Univention Bugzilla – Bug 44627
integrate self-service with ucs@school
Last modified: 2017-12-21 12:23:03 CET
In a UCS@school multi server context the following UCR variable blocks the self service module: umc/self-service/passwordreset/whitelist/groups: Domain User This variable is set by the 35univention-self-service-passwordreset-umc.inst join-script. Following error occurred: 17.05.17 17:26:05.537 DEBUG_INIT 17.05.17 17:26:06.008 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled. 17.05.17 17:26:06.011 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled. 17.05.17 17:26:06.017 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'. 17.05.17 17:26:06.020 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64' 17.05.17 17:26:06.098 ADMIN ( WARN ) : modules update_extended_attributes: custom field for tab Password recovery: failed to set tabPosition 17.05.17 17:26:06.119 MODULE ( PROCESS ) : Either username or password is incorrect or you are not allowed to use this service. By unset the UCR variable the self service will work. Workaround: ucr unset umc/self-service/passwordreset/whitelist/groups
In UCS@school the students/teacher aren't in "Domain Users" but in "Domain Users $SCHOOL".
Please explain what is not working (tested user account, group membership, etc