Bug 50230 - Self-service should not send invitation mails to users created deactivated to avoid reaching security limits
Status: RESOLVED DUPLICATE of bug 51245
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.4
Other Linux
P5 normal
Assigned To: UMC maintainers
https://help.univention.com/t/problem...
Depends on:
Blocks:
Reported: 2019-09-20 12:15 CEST by Christina Scheinig
Modified: 2020-06-24 15:37 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019091621000317, 2020022721000468
Bug group (optional):
Max CVSS v3 score:
Description Christina Scheinig univentionstaff 2019-09-20 12:15:16 CEST
Environment:

UCS@school with self-service installed → 4.4-1 errata234 self-service=4.0 ucsschool=4.4 v3
root@ucs01:~# dpkg -l |grep self
ii  univention-self-service  4.0.3-9A~4.4.0.201904291701    all   Univention Self Service
ii  univention-self-service-invitation    4.0.3-9A~4.4.0.201904291701   all Invitation module for Univention Self Service.
ii  univention-self-service-master        4.0.3-9A~4.4.0.201904291701    all  Univention Self Service
ii  univention-self-service-passwordreset-umc  4.0.3-9A~4.4.0.201904291701    all  Password reset module for Univention Self Service.

------------------------------------------------------------------------
Problem description:

Within 6 minutes, 59 trials are completed:
 Active: active (running) since Mon 2019-09-16 16:38:12 CEST; 6min ago

t:c_day:            1 / 1000      expiration in 86116 seconds (at 17.09.2019 16:38:30)
t:c_hour:          59 /  200      expiration in  3316 seconds (at 16.09.2019 17:38:30)
t:c_minute:         1 /  120      expiration in    46 seconds (at 16.09.2019 16:44:00)
-----------------------------------------------------------------------
Cherrypicked one user:

user1_day:       1 /  120      expiration in 27096 seconds (at 17.09.2019 16:38:30)
user1_hour:    883 /   60      expiration in  2338 seconds (at 17.09.2019 09:45:52)
user1_minute:    19 /   10      expiration in    10 seconds (at 17.09.2019 09:07:04)


dn: uid=user1,cn=schueler,cn=users,ou=sun,dc=schein,dc=me
sambaAcctFlags: [UD         ] → Account disabled

The user was shown in
/var/cache/univention-directory-listener/selfservice-invitation/
-rw------- 1 listener nogroup    0 Sep 11 12:09 user1.send

-------------------------------------------------------------------------
Impact on the customer

Self-service is not working anymore because the limits are reached in a very short time.
Comment 1 Christina Scheinig univentionstaff 2019-10-01 14:49:39 CEST
See note #13 in the ticket for more information.
Comment 2 Michel Smidt 2019-10-01 15:17:47 CEST
Reason seems to be:
"The cause was that, apparently, the deactivated users were supposed to be sent an invitation for the Self Service, which could not be delivered and therefore remained in a cache directory. Every minute the listener module then tried to deliver the invitation again, and each attempt was counted as an access attempt on the Self Service. Emptying the cache directory therefore solved the problem."
Comment 3 Ingo Steuwer univentionstaff 2019-10-23 09:38:07 CEST
Can you provide a description how to reproduce this issue? 


If I understand correctly, I see two issues here:

1. Somehow password reset requests for deactivated accounts were initiated; that makes no sense

2. The number of valid requests seems to be too low


Which one should be fixed in this bug entry?
Comment 4 Erik Damrose univentionstaff 2019-10-23 09:59:28 CEST
(In reply to Ingo Steuwer from comment #3)
> 1. Somehow password reset requests for deactivated accounts were initiated,
> that makes no sense

The culprit is the user invitation feature introduced in UCS 4.4. There is a service that checks if invitation mails for a user have to be sent, this triggers the self-service backend function to initiate the password reset mail. It seems like the backend function does count a request from a deactivated user as an invalid request.

We could adapt the filter for the invitation feature to not send out mails if the user is created in a deactivated state.
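An added example, not Univention code, that models the interaction described in this comment: a listener retries every undelivered invitation once a minute, the backend counts each retry as a password-reset attempt before refusing the disabled account, and the per-user and global counters fill up. The limiter, the listener loop and the backend entry point are hypothetical stand-ins; the limit values are taken from the counter lines quoted in the bug description and are assumed to be the configured limits; the account flags are constructed sample data. The `skip_disabled` switch applies the proposed filter (no invitation marker for an account created in a deactivated state).

```python
# Added example, not Univention code: a model of the failure mode described in
# Comment 4 and of the proposed fix. RateLimiter, backend_request and
# run_listener are hypothetical; limits are taken from the counters in the
# bug description and assumed to be the configured ones.
from collections import defaultdict

WINDOW_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}
PER_USER_LIMITS = {"minute": 10, "hour": 60, "day": 120}     # user1_* lines
GLOBAL_LIMITS = {"minute": 120, "hour": 200, "day": 1000}    # t:c_* lines


def is_disabled(samba_acct_flags):
    """True for flags like '[UD         ]': the 'D' flag marks a disabled account."""
    return "D" in samba_acct_flags.strip("[] ")


class RateLimiter:
    """Sliding-window attempt counters per (scope, window).

    Every check() is recorded as one attempt before any other decision is
    made, which is the behaviour the comment attributes to the backend.
    """

    def __init__(self):
        self.events = defaultdict(list)   # (scope, window) -> attempt timestamps

    def check(self, uid, now):
        """Record one attempt for uid and for the global counter; return False
        if any window is now over its limit."""
        allowed = True
        for window, seconds in WINDOW_SECONDS.items():
            for scope, limit in ((uid, PER_USER_LIMITS[window]),
                                 ("total", GLOBAL_LIMITS[window])):
                key = (scope, window)
                self.events[key] = [t for t in self.events[key] if now - t < seconds]
                self.events[key].append(now)
                if len(self.events[key]) > limit:
                    allowed = False
        return allowed

    def count(self, scope, window):
        return len(self.events[(scope, window)])


def backend_request(limiter, uid, flags, now):
    """Hypothetical backend entry point: the attempt is counted first, then a
    disabled account is refused, so the invitation is never delivered."""
    allowed = limiter.check(uid, now)
    if is_disabled(flags):
        return False          # undeliverable: the .send marker stays behind
    return allowed


def run_listener(users, minutes, skip_disabled):
    """Simulate the listener retrying every pending '.send' marker once per
    minute. users maps uid -> sambaAcctFlags (constructed sample data).
    With skip_disabled=True the proposed filter is applied: no marker is
    created for an account that is disabled."""
    limiter = RateLimiter()
    pending = {uid: flags for uid, flags in users.items()
               if not (skip_disabled and is_disabled(flags))}
    for minute in range(minutes):
        now = minute * 60
        for uid in list(pending):
            if backend_request(limiter, uid, pending[uid], now):
                del pending[uid]   # delivered: marker removed, no more retries
    return limiter


# Constructed sample: one disabled account, one active account.
SAMPLE_USERS = {"user1": "[UD         ]", "user2": "[U          ]"}

if __name__ == "__main__":
    broken = run_listener(SAMPLE_USERS, minutes=10, skip_disabled=False)
    fixed = run_listener(SAMPLE_USERS, minutes=10, skip_disabled=True)
    for name, lim in (("without filter", broken), ("with filter", fixed)):
        print(name, "user1/hour:", lim.count("user1", "hour"),
              "total/hour:", lim.count("total", "hour"))
```

Running the block shows the two counters side by side: without the filter the disabled account accrues one attempt per minute in the hour and day windows for as long as its marker file exists, and every one of those attempts also lands on the global `t:c_*` counters that all users share; with the filter the disabled account never reaches the backend and only the active user's single delivered invitation is counted.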
Comment 6 Michel Smidt 2020-06-24 15:37:16 CEST
I close this bug as duplicate of Bug #51245.
Fortunately a fix will be released there soon.

*** This bug has been marked as a duplicate of bug 51245 ***