Bug 37890 - Password reset self service
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.1
Other Linux
: P5 enhancement with 2 votes
: UCS 4.1
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
: interim-2
Depends on: 39613 39936 39939
Blocks: 39461 39489 39597 39615 39845 39983
Reported: 2015-02-26 15:44 CET by Sönke Schwardt-Krummrich
Modified: 2015-12-07 11:45 CET

See Also:
Bug group (optional): Release Goal


Attachments
bug_37890.diff (15.28 KB, patch)
2015-11-14 21:05 CET, Stefan Gohmann

Description Sönke Schwardt-Krummrich univentionstaff 2015-02-26 15:44:01 CET
A customer suggested a self service for UCS@school users so they are able to reset their own password over a second communication channel.

Currently an additional person with more access permissions is required to reset a user password (student → teacher → school admin → domain admins).
By implementing a second communication channel (e.g. SMS or email to a private mail address), a user would be able to reset their own account without further help.
Comment 1 Stefan Gohmann univentionstaff 2015-07-10 08:18:35 CEST
Moved to UCS.
Comment 2 Stefan Gohmann univentionstaff 2015-07-13 06:57:16 CEST
(In reply to Sönke Schwardt-Krummrich from comment #0)
> A customer suggested a self service for UCS@school users so they are able to
> reset their own password over a second communication channel.

It should also be possible to change the password in the normal way with this service. Currently, the user needs to log on to UMC, which isn't always the best way.
Comment 3 Stephan Luft univentionstaff 2015-08-26 09:42:45 CEST
Another customer requested this for UCS.
Comment 4 Daniel Tröder univentionstaff 2015-09-09 16:38:03 CEST
I have found two candidates for existing OSS projects that we could use:
* Self Service Password
* PWM

Self Service Password:
* http://ltb-project.org/wiki/documentation/self-service-password
* PHP
* project seems dormant
* features:
  - Reset by questions
  - Reset by mail challenge
  - Reset by SMS
  - reCAPTCHA
* should be fairly easy to adapt
* css needs to be adapted

PWM:
* https://github.com/jrivard/pwm
* Java in Tomcat
* project active, but last release from 2/19/14
* features:
  - everything of Self Service Password
  - anything else you can think of
* complex to integrate: configure tomcat, use either sql or install custom ldap schema, deactivate most of its features
* default look is ok

We could also consider implementing it ourselves. Using a Python micro web framework like bottle or flask it could be done really quickly:
* landing page
  - where the user can enter a username → if the user has stored an external email address or mobile number in the contacts section → send link/token via mail or mail-SMS gateway (or pluggable SMS provider API).
  - Token gets stored in extAttrib or sqlite.
  - Optionally integrate reCAPTCHA by Google.
* pw-change page for email/SMS token
  - email link contains the token, or
  - field for the token from mail/SMS
  - form for new password → try to set pw → possibly return with error msg if pw policy fails
Comment 5 Daniel Tröder univentionstaff 2015-10-20 12:04:18 CEST
Implemented in packages univention-self-service, univention-self-service-passwordreset and univention-management-console-module-passwordreset in source package univention-self-service.


The UMC backend univention-management-console-module-passwordreset must be installed on a UCS master/backup DC.

The frontend packages univention-self-service and univention-self-service-passwordreset can be installed on any UCS role. The frontend selects the backend server with:
ucr.get("self-service/backend-server", ucr.get("ldap/master"))
As the backend installs a UCS "service" in LDAP, the selection could be done in a smarter way.

Permissions to run the UMC calls on the backend are granted to all univentionMemberserver and univentionDomainController (using their machine account).

Needs a UI now (#39597).
Comment 6 Stefan Gohmann univentionstaff 2015-10-30 08:20:47 CET
(In reply to Daniel Tröder from comment #5)
> Needs a UI now (#39597).

The implementation has changed a little bit due to UI build package reasons, see Bug #39597.

I guess this bug needs a changelog entry (changelog-4.1-0.xml) and can be closed?
Comment 7 Florian Best univentionstaff 2015-11-02 17:18:52 CET
The translation will not work the way it is currently implemented:
_('some_string {}'.format(arg))

The error messages are also IMHO not user friendly, verbose enough or understandable. Please provide error messages which can be presented to the user in the frontend.

"Failed to change contact information." → why?
"Unknown group '{}'." → what context?
…

I personally don't like the "except-everything" clauses: If the code contains errors just let them raise so that at least the traceback can be presented to the user, who is able to report it back to us.
Comment 8 Johannes Keiser univentionstaff 2015-11-02 17:58:48 CET
We currently get a response when requesting a token twice saying:
"Token for user 'test' still valid. Please retry in one hour."

This is not good from a usability standpoint. In the frontend we need to differentiate between a regular error and this "error".
Can you please adjust this so that it either returns 200 or, better yet, sends another token (and let it fail e.g. after the 10th request).
Comment 9 Daniel Tröder univentionstaff 2015-11-03 08:04:41 CET
(In reply to Johannes Keiser from comment #8)
> We currently get a response when requesting a token twice saying:
> "Token for user 'test' still valid. Please retry in one hour."
> 
> This is not good from a usability standpoint. In the frontend we need to
> differentiate between a regular error and this "error".
> Can you please adjust this so that it either returns 200 or better at all:
> send another token (and let it fail e.g. after the 10th request).
I have created a separate bug for this: Bug #39720
Comment 10 Daniel Tröder univentionstaff 2015-11-03 08:34:48 CET
(In reply to Florian Best from comment #7)
> The translation will not work the way it is currently implemented:
> _('some_string {}'.format(arg))
Fixed in 65101.

> The error messages are also IMHO not user friendly, verbose enough or
> understandable. Please provide error messages which can be presented to the
> user in the frontend.
> 
> "Failed to change contact information." → why?
> "Unknown group '{}'." → what context?
> …
Fixed in 65102.

> I personally don't like the "except-everyhing" clauses: If the code contains
> errors just let them raise so that at least the traceback can be represented
> to the user which is able to report it back to us.
There are no "except-everything" clauses that are not followed by a "raise".
Comment 11 Daniel Tröder univentionstaff 2015-11-03 15:58:32 CET
The backends are ready for QA.
Removed debug messages in commit 65144 (0.0.0-26).
Comment 12 Stefan Gohmann univentionstaff 2015-11-04 08:17:53 CET
univention-self-service and univention-self-service-passwordreset-umc are unmaintained. If these packages are to become UCS components, please add them to base/univention-dvd/tasks/ucs410/task-ucs410. Otherwise just add them to svn/triggers/ucs_4.1-0.txt
Comment 13 Johannes Keiser univentionstaff 2015-11-04 11:44:10 CET
Currently, get_reset_methods only returns an array. For i18n, however, we need an array of id-label pairs where the label is localized, e.g.:

[{"id": "email", "label": "E-Mail"}, ... ]
Comment 14 Daniel Tröder univentionstaff 2015-11-04 13:13:17 CET
Done in r65165 (but untested).
Comment 15 Daniel Tröder univentionstaff 2015-11-04 14:51:38 CET
univention-dvd task added in r65171.
Comment 16 Daniel Tröder univentionstaff 2015-11-05 15:59:06 CET
Commit 65240 adds the UMC function passwordreset/get_contact.

# curl -s -H "Content-Type: application/json" -H "Accept-Language: de_DE" -X POST -d '{"username":"test1","password":"test1"}' http://10.200.3.26/univention-self-service/passwordreset/get_contact | json_xs

{
   "message" : null,
   "result" : [
      {
         "label" : "SMS",
         "value" : "123",
         "id" : "sms"
      },
      {
         "id" : "email",
         "value" : "test1neu@example.com",
         "label" : "E-Mail"
      }
   ]
}
Comment 17 Alexander Kramer univentionstaff 2015-11-09 08:03:47 CET
Password change:
For some cases I only get English response messages. It seems that the German translation is missing.

1.) Successfully changing the password
--> German msg is also: Password successfully changed.

2.) Entering a wrong username or password
--> German msg is also: The authentication has failed, please login again.
Is it possible to change this message? I would prefer to tell the user that the provided username or password is wrong.


Password reset:
Requesting the reset methods for a user that has not defined a method yet still returns a response with an empty array:
passwordreset/get_reset_methods
{"message": null, "result": []}

I would prefer to respond with an error (status code >= 400) and a message that no reset method is known and so the user cannot reset his/her password.


TY
Comment 18 Daniel Tröder univentionstaff 2015-11-10 10:21:38 CET
(In reply to Alexander Kramer from comment #17)
> Password change:
> For some cases I only get English response messages. It seems that the
> German translation is missing.
> 
> 1.) Successfully changing the password
> --> German msg is also: Password successfully changed.
This is a problem in UMC. Somehow the locale is not set there or not translated. A separate bug will be used for this.

> 2.) Entering a wrong username pr password
Fixed in r65349 (setting locale before auth()).

> --> German msg is also: The authentication has failed, please login again.
> It is possible to change this message? I would prefer to tell the user that
> the provided username or password is wrong.
That is the reply that UMC gets from PAM :/

> Password reset:
> Requesting the resets methods for a user that has not defined one method
> yet, still returns a response with an empty array:
> passwordreset/get_reset_methods
> {"message": null, "result": []}
> 
> I would prefer to respond with an error (status code >=400) and a message
> that no reset method is known and so the user can not reset his/her password.
Done in r65356.
→ HTTP/1.1 400
→ {"message": "F\u00fcr diesen Benutzer ist keine Methode zum Passwort zur\u00fccksetzen vorhanden."}
Comment 19 Daniel Tröder univentionstaff 2015-11-10 11:51:31 CET
(In reply to Daniel Tröder from comment #18)
> (In reply to Alexander Kramer from comment #17)
> > Password change:
> > For some cases I only get English response messages. It seems that the
> > German translation is missing.
> > 
> > 1.) Successfully changing the password
> > --> German msg is also: Password successfully changed.
> This is a problem in UMC. Somehow the locale is not set there or not
> translated. A separate bug will be used for this.
Fixed by commit r65361.
Comment 20 Alexander Kramer univentionstaff 2015-11-10 13:15:44 CET
with univention-self-service 1.0.2-2.26.201511101303

I cannot send an empty email string to set_contact:

curl 'https://10.200.36.12/univention-self-service/passwordreset/set_contact' -H 'Pragma: no-cache' -H 'Origin: https://10.200.36.12' -H 'Accept-Encoding: gzip,deflate' -H 'Accept-Language: de-DE' -H 'User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.120 Chrome/37.0.2062.120 Safari/537.36' -H 'Content-Type: application/json' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: _pk_id.14.8a18=e35b44ae2f60dad1.1447147485.4.1447157327.1447157148.; _pk_ses.14.8a18=*' -H 'Connection: keep-alive' -H 'Referer: https://10.200.36.12/univention-self-service/?lang=de-DE' --data-binary '{"username":"jane","password":"univention","email":"","mobile":"123"}' --compressed


out of /var/log/univention/self-service-error.log

[10/Nov/2015:13:13:44]  Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 169, in trap
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 96, in __call__
    return self.nextapp(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 379, in tail
    return self.response_class(environ, start_response, self.cpapp)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 248, in __init__
    self.write = start_response(outstatus, outheaders)
ValueError: status message was not supplied

[10/Nov/2015:13:13:44]  Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 193, in trap
    self.start_response(s, h, _sys.exc_info())
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 169, in trap
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 96, in __call__
    return self.nextapp(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 379, in tail
    return self.response_class(environ, start_response, self.cpapp)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 248, in __init__
    self.write = start_response(outstatus, outheaders)
ValueError: status message was not supplied


FYI: No problem if I do not send a mobile number. Is email required?
Comment 21 Alexander Kramer univentionstaff 2015-11-10 13:19:48 CET
A request to get_contact gives me this:

{"message": null, "result": [{"id": "sms", "value": "123", "label": "SMS"}, {"id": "email", "value": "hi@du.da", "label": "E-Mail"}]}

But a request to set_contact requires the id 'mobile'. Can you please change the id 'sms' and label 'SMS' to mobile/Mobile for 'get_contact'.
Comment 22 Alexander Kramer univentionstaff 2015-11-10 15:14:42 CET
Can we also change these messages?

EN: User is blacklisted.
DE: Benutzer ist auf der schwarzen Liste.

Maybe like:

EN: Service is not available for this user.
DE: Der Dienst steht für diesen Benutzer nicht zur Verfügung.
Comment 23 Daniel Tröder univentionstaff 2015-11-10 15:39:49 CET
Comment 21+22: done in r65381
Comment 24 Erik Damrose univentionstaff 2015-11-11 16:38:21 CET
In addition to adding the packages to the dvd in comment #15, i added u-self-service-passwordreset-umc and u-self-service to the download-packages script in univention-system-setup. This ensures that the packages are available in UCS appliances.

r65421 univention-system-setup 9.0.2-9.924.201511111635
Comment 25 Daniel Tröder univentionstaff 2015-11-13 13:24:07 CET
Added a script (r65486) to en/disable modules.
Comment 26 Sönke Schwardt-Krummrich univentionstaff 2015-11-13 16:44:19 CET
The token email contains the following URLs, but neither of them is correct:

https://master73.nstx.local/self-service/passwordreset/
→ 404 not found
https://master73.nstx.local/self-service/passwordreset/token/TAQyK6EQsBp70n…
→ 404 not found
Comment 27 Sönke Schwardt-Krummrich univentionstaff 2015-11-13 17:02:38 CET
Being just curious... why is there a "umc/" prefix to most of the UCR variables?

self-service/backend-server: master73.nstx.local
self-service/passwordchange/web/enabled: yes
self-service/passwordreset/web/enabled: yes
self-service/web/enabled: yes
umc/self-service/passwordreset/blacklist/groups: Administrators,Domain Admins
umc/self-service/passwordreset/blacklist/users: <empty>
umc/self-service/passwordreset/email/enabled: yes
umc/self-service/passwordreset/email/server: localhost
umc/self-service/passwordreset/email/token_length: <empty>
umc/self-service/passwordreset/enabled: yes
umc/self-service/passwordreset/external/command: <empty>
umc/self-service/passwordreset/external/enabled: no
umc/self-service/passwordreset/external/method: <empty>
umc/self-service/passwordreset/external/token_length: <empty>
umc/self-service/passwordreset/sms/enabled: no
umc/self-service/passwordreset/sms/server: <empty>
umc/self-service/passwordreset/sms/token_length: <empty>
umc/self-service/passwordreset/whitelist/groups: Domain Users
umc/self-service/passwordreset/whitelist/users: <empty>
Comment 28 Sönke Schwardt-Krummrich univentionstaff 2015-11-13 21:27:59 CET
1) user without contact → set contact: OK → resetpw: OK
2) user with expired pw → set contact: OK → resetpw: OK, not expired any longer
3) user with disabled account → set contact: OK → resetpw: OK, still disabled
4) user with locked account → set contact: OK → resetpw: OK, still locked

→ Apache web service is disabled via UCR → OK (test cmds follow)

root@master73:~# ucr set self-service/passwordchange/web/enabled='no'
Setting self-service/passwordchange/web/enabled
File: /etc/apache2/sites-available/univention-self-service
root@master73:~# invoke-rc.d apache2 reload
Restarting web server: apache2 ... waiting .
root@master73:~# ucr set self-service/passwordchange/web/enabled='yes'
Setting self-service/passwordchange/web/enabled
File: /etc/apache2/sites-available/univention-self-service
root@master73:~# invoke-rc.d apache2 reload
Reloading web server config: apache2.
root@master73:~# ucr set self-service/passwordreset/web/enabled='no'
Setting self-service/passwordreset/web/enabled
File: /etc/apache2/sites-available/univention-self-service
root@master73:~# invoke-rc.d apache2 reload
Reloading web server config: apache2.
root@master73:~# ucr set self-service/passwordreset/web/enabled='yes'
Setting self-service/passwordreset/web/enabled
File: /etc/apache2/sites-available/univention-self-service
root@master73:~# invoke-rc.d apache2 reload
Reloading web server config: apache2.
root@master73:~#

→ please note that the web page is still accessible but will fail upon the first button click

→ OK: ucr set umc/self-service/passwordreset/email/token_length=10
→ REOPEN: umc/self-service/passwordreset/external/ldap_attribute is irritating because it's not the LDAP attribute that has to be specified but the UDM users/user property name (e.g. "PasswordRecoveryMobile" for the extended attribute). A description is also missing.

→ REOPEN: a UCR variable should provide the ability to redefine the default label for the "external" method. Currently the german UI provides "Extern" and "E-Mail". I think it's important to redefine "Extern" via UCR to something else like e.g. "Jabber". → add umc/self-service/passwordreset/external/method_label

→ REOPEN: minor bug: in send_with_external.py the class name is called "SendWithExernal" (→ missing "t")

→ REOPEN: send_with_external.py → the environment variables should be something more unique like "selfservice_username", "selfservice_address", "selfservice_token".

Tested external method with following setup:

ucr set repository/online/unmaintained="yes"
univention-install sendxmpp
ucr set repository/online/unmaintained="no"
cat > /usr/bin/send_jabber <<EOF
#!/bin/sh
#
echo "Hello \$username, your password recovery token is \$token. Greetings, Administrator" | sendxmpp -f /etc/send_jabber.cfg --tls "\$address"
EOF
chmod a+x /usr/bin/send_jabber
echo "sampleaccount@jabber.org myPassW0rd" > /etc/send_jabber.cfg
chmod 0600 /etc/send_jabber.cfg
ucr set umc/self-service/passwordreset/external/enabled='yes' \
     umc/self-service/passwordreset/external/command="/usr/bin/send_jabber" \
     umc/self-service/passwordreset/external/method=xmpp \
     umc/self-service/passwordreset/external/token_length=12 \
     umc/self-service/passwordreset/external/ldap_attribute=description
eval "$(ucr shell)"
udm users/user modify --dn "uid=user1,cn=users,$ldap_base" \
    --set description="user1@jabber.org"
udm users/user modify --dn "uid=user2,cn=users,$ldap_base" \
     --set description="user2@jabber.org"
udm users/user modify --dn "uid=user3,cn=users,$ldap_base" \
     --set description="user3@jabber.org"

→ REOPEN: send_sms.py
→ contains raise NotImplementedError("Text message sending not yet implemented")
→ maybe we should remove send_sms.py and provide a description for integrating external commands?

→ REOPEN: send_sms.py
→ uses umc/self-service/passwordreset/email/token_length instead of
  umc/self-service/passwordreset/sms/token_length

→ ENHANCEMENT: optionally the path of email_body.txt should be definable via UCR
Comment 29 Sönke Schwardt-Krummrich univentionstaff 2015-11-13 23:22:20 CET
Side note: My tests of the web interface have been performed with chromium 46 and firefox 42.

→ REOPEN: *.inst + *.uinst
  1) $ldap_base is not escaped/quoted → will fail if whitespace in LDAP base DN
  2) wrong argument order for nearly all udm calls
     →→→ incorrect: udm container/cn "$@" modify
     →→→ correct is: udm container/cn modify "$@"

→ REOPEN: 65univention-self-service-passwordreset-umc.uinst
  1) do NOT unregister LDAP schema; during the update slapcat+slapadd is 
     performed and this will fail if there are still attributes in LDAP using 
     this deregistered LDAP schema

→ NOTE: debian/univention-self-service-passwordreset-umc.postinst
  1) "if ! grep -q relayhost /etc/postfix/main.cf; then" and following lines:
     → this message is never seen by the user if installed via App Center
  2) message improvements:
     echo "Please check the configuration of the local mail system. It must be configured"
     echo "to deliver mails to external systems directly or via a relay host."
     echo "Please consult the UCS documentation for configuration of a mail relay host:"
  3) Quoting variables with filenames is always a good idea. They may contain 
     whitespaces, e.g.: touch $DB_SECRET_FILE


→ REOPEN: debian/univention-self-service-passwordreset-umc.postinst
  1) umc/self-service/passwordreset/external/enabled=no is set the hard way 
     → during an update the external command will be disabled automatically
  2) The postgres DB setup should be moved to the join script. If the DB setup 
     fails because postgres was down, the join script should fail and the user 
     is able to re-execute it. Currently, if postgres is unavailable, the DB 
     setup will not take place.

→ REOPEN: univention-self-service.postinst
  1) ldap/master may be undefined during package installation because the 
     system has not joined into domain yet. Please set UCR variable 
     "self-service/backend-server" in join script (and restart services if 
     required).

→ REOPEN: univention-self-service.postrm
  1) are the UCR variables unset intentionally? During a package update, *.postrm 
     is also called:
   dpkg script execution order and script arguments during upgrade from package 
   version 1 to version 2:
      prerm-1 upgrade 2
      preinst-2 upgrade 1
      ==> unpacking version2
      ==> removing files of version1 that are not part of version2 and no 
          conffile
      postrm-1 upgrade 2
      postinst-2 configure 1
  2) why is apache restarted in postrm? is the restart in 
     univention-self-service.prerm not sufficient?

→ REOPEN: umc/python/passwordreset/__init__.py
  1) Why is the list of blacklisted groups and users always extended by a hard 
     coded list of users/groups?
     This way, the admin is never able to allow password recovery for a user 
     that is member of one of these groups, even if he sets the UCR variable 
     for blacklisted groups/users manually.
	 
  GRP_BLACKLIST = ["Domain Admins", "Windows Hosts", "DC Backup Hosts", "DC Slave", "Hosts", "Computers", "Backup Join", "Slave Join", "World Authority", "Null Authority", "Nobody", "Enterprise Domain Controllers", "Remote Interactive Logon", "SChannel Authentication", "Digest Authentication", "Terminal Server User", "NTLM Authentication", "Other Organization", "This Organization", "Anonymous Logon", "Network Service", "Creator Group", "Creator Owner", "Local Service", "Owner Rights", "Interactive", "Restricted", "Network", "Service", "System", "Batch", "Proxy", "IUSR", "Self", "Performance Log Users", "DnsUpdateProxy", "Cryptographic Operators", "Schema Admins", "Backup Operators", "Administrators", "Domain Computers", "Windows Authorization Access Group", "IIS_IUSRS", "RAS and IAS Servers", "Network Configuration Operators", "Account Operators", "Distributed COM Users", "Read-Only Domain Controllers", "Terminal Server License Servers", "Replicator", "Allowed RODC Password Replication Group", "Denied RODC Password Replication Group", "Enterprise Admins", "Group Policy Creator Owners", "Server Operators", "Domain Controllers", "DnsAdmins", "Cert Publishers", "Incoming Forest Trust Builders", "Event Log Readers", "Pre-Windows 2000 Compatible Access", "Remote Desktop Users", "Performance Monitor Users", "Certificate Service DCOM Access", "Enterprise Read-Only Domain Controllers"]

  2) Sidenote for
     chars = string.ascii_letters.replace("l", "").replace("I", "").replace("O", "") + string.digits
     If "l", "I" and "O" are removed, "0" and "1" should also be removed, to
     avoid user confusion if the user uses "ugly" fonts.

→ REOPEN: js/ucs/de.po
  1) already mentioned earlier, but for completeness: found missing translation:
     #: setcontactinformation.js:134
     msgid "Mobile"
     msgstr ""
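The token handling sketched in comment 4 (token sent via mail/SMS, stored server-side), the one-hour validity quoted in comment 8, the per-method token_length UCR variables from comment 28 and the alphabet sidenote above, as an added example. This is not code from univention-self-service; the configuration dict is a constructed stand-in for the UCR variables, the one-hour lifetime and the hashed server-side store are assumptions, and it needs Python 3.6 or later for the secrets module.

```python
"""Added example, not the project's code: generating and checking a
one-time password-reset token.

Assumptions (not from the bug report): the UCR dict below mirrors
umc/self-service/passwordreset/<method>/token_length, tokens are stored
as a SHA-256 hash with a creation timestamp, and they expire after one
hour (the validity period quoted in comment 8)."""

import hashlib
import hmac
import secrets
import string
import time

# Alphabet without the glyphs that are easy to confuse in "ugly" fonts:
# comment 29 asks to drop "0" and "1" as well as "l", "I" and "O".
AMBIGUOUS = set("lIO01")
TOKEN_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS
)

DEFAULT_TOKEN_LENGTH = 12
TOKEN_VALIDITY_SECONDS = 3600

# Constructed stand-in for the UCR values; an empty string means "unset".
UCR = {
    "umc/self-service/passwordreset/email/token_length": "",
    "umc/self-service/passwordreset/sms/token_length": "8",
    "umc/self-service/passwordreset/external/token_length": "12",
}


def token_length(method, ucr=UCR):
    """Length from the method's own UCR variable (comment 28: send_sms.py
    must not read the email variable), falling back to the default."""
    raw = ucr.get("umc/self-service/passwordreset/%s/token_length" % method, "")
    try:
        length = int(raw)
    except ValueError:
        return DEFAULT_TOKEN_LENGTH
    return length if length > 0 else DEFAULT_TOKEN_LENGTH


def generate_token(method, ucr=UCR):
    """CSPRNG-backed token; secrets.choice is unbiased over the alphabet."""
    return "".join(secrets.choice(TOKEN_ALPHABET)
                   for _ in range(token_length(method, ucr)))


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def store_token(db, username, token, now=None):
    """Store only a hash, so a leaked token table cannot be replayed."""
    db[username] = {
        "digest": _digest(token),
        "created": time.time() if now is None else now,
    }


def verify_token(db, username, candidate, now=None):
    """True only for an unexpired, matching token. The record is consumed
    on success (and dropped on expiry), so a token is single-use."""
    now = time.time() if now is None else now
    record = db.get(username)
    if record is None:
        return False
    if now - record["created"] > TOKEN_VALIDITY_SECONDS:
        del db[username]
        return False
    # Constant-time comparison of the hashes, not of the raw tokens.
    if not hmac.compare_digest(record["digest"], _digest(candidate)):
        return False
    del db[username]
    return True
```

The digest store is what makes the "send another token" variant discussed in comment 8 safe to implement: issuing a fresh token simply overwrites the record, and an attacker reading the table still has nothing to submit.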
Comment 30 Sönke Schwardt-Krummrich univentionstaff 2015-11-13 23:30:24 CET
→ REOPEN: Either the blacklist is not working or my configuration was wrong:

root@master73:~# id anton2
uid=2023(anton2) gid=5023(Domain Users gsmitte) groups=5023(Domain Users gsmitte),5020(schueler-gsmitte),5090(gsmitte-1B)
root@master73:~# ucr set umc/self-service/passwordreset/blacklist/groups=\
                                       'Administrators,Domain Admins,gsmitte-1B' 
Setting umc/self-service/passwordreset/blacklist/groups
root@master73:~# invoke-rc.d apache2 restart
Restarting web server: apache2 ... waiting .
root@master73:~# 

Afterwards I tried to get a token for "anton2" and to reset the user's password. Both steps were successful.
Comment 31 Stefan Gohmann univentionstaff 2015-11-14 21:05:40 CET
Created attachment 7297 [details]
bug_37890.diff

The attached patch addresses the following issues:

 * Fix quoting in join scripts
 * Use the right order for UDM arguments
 * Don't unregister the LDAP schema while removing the package
 * Move UCR commands from the postinst to the join script
 * send_sms.py: use ../sms/token_length instead of ../email/token_length
 * Remove GRP_BLACKLIST and USER_BLACKLIST
 * Use custom_groupname
 * Move self-service/backend-server from postinst to join script
 * js/ucs/de.po: Added translation for Mobile
 * Unset UCR variables only on remove in postrm script
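The allow/deny decision discussed in comments 27, 29, 30 and 31 (UCR black/whitelists for groups and users, no hard-coded GRP_BLACKLIST), as an added example. This is not the project's code: the comma-separated format, exact group-name matching, "denylist wins" and the caller passing in the user's group names (instead of reading them from LDAP) are assumptions; custom_groupname handling from the patch is left out.

```python
"""Added example, not code from univention-self-service: decide whether a
user may use the password reset service from the UCR variables listed in
comment 27.

Assumptions (not from the bug report): lists are comma-separated, an empty
value means "nobody", names are compared exactly, the blacklist always wins
over the whitelist, and group membership is supplied by the caller."""

UCR_DEFAULTS = {
    "umc/self-service/passwordreset/blacklist/groups": "Administrators,Domain Admins",
    "umc/self-service/passwordreset/blacklist/users": "",
    "umc/self-service/passwordreset/whitelist/groups": "Domain Users",
    "umc/self-service/passwordreset/whitelist/users": "",
}

PREFIX = "umc/self-service/passwordreset/"


def _parse_list(value):
    """Split a comma-separated UCR value. Group names may contain spaces
    ("Domain Users gsmitte"), so only strip whitespace around the commas."""
    return {item.strip() for item in value.split(",") if item.strip()}


def is_reset_allowed(username, groups, ucr):
    """True if the user is whitelisted (by name or group) and not
    blacklisted (by name or group). Exact matches only: a substring check
    would let "Domain Users gsmitte" pass for "Domain Users"."""
    denied_users = _parse_list(ucr.get(PREFIX + "blacklist/users", ""))
    denied_groups = _parse_list(ucr.get(PREFIX + "blacklist/groups", ""))
    allowed_users = _parse_list(ucr.get(PREFIX + "whitelist/users", ""))
    allowed_groups = _parse_list(ucr.get(PREFIX + "whitelist/groups", ""))
    groups = set(groups)
    if username in denied_users or groups & denied_groups:
        return False  # blacklist wins, whatever the whitelist says
    return username in allowed_users or bool(groups & allowed_groups)
```

With these semantics the reproduction from comment 30 (blacklist/groups extended by gsmitte-1B) must deny anton2 even though the user is also in a whitelisted group; an admin who wants to allow a member of "Domain Admins" removes that group from the blacklist, which the hard-coded list criticised in comment 29 made impossible.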
Comment 32 Daniel Tröder univentionstaff 2015-11-15 22:06:49 CET
(In reply to Sönke Schwardt-Krummrich from comment #26)
> The token email contains the following URLs, but neither of them is correct:
> 
> https://master73.nstx.local/self-service/passwordreset/
> → 404 not found
> https://master73.nstx.local/self-service/passwordreset/token/TAQyK6EQsBp70n…
> → 404 not found
fixed in r65524

(In reply to Sönke Schwardt-Krummrich from comment #27)
> Being just curious... why is there a "umc/" prefix to most of the UCR
> variables?
> 
> self-service/backend-server: master73.nstx.local
> self-service/passwordchange/web/enabled: yes
> self-service/passwordreset/web/enabled: yes
> self-service/web/enabled: yes
> umc/self-service/passwordreset/blacklist/groups: Administrators,Domain Admins
> umc/self-service/passwordreset/blacklist/users: <empty>
> umc/self-service/passwordreset/email/enabled: yes
> umc/self-service/passwordreset/email/server: localhost
> umc/self-service/passwordreset/email/token_length: <empty>
> umc/self-service/passwordreset/enabled: yes
> umc/self-service/passwordreset/external/command: <empty>
> umc/self-service/passwordreset/external/enabled: no
> umc/self-service/passwordreset/external/method: <empty>
> umc/self-service/passwordreset/external/token_length: <empty>
> umc/self-service/passwordreset/sms/enabled: no
> umc/self-service/passwordreset/sms/server: <empty>
> umc/self-service/passwordreset/sms/token_length: <empty>
> umc/self-service/passwordreset/whitelist/groups: Domain Users
> umc/self-service/passwordreset/whitelist/users: <empty>
Historically the packages were to be installed separately on frontend and backend servers.

UCRs that refer to configuration that is meant to be configured on the frontends start with 'self-service'; UCRs that must be configured on backends and are used by a UMC module start with 'umc'. As the packages are now to be installed on DC master/backup only, the distinction is no longer useful and could be removed.

→ Please decide on the naming and I will make the necessary changes.

(In reply to Sönke Schwardt-Krummrich from comment #28)
> → Apache web service is disabled via UCR → OK (test cmds follow)
> 
> [..]
> 
> → please note, that the web page is still accessible but will fail upon
> first 
>   button click
Was "fixed" in r65486 / 1.0.2-8 by adding a script to en/disable modules. It sets the corresponding ucs/web/overview/entries/... in addition to self-service/*/web/enabled. The script should be advertised for that purpose (App-README_POST (r65523) and blog post: Bug #39461).

> → OK: ucr set umc/self-service/passwordreset/email/token_length=10
> → REOPEN: umc/self-service/passwordreset/external/ldap_attribute is
> irritating because its not the LDAP attribute that has to be specified but
> the UDM users/user property name (e.g. "PasswordRecoveryMobile" for the
> extended attribute).
Changed in r65526: ldap_attribute → udm_property

> A description is also missing
That was on purpose, as discussed a while ago. The functionality of set_contact_data() is not generalized enough to allow for arbitrary data to be saved. While changing that isn't really difficult, it is not necessary in the first release.

> → REOPEN: a UCR variable should provide the ability to redefine the default
> label for the "external" method. Currently the german UI provides "Extern"
> and "E-Mail". I think it's important to redefine "Extern" via UCR to
> something else like e.g. "Jabber". → add
> umc/self-service/passwordreset/external/method_label
Added UCRV umc/self-service/passwordreset/external/method_label with default _("External") in r65527.

> → REOPEN: minor bug: in send_with_external.py the class name is called
> "SendWithExernal" (→ missing "t")
→ r65528

> → REOPEN: send_with_external.py → the environment variables should be
> something more unique like "selfservice_username", "selfservice_address",
> "selfservice_token".
→ r65528

> → REOPEN: send_sms.py
> → contains raise NotImplementedError("Text message sending not yet
> implemented")
The method is disabled by default, as it hadn't been decided how to proceed with it.
It would be simple to make it more useful. I could complete the example tomorrow with sipgate as provider. It's very easy, I have done this before: https://github.com/dansan/sms_notify_if_host_down/blob/master/notify_sms/sipgate_sms.py

> → maybe we should remove send_sms.py and provide a description for
> integrating external commands?
IMHO that is what the external method is for, and it should be part of the blog post (and SDB?). The idea of the SMS example was to show admins a way to create a method directly in Python in the framework. The advantages are: auto-discovery of new modules, use of the logging system, adding more than one method, and, for us, that we can modify the base class and add more functionality if our customers need it.

> → REOPEN: send_sms.py
> → uses umc/self-service/passwordreset/email/token_length instead of
>   umc/self-service/passwordreset/sms/token_length
→ r65529

> → ENHANCEMENT: optionally the path of email_body.txt should be definable via
> UCR
→ r65529
Maybe the current example text file should be moved, so users can be pointed to it, for reference (current location is /usr/share/pyshared/univention/management/console/modules/passwordreset/sending/email_body.txt).
Comment 33 Daniel Tröder univentionstaff 2015-11-16 01:17:51 CET
r65533 adds support for sending text messages with Sipgate.
Comment 34 Daniel Tröder univentionstaff 2015-11-16 10:16:01 CET
(In reply to Sönke Schwardt-Krummrich from comment #30)
> → REOPEN: Either the blacklist is not working or my configuration was
> wrong:
> 
> root@master73:~# id anton2
> uid=2023(anton2) gid=5023(Domain Users gsmitte) Gruppen=5023(Domain Users
> gsmitte),5020(schueler-gsmitte),5090(gsmitte-1B)
> root@master73:~# ucr set umc/self-service/passwordreset/blacklist/groups=\
>     'Administrators,Domain Admins,gsmitte-1B'
> Setting umc/self-service/passwordreset/blacklist/groups
> root@master73:~# invoke-rc.d apache2 restart
> Restarting web server: apache2 ... waiting .
> root@master73:~# 
> 
> Afterwards I tried to get a token for "anton2" and to reset the user's
> password. Both steps were successful.
* fixed in r65545 (typo).

* Mobile numbers are now more securely handled, when sending a text message.
Comment 35 Sönke Schwardt-Krummrich univentionstaff 2015-11-16 12:59:01 CET
Wrong command order within postinst (see below).
As far as I can see, univention-self-service.postinst should call the join script as its last action. In particular, the user has to be created before the join script is called and apache is restarted.

univention-self-service (1.0.2-16.32.201511161217) is being set up ...
File: /usr/share/univention-self-service/www/languages.json
File: /etc/apache2/sites-available/univention-self-service
Calling joinscript 34univention-self-service.inst ...
2015-11-12 05:20:19.328706807+01:00 (in joinscript_init)
Object exists: cn=services,cn=univention,dc=nstx,dc=local
Object created: cn=univention-self-service,cn=services,cn=univention,dc=nstx,dc=local
Object modified: cn=master70,cn=dc,cn=computers,dc=nstx,dc=local
Object created: cn=selfservice-umc-servers,cn=UMC,cn=policies,dc=nstx,dc=local
Object modified: cn=selfservice-umc-servers,cn=UMC,cn=policies,dc=nstx,dc=local
Object modified: cn=dc,cn=computers,dc=nstx,dc=local
Object modified: cn=memberserver,cn=computers,dc=nstx,dc=local
Create self-service/backend-server
Create self-service/web/enabled
Module: ox-config
File: /etc/apache2/sites-available/univention-self-service
Module wsgi already enabled
Enabling site univention-self-service.
To activate the new configuration, you need to run:
  service apache2 reload
apache2: bad user name self-service
Action 'configtest' failed.
The Apache error log may have more information.
 failed!
invoke-rc.d: initscript apache2, action "restart" failed.
apache2: bad user name self-service
Action 'configtest' failed.
The Apache error log may have more information.
 failed!
invoke-rc.d: initscript apache2, action "restart" failed.
2015-11-12 05:20:25.940802872+01:00 (in joinscript_save_current_version)
Joinscript 34univention-self-service.inst finished with exitcode 0
Fresh installation...
Creating system user »self-service« (UID 127) ...
Creating new group »self-service« (GID 130) ...
Creating new user »self-service« (UID 127) with group »self-service« ...
Not creating home directory »/home/self-service«.
Create self-service/passwordreset/web/enabled
Create ucs/web/overview/entries/service/passwordreset/description
Create ucs/web/overview/entries/service/passwordreset/description/de
Create ucs/web/overview/entries/service/passwordreset/label
Comment 36 Daniel Tröder univentionstaff 2015-11-16 13:57:15 CET
r65572: fix postinst, remove dependency for specific version of PostgreSQL
r65575: add description for UCRV umc/self-service/passwordreset/external/udm_property (formerly known as .../ldap_attribute)
Comment 37 Sönke Schwardt-Krummrich univentionstaff 2015-11-16 22:17:28 CET
Ok, Self Service contains no show blocker:
- tested sending mails
  - with default body
  - with custom mail body
- tested sending SMS (see below for example)
- tested sending via external (fails → no blocker, bug 39979)
- join scripts are ok
- unjoin scripts are not executed before deinstallation (→ bug 39980, no blocker)
→ VERIFIED

Sending SMS via service sms77.de:

# univention-install -y curl
# echo "myuser:mySMS77APIkey" > /etc/send_sms.secret
# chmod 0600 /etc/send_sms.secret
# chown root:root /etc/send_sms.secret
# cat > /usr/bin/send_sms << 'EOF'
#!/bin/sh
# The delimiter is quoted ('EOF') so that the ${...} references are written
# into the script literally instead of being expanded (to empty strings) by
# the shell that creates the file; the self-service fills them in at run time.
# --data-urlencode keeps spaces, quotes and '&' in the values from breaking
# or extending the form body.
exec curl https://gateway.sms77.de \
        --data-urlencode "u=${sms_username}" \
        --data-urlencode "p=${sms_password}" \
        --data-urlencode "to=${selfservice_address}" \
        -d "type=direct" \
        --data-urlencode "text=Hi ${selfservice_username}, your password reset token is '${selfservice_token}'. Greetings, your admin" \
        -d "from=0000"
EOF
# chown root:root /usr/bin/send_sms
# chmod 700 /usr/bin/send_sms
# ucr set umc/self-service/passwordreset/sms/enabled=yes \
    umc/self-service/passwordreset/sms/command=/usr/bin/send_sms \
    umc/self-service/passwordreset/sms/country_code=49 \
    umc/self-service/passwordreset/sms/password_file=/etc/send_sms.secret
#


Sending mail with custom mail body:

# ucr set umc/self-service/passwordreset/email/text_file=/etc/send_mail
# cat > /etc/send_mail << EOF
Hi {username},

your token is {token}.

Please visit {link} or click here:
{tokenlink}

Greetings,

your admin
EOF
#
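The external-command contract described in comment 32 (the command is started with selfservice_username, selfservice_address and selfservice_token in its environment) and the sms77.de wrapper shown above can also be implemented as a small Python script that fails closed. The following is an added example written for this page; it is not code from UCS, from the bug, or from the self-service package. It assumes the environment variable names from comment 32, the "user:apikey" layout of the password_file from the test above, the sms77.de gateway URL and form fields (u, p, to, type, text, from) from the same test, and a hard-coded country code of 49; instead of relying on sms_username/sms_password being exported, it reads the secret file itself and refuses to run if the file is not root-owned and mode 0600. The number normalisation and the template placeholders ({username}, {token}, matching the custom mail body syntax) are this example's own choices.

```python
"""Hypothetical external method for the self-service password reset (example only).

Assumed contract (not verified against the package): the self-service runs this
script with selfservice_username, selfservice_address and selfservice_token set in
the environment; credentials are read from SECRET_FILE in "user:apikey" form.
"""
import os
import re
import stat
import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GATEWAY = "https://gateway.sms77.de"     # taken from the sms77.de test above
SECRET_FILE = "/etc/send_sms.secret"     # same file as in the test above
COUNTRY_CODE = "49"                      # assumption; UCR .../sms/country_code in the test

# Same placeholder style as the custom mail body ({username}, {token}).
DEFAULT_TEMPLATE = "Hi {username}, your password reset token is '{token}'."


def secret_file_ok(mode, uid):
    """True only for a root-owned file with no group/other permission bits.

    A secret file left readable by other accounts would expose the gateway
    API key, so the script refuses to proceed rather than silently sending.
    """
    return uid == 0 and not (stat.S_IMODE(mode) & 0o077)


def parse_credentials(line):
    """Split one 'user:apikey' line into (user, apikey); reject anything else."""
    user, sep, key = line.strip().partition(":")
    if not sep or not user or not key:
        raise ValueError("expected 'user:apikey' in the secret file")
    return user, key


def read_credentials(path):
    st = os.stat(path)
    if not secret_file_ok(st.st_mode, st.st_uid):
        raise PermissionError("%s must be owned by root with mode 0600" % path)
    with open(path) as fh:
        return parse_credentials(fh.readline())


def normalize_number(address, country_code):
    """Reduce a stored mobile number to digits with an international prefix.

    Accepts '+49 170 1234567', '0170-1234567' or '00491701234567'. The address
    is user-editable contact data, so anything that is not a plausible number
    is rejected instead of being handed to the gateway.
    """
    digits = re.sub(r"[\s/\-()]", "", address)
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = country_code + digits[1:]
    if not re.fullmatch(r"[1-9]\d{6,14}", digits):
        raise ValueError("not a usable mobile number: %r" % address)
    return digits


def build_request(env, credentials, country_code, template=DEFAULT_TEMPLATE):
    """Return the URL-encoded POST body for the gateway.

    Every field goes through urlencode, so spaces, quotes or '&' in the token
    or username cannot terminate a field or inject an additional one.
    """
    try:
        username = env["selfservice_username"]
        address = env["selfservice_address"]
        token = env["selfservice_token"]
    except KeyError as exc:
        raise KeyError("missing environment variable %s" % exc)
    if not token:
        raise ValueError("empty token; refusing to send")
    user, key = credentials
    fields = [
        ("u", user),
        ("p", key),
        ("to", normalize_number(address, country_code)),
        ("type", "direct"),
        ("text", template.format(username=username, token=token)),
        ("from", "0000"),
    ]
    return urlencode(fields).encode("ascii")


def main():
    body = build_request(os.environ, read_credentials(SECRET_FILE), COUNTRY_CODE)
    with urlopen(Request(GATEWAY, data=body, method="POST")) as resp:
        # A non-zero exit tells the self-service that no token was delivered.
        sys.exit(0 if resp.status == 200 else 1)


if __name__ == "__main__":
    main()
```

Pointing umc/self-service/passwordreset/sms/command at this script (installed root-owned, mode 0700, like the shell wrapper) gives the same effect as the curl example, with the difference that a wrong chmod on the secret file or a malformed phone number aborts the request instead of producing a failed or misrouted message.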
Comment 38 Sönke Schwardt-Krummrich univentionstaff 2015-11-16 22:29:56 CET
Redirection after password change works as expected. 
Tested with relative URLs:
https://10.200.18.70/univention-self-service/?lang=de-DE&url=/umc/#passwordchange
and absolute URLs (external blocked URL):
https://10.200.18.70/univention-self-service/?url=http://www.univention.de/#passwordchange
Comment 39 Stefan Gohmann univentionstaff 2015-11-17 12:12:25 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".