Univention Bugzilla – Bug 43565
Self service web frontend does not function on DC slave anymore
Last modified: 2017-04-04 18:29:59 CEST
In 4.1-x it was possible to install univention-self-service on a DC slave from which the WSGI process would contact the UMC module on the DC master to reset a password. The WSGI process has been replaced with an anonymous UMC module in 4.2. The logic for contacting the DC master from a DC slave has not been integrated at the moment. +++ This bug was initially created as a clone of Bug #42267 +++ The self service will be integrated into the main menu of the UCS 4.2 portal and UMC. For this, we will also improve some usability aspects as suggested by Alex Kramer. Screenshots can be found at: https://mail.univention.de/appsuite/#!&app=io.ox/files&folder=1206&id=1206/1396
univention-self-service (2.0.4-1): r76969 | Bug #43565: proxy all requests to the UCR set self-service/backend-server Interim-version, no changelog required.
Please document all changes at the respective bugs. You changed the behavior again in r77378 for slaves. But i think the change is not enough -> reopen I think we discussed that the package univention-self-service-passwordreset-umc has to be installed on DC slaves for it to work. But if it is installed, 35univention-self-service-passwordreset-umc.inst will terminate early, and e.g. umc/self-service/passwordreset/enabled?yes and all other UCRVs are not set, which results in an error when trying to login. I tried to fix it by removing the server role check and reexecution of the joinscript, but now when logging in i get a 503 for command/passwordreset/get_contact, and the following log entries: ==> /var/log/univention/management-console-module-passwordreset.log <== 06.03.17 17:03:32.853 DEBUG_INIT 06.03.17 17:03:33.575 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'. 06.03.17 17:03:33.580 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled. 06.03.17 17:03:33.583 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled. 06.03.17 17:03:33.583 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64' 06.03.17 17:03:33.595 MODULE ( PROCESS ) : Die Verbindungen zum Server konnte nicht aufgebaut werden. Bitte versuchen Sie es später erneut. Fehlermeldung: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)')) ==> /var/log/univention/management-console-web-server.log <== 06.03.17 17:03:33.596 MAIN ( PROCESS ) : CPCommand (192.168.0.249:40442) response status code: 503 06.03.17 17:03:33.596 MAIN ( PROCESS ) : CPCommand (192.168.0.249:40442) response message: Die Verbindungen zum Server konnte nicht aufgebaut werden. Bitte versuchen Sie es später erneut. Fehlermeldung: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)')) 06.03.17 17:03:33.596 MAIN ( PROCESS ) : CPCommand (192.168.0.249:40442) response result: None
The restrictions in the joinscript have been reverted. I think this is okay. Everything which only needs to be done on the DC Master needs to be in a specific if-block in the joinscript but I think all current input in there is okay to run also on the DC Slave. Except the service registration? univention-self-service (2.0.6-1): r77416 | Bug #42132: revert joinscript restrictions
There is a check in uss-passwordreset-umc that has to be adapted: if ! [ "$server_role" = "domaincontroller_master" -o "$server_role" = "domaincontroller_backup" ]; then echo "ERROR: This package must be installed on a DC master or DC backup!" The package registers a portal link to /univention-self-service, which does not work. Should it be removed, as the intention is that the self-service is to be used from the menu? This error i noticed in comment2 still persists: After installing on a slave login to configure self-service produces an error: Die Verbindungen zum Server konnte nicht aufgebaut werden. Bitte versuchen Sie es später erneut. Fehlermeldung: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))
(In reply to Erik Damrose from comment #4) > There is a check in uss-passwordreset-umc that has to be adapted: > > if ! [ "$server_role" = "domaincontroller_master" -o "$server_role" = > "domaincontroller_backup" ]; then > echo "ERROR: This package must be installed on a DC master or DC > backup!" OK: removed > The package registers a portal link to /univention-self-service, which does > not work. Should it be removed, as the intention is that the self-service is > to be used from the menu? They have been removed. > This error i noticed in comment2 still persists: After installing on a slave > login to configure self-service produces an error: Die Verbindungen zum > Server konnte nicht aufgebaut werden. Bitte versuchen Sie es später erneut. > Fehlermeldung: ('Could not send request.', SSLError(1, u'[SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)')) Please fix your system certificates or open a generic bug. Also some rest code from UCS 4.1 has been removed. univention-self-service (2.0.9-1): r77501 | Bug #43565: remove unused self-service things from UCS 4.1 r77500 | Bug #43565: remove unused self-service things from UCS 4.1 r77499 | Bug #43565: remove unused self-service things from UCS 4.1
(In reply to Florian Best from comment #5) > Also some rest code from UCS 4.1 has been removed. > univention-self-service (2.0.9-1): > r77501 | Bug #43565: remove unused self-service things from UCS 4.1 > r77500 | Bug #43565: remove unused self-service things from UCS 4.1 > r77499 | Bug #43565: remove unused self-service things from UCS 4.1 I added a comment to the German blog entry that mentions the "univention-self-service-modules" script. (The English blog doesn't allow comments!?) It will be here: https://www.univention.de/2015/11/self-services-fuer-passwort-reset-in-ucs-4-1/#comment-5612 It is currently awaiting moderation.
reopen: I installed univention-self-service univention-self-service-passwordreset-umc (2.0.9-8A~4.2.0.201703151133) and ran all join scripts on a slave. When trying to login as user univention to setup a mail address, i get Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 178, in _recv self.handle(msg) File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 178, in _recv self.handle(msg) File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 286, in handle self.__handler.init() File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 209, in init self.db = TokenDB(MODULE) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/tokendb.py", line 53, in __init__ self.conn = self.open_db() File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/tokendb.py", line 113, in open_db with open(DB_SECRETS_FILE) as pw_file: IOError: Die Initialisierung des Moduls ist fehlgeschlagen: Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 178, in _recv self.handle(msg) File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 286, in handle self.__handler.init() File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 209, in init self.db = TokenDB(MODULE) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/tokendb.py", line 53, in __init__ self.conn = self.open_db() File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/tokendb.py", line 113, in open_db with open(DB_SECRETS_FILE) as pw_file: IOError: [Errno 2] Datei oder Verzeichnis nicht gefunden: '/etc/self-service-db.secret' Die Initialisierung des Moduls ist fehlgeschlagen:
univention-self-service (2.0.10-1): r77732 | Bug #43565: fix module initialization on DC Slave
Verified: password reset works on slave
UCS 4.2 has been released: https://docs.software-univention.de/release-notes-4.2-0-en.html https://docs.software-univention.de/release-notes-4.2-0-de.html If this error occurs again, please use "Clone This Bug".