Univention Bugzilla – Bug 50037
school LDAP ACLs: Teachers/staff/schooladmins cannot maintain self service profile attributes, permissionDenied traceback in school environments
Last modified: 2019-10-16 14:11:05 CEST
On the Master in a school environment, a teacher is not able to change the mobile phone number attribute. The following traceback occurs:
------------------------------------------------------------------------------------------------------------------
21.08.19 16:02:13.327 DEBUG_INIT
21.08.19 16:02:13.941 MODULE ( PROCESS ) : Loading python module.
21.08.19 16:02:14.004 MODULE ( PROCESS ) : Imported python module.
21.08.19 16:02:14.004 MODULE ( PROCESS ) : Module instance created.
21.08.19 16:02:14.004 MODULE ( PROCESS ) : Module socket initialized.
21.08.19 16:02:14.024 MODULE ( PROCESS ) : Setting user LDAP DN None
21.08.19 16:02:14.024 MODULE ( PROCESS ) : Setting auth type to None
21.08.19 16:02:14.024 MODULE ( PROCESS ) : Initializing module.
21.08.19 16:02:14.034 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
21.08.19 16:02:14.037 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
21.08.19 16:02:14.043 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
21.08.19 16:02:14.043 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
21.08.19 16:02:14.187 MODULE ( ERROR ) : set_user_attributes(): modifying the user failed:
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 418, in set_user_attributes
    user.modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1395, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 643, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1318, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 895, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
21.08.19 16:02:14.187 MODULE ( PROCESS ) : The attributes could not be saved: Permission denied.
-------------------------------------------------------------------------------------------------------------------------------
ucr dump | grep self | grep -e attribute -e properti
self-service/ldap_attributes: jpegPhoto,mobile
self-service/udm_attributes: jpegPhoto,mobileTelephoneNumber
------------------------------------------------------------------------------
ACLs in ldap:
access to filter="univentionObjectType=users/user" attrs=jpegPhoto,mobile
    by self write
    by * +0 break
-------------------------------------------------------------------------------
It is reproducible in school environments.
UCS: 4.4-1 errata234
ucsschool=4.4 v3
This is caused by a stop rule in the ucs@school ldap ACLs, as the problematic object is a teacher and thus has the objectclass ucsschoolTeacher.
./ucs-school-ldap-acls-master/65ucsschool line 257
If I remove that line, changing self-service attributes is possible. The relevant part from a slapd.conf is below; the line "by set.expand..." corresponds to line 257 in the template.
# School slave servers may only read and write entries of their own OU (password changes etc.)
# Teachers and member servers may read them, OU-local ones get the standard ACLs, servers/users of other OUs may do nothing
access to dn.regex="^(.+,)?ou=([^,]+),dc=single,dc=intranet$$"
    by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop
Maybe we can rearrange the order of the Self-Service ACLs here? That would probably be the easiest solution. We should have a test case for this with all school user roles.
(In reply to Florian Best from comment #2)
> Maybe we can rearrange the order of the Self-Service ACLs here? That would
> probably be the easiest solution.
>
> We should have a test case for this with all school user roles.
Full support for the proposal.
The customer asked for an errata. I set the 'waiting support' flag in this case.
I moved the section temporarily beneath
--------------------
# grant write access to users own UMC properties
access to attrs="univentionUMCProperty" filter="objectClass=person"
    by self write
    by * none break
access to filter="objectClass=person" attrs=objectClass value=univentionPerson
    by self write
    by * none break
access to filter="univentionObjectType=users/user" attrs=jpegPhoto,mobile
    by self write
    by * +0 break
---------------
and it works.
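The ordering problem from comment 1 and the effect of moving the self-service section in front of the stop rule (comment 4), as an added toy model of slapd access-control evaluation. This is not Univention code and not the real slapd evaluator: the set.expand and filter matching are reduced to simple predicates, and the two teacher entries are constructed.

```python
# Toy model of slapd ACL evaluation for this bug (added example, not Univention
# code). Directives are tried in order and the first whose "to" part matches is
# used; its "by" clauses are then tried in order: "stop" ends evaluation with the
# privileges collected so far, "break" carries them to the next directive, "+0" adds none.
from dataclasses import dataclass, field

@dataclass
class Entry:
    dn: str
    object_classes: set
    schools: set = field(default_factory=set)  # ucsschoolSchool values
    object_type: str = "users/user"            # univentionObjectType

def evaluate(acl, bind, target, attr):
    """Access level ("none"/"write") bind gets on target/attr; acl = [(to, [(who, access, control), ...])]."""
    level = "none"
    for to, by_clauses in acl:
        if not to(target, attr):
            continue
        for who, access, control in by_clauses:
            if who(bind, target):
                if access != "+0":
                    level = access
                if control == "stop":
                    return level
                break                          # "break": go on to the next directive
        else:
            return "none"                      # implicit "by * none stop"
    return level  # toy simplification: slapd would apply its global default here

SCHOOL_ROLES = {"ucsschoolTeacher", "ucsschoolAdministrator", "ucsschoolStaff"}
def is_school_user(bind, target):
    # the set.expand="(...)/ucsschoolSchool" clause matches (set non-empty)
    # exactly when the binding user has a school role and a ucsschoolSchool value
    return bool(bind.object_classes & SCHOOL_ROLES) and bool(bind.schools)

# 65ucsschool line 257: below any ou=..., school users get nothing more, then stop
SCHOOL_STOP = (lambda t, a: ",ou=" in t.dn, [(is_school_user, "+0", "stop")])
# self-service ACL: a user may write jpegPhoto and mobile on the own entry only
SELF_SERVICE = (lambda t, a: t.object_type == "users/user" and a in {"jpegPhoto", "mobile"},
                [(lambda b, t: b.dn == t.dn, "write", "stop"), (lambda b, t: True, "+0", "break")])
BEFORE = [SCHOOL_STOP, SELF_SERVICE]  # stop rule sorted first: permissionDenied
AFTER = [SELF_SERVICE, SCHOOL_STOP]   # 64selfservice... sorts before 65ucsschool
# constructed sample entries: two teachers of the same school
TEACHER = Entry("uid=t1,cn=users,ou=school1,dc=single,dc=intranet", {"ucsschoolTeacher"}, {"school1"})
COLLEAGUE = Entry("uid=t2,cn=users,ou=school1,dc=single,dc=intranet", {"ucsschoolTeacher"}, {"school1"})

def check(order):
    """(teacher's access to the own mobile, teacher's access to a colleague's mobile)"""
    return evaluate(order, TEACHER, TEACHER, "mobile"), evaluate(order, TEACHER, COLLEAGUE, "mobile")
```

With the original order the teacher gets "none" on the own entry, which is what surfaces as permissionDenied; with the self-service directive first the teacher gets "write" on the own mobile while access to a colleague's entry still falls through to the school stop rule and stays "none".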
The self service is a very common requirement, especially in school domains and even vital for certain scenarios, which is why I'm taking the freedom of increasing the user pain.
Can you move the file to 64* instead of 65*? Otherwise it's the same number as the UCS@school ACLs have and it is not clear that the order is on purpose.
(In reply to Florian Best from comment #6)
> Can you move the file to 64* instead of 65*? Otherwise it's the same number
> as the UCS@school ACLs have and it is not clear that the order is on purpose.
Yes, the ACL is now 64selfservice_userattributes.acl
When I upgrade the package with slapd stopped, the old file remains. Please add the renaming also into any joinscript.
univention-self-service-master (4.0.3-11A~4.4.0.201910141145) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/univention/templates/modules/self-service-acl.py wird installiert ...
Module: self-service-acl
Registering ACL in LDAP
authentication error: {'desc': "Can't contact LDAP server"}
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
no selfservice ACL found, nothing todo
Not updating umc/self-service/profiledata/enabled
Not updating self-service/ldap_attributes
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
Grr. The ACL creation of the profile self service module calls, on every "ucr set self-service/ldap_attributes", ucs_registerLDAPExtension --packageversion with the current date (datetime.now().strftime('%Y%m%d%H%M%S')) instead of e.g. $package-version-number-$current-date. This makes it impossible to detect if the ACLs were created with an old package version. I hope we don't get trouble in further upgrades due to this.
Added join script 35univention-self-service-master.inst for the ACL renaming, called in debian/univention-self-service-master.postinst. Please have a look.
Btw: it would have been easier to just change the "univentionLDAPACLFilename" attribute instead of removing the object and re-creating it. Then the listener would have moved the file and the register + unregister + ucr set wouldn't be necessary. If you want, you can remove the prefix from the object name, so that we can just change the filename attribute next time a change is necessary.
OK: upgrade via joinscript
OK: after setting "ucr set umc/self-service/passwordreset/whitelist/groups='Domain Users,Domain Users oldschool'" I could change the attributes as teacher/staff.
Implemented a test case for UCS@school:
ucs-test-ucsschool (6.0.65)
00c4bd65937a | Bug #50037: Add test case 115_modify_userattributes_and_ldap_acl
Migrated the UCS test case from bash to python:
ucs-test (9.0.3-80)
f88a674a97a0 | Bug #50037: migrate test case to python
OK, both tests look good: the ucsschool test fails with the old univention-self-service and succeeds with the new package, the ucs test is also fine.
<http://errata.software-univention.de/ucs/4.4/308.html>