Bug 50037 - school LDAP ACLs: Teachers/staff/schooladmins cannot maintain self service profile attributes, permissionDenied traceback in school environments
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.4
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-2-errata
Assigned To: Felix Botner
Florian Best
Depends on:
Blocks:
Reported: 2019-08-21 16:24 CEST by Christina Scheinig
Modified: 2019-10-16 14:11 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019082021000383
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2019-08-21 16:24:41 CEST
On the Master in a school environment, a teacher is not able to change the mobile phone number attribute.
The following traceback occurs:

------------------------------------------------------------------------------------------------------------------
21.08.19 16:02:13.327  DEBUG_INIT
21.08.19 16:02:13.941  MODULE      ( PROCESS ) : Loading python module.
21.08.19 16:02:14.004  MODULE      ( PROCESS ) : Imported python module.
21.08.19 16:02:14.004  MODULE      ( PROCESS ) : Module instance created.
21.08.19 16:02:14.004  MODULE      ( PROCESS ) : Module socket initialized.
21.08.19 16:02:14.024  MODULE      ( PROCESS ) : Setting user LDAP DN None
21.08.19 16:02:14.024  MODULE      ( PROCESS ) : Setting auth type to None
21.08.19 16:02:14.024  MODULE      ( PROCESS ) : Initializing module.
21.08.19 16:02:14.034  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
21.08.19 16:02:14.037  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
21.08.19 16:02:14.043  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
21.08.19 16:02:14.043  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
21.08.19 16:02:14.187  MODULE      ( ERROR   ) : set_user_attributes(): modifying the user failed: Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 418, in set_user_attributes
    user.modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1395, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 643, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1318, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 895, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

21.08.19 16:02:14.187  MODULE      ( PROCESS ) : The attributes could not be saved: Permission denied.
-------------------------------------------------------------------------------------------------------------------------------
ucr dump | grep self | grep -e attribute -e properti 
self-service/ldap_attributes: jpegPhoto,mobile
self-service/udm_attributes: jpegPhoto,mobileTelephoneNumber

------------------------------------------------------------------------------
ACLs in ldap:

access to filter="univentionObjectType=users/user" attrs=jpegPhoto,mobile     
by self write     
by * +0 break

-------------------------------------------------------------------------------
It is reproducible in school environments.
UCS: 4.4-1 errata234
ucsschool=4.4 v3
Comment 1 Erik Damrose univentionstaff 2019-08-21 17:57:07 CEST
This is caused by a stop rule in the ucs@school LDAP ACLs, as the problematic object is a teacher and thus has the objectclass ucsschoolTeacher.

./ucs-school-ldap-acls-master/65ucsschool line 257

If I remove that line, changing self-service attributes is possible. The relevant part from a slapd.conf is below; the line "by set.expand..." corresponds to line 257 in the template.

# Schul-Slave-Server duerfen nur Eintraege ihrer OU lesen und schreiben (Passwortaenderungen etc.)
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts

access to dn.regex="^(.+,)?ou=([^,]+),dc=single,dc=intranet$$"
  by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop
Comment 2 Florian Best univentionstaff 2019-08-22 12:12:15 CEST
Maybe we can rearrange the order of the Self-Service ACLs here? That would probably be the easiest solution.

We should have a test case for this with all school user roles.
Comment 3 Michel Smidt 2019-08-22 12:23:51 CEST
(In reply to Florian Best from comment #2)
> Maybe we can rearrange the order of the Self-Service ACLs here? That would
> probably be the easiest solution.
> 
> We should have a test case for this with all school user roles.

Full support for the proposal.
Comment 4 Christina Scheinig univentionstaff 2019-08-22 14:11:42 CEST
The customer asked for an errata. I set the 'waiting support' flag in this case.

I moved the section temporarily beneath
--------------------
# grant write access to users own UMC properties
access to attrs="univentionUMCProperty" filter="objectClass=person"
   by self write
   by * none break
access to filter="objectClass=person" attrs=objectClass value=univentionPerson
   by self write
   by * none break

access to filter="univentionObjectType=users/user" attrs=jpegPhoto,mobile
        by self write
        by * +0 break
---------------

and it works.
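As an added illustration (not code from this bug or from UCS), a small Python model of how slapd walks the access directives quoted in Comment 1 and Comment 4: the first directive whose <what> matches is used, "+0 stop" adds no privilege and ends evaluation, and "break" moves on to the next directive. The DNs and entries are constructed, and the 65ucsschool directive is reduced to the single "by set.expand ... +0 stop" clause shown above (its other by clauses are omitted).

```python
import re

# Constructed directory: a teacher inside a school OU and a plain user outside it.
TEACHER_DN = "uid=teacher1,cn=lehrer,cn=users,ou=school1,dc=single,dc=intranet"
PLAIN_USER_DN = "uid=user1,cn=users,dc=single,dc=intranet"
DIRECTORY = {
    TEACHER_DN: {"objectClass": {"ucsschoolTeacher", "univentionPerson"},
                 "univentionObjectType": "users/user", "ucsschoolSchool": {"school1"}},
    PLAIN_USER_DN: {"objectClass": {"univentionPerson"},
                    "univentionObjectType": "users/user", "ucsschoolSchool": set()},
}
SCHOOL_CLASSES = {"ucsschoolTeacher", "ucsschoolAdministrator", "ucsschoolStaff"}
OU_REGEX = re.compile(r"^(.+,)?ou=([^,]+),dc=single,dc=intranet$")

# 65ucsschool (line 257): for any entry below an OU, a requester that is a
# teacher/admin/staff with a ucsschoolSchool gets "+0 stop" (no privilege, end).
SCHOOL_STOP_RULE = {
    "what": lambda dn, attr: OU_REGEX.match(dn) is not None,
    "by": [(lambda dn, who: bool(DIRECTORY[who]["objectClass"] & SCHOOL_CLASSES)
                             and bool(DIRECTORY[who]["ucsschoolSchool"]), "+0", "stop")],
}
# Self-service ACL: own jpegPhoto/mobile writable, everyone else falls through.
SELF_SERVICE_RULE = {
    "what": lambda dn, attr: DIRECTORY[dn]["univentionObjectType"] == "users/user"
                             and attr in {"jpegPhoto", "mobile"},
    "by": [(lambda dn, who: dn == who, "write", "stop"),   # "by self write"
           (lambda dn, who: True, "+0", "break")],         # "by * +0 break"
}

def evaluate(rules, target_dn, attr, requester_dn):
    """Walk the directives in order as slapd does; returns the granted level."""
    granted = "none"
    for rule in rules:
        if not rule["what"](target_dn, attr):
            continue                      # <what> does not apply, next directive
        for who, access, control in rule["by"]:
            if not who(target_dn, requester_dn):
                continue                  # <by> clause does not match, try next clause
            if access != "+0":            # "+0" adds nothing, keeps the current level
                granted = access
            if control == "stop":
                return granted
            break                         # "break": leave this directive, try the next
        else:
            return "none"                 # no <by> clause matched: slapd denies
    return granted

def can_write_mobile(rules, dn):
    return evaluate(rules, dn, "mobile", dn) == "write"

BUGGY_ORDER = [SCHOOL_STOP_RULE, SELF_SERVICE_RULE]   # 65ucsschool evaluated first
FIXED_ORDER = [SELF_SERVICE_RULE, SCHOOL_STOP_RULE]   # self-service ACL moved in front
```

With the buggy order a teacher's own `mobile` write ends in the "+0 stop" clause (the permissionDenied from the description), while a user outside any OU never hits the school directive and keeps working; moving the self-service ACL in front grants the teacher write access.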
Comment 5 Valentin Heidelberger univentionstaff 2019-09-03 15:36:01 CEST
The self service is a very common requirement, especially in school domains and even vital for certain scenarios, which is why I'm taking the freedom of increasing the user pain.
Comment 6 Florian Best univentionstaff 2019-10-11 10:17:14 CEST
Can you move the file to 64* instead of 65*? Otherwise it has the same number as the UCS@school ACLs, and it is not clear that the order is on purpose.
Comment 7 Felix Botner univentionstaff 2019-10-14 11:50:49 CEST
(In reply to Florian Best from comment #6)
> Can you move the file to 64* instead of 65*? Otherwise it has the same number
> as the UCS@school ACLs, and it is not clear that the order is on purpose.

Yes, the ACL is now 64selfservice_userattributes.acl.
Comment 8 Florian Best univentionstaff 2019-10-14 17:48:47 CEST
When I upgrade the package with slapd stopped the old file remains.
Please add the renaming also into any joinscript.

univention-self-service-master (4.0.3-11A~4.4.0.201910141145) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/univention/templates/modules/self-service-acl.py wird installiert ...
Module: self-service-acl
Registering ACL in LDAP
authentication error: {'desc': "Can't contact LDAP server"}
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
no selfservice ACL found, nothing todo
Not updating umc/self-service/profiledata/enabled
Not updating self-service/ldap_attributes
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
Comment 9 Florian Best univentionstaff 2019-10-14 18:02:20 CEST
Grr.
The ACL creation of the profile self service module calls on every "ucr set self-service/ldap_attributes" ucs_registerLDAPExtension --packageversion with the current date (datetime.now().strftime('%Y%m%d%H%M%S')) instead of e.g. $package-version-number-$current-date.
This makes it impossible to detect whether the ACLs were created with an old package version.
I hope we don't get trouble in further upgrades due to this.
Comment 10 Felix Botner univentionstaff 2019-10-14 18:53:01 CEST
Added join script 35univention-self-service-master.inst for the ACL renaming, called in debian/univention-self-service-master.postinst. Please have a look.
Comment 11 Florian Best univentionstaff 2019-10-14 19:43:20 CEST
Btw: it would have been easier to just change the "univentionLDAPACLFilename" attribute instead of removing the object and re-creating it.
Then the listener would have moved the file and the register + unregister + ucr set wouldn't be necessary.
If you want, you can remove the prefix from the object name, so that we can just change the filename attribute next time a change is necessary.

OK: upgrade via joinscript
OK: after setting "ucr set umc/self-service/passwordreset/whitelist/groups='Domain Users,Domain Users oldschool'" I could change the attributes as teacher/staff.
Comment 12 Florian Best univentionstaff 2019-10-14 20:19:11 CEST
Implemented a test case for UCS@school:

ucs-test-ucsschool (6.0.65)
00c4bd65937a | Bug #50037: Add test case 115_modify_userattributes_and_ldap_acl


Migrated the UCS test case from bash to python:

ucs-test (9.0.3-80)
f88a674a97a0 | Bug #50037: migrate test case to python
Comment 13 Felix Botner univentionstaff 2019-10-15 13:36:02 CEST
OK, both tests look good: the ucsschool test fails with the old univention-self-service and succeeds with the new package, and the ucs test is also fine.
Comment 14 Arvid Requate univentionstaff 2019-10-16 14:11:05 CEST
<http://errata.software-univention.de/ucs/4.4/308.html>