Univention Bugzilla – Bug 37890
Password reset self service
Last modified: 2015-12-07 11:45:38 CET
A customer suggested a self service for UCS@school users so they are able to reset their own password over a second communication channel. Currently an additional person with more access permissions is required to reset a user password (student → teacher → school admin → domain admins). By implementing a second communication channel (e.g. SMS or eMail to a private mail address), a user would be able to reset its own account without further help.
Moved to UCS.
(In reply to Sönke Schwardt-Krummrich from comment #0)
> A customer suggested a self service for UCS@school users so they are able to
> reset their own password over a second communication channel.

It should also be possible to change the password in a normal way with this service. Currently, the user needs to log on in UMC, which isn't always the best way.
Another customer requested this for UCS.
I have found two candidates for existing OSS projects that we could use:
* Self Service Password
* PWM

Self Service Password:
* http://ltb-project.org/wiki/documentation/self-service-password
* PHP
* project seems dormant
* features:
  - Reset by questions
  - Reset by mail challenge
  - Reset by SMS
  - reCAPTCHA
* should be fairly easy to adapt
* css needs to be adapted

PWM:
* https://github.com/jrivard/pwm
* Java in Tomcat
* project active, but last release from 2/19/14
* features:
  - everything of Self Service Password
  - anything else you can think of
* complex to integrate: configure tomcat, use either sql or install custom ldap schema, deactivate most of its features
* default look is ok

We could also consider implementing it ourselves. Using a Python micro web framework like bottle or flask it could be done really quickly:
* landing page
  - where user can enter username
    → if the user has an external email address or mobile number stored in the contacts section → send link/token via mail or mail-sms-gateway (or pluggable sms-provider-api).
  - Token gets stored in extAttrib or sqlite.
  - Optionally integrate reCAPTCHA by google.
* pw-change page for email/sms-token
  - email-link contains token or
  - field for token from mail/sms
  - form for new password
    → try to set pw → possibly return with error msg if pw-policy-fail
Implemented in packages univention-self-service, univention-self-service-passwordreset and univention-management-console-module-passwordreset in source package univention-self-service.

The UMC backend univention-management-console-module-passwordreset must be installed on a UCS master/backup DC. The frontend packages univention-self-service and univention-self-service-passwordreset can be installed on any UCS role.

The frontend selects the backend server with:

  ucr.get("self-service/backend-server", ucr.get("ldap/master"))

As the backend installs a UCS "service" in LDAP, the selection may be done smarter.

Permissions to run the UMC calls on the backend are granted to all univentionMemberserver and univentionDomainController (using their machine account).

Needs a UI now (#39597).
(In reply to Daniel Tröder from comment #5)
> Needs a UI now (#39597).

The implementation has changed a little bit due to UI build package reasons, see Bug #39597.

I guess this bug needs a changelog entry (changelog-4.1-0.xml) and can be closed?
The translation will not work the way it is currently implemented:

  _('some_string {}'.format(arg))

The error messages are also IMHO not user friendly, verbose enough or understandable. Please provide error messages which can be presented to the user in the frontend.

  "Failed to change contact information." → why?
  "Unknown group '{}'." → what context?
  …

I personally don't like the "except-everything" clauses: If the code contains errors, just let them raise so that at least the traceback can be represented to the user, who is able to report it back to us.
We currently get a response when requesting a token twice saying: "Token for user 'test' still valid. Please retry in one hour." This is not good from a usability standpoint. In the frontend we need to differentiate between a regular error and this "error". Can you please adjust this so that it either returns 200 or better at all: send another token (and let it fail e.g. after the 10th request).
(In reply to Johannes Keiser from comment #8)
> We currently get a response when requesting a token twice saying:
> "Token for user 'test' still valid. Please retry in one hour."
>
> This is not good from a usability standpoint. In the frontend we need to
> differentiate between a regular error and this "error".
> Can you please adjust this so that it either returns 200 or better at all:
> send another token (and let it fail e.g. after the 10th request).

I have created a separate bug for this: Bug #39720
(In reply to Florian Best from comment #7)
> The translation will not work the way it is currently implemented:
> _('some_string {}'.format(arg))

Fixed in 65101.

> The error messages are also IMHO not user friendly, verbose enough or
> understandable. Please provide error messages which can be presented to the
> user in the frontend.
>
> "Failed to change contact information." → why?
> "Unknown group '{}'." → what context?
> …

Fixed in 65102.

> I personally don't like the "except-everything" clauses: If the code contains
> errors just let them raise so that at least the traceback can be represented
> to the user which is able to report it back to us.

There are no "except-everything" clauses that are not followed by a "raise".
The backends are ready for QA. Removed debug messages in commit 65144 (0.0.0-26).
univention-self-service and univention-self-service-passwordreset-umc are unmaintained. If these packages become UCS components, please add the packages to base/univention-dvd/tasks/ucs410/task-ucs410. Otherwise just add them to svn/triggers/ucs_4.1-0.txt
Currently, get_reset_methods only returns an array. For i18n, however, we need an array of id-label-pairs where the label is localized, e.g.:

  [{"id": "email", label: "E-Mail"}, ... ]
Done in r65165 (but untested).
univention-dvd task added in r65171.
Commit 65240 adds the UMC function passwordreset/get_contact.

  # curl -s -H "Content-Type: application/json" -H "Accept-Language: de_DE" -X POST \
      -d '{"username":"test1","password":"test1"}' \
      http://10.200.3.26/univention-self-service/passwordreset/get_contact | json_xs
  {
     "message" : null,
     "result" : [
        {
           "label" : "SMS",
           "value" : "123",
           "id" : "sms"
        },
        {
           "id" : "email",
           "value" : "test1neu@example.com",
           "label" : "E-Mail"
        }
     ]
  }
Password change:
For some cases I only get English response messages. It seems that the German translation is missing.

1.) Successfully changing the password
--> German msg is also: Password successfully changed.

2.) Entering a wrong username or password
--> German msg is also: The authentication has failed, please login again.
Is it possible to change this message? I would prefer to tell the user that the provided username or password is wrong.

Password reset:
Requesting the reset methods for a user that has not defined one method yet still returns a response with an empty array:

  passwordreset/get_reset_methods
  {"message": null, "result": []}

I would prefer to respond with an error (status code >=400) and a message that no reset method is known and so the user can not reset his/her password.

TY
(In reply to Alexander Kramer from comment #17)
> Password change:
> For some cases I only get English response messages. It seems that the
> German translation is missing.
>
> 1.) Successfully changing the password
> --> German msg is also: Password successfully changed.

This is a problem in UMC. Somehow the locale is not set there or not translated. A separate bug will be used for this.

> 2.) Entering a wrong username or password

Fixed in r65349 (setting locale before auth()).

> --> German msg is also: The authentication has failed, please login again.
> Is it possible to change this message? I would prefer to tell the user that
> the provided username or password is wrong.

That is the reply that UMC gets from PAM :/

> Password reset:
> Requesting the reset methods for a user that has not defined one method
> yet, still returns a response with an empty array:
> passwordreset/get_reset_methods
> {"message": null, "result": []}
>
> I would prefer to respond with an error (status code >=400) and a message
> that no reset method is known and so the user can not reset his/her password.

Done in r65356.
→ HTTP/1.1 400
→ {"message": "F\u00fcr diesen Benutzer ist keine Methode zum Passwort zur\u00fccksetzen vorhanden."}
(In reply to Daniel Tröder from comment #18)
> (In reply to Alexander Kramer from comment #17)
> > Password change:
> > For some cases I only get English response messages. It seems that the
> > German translation is missing.
> >
> > 1.) Successfully changing the password
> > --> German msg is also: Password successfully changed.
> This is a problem in UMC. Somehow the locale is not set there or not
> translated. A separate bug will be used for this.

Fixed by commit r65361.
With univention-self-service 1.0.2-2.26.201511101303 I can not send an empty email str to set_contact:

  curl 'https://10.200.36.12/univention-self-service/passwordreset/set_contact' \
    -H 'Pragma: no-cache' \
    -H 'Origin: https://10.200.36.12' \
    -H 'Accept-Encoding: gzip,deflate' \
    -H 'Accept-Language: de-DE' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.120 Chrome/37.0.2062.120 Safari/537.36' \
    -H 'Content-Type: application/json' \
    -H 'Accept: */*' \
    -H 'Cache-Control: no-cache' \
    -H 'X-Requested-With: XMLHttpRequest' \
    -H 'Cookie: _pk_id.14.8a18=e35b44ae2f60dad1.1447147485.4.1447157327.1447157148.; _pk_ses.14.8a18=*' \
    -H 'Connection: keep-alive' \
    -H 'Referer: https://10.200.36.12/univention-self-service/?lang=de-DE' \
    --data-binary '{"username":"jane","password":"univention","email":"","mobile":"123"}' \
    --compressed

Out of /var/log/univention/self-service-error.log:

  [10/Nov/2015:13:13:44] Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 169, in trap
      return func(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 96, in __call__
      return self.nextapp(environ, start_response)
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 379, in tail
      return self.response_class(environ, start_response, self.cpapp)
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 248, in __init__
      self.write = start_response(outstatus, outheaders)
  ValueError: status message was not supplied
  [10/Nov/2015:13:13:44] Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 193, in trap
      self.start_response(s, h, _sys.exc_info())
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 169, in trap
      return func(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 96, in __call__
      return self.nextapp(environ, start_response)
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 379, in tail
      return self.response_class(environ, start_response, self.cpapp)
    File "/usr/lib/python2.7/dist-packages/cherrypy/_cpwsgi.py", line 248, in __init__
      self.write = start_response(outstatus, outheaders)
  ValueError: status message was not supplied

FYI: No problem if I do not send a mobile number - is email required?
A request to get_contact gives me this:

  {"message": null, "result": [{"id": "sms", "value": "123", "label": "SMS"}, {"id": "email", "value": "hi@du.da", "label": "E-Mail"}]}

But a request to set_contact requires the id 'mobile'. Can you please change the id 'sms' and label 'SMS' to mobile/Mobile for 'get_contact'.
Can we also change these messages?:

  EN: User is blacklisted.
  DE: Benutzer ist auf der schwarzen Liste.

Maybe like:

  EN: Service is not available for this user.
  DE: Der Dienst steht für diesen Benutzer nicht zur Verfügung.
Comment 21+22: done in r65381
In addition to adding the packages to the dvd in comment #15, I added u-self-service-passwordreset-umc and u-self-service to the download-packages script in univention-system-setup. This ensures that the packages are available in UCS appliances.

r65421 univention-system-setup 9.0.2-9.924.201511111635
Added a script (r65486) to en/disable modules.
The token email contains the following URLs, but neither of them is correct:

  https://master73.nstx.local/self-service/passwordreset/
  → 404 not found
  https://master73.nstx.local/self-service/passwordreset/token/TAQyK6EQsBp70n…
  → 404 not found
Being just curious... why is there a "umc/" prefix to most of the UCR variables?

  self-service/backend-server: master73.nstx.local
  self-service/passwordchange/web/enabled: yes
  self-service/passwordreset/web/enabled: yes
  self-service/web/enabled: yes
  umc/self-service/passwordreset/blacklist/groups: Administrators,Domain Admins
  umc/self-service/passwordreset/blacklist/users: <empty>
  umc/self-service/passwordreset/email/enabled: yes
  umc/self-service/passwordreset/email/server: localhost
  umc/self-service/passwordreset/email/token_length: <empty>
  umc/self-service/passwordreset/enabled: yes
  umc/self-service/passwordreset/external/command: <empty>
  umc/self-service/passwordreset/external/enabled: no
  umc/self-service/passwordreset/external/method: <empty>
  umc/self-service/passwordreset/external/token_length: <empty>
  umc/self-service/passwordreset/sms/enabled: no
  umc/self-service/passwordreset/sms/server: <empty>
  umc/self-service/passwordreset/sms/token_length: <empty>
  umc/self-service/passwordreset/whitelist/groups: Domain Users
  umc/self-service/passwordreset/whitelist/users: <empty>
1) user without contact → set contact: OK → resetpw: OK
2) user with expired pw → set contact: OK → resetpw: OK, not expired any longer
3) user with disabled account → set contact: OK → resetpw: OK, still disabled
4) user with locked account → set contact: OK → resetpw: OK, still locked

→ Apache web service is disabled via UCR → OK (test cmds follow)

  root@master73:~# ucr set self-service/passwordchange/web/enabled='no'
  Setting self-service/passwordchange/web/enabled
  File: /etc/apache2/sites-available/univention-self-service
  root@master73:~# invoke-rc.d apache2 reload
  Restarting web server: apache2 ... waiting .
  root@master73:~# ucr set self-service/passwordchange/web/enabled='yes'
  Setting self-service/passwordchange/web/enabled
  File: /etc/apache2/sites-available/univention-self-service
  root@master73:~# invoke-rc.d apache2 reload
  Reloading web server config: apache2.
  root@master73:~# ucr set self-service/passwordreset/web/enabled='no'
  Setting self-service/passwordreset/web/enabled
  File: /etc/apache2/sites-available/univention-self-service
  root@master73:~# invoke-rc.d apache2 reload
  Reloading web server config: apache2.
  root@master73:~# ucr set self-service/passwordreset/web/enabled='yes'
  Setting self-service/passwordreset/web/enabled
  File: /etc/apache2/sites-available/univention-self-service
  root@master73:~# invoke-rc.d apache2 reload
  Reloading web server config: apache2.
  root@master73:~#

→ please note that the web page is still accessible but will fail upon first button click

→ OK: ucr set umc/self-service/passwordreset/email/token_length=10

→ REOPEN: umc/self-service/passwordreset/external/ldap_attribute is irritating because it's not the LDAP attribute that has to be specified but the UDM users/user property name (e.g. "PasswordRecoveryMobile" for the extended attribute). A description is also missing.

→ REOPEN: a UCR variable should provide the ability to redefine the default label for the "external" method. Currently the German UI provides "Extern" and "E-Mail". I think it's important to redefine "Extern" via UCR to something else like e.g. "Jabber". → add umc/self-service/passwordreset/external/method_label

→ REOPEN: minor bug: in send_with_external.py the class name is called "SendWithExernal" (→ missing "t")

→ REOPEN: send_with_external.py → the environment variables should be something more unique like "selfservice_username", "selfservice_address", "selfservice_token".

Tested external method with the following setup:

  ucr set repository/online/unmaintained="yes"
  univention-install sendxmpp
  ucr set repository/online/unmaintained="no"
  cat > /usr/bin/send_jabber <<EOF
  #!/bin/sh
  #
  echo "Hello \$username, your password recovery token is \$token. Greetings, Administrator" | sendxmpp -f /etc/send_jabber.cfg --tls "\$address"
  EOF
  chmod a+x /usr/bin/send_jabber
  echo "sampleaccount@jabber.org myPassW0rd" > /etc/send_jabber.cfg
  chmod 0600 /etc/send_jabber.cfg
  ucr set umc/self-service/passwordreset/external/enabled='yes' \
    umc/self-service/passwordreset/external/command="/usr/bin/send_jabber" \
    umc/self-service/passwordreset/external/method=xmpp \
    umc/self-service/passwordreset/external/token_length=12 \
    umc/self-service/passwordreset/external/ldap_attribute=description
  eval "$(ucr shell)"
  udm users/user modify --dn "uid=user1,cn=users,$ldap_base" \
    --set description="user1@jabber.org"
  udm users/user modify --dn "uid=user2,cn=users,$ldap_base" \
    --set description="user2@jabber.org"
  udm users/user modify --dn "uid=user3,cn=users,$ldap_base" \
    --set description="user3@jabber.org"

→ REOPEN: send_sms.py → contains raise NotImplementedError("Text message sending not yet implemented") → maybe we should remove send_sms.py and provide a description for integrating external commands?

→ REOPEN: send_sms.py → uses umc/self-service/passwordreset/email/token_length instead of umc/self-service/passwordreset/sms/token_length

→ ENHANCEMENT: optionally the path of email_body.txt should be definable via UCR
Side note: My tests of the web interface have been performed with chromium 46 and firefox 42.

→ REOPEN: *.inst + *.uinst
1) $ldap_base is not escaped/quoted → will fail if there is whitespace in the LDAP base DN
2) wrong argument order for nearly all udm calls
   →→→ incorrect: udm container/cn "$@" modify
   →→→ correct is: udm container/cn modify "$@"

→ REOPEN: 65univention-self-service-passwordreset-umc.uinst
1) do NOT unregister the LDAP schema; during the update slapcat+slapadd is performed and this will fail if there are still attributes in LDAP using this deregistered LDAP schema

→ NOTE: debian/univention-self-service-passwordreset-umc.postinst
1) "if ! grep -q relayhost /etc/postfix/main.cf; then" and following lines:
   → this message is never seen by the user if installed via App Center
2) message improvements:
     echo "Please check the configuration of the local mail system. It must be configured"
     echo "to deliver mails to external systems directly or via a relay host."
     echo "Please consult the UCS documentation for configuration of a mail relay host:"
3) Quoting variables with filenames is always a good idea. They may contain whitespace, e.g.:
     touch $DB_SECRET_FILE

→ REOPEN: debian/univention-self-service-passwordreset-umc.postinst
1) umc/self-service/passwordreset/external/enabled=no is set the hard way → during update the external command will be disabled automatically
2) The postgres DB setup should be moved to the join script. If the DB setup fails because postgres was down, the joinscript should fail and the user is able to re-execute it. Currently, if postgres is unavailable, the DB setup will not take place.

→ REOPEN: univention-self-service.postinst
1) ldap/master may be undefined during package installation because the system has not joined the domain yet. Please set UCR variable "self-service/backend-server" in the join script (and restart services if required).

→ REOPEN: univention-self-service.postrm
1) are the UCR variables unset intentionally? During package update, *.postrm is also called.
   dpkg script execution order and script arguments during upgrade from package version 1 to version 2:
     prerm-1 upgrade 2
     preinst-2 upgrade 1
     ==> unpacking version2
     ==> removing files of version1 that are not part of version2 and no conffile
     postrm-1 upgrade 2
     postinst-2 configure 1
2) why is apache restarted in postrm? is the restart in univention-self-service.prerm not sufficient?

→ REOPEN: umc/python/passwordreset/__init__.py
1) Why is the list of blacklisted groups and users always extended by a hard coded list of users/groups? This way, the admin is never able to allow password recovery for a user that is a member of one of these groups, even if he sets the UCR variable for blacklisted groups/users manually.
     GRP_BLACKLIST = ["Domain Admins", "Windows Hosts", "DC Backup Hosts", "DC Slave", "Hosts", "Computers",
                      "Backup Join", "Slave Join", "World Authority", "Null Authority", "Nobody",
                      "Enterprise Domain Controllers", "Remote Interactive Logon", "SChannel Authentication",
                      "Digest Authentication", "Terminal Server User", "NTLM Authentication",
                      "Other Organization", "This Organization", "Anonymous Logon", "Network Service",
                      "Creator Group", "Creator Owner", "Local Service", "Owner Rights", "Interactive",
                      "Restricted", "Network", "Service", "System", "Batch", "Proxy", "IUSR", "Self",
                      "Performance Log Users", "DnsUpdateProxy", "Cryptographic Operators", "Schema Admins",
                      "Backup Operators", "Administrators", "Domain Computers",
                      "Windows Authorization Access Group", "IIS_IUSRS", "RAS and IAS Servers",
                      "Network Configuration Operators", "Account Operators", "Distributed COM Users",
                      "Read-Only Domain Controllers", "Terminal Server License Servers", "Replicator",
                      "Allowed RODC Password Replication Group", "Denied RODC Password Replication Group",
                      "Enterprise Admins", "Group Policy Creator Owners", "Server Operators",
                      "Domain Controllers", "DnsAdmins", "Cert Publishers", "Incoming Forest Trust Builders",
                      "Event Log Readers", "Pre-Windows 2000 Compatible Access", "Remote Desktop Users",
                      "Performance Monitor Users", "Certificate Service DCOM Access",
                      "Enterprise Read-Only Domain Controllers"]
2) Sidenote for
     chars = string.ascii_letters.replace("l", "").replace("I", "").replace("O", "") + string.digits
   If "l", "I" and "O" are removed, "0" and "1" should also be removed, to avoid user confusion if the user uses "ugly" fonts.

→ REOPEN: js/ucs/de.po
1) already mentioned earlier, but for completeness: found missing translation:
     #: setcontactinformation.js:134
     msgid "Mobile"
     msgstr ""
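The landing-page → token → password-change flow sketched in comment #4, the "token still valid, please retry in one hour" behaviour discussed in comment #8, and the confusable-character note on the module's chars line in comment #29 are combined below into one added example. This is not code from the univention-self-service packages: the alphabet (ascii letters and digits without l, I, O, 0 and 1), the one-hour lifetime, the cap of ten tokens per user per window and the in-memory dict standing in for the packages' SQLite/PostgreSQL token table are assumptions of the example. A repeated request issues a fresh token instead of returning an error, and the store keeps only a hash of each token, so a copied table does not contain usable tokens.

```python
"""Added example (not code from the univention-self-service packages): a
minimal reset-token store.  Constructed assumptions: one-hour lifetime,
at most ten tokens per user per window, an in-memory dict instead of the
packages' SQLite/PostgreSQL table."""
import hashlib
import hmac
import secrets
import string
import time

# Alphabet without the glyphs flagged as confusable in "ugly" fonts:
# l, I and O as in the module's `chars`, plus 0 and 1 as suggested.
CONFUSABLE = "lIO01"
TOKEN_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in CONFUSABLE
)


def generate_token(length=12):
    """Token of `length` characters drawn with a CSPRNG (secrets), so the
    value sent over the second channel cannot be predicted."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Issues and redeems tokens; stores only a hash, so a leaked table
    does not expose usable tokens."""
    TTL = 3600          # seconds; matches "Please retry in one hour"
    MAX_REQUESTS = 10   # cap per user per window (comment #8 suggests ~10)

    def __init__(self, now=time.time):
        self._now = now             # injectable clock for testing
        self._rows = {}             # username -> (digest, expires_at, count)

    def can_request(self, username):
        """False once a user hit MAX_REQUESTS inside an unexpired window."""
        _, expires, count = self._rows.get(username, (None, 0.0, 0))
        return not (expires > self._now() and count >= self.MAX_REQUESTS)

    def request(self, username, length=12):
        """Issue a fresh token (invalidating any earlier one) and return it
        for delivery; a repeated request gets a new token instead of a
        'still valid' error, until the cap is reached."""
        if not self.can_request(username):
            raise RuntimeError("too many token requests for %r" % username)
        now = self._now()
        _, expires, count = self._rows.get(username, (None, 0.0, 0))
        count = count + 1 if expires > now else 1
        token = generate_token(length)
        self._rows[username] = (_digest(token), now + self.TTL, count)
        return token

    def redeem(self, username, token):
        """True exactly once for the current, unexpired token of a user."""
        row = self._rows.get(username)
        if row is None:
            return False
        digest, expires, _ = row
        if self._now() > expires:
            del self._rows[username]
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False
        del self._rows[username]     # single use
        return True


if __name__ == "__main__":
    store = TokenStore()
    t = store.request("test1")
    print("token to send:", t, "redeemed:", store.redeem("test1", t))
```

The length parameter plays the role of the per-method token_length UCR variables; the comparison uses hmac.compare_digest so that redeeming does not leak timing information about the stored hash.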
→ REOPEN: Either the blacklist is not working or my configuration was wrong:

  root@master73:~# id anton2
  uid=2023(anton2) gid=5023(Domain Users gsmitte) Gruppen=5023(Domain Users gsmitte),5020(schueler-gsmitte),5090(gsmitte-1B)
  root@master73:~# ucr set umc/self-service/passwordreset/blacklist/groups=\
  'Administrators,Domain Admins,gsmitte-1B'
  Setting umc/self-service/passwordreset/blacklist/groups
  root@master73:~# invoke-rc.d apache2 restart
  Restarting web server: apache2 ... waiting .
  root@master73:~#

Afterwards I tried to get a token for "anton2" and to reset the user's password. Both steps were successful.
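The test above (anton2 is a member of gsmitte-1B, the group is added to the blacklist, yet a token is still issued) and the remark in comment #29 that a hard-coded GRP_BLACKLIST is always merged into the admin's list are illustrated by the following added check. It is not the module's code: the semantics (a user may use the service only if matched by a whitelist entry and by no blacklist entry; unset or "<empty>" means an empty list; no built-in extra list is merged in) and the sample UCR values are assumptions, the whitelist in the sample is extended with the school group "Domain Users gsmitte" so that the blacklist alone decides.

```python
"""Added example, not code from univention-self-service: evaluating the
umc/self-service/passwordreset/{whitelist,blacklist}/{users,groups} UCR
variables for one user before a reset token is issued.  Assumed semantics:
whitelist match required, any blacklist match wins, admin values only."""

PREFIX = "umc/self-service/passwordreset/"


def parse_ucr_list(value):
    """Split a comma-separated UCR value; unset or '<empty>' (as shown in
    the listing in comment #27) gives an empty set."""
    if value is None or value.strip() in ("", "<empty>"):
        return set()
    return {item.strip() for item in value.split(",") if item.strip()}


def reset_allowed(username, groups, ucr):
    """Return (allowed, reason) for `username` with the given group names.
    The reason is meant for the log; the user only sees a generic message."""
    groups = set(groups)
    wl_users = parse_ucr_list(ucr.get(PREFIX + "whitelist/users"))
    wl_groups = parse_ucr_list(ucr.get(PREFIX + "whitelist/groups"))
    bl_users = parse_ucr_list(ucr.get(PREFIX + "blacklist/users"))
    bl_groups = parse_ucr_list(ucr.get(PREFIX + "blacklist/groups"))
    if username in bl_users:
        return False, "user is blacklisted"
    blocked = sorted(groups & bl_groups)
    if blocked:
        return False, "member of blacklisted group(s): %s" % ", ".join(blocked)
    if username in wl_users or groups & wl_groups:
        return True, "ok"
    return False, "user matches no whitelist entry"


# Constructed sample mirroring the test in comment #30: the groups that
# `id anton2` reported, the blacklist set there, and a whitelist that also
# names the school's "Domain Users gsmitte" group (assumption).
SAMPLE_GROUPS = ["Domain Users gsmitte", "schueler-gsmitte", "gsmitte-1B"]
SAMPLE_UCR = {
    PREFIX + "whitelist/groups": "Domain Users,Domain Users gsmitte",
    PREFIX + "whitelist/users": "<empty>",
    PREFIX + "blacklist/groups": "Administrators,Domain Admins,gsmitte-1B",
    PREFIX + "blacklist/users": "<empty>",
}

if __name__ == "__main__":
    print(reset_allowed("anton2", SAMPLE_GROUPS, SAMPLE_UCR))
```

With the sample values anton2 is refused because of gsmitte-1B; dropping that group from the blacklist lets the whitelist match through, and an entry in blacklist/users refuses the user regardless of groups.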
Created attachment 7297 [details]
bug_37890.diff

The attached patch addresses the following issues:
* Fix quoting in join scripts
* Use the right order for UDM arguments
* Don't unregister the LDAP schema while removing the package
* Move UCR commands from the postinst to the join script
* send_sms.py: use ../sms/token_length instead of ../email/token_length
* Remove GRP_BLACKLIST and USER_BLACKLIST
* Use custom_groupname
* Move self-service/backend-server from postinst to join script
* js/ucs/de.po: Added translation for Mobile
* Unset UCR variables only on remove in postrm script
(In reply to Sönke Schwardt-Krummrich from comment #26)
> The token email contains the following URLs, but neither of them is correct:
>
> https://master73.nstx.local/self-service/passwordreset/
> → 404 not found
> https://master73.nstx.local/self-service/passwordreset/token/TAQyK6EQsBp70n…
> → 404 not found

fixed in r65524

(In reply to Sönke Schwardt-Krummrich from comment #27)
> Being just curious... why is there a "umc/" prefix to most of the UCR
> variables?
>
> self-service/backend-server: master73.nstx.local
> self-service/passwordchange/web/enabled: yes
> self-service/passwordreset/web/enabled: yes
> self-service/web/enabled: yes
> umc/self-service/passwordreset/blacklist/groups: Administrators,Domain Admins
> umc/self-service/passwordreset/blacklist/users: <empty>
> umc/self-service/passwordreset/email/enabled: yes
> umc/self-service/passwordreset/email/server: localhost
> umc/self-service/passwordreset/email/token_length: <empty>
> umc/self-service/passwordreset/enabled: yes
> umc/self-service/passwordreset/external/command: <empty>
> umc/self-service/passwordreset/external/enabled: no
> umc/self-service/passwordreset/external/method: <empty>
> umc/self-service/passwordreset/external/token_length: <empty>
> umc/self-service/passwordreset/sms/enabled: no
> umc/self-service/passwordreset/sms/server: <empty>
> umc/self-service/passwordreset/sms/token_length: <empty>
> umc/self-service/passwordreset/whitelist/groups: Domain Users
> umc/self-service/passwordreset/whitelist/users: <empty>

Historically the packages were to be installed separately on frontend and backend servers. UCRs that refer to configuration that is meant to be configured on the frontends start with 'self-service', UCRs that must be configured on backends and are used by a UMC module start with 'umc'. As the packages are now to be installed on dc master/backup only, the distinction is no longer useful and could be removed.

→ Please decide on the naming and I will make the necessary changes.
(In reply to Sönke Schwardt-Krummrich from comment #28)
> → Apache web service is disabled via UCR → OK (test cmds follow)
>
> [..]
>
> → please note, that the web page is still accessible but will fail upon
> first button click

Was "fixed" in r65486 / 1.0.2-8 by adding a script to en/disable modules. It sets the corresponding ucs/web/overview/entries/... additionally to self-service/*/web/enabled. The script should be advertised for that purpose (App-README_POST (r65523) and blog post: Bug #39461).

> → OK: ucr set umc/self-service/passwordreset/email/token_length=10

> → REOPEN: umc/self-service/passwordreset/external/ldap_attribute is
> irritating because its not the LDAP attribute that has to be specified but
> the UDM users/user property name (e.g. "PasswordRecoveryMobile" for the
> extended attribute).

Changed in r65526: ldap_attribute → udm_property

> A description is also missing

That was on purpose, as discussed a while ago. The functionality of set_contact_data() is not generalized enough to allow for arbitrary data to be saved. While changing that isn't really difficult, it is not necessary in the first release.

> → REOPEN: a UCR variable should provide the ability to redefine the default
> label for the "external" method. Currently the german UI provides "Extern"
> and "E-Mail". I think it's important to redefine "Extern" via UCR to
> something else like e.g. "Jabber". → add
> umc/self-service/passwordreset/external/method_label

Added UCRV umc/self-service/passwordreset/external/method_label with default _("External") in r65527.

> → REOPEN: minor bug: in send_with_external.py the class name is called
> "SendWithExernal" (→ missing "t")

→ r65528

> → REOPEN: send_with_external.py → the environment variables should be
> something more unique like "selfservice_username", "selfservice_address",
> "selfservice_token".

→ r65528

> → REOPEN: send_sms.py
> → contains raise NotImplementedError("Text message sending not yet
> implemented")

The method is disabled by default, as it hadn't been decided how to proceed with it. It would be simple to make it more useful. I could complete the example with sipgate as provider tomorrow. It's very easy, I have done this before: https://github.com/dansan/sms_notify_if_host_down/blob/master/notify_sms/sipgate_sms.py

> → maybe we should remove send_sms.py and provide a description for
> integrating external commands?

IMHO that is what the external method is for, and should be part of the blog post (and sdb?). The idea of the sms-example was to show admins a way to create a method directly in python in the framework. The advantages are: auto-discovery of new modules, use of the logging system, add more than 1 method, and for us, that we can modify the BaseClass and add more functionality if our customers need it.

> → REOPEN: send_sms.py
> → uses umc/self-service/passwordreset/email/token_length instead of
> umc/self-service/passwordreset/sms/token_length

→ r65529

> → ENHANCEMENT: optionally the path of email_body.txt should be definable via
> UCR

→ r65529

Maybe the current example text file should be moved, so users can be pointed to it, for reference (current location is /usr/share/pyshared/univention/management/console/modules/passwordreset/sending/email_body.txt).
r65533 adds support for sending text messages with Sipgate.
(In reply to Sönke Schwardt-Krummrich from comment #30)
> → REOPEN: Either the blacklist is not working or my configuration was
> wrong:
>
> root@master73:~# id anton2
> uid=2023(anton2) gid=5023(Domain Users gsmitte) Gruppen=5023(Domain Users
> gsmitte),5020(schueler-gsmitte),5090(gsmitte-1B)
> root@master73:~# ucr set umc/self-service/passwordreset/blacklist/groups=\
> 'Administrators,Domain
> Admins,gsmitte-1B'
> Setting umc/self-service/passwordreset/blacklist/groups
> root@master73:~# invoke-rc.d apache2 restart
> Restarting web server: apache2 ... waiting .
> root@master73:~#
>
> Afterwards I tried to get a token for "anton2" and to reset the user's
> password. Both steps were successful.

* fixed in r65545 (typo).
* Mobile numbers are now more securely handled, when sending a text message.
Wrong command order within postinst (see below). As far as I can see, univention-self-service.postinst should call the join script as last action. Especially the user has to be created before the joinscript is called/apache is restarted.

  univention-self-service (1.0.2-16.32.201511161217) wird eingerichtet ...
  File: /usr/share/univention-self-service/www/languages.json
  File: /etc/apache2/sites-available/univention-self-service
  Calling joinscript 34univention-self-service.inst ...
  2015-11-12 05:20:19.328706807+01:00 (in joinscript_init)
  Object exists: cn=services,cn=univention,dc=nstx,dc=local
  Object created: cn=univention-self-service,cn=services,cn=univention,dc=nstx,dc=local
  Object modified: cn=master70,cn=dc,cn=computers,dc=nstx,dc=local
  Object created: cn=selfservice-umc-servers,cn=UMC,cn=policies,dc=nstx,dc=local
  Object modified: cn=selfservice-umc-servers,cn=UMC,cn=policies,dc=nstx,dc=local
  Object modified: cn=dc,cn=computers,dc=nstx,dc=local
  Object modified: cn=memberserver,cn=computers,dc=nstx,dc=local
  Create self-service/backend-server
  Create self-service/web/enabled
  Module: ox-config
  File: /etc/apache2/sites-available/univention-self-service
  Module wsgi already enabled
  Enabling site univention-self-service.
  To activate the new configuration, you need to run:
    service apache2 reload
  apache2: bad user name self-service
  Action 'configtest' failed.
  The Apache error log may have more information.
   failed!
  invoke-rc.d: initscript apache2, action "restart" failed.
  apache2: bad user name self-service
  Action 'configtest' failed.
  The Apache error log may have more information.
   failed!
  invoke-rc.d: initscript apache2, action "restart" failed.
  2015-11-12 05:20:25.940802872+01:00 (in joinscript_save_current_version)
  Joinscript 34univention-self-service.inst finished with exitcode 0
  Fresh installation...
  Lege Systembenutzer »self-service« (UID 127) an ...
  Lege neue Gruppe »self-service« (GID 130) an ...
  Lege neuen Benutzer »self-service« (UID 127) mit Gruppe »self-service« an ...
  Erstelle Home-Verzeichnis »/home/self-service« nicht.
  Create self-service/passwordreset/web/enabled
  Create ucs/web/overview/entries/service/passwordreset/description
  Create ucs/web/overview/entries/service/passwordreset/description/de
  Create ucs/web/overview/entries/service/passwordreset/label
r65572: fix postinst, remove dependency for specific version of PostgreSQL
r65575: add description for UCRV umc/self-service/passwordreset/external/udm_property (formerly known as .../ldap_attribute)
Ok, Self Service contains no show blocker:
- tested sending mails
  - with default body
  - with custom mail body
- tested sending SMS (see below for example)
- tested sending via external (fails → no blocker, bug 39979)
- join scripts are ok
- unjoin scripts are not executed before deinstallation (→ bug 39980, no blocker)
→ VERIFIED

Sending SMS via service sms77.de (the heredoc delimiter is quoted so that the ${...} variables are expanded when the script runs, not when the file is written):

  # univention-install -y curl
  # echo "myuser:mySMS77APIkey" > /etc/send_sms.secret
  # chmod 0600 /etc/send_sms.secret
  # chown root:root /etc/send_sms.secret
  # cat > /usr/bin/send_sms << 'EOF'
  #!/bin/sh
  exec curl https://gateway.sms77.de \
    -d "u=${sms_username}" \
    -d "p=${sms_password}" \
    -d "to=${selfservice_address}" \
    -d "type=direct" \
    -d "text=Hi ${selfservice_username}, your password reset token is '${selfservice_token}'. Greetings, your admin" \
    -d "from=0000"
  EOF
  # chown root:root /usr/bin/send_sms
  # chmod 700 /usr/bin/send_sms
  # ucr set umc/self-service/passwordreset/sms/enabled=yes \
      umc/self-service/passwordreset/sms/command=/usr/bin/send_sms \
      umc/self-service/passwordreset/sms/country_code=49 \
      umc/self-service/passwordreset/sms/password_file=/etc/send_sms.secret
  #

Sending mail with custom mail body:

  # ucr set umc/self-service/passwordreset/email/text_file=/etc/send_mail
  # cat > /etc/send_mail << EOF
  Hi {username},
  your token is {token}.
  Please visit {link} or click here: {tokenlink}
  Greetings, your admin
  EOF
  #
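The send_sms script above receives the recipient, the user name and the token through environment variables (the names agreed on in comments #28 and #31) and its API credentials from a 0600 password file. The backend side of that contract, as an added example that is not the packages' own code, is shown below: the token and the recipient are passed only through the environment, never interpolated into a shell string, so they are neither subject to shell expansion nor visible in the process list, and the token is never written to the log. The sms_username/sms_password mapping for the "user:secret" file, the reduced environment, the 30 second timeout and the logging policy are assumptions of this example.

```python
"""Added example, not the packages' own code: running the admin-supplied
sending command (umc/self-service/passwordreset/sms/command or
.../external/command) for one token.  The environment variable names
selfservice_username, selfservice_address and selfservice_token are the
ones the send_sms script above reads; the 'user:secret' password-file
format follows /etc/send_sms.secret there.  The sms_username/sms_password
mapping, the reduced environment, the timeout and the logging policy are
assumptions of this example."""
import logging
import os
import subprocess
import sys

log = logging.getLogger("passwordreset.sending")


def parse_credentials(text):
    """Map the first line 'user:secret' of the password file onto the
    variables the send_sms script expects; the secret may contain ':'."""
    first = (text.strip().splitlines() or [""])[0]
    user, _, secret = first.partition(":")
    return {"sms_username": user, "sms_password": secret}


def load_credentials(path):
    """Read the 0600 password file named by .../sms/password_file."""
    with open(path) as fh:
        return parse_credentials(fh.read())


def run_sending_command(command, username, address, token,
                        extra_env=None, timeout=30):
    """Run `command` (argv list) with the token and recipient passed only via
    the environment: nothing user-controlled is interpolated into a shell
    string or visible in the process list.  Returns True on exit code 0."""
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "selfservice_username": username,
        "selfservice_address": address,
        "selfservice_token": token,
    }
    env.update(extra_env or {})
    try:
        proc = subprocess.run(command, env=env, stdin=subprocess.DEVNULL,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        log.error("sending command %s timed out after %ss", command[0], timeout)
        return False
    if proc.returncode != 0:
        # Exit code and stderr are logged; the token itself never is.
        log.error("sending command %s failed (exit %d): %s",
                  command[0], proc.returncode, proc.stderr.strip())
        return False
    log.info("token for %s handed to %s", username, command[0])
    return True


# Constructed stand-ins for an admin's script, used for a self-check:
# the first succeeds only if all three variables arrived non-empty,
# the second always fails, the third never finishes in time.
DEMO_COMMAND = [sys.executable, "-c",
                "import os, sys; sys.exit(0 if all(os.environ.get(k) for k in "
                "('selfservice_username', 'selfservice_address', "
                "'selfservice_token')) else 1)"]
FAILING_COMMAND = [sys.executable, "-c", "import sys; sys.exit(3)"]
SLOW_COMMAND = [sys.executable, "-c", "import time; time.sleep(5)"]

if __name__ == "__main__":
    creds = parse_credentials("myuser:mySMS77APIkey")   # constructed value
    print(run_sending_command(DEMO_COMMAND, "test1", "+491701234567",
                              "TOKEN", extra_env=creds))
```

The command is an argv list, so an address such as "+49 170 1234567; rm -rf /" is just an environment value for the script to quote, and a script that hangs on a provider outage is killed after the timeout instead of blocking the UMC worker.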
Redirection after password change works as expected. Tested with relative URLs:

  https://10.200.18.70/univention-self-service/?lang=de-DE&url=/umc/#passwordchange

and absolute URLs (external blocked URL):

  https://10.200.18.70/univention-self-service/?url=http://www.univention.de/#passwordchange
UCS 4.1 has been released: https://docs.software-univention.de/release-notes-4.1-0-en.html https://docs.software-univention.de/release-notes-4.1-0-de.html If this error occurs again, please use "Clone This Bug".