This patch addresses the following issues:
* Fix quoting in join scripts
* Use the right order for UDM arguments
* Don't unregister the LDAP schema while removing the package
* Move UCR commands from the postinst to the join script
* send_sms.py: use ../sms/token_length instead of ../email/token_length
* Remove GRP_BLACKLIST and USER_BLACKLIST
* Use custom_groupname
* Move self-service/backend-server from postinst to join script
* js/ucs/de.po: Added translation for Mobile
* Unset UCR variables only on remove in postrm script
Index: 34univention-self-service.inst
===================================================================
--- 34univention-self-service.inst (Revision 65517)
+++ 34univention-self-service.inst (Arbeitskopie)
@@ -43,22 +43,34 @@
 eval "$(ucr shell)"
-udm policies/umc "$@" create \
- --position=cn=UMC,cn=policies,$ldap_base \
+udm policies/umc create "$@" \
+ --position="cn=UMC,cn=policies,$ldap_base" \
 --set name=selfservice-umc-servers \
 --set ldapFilter='(|(objectClass=univentionMemberserver)(objectClass=univentionDomainController))'
-udm policies/umc "$@" modify \
- --dn cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base \
- --append allow=cn=passwordchange-all,cn=operations,cn=UMC,cn=univention,$ldap_base
-udm container/cn "$@" modify \
- --dn=cn=dc,cn=computers,$ldap_base \
- --policy-reference cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base
-udm container/cn "$@" modify \
- --dn=cn=memberserver,cn=computers,$ldap_base \
- --policy-reference cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base
+udm policies/umc modify "$@" \
+ --dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
+ --append "allow=cn=passwordchange-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
+udm container/cn modify "$@" \
+ --dn "cn=dc,cn=computers,$ldap_base" \
+ --policy-reference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
+udm container/cn modify "$@" \
+ --dn "cn=memberserver,cn=computers,$ldap_base" \
+ --policy-reference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
 stop_udm_cli_server
+MASTER=$(ucr get ldap/master)
+univention-config-registry set \
+ "self-service/backend-server?$MASTER" \
+ self-service/web/enabled?yes
+
+a2enmod wsgi
+a2ensite univention-self-service
+
+# restart, so apache reloads WSGI and sees activated plugin in its config
+# retry if fail because of to quick successive restarts (from other frontend packages)
+invoke-rc.d apache2 restart || (sleep 2; invoke-rc.d apache2 restart)
+
 joinscript_save_current_version
 exit 0
Index: 35univention-self-service-passwordreset-umc.inst
===================================================================
--- 35univention-self-service-passwordreset-umc.inst (Revision
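Review bot: The `udm policies/umc create "$@"` on the new side carries no `--ignore_exists`, so a second run of this join script (after a version bump) is likely to fail at that line because the policy object already exists; the sibling 35univention-self-service-passwordreset-umc.inst passes `--ignore_exists` to its `udm settings/extended_attribute create`, and the same flag fits here: `udm policies/umc create "$@" --ignore_exists \`. The added `MASTER=$(ucr get ldap/master)` is used unchecked: if the lookup yields an empty string, `self-service/backend-server?$MASTER` stores an empty value instead of leaving the variable unset. A guard such as `[ -n "$MASTER" ] && univention-config-registry set "self-service/backend-server?$MASTER"` keeps the variable untouched in that case. Whether a failing udm call aborts the script cannot be seen here (no `set -e` in the hunk), so `joinscript_save_current_version` may presumably still run after a failure.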
65517)
+++ 35univention-self-service-passwordreset-umc.inst (Arbeitskopie)
@@ -43,6 +43,20 @@
 ucs_addServiceToLocalhost "univention-self-service-passwordreset-umc" "$@"
 ucs_registerLDAPExtension "$@" --schema /usr/share/univention-self-service/self-service-passwordreset.schema
+groups_default_administrators=$(custom_groupname "Administrators")
+groups_default_domainadmins=$(custom_groupname "Domain Admins")
+groups_default_domainusers=$(custom_groupname "Domain Users")
+
+
+univention-config-registry set \
+ umc/self-service/passwordreset/enabled?yes \
+ umc/self-service/passwordreset/blacklist/groups?"$groups_default_administrators,$groups_default_domainadmins" \
+ umc/self-service/passwordreset/whitelist/groups?"$groups_default_domainusers" \
+ umc/self-service/passwordreset/email/enabled?yes \
+ umc/self-service/passwordreset/email/server?localhost \
+ umc/self-service/passwordreset/external/enabled?no \
+ umc/self-service/passwordreset/sms/enabled?no
+
 eval "$(ucr shell)"
 udm settings/extended_attribute create "$@" --ignore_exists \
 --position "cn=custom attributes,cn=univention,$ldap_base" \
@@ -94,9 +108,9 @@
 umc_init
 umc_operation_create "passwordreset-all" "Password reset service" "" "passwordreset/*"
-udm policies/umc "$@" modify \
- --dn cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base \
- --append allow=cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base
+udm policies/umc modify "$@" \
+ --dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
+ --append "allow=cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
 stop_udm_cli_server
Index: 65univention-self-service-passwordreset-umc.uinst
===================================================================
--- 65univention-self-service-passwordreset-umc.uinst (Revision 65517)
+++ 65univention-self-service-passwordreset-umc.uinst (Arbeitskopie)
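Review bot: The new `univention-config-registry set` block only provides a default for `blacklist/groups`, while the same patch deletes `USER_BLACKLIST = ["Administrator", "krbtgt"]` from umc/python/passwordreset/__init__.py without a replacement; after this change those two accounts are excluded from password reset only if their group membership happens to fall under `$groups_default_administrators,$groups_default_domainadmins`. Adding a users default to this call, presumably `umc/self-service/passwordreset/blacklist/users?Administrator,krbtgt` by symmetry with the `whitelist/users` key read in __init__.py, would preserve the previous exclusion on fresh installations. Note also that `external/enabled` changes from `=no` in the old postinst to `?no` here, so an administrator's value is no longer reset on every upgrade; that looks intended but deserves a changelog sentence. Because `?` only applies to unset variables, existing installations keep the untranslated `Administrators,Domain Admins` value written by the old postinst rather than the `custom_groupname` result.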
@@ -47,12 +47,11 @@
 --dn "cn=UniventionPasswordSelfServiceContactEmail,cn=custom attributes,cn=univention,$ldap_base"
 udm settings/extended_attribute remove "$@" \
 --dn "cn=UniventionPasswordSelfServiceContactMobile,cn=custom attributes,cn=univention,$ldap_base"
- udm policies/umc "$@" modify \
- --dn cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base \
- --remove allow=cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base
+ udm policies/umc modify "$@" \
+ --dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
+ --remove "allow=cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
 udm settings/umc_operationset remove "$@" \
- --dn cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base
- ucs_unregisterLDAPExtension "$@" --schema /usr/share/univention-self-service/self-service-passwordreset.schema
+ --dn "cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
 fi
 joinscript_remove_script_from_status_file univention-management-console-module-passwordreset
Index: 65univention-self-service.uinst
===================================================================
--- 65univention-self-service.uinst (Revision 65517)
+++ 65univention-self-service.uinst (Arbeitskopie)
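Review bot: Dropping the `ucs_unregisterLDAPExtension` call leaves the schema registered after unjoin, but nothing in the script records that this is deliberate; a maintainer who sees the extended attributes and the operation set being removed in the same block will be tempted to add the unregister back. A one-line comment where the removed line stood, e.g. `# the self-service-passwordreset schema is intentionally left registered on unjoin`, would capture the decision, and the reason (presumably that existing objects may still carry the attributes) belongs there too if that is the motivation. The `if` that encloses this block starts outside the hunk.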
@@ -43,17 +43,17 @@
 if ucs_isServiceUnused "univention-self-service" "$@"
 then
 eval "$(ucr shell)"
- udm policies/umc "$@" modify \
- --dn cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base \
- --remove allow=cn=passwordchange-all,cn=operations,cn=UMC,cn=univention,$ldap_base
- udm container/cn "$@" modify \
- --dn=cn=dc,cn=computers,$ldap_base \
- --policy-dereference cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base
- udm container/cn "$@" modify \
- --dn=cn=memberserver,cn=computers,$ldap_base \
- --policy-dereference cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base
- udm policies/umc "$@" remove \
- --dn cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base
+ udm policies/umc modify "$@" \
+ --dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
+ --remove "allow=cn=passwordchange-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
+ udm container/cn modify "$@" \
+ --dn "cn=dc,cn=computers,$ldap_base" \
+ --policy-dereference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
+ udm container/cn modify "$@" \
+ --dn "cn=memberserver,cn=computers,$ldap_base" \
+ --policy-dereference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
+ udm policies/umc remove "$@" \
+ --dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
 fi
 joinscript_remove_script_from_status_file univention-self-service
Index: debian/univention-self-service-passwordreset-umc.postinst
===================================================================
--- debian/univention-self-service-passwordreset-umc.postinst (Revision 65517)
+++ debian/univention-self-service-passwordreset-umc.postinst (Arbeitskopie)
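Review bot: This unjoin script reverts the UDM policy and the container references, but not the other steps that 34univention-self-service.inst now performs in this patch: `a2enmod wsgi`, `a2ensite univention-self-service` and the `self-service/backend-server` / `self-service/web/enabled` defaults, and the postrm in the same patch only unsets the overview entries. Unless the site and those variables are meant to survive an unjoin, `a2dissite univention-self-service` and `univention-config-registry unset self-service/backend-server self-service/web/enabled` belong in this `if ucs_isServiceUnused` block (or next to the existing unset calls in the postrm), followed by the apache restart the postrm already performs. Which of the two scripts is the right home depends on whether unjoin without package removal is a supported path here, which the hunk does not show.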
@@ -60,15 +60,6 @@
 su - postgres -c "echo \"ALTER ROLE selfservice WITH ENCRYPTED PASSWORD '$selfservice_pwd';\" | psql"
 fi
-univention-config-registry set \
- umc/self-service/passwordreset/enabled?yes \
- umc/self-service/passwordreset/blacklist/groups?"Administrators,Domain Admins" \
- umc/self-service/passwordreset/whitelist/groups?"Domain Users" \
- umc/self-service/passwordreset/email/enabled?yes \
- umc/self-service/passwordreset/email/server?localhost \
- umc/self-service/passwordreset/external/enabled=no \
- umc/self-service/passwordreset/sms/enabled?no
-
 if [ "$1" = "configure" ]; then
 uinst=/usr/lib/univention-install/65univention-self-service-passwordreset-umc.uinst
 [ -e "$uinst" ] && rm "$uinst"
Index: debian/univention-self-service.postinst
===================================================================
--- debian/univention-self-service.postinst (Revision 65517)
+++ debian/univention-self-service.postinst (Arbeitskopie)
@@ -62,15 +62,7 @@
 /usr/lib/univention-server/server_password_change.d/univention-self-service postchange
-MASTER=$(ucr get ldap/master)
 univention-config-registry set \
- "self-service/backend-server?$MASTER" \
- self-service/web/enabled?yes
-
-a2enmod wsgi
-a2ensite univention-self-service
-
-univention-config-registry set \
 self-service/passwordreset/web/enabled?yes \
 "ucs/web/overview/entries/service/passwordreset/description=Reset your password or provide contact information" \
 "ucs/web/overview/entries/service/passwordreset/description/de=Setzen Sie Ihr Passwort zurück oder hinterlegen Sie Kontaktinformationen." \
@@ -92,8 +84,5 @@
 "ucs/web/overview/entries/service/passwordchange/port_http=" \
 "ucs/web/overview/entries/service/passwordchange/port_https=443"
-# restart, so apache reloads WSGI and sees activated plugin in its config
-# retry if fail because of to quick successive restarts (from other frontend packages)
-invoke-rc.d apache2 restart || (sleep 2; invoke-rc.d apache2 restart)
 exit 0
Index: debian/univention-self-service.postrm
===================================================================
--- debian/univention-self-service.postrm (Revision 65517)
+++ debian/univention-self-service.postrm (Arbeitskopie)
@@ -38,28 +38,30 @@
 ;;
 esac
-univention-config-registry unset \
- ucs/web/overview/entries/service/passwordreset/description \
- ucs/web/overview/entries/service/passwordreset/description/de \
- ucs/web/overview/entries/service/passwordreset/icon \
- ucs/web/overview/entries/service/passwordreset/label \
- ucs/web/overview/entries/service/passwordreset/label/de \
- ucs/web/overview/entries/service/passwordreset/link \
- ucs/web/overview/entries/service/passwordreset/port_http \
- ucs/web/overview/entries/service/passwordreset/port_https
+if [ "$1" = "remove" -o "$1" = "pruge" ]; then
+ univention-config-registry unset \
+ ucs/web/overview/entries/service/passwordreset/description \
+ ucs/web/overview/entries/service/passwordreset/description/de \
+ ucs/web/overview/entries/service/passwordreset/icon \
+ ucs/web/overview/entries/service/passwordreset/label \
+ ucs/web/overview/entries/service/passwordreset/label/de \
+ ucs/web/overview/entries/service/passwordreset/link \
+ ucs/web/overview/entries/service/passwordreset/port_http \
+ ucs/web/overview/entries/service/passwordreset/port_https
-univention-config-registry unset \
- ucs/web/overview/entries/service/passwordchange/description \
- ucs/web/overview/entries/service/passwordchange/description/de \
- ucs/web/overview/entries/service/passwordchange/icon \
- ucs/web/overview/entries/service/passwordchange/label \
- ucs/web/overview/entries/service/passwordchange/label/de \
- ucs/web/overview/entries/service/passwordchange/link \
- ucs/web/overview/entries/service/passwordchange/port_http \
- ucs/web/overview/entries/service/passwordchange/port_https
+ univention-config-registry unset \
+ ucs/web/overview/entries/service/passwordchange/description \
+ ucs/web/overview/entries/service/passwordchange/description/de \
+ ucs/web/overview/entries/service/passwordchange/icon \
+ ucs/web/overview/entries/service/passwordchange/label \
+ ucs/web/overview/entries/service/passwordchange/label/de \
+ ucs/web/overview/entries/service/passwordchange/link \
+ ucs/web/overview/entries/service/passwordchange/port_http \
+ ucs/web/overview/entries/service/passwordchange/port_https
-# restart, so apache unloads WSGI and deactivats plugin in its config
-# retry if fail because of to quick successive restarts (from other frontend packages)
-invoke-rc.d apache2 restart || (sleep 2; invoke-rc.d apache2 restart)
+ # restart, so apache unloads WSGI and deactivats plugin in its config
+ # retry if fail because of to quick successive restarts (from other frontend packages)
+ invoke-rc.d apache2 restart || (sleep 2; invoke-rc.d apache2 restart)
+fi
 exit 0
Index: js/ucs/de.po
===================================================================
--- js/ucs/de.po (Revision 65517)
+++ js/ucs/de.po (Arbeitskopie)
@@ -86,7 +86,7 @@
 #: setcontactinformation.js:134
 msgid "Mobile"
-msgstr ""
+msgstr "Mobiltelefon"
 #: passwordchange.js:96 passwordreset.js:157
 msgid "New password"
Index: umc/python/passwordreset/__init__.py
===================================================================
--- umc/python/passwordreset/__init__.py (Revision 65517)
+++ umc/python/passwordreset/__init__.py (Arbeitskopie)
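Review bot: `"$1" = "pruge"` on the new `if` line is a typo for `purge`, so the condition only ever matches `remove`; in practice this is masked because dpkg invokes `postrm remove` before `postrm purge`, but the comparison is still wrong and the intent stated in the commit message ("only on remove") is not what the code expresses. Fixing the spelling and replacing the non-portable `-o` inside `[ ]` gives `if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then`. The `case` statement closed by the `;; esac` context at the top of the hunk starts outside it.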
@@ -61,11 +61,6 @@
 TOKEN_VALIDITY_TIME = 3600
-GRP_BLACKLIST = ["Domain Admins", "Windows Hosts", "DC Backup Hosts", "DC Slave", "Hosts", "Computers", "Backup Join", "Slave Join", "World Authority", "Null Authority", "Nobody", "Enterprise Domain Controllers", "Remote Interactive Logon", "SChannel Authentication", "Digest Authentication", "Terminal Server User", "NTLM Authentication", "Other Organization", "This Organization", "Anonymous Logon", "Network Service", "Creator Group", "Creator Owner", "Local Service", "Owner Rights", "Interactive", "Restricted", "Network", "Service", "System", "Batch", "Proxy", "IUSR", "Self", "Performance Log Users", "DnsUpdateProxy", "Cryptographic Operators", "Schema Admins", "Backup Operators", "Administrators", "Domain Computers", "Windows Authorization Access Group", "IIS_IUSRS", "RAS and IAS Servers", "Network Configuration Operators", "Account Operators", "Distributed COM Users", "Read-Only Domain Controllers", "Terminal Server License Servers", "Replicator", "Allowed RODC Password Replication Group", "Denied RODC Password Replication Group", "Enterprise Admins", "Group Policy Creator Owners", "Server Operators", "Domain Controllers", "DnsAdmins", "Cert Publishers", "Incoming Forest Trust Builders", "Event Log Readers", "Pre-Windows 2000 Compatible Access", "Remote Desktop Users", "Performance Monitor Users", "Certificate Service DCOM Access", "Enterprise Read-Only Domain Controllers"]
-
-USER_BLACKLIST = ["Administrator", "krbtgt"]
-
-
 def prevent_denial_of_service(func):
 def _decorated(self, request, *args, **kwargs):
 self.prevent_denial_of_service()
@@ -345,9 +340,6 @@
 wh_users = listize(ucr.get("umc/self-service/passwordreset/whitelist/users", ""))
 wh_groups = listize(ucr.get("umc/self-service/passwordreset/whitelist/groups", ""))
- bl_users.extend(map(str.lower, USER_BLACKLIST))
- bl_groups.extend(map(str.lower, GRP_BLACKLIST))
-
 # user blacklist
 if username.lower() in bl_users:
 MODULE.info("is_blacklisted({}): match in blacklisted users".format(username))
Index: umc/python/passwordreset/sending/send_sms.py
===================================================================
--- umc/python/passwordreset/sending/send_sms.py (Revision 65517)
+++ umc/python/passwordreset/sending/send_sms.py (Arbeitskopie)
@@ -77,7 +77,7 @@
 @property
 def token_length(self):
- length = self.ucr.get("umc/self-service/passwordreset/email/token_length", 12)
+ length = self.ucr.get("umc/self-service/passwordreset/sms/token_length", 12)
 try:
 length = int(length)
 except ValueError:
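Review bot: `token_length` has no docstring, and the key rename changes which UCR variable governs it, so a reader now has to trace the string to learn where the value comes from; a one-liner such as `"""Length of the SMS token, read from UCR umc/self-service/passwordreset/sms/token_length (default 12)."""` under the `def` line would close that gap. The `int()` conversion is guarded only against `ValueError`, so a configured `0` or negative value is accepted as a token length; a positive-value check after the conversion looks warranted, though the body of the `except ValueError:` branch continues outside the hunk. If `email/token_length` was previously documented as also controlling SMS tokens, this rename silently changes behaviour for deployments that tuned it, which a changelog entry should mention.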