Attachment #7297 for bug #37890

View | Details | Raw Unified | Return to bug 37890
Collapse All | Expand All





eval "$(ucr shell)"

udm policies/umc create "$@" \
	--position="cn=UMC,cn=policies,$ldap_base" \
	--set name=selfservice-umc-servers \
	--set ldapFilter='(|(objectClass=univentionMemberserver)(objectClass=univentionDomainController))'
udm policies/umc modify "$@" \
	--dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
	--append "allow=cn=passwordchange-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
udm container/cn modify "$@" \
	--dn "cn=dc,cn=computers,$ldap_base" \
	--policy-reference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
udm container/cn modify "$@" \
	--dn "cn=memberserver,cn=computers,$ldap_base" \
	--policy-reference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"

stop_udm_cli_server

MASTER=$(ucr get ldap/master)
univention-config-registry set \
	"self-service/backend-server?$MASTER" \
	self-service/web/enabled?yes

a2enmod wsgi
a2ensite univention-self-service

# restart, so apache reloads WSGI and sees activated plugin in its config
# retry if fail because of to quick successive restarts (from other frontend packages)
invoke-rc.d apache2 restart || (sleep 2; invoke-rc.d apache2 restart)

joinscript_save_current_version

exit 0




ucs_addServiceToLocalhost "univention-self-service-passwordreset-umc" "$@"
ucs_registerLDAPExtension "$@" --schema /usr/share/univention-self-service/self-service-passwordreset.schema

groups_default_administrators=$(custom_groupname "Administrators")
groups_default_domainadmins=$(custom_groupname "Domain Admins")
groups_default_domainusers=$(custom_groupname "Domain Users")


univention-config-registry set \
	umc/self-service/passwordreset/enabled?yes \
	umc/self-service/passwordreset/blacklist/groups?"$groups_default_administrators,$groups_default_domainadmins" \
	umc/self-service/passwordreset/whitelist/groups?"$groups_default_domainusers" \
	umc/self-service/passwordreset/email/enabled?yes \
	umc/self-service/passwordreset/email/server?localhost \
	umc/self-service/passwordreset/external/enabled?no \
	umc/self-service/passwordreset/sms/enabled?no

eval "$(ucr shell)"
udm settings/extended_attribute create "$@" --ignore_exists \
	--position "cn=custom attributes,cn=univention,$ldap_base" \


umc_init
umc_operation_create "passwordreset-all" "Password reset service" "" "passwordreset/*"
udm policies/umc modify "$@" \
	--dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
	--append "allow=cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base"

stop_udm_cli_server





		--dn "cn=UniventionPasswordSelfServiceContactEmail,cn=custom attributes,cn=univention,$ldap_base"
	udm settings/extended_attribute remove "$@" \
		--dn "cn=UniventionPasswordSelfServiceContactMobile,cn=custom attributes,cn=univention,$ldap_base"
	udm policies/umc modify "$@" \
		--dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
		--remove "allow=cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
	udm settings/umc_operationset remove "$@" \
		--dn "cn=passwordreset-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
	ucs_unregisterLDAPExtension "$@" --schema /usr/share/univention-self-service/self-service-passwordreset.schema
fi

joinscript_remove_script_from_status_file univention-management-console-module-passwordreset




if ucs_isServiceUnused "univention-self-service" "$@"
then
	eval "$(ucr shell)"
	udm policies/umc modify "$@" \
		--dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base" \
		--remove "allow=cn=passwordchange-all,cn=operations,cn=UMC,cn=univention,$ldap_base"
	udm container/cn modify "$@" \
		--dn "cn=dc,cn=computers,$ldap_base" \
		--policy-dereference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
	udm container/cn modify "$@" \
		--dn "cn=memberserver,cn=computers,$ldap_base" \
		--policy-dereference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
	udm policies/umc remove "$@" \
		--dn "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
fi

joinscript_remove_script_from_status_file univention-self-service




	su - postgres -c "echo \"ALTER ROLE selfservice WITH ENCRYPTED PASSWORD '$selfservice_pwd';\" | psql"
fi

univention-config-registry set \
	umc/self-service/passwordreset/enabled?yes \
	umc/self-service/passwordreset/blacklist/groups?"Administrators,Domain Admins" \
	umc/self-service/passwordreset/whitelist/groups?"Domain Users" \
	umc/self-service/passwordreset/email/enabled?yes \
	umc/self-service/passwordreset/email/server?localhost \
	umc/self-service/passwordreset/external/enabled=no \
	umc/self-service/passwordreset/sms/enabled?no

if [ "$1" = "configure" ]; then
	uinst=/usr/lib/univention-install/65univention-self-service-passwordreset-umc.uinst
	[ -e "$uinst" ] && rm "$uinst"





/usr/lib/univention-server/server_password_change.d/univention-self-service postchange

MASTER=$(ucr get ldap/master)
univention-config-registry set \
	"self-service/backend-server?$MASTER" \
	self-service/web/enabled?yes

a2enmod wsgi
a2ensite univention-self-service

univention-config-registry set \
	self-service/passwordreset/web/enabled?yes \
	"ucs/web/overview/entries/service/passwordreset/description=Reset your password or provide contact information" \
	"ucs/web/overview/entries/service/passwordreset/description/de=Setzen Sie Ihr Passwort zurück oder hinterlegen Sie Kontaktinformationen." \

