Univention Bugzilla – Bug 50230
Self-service should not send invitation mails to users created deactivated to avoid reaching security limits
Last modified: 2020-06-24 15:37:16 CEST
Environment: UCS@school with self-service installed, UCS 4.4-1 errata234, self-service=4.0, ucsschool=4.4 v3

root@ucs01:~# dpkg -l |grep self
ii  univention-self-service                    4.0.3-9A~4.4.0.201904291701  all  Univention Self Service
ii  univention-self-service-invitation         4.0.3-9A~4.4.0.201904291701  all  Invitation module for Univention Self Service.
ii  univention-self-service-master             4.0.3-9A~4.4.0.201904291701  all  Univention Self Service
ii  univention-self-service-passwordreset-umc  4.0.3-9A~4.4.0.201904291701  all  Password reset module for Univention Self Service.

------------------------------------------------------------------------

Problem description: within 6 minutes, 59 trials are completed:

Active: active (running) since Mon 2019-09-16 16:38:12 CEST; 6min ago
t:c_day:    1 / 1000  expiration in 86116 seconds (at 17.09.2019 16:38:30)
t:c_hour:  59 / 200   expiration in 3316 seconds (at 16.09.2019 17:38:30)
t:c_minute: 1 / 120   expiration in 46 seconds (at 16.09.2019 16:44:00)

-----------------------------------------------------------------------

Cherry-picked one user:

user1_day:      1 / 120  expiration in 27096 seconds (at 17.09.2019 16:38:30)
user1_hour:   883 / 60   expiration in 2338 seconds (at 17.09.2019 09:45:52)
user1_minute:  19 / 10   expiration in 10 seconds (at 17.09.2019 09:07:04)

dn: uid=user1,cn=schueler,cn=users,ou=sun,dc=schein,dc=me
sambaAcctFlags: [UD ]   → account disabled

The user was present in /var/cache/univention-directory-listener/selfservice-invitation/:
-rw------- 1 listener nogroup 0 Sep 11 12:09 user1.send

-------------------------------------------------------------------------

Impact on the customer: self-service is not working anymore, caused by reaching the limits in a very short time.
see note #13 in the Ticket for more information
The reason seems to be (quoted from the ticket, translated from German): "The cause was that, apparently, the deactivated users were to be sent an invitation for the Self Service, which could not be delivered and therefore sat in a cache directory. Every minute the listener module then tried to deliver the invitation again, and each attempt was counted as an access attempt on the Self Service. Clearing the cache directory therefore solved the problem."
Can you provide a description of how to reproduce this issue? If I understand correctly, I see two issues here:

1. Somehow password reset requests for deactivated accounts were initiated, that makes no sense
2. The number of valid requests seems to be too low

Which one should be fixed in this bug entry?
(In reply to Ingo Steuwer from comment #3)
> 1. Somehow password reset requests for deactivated accounts were initiated,
> that makes no sense

The culprit is the user invitation feature introduced in UCS 4.4. There is a service that checks if invitation mails for a user have to be sent; this triggers the self-service backend function to initiate the password reset mail. It seems like the backend function does count a request from a deactivated user as an invalid request. We could adapt the filter for the invitation feature to not send out mails if the user is created in a deactivated state.
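The interaction described in the comments above (a once-a-minute retry loop for undeliverable invitations that is charged against the same counters as real password-reset requests), as an added example that is not code from univention-self-service. The limits are read off the counters printed in the report; the order of operations in the backend (count first, then look at the account state), the modelling of the *.send cache as a set of user names, the function names and the five constructed deactivated accounts are assumptions for illustration. It shows that with five deactivated accounts in the cache the shared hourly counter is exhausted within 45 minutes and an active user is then refused, and that the proposed filter (never queue an account whose sambaAcctFlags carry D) leaves the counters untouched:

```python
"""Model of the retry/rate-limit interaction described in Bug 50230.

Added example, not code from univention-self-service: the limits come from
the report's counters, everything else is an assumption for illustration.
"""

# Limits read off the "t:c_*" (total) and "user1_*" (per-user) counters.
LIMITS = {
    "total": {"minute": 120, "hour": 200, "day": 1000},
    "user": {"minute": 10, "hour": 60, "day": 120},
}
WINDOW_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}


class RateLimiter:
    """Fixed-window counters, one per (key, window), like the report's output."""

    def __init__(self):
        self.counters = {}  # (key, window) -> [count, expires_at]

    def hit(self, key, scope, now):
        """Count one request against every window; False once any limit is exceeded.
        Counting continues past the limit, which is how the report gets to 883 / 60."""
        allowed = True
        for window, seconds in WINDOW_SECONDS.items():
            counter = self.counters.get((key, window))
            if counter is None or counter[1] <= now:
                counter = [0, now + seconds]
                self.counters[(key, window)] = counter
            counter[0] += 1
            if counter[0] > LIMITS[scope][window]:
                allowed = False
        return allowed


def is_disabled(entry):
    """sambaAcctFlags such as "[UD         ]" carry D for a disabled account."""
    return "D" in entry.get("sambaAcctFlags", "").strip("[] ")


def request_password_reset(limiter, ldap, username, now):
    """Hypothetical backend call (assumption): rate-limit bookkeeping happens
    before the account state is checked, so a disabled user's request counts."""
    ok_total = limiter.hit("t:c", "total", now)
    ok_user = limiter.hit(username, "user", now)
    if not (ok_total and ok_user):
        return "rate_limited"
    if is_disabled(ldap[username]):
        return "account_disabled"  # no mail is sent, the cache entry survives
    return "mail_sent"


def invitation_pass(limiter, ldap, cache, now, skip_disabled):
    """One pass of the listener over the pending *.send entries (modelled as a set).
    skip_disabled=True is the proposed fix: disabled accounts are never queued."""
    for username in sorted(cache):
        if skip_disabled and is_disabled(ldap[username]):
            cache.discard(username)
            continue
        if request_password_reset(limiter, ldap, username, now) == "mail_sent":
            cache.discard(username)


def simulate(minutes, skip_disabled, disabled_users=5):
    """Run the retry loop once a minute, then let an active user ask for a reset.
    Returns (result for the active user, total hourly counter)."""
    limiter = RateLimiter()
    ldap = {"active1": {"sambaAcctFlags": "[U          ]"}}  # constructed entry
    cache = set()
    for i in range(disabled_users):  # constructed: accounts created deactivated
        name = f"disabled{i}"
        ldap[name] = {"sambaAcctFlags": "[UD         ]"}
        cache.add(name)
    for minute in range(minutes):
        invitation_pass(limiter, ldap, cache, minute * 60, skip_disabled)
    result = request_password_reset(limiter, ldap, "active1", minutes * 60)
    return result, limiter.counters[("t:c", "hour")][0]


if __name__ == "__main__":
    print("buggy:", simulate(45, skip_disabled=False))  # ('rate_limited', 226)
    print("fixed:", simulate(45, skip_disabled=True))   # ('mail_sent', 1)
```

The point the model makes is the one from the ticket quote: the retries are internal and never result in a mail, but the limiter cannot tell them apart from attacker-driven requests, so a handful of deactivated accounts acts as a self-inflicted denial of service against the shared counter. Filtering at the listener (or clearing the cache directory, as the customer did) stops the bleed; raising the limits only delays it.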
I am closing this bug as a duplicate of Bug #51245. Fortunately, a fix will be released there soon.

*** This bug has been marked as a duplicate of bug 51245 ***