 4.1.
Its dependency moved with 4.2 to the binary univention-self-service-master.
but univention-self-service-master is not installed when upgrading.

Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
[..]
  univention-management-console-frontend-theme univention-postgresql
  univention-postgresql-9.1 wwwconfig-common
[..]

Die folgenden Pakete werden ENTFERNT:
[..]
  univention-postgresql univention-postgresql-9.1 wwwconfig-common

Entfernen von univention-postgresql (9.0.0-4A~4.2.0.201703151958) ...
Entfernen von univention-postgresql-9.1 (9.0.0-4A~4.2.0.201703151958) ...


After the upgrade:

root@m100:~# dpkg -l 'univention-postgres*'
rc  univention-postgresql     9.0.0-4A~4.2.0.20
rc  univention-postgresql-9.1 9.0.0-4A~4.2.0.20
un  univention-postgresql-9.4 <keine>          

root@m100:~# dpkg -l '*self*'
ii  univention-self-service               2.0.16-1A~4.2.0.2017040
ii  univention-self-service-passwordreset 2.0.16-1A~4.2.0.2017040

When upgrading from 4.1 to 4.2
Comment 31 Daniel Tröder univentionstaff 2017-04-03 14:55:36 CEST
r78619: install new master package in preup.sh

Package: univention-updater
Version: 12.0.10-2A~4.2.0.201704031454
Branch: ucs_4.2-0
Scope:
Comment 32 Daniel Tröder univentionstaff 2017-04-03 15:23:52 CEST
r78624: install master package of self-service app in postup.sh

univention-updater 12.0.10-3A~4.2.0.201704031523
Comment 33 Erik Damrose univentionstaff 2017-04-03 17:37:59 CEST
OK: check and installation in postup
OK: tests in 2 environments
OK: self service useable on master after update
Verified
Comment 34 Stefan Gohmann univentionstaff 2017-04-04 18:30:07 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".