	"ucs/web/overview/entries/service/passwordchange/port_http=" \
	"ucs/web/overview/entries/service/passwordchange/port_https=443"

# restart, so apache reloads WSGI and sees activated plugin in its config
# retry if fail because of to quick successive restarts (from other frontend packages)
invoke-rc.d apache2 restart || (sleep 2; invoke-rc.d apache2 restart)

exit 0




	;;
esac

if [ "$1" = "remove" -o "$1" = "pruge" ]; then
	univention-config-registry unset \
		ucs/web/overview/entries/service/passwordreset/description \
		ucs/web/overview/entries/service/passwordreset/description/de \
		ucs/web/overview/entries/service/passwordreset/icon \
		ucs/web/overview/entries/service/passwordreset/label \
		ucs/web/overview/entries/service/passwordreset/label/de \
		ucs/web/overview/entries/service/passwordreset/link \
		ucs/web/overview/entries/service/passwordreset/port_http \
		ucs/web/overview/entries/service/passwordreset/port_https

	univention-config-registry unset \
		ucs/web/overview/entries/service/passwordchange/description \
		ucs/web/overview/entries/service/passwordchange/description/de \
		ucs/web/overview/entries/service/passwordchange/icon \
		ucs/web/overview/entries/service/passwordchange/label \
		ucs/web/overview/entries/service/passwordchange/label/de \
		ucs/web/overview/entries/service/passwordchange/link \
		ucs/web/overview/entries/service/passwordchange/port_http \
		ucs/web/overview/entries/service/passwordchange/port_https

	# restart, so apache unloads WSGI and deactivats plugin in its config
	# retry if fail because of to quick successive restarts (from other frontend packages)
	invoke-rc.d apache2 restart || (sleep 2; invoke-rc.d apache2 restart)
fi

exit 0

(-)js/ucs/de.po (-1 / +1 lines)

Lines 86-92	Link Here

#: setcontactinformation.js:134

#: setcontactinformation.js:134

msgid "Mobile"

msgid "Mobile"

msgstr ""

msgstr "Mobiltelefon"

#: passwordchange.js:96 passwordreset.js:157

#: passwordchange.js:96 passwordreset.js:157

msgid "New password"

msgid "New password"





TOKEN_VALIDITY_TIME = 3600

GRP_BLACKLIST = ["Domain Admins", "Windows Hosts", "DC Backup Hosts", "DC Slave", "Hosts", "Computers", "Backup Join", "Slave Join", "World Authority", "Null Authority", "Nobody", "Enterprise Domain Controllers", "Remote Interactive Logon", "SChannel Authentication", "Digest Authentication", "Terminal Server User", "NTLM Authentication", "Other Organization", "This Organization", "Anonymous Logon", "Network Service", "Creator Group", "Creator Owner", "Local Service", "Owner Rights", "Interactive", "Restricted", "Network", "Service", "System", "Batch", "Proxy", "IUSR", "Self", "Performance Log Users", "DnsUpdateProxy", "Cryptographic Operators", "Schema Admins", "Backup Operators", "Administrators", "Domain Computers", "Windows Authorization Access Group", "IIS_IUSRS", "RAS and IAS Servers", "Network Configuration Operators", "Account Operators", "Distributed COM Users", "Read-Only Domain Controllers", "Terminal Server License Servers", "Replicator", "Allowed RODC Password Replication Group", "Denied RODC Password Replication Group", "Enterprise Admins", "Group Policy Creator Owners", "Server Operators", "Domain Controllers", "DnsAdmins", "Cert Publishers", "Incoming Forest Trust Builders", "Event Log Readers", "Pre-Windows 2000 Compatible Access", "Remote Desktop Users", "Performance Monitor Users", "Certificate Service DCOM Access", "Enterprise Read-Only Domain Controllers"]

USER_BLACKLIST = ["Administrator", "krbtgt"]


def prevent_denial_of_service(func):
	def _decorated(self, request, *args, **kwargs):
		self.prevent_denial_of_service()

		wh_users = listize(ucr.get("umc/self-service/passwordreset/whitelist/users", ""))
		wh_groups = listize(ucr.get("umc/self-service/passwordreset/whitelist/groups", ""))

		bl_users.extend(map(str.lower, USER_BLACKLIST))
		bl_groups.extend(map(str.lower, GRP_BLACKLIST))

		# user blacklist
		if username.lower() in bl_users:
			MODULE.info("is_blacklisted({}): match in blacklisted users".format(username))

(-)umc/python/passwordreset/sending/send_sms.py (-1 / +1 lines)

Lines 77-83	Link Here

	@property

	@property

	def token_length(self):

	def token_length(self):

		length = self.ucr.get("umc/self-service/passwordreset/email/token_length", 12)

		length = self.ucr.get("umc/self-service/passwordreset/sms/token_length", 12)

		try:

		try:

			length = int(length)

			length = int(length)

		except ValueError:

		except ValueError:

Return to bug 37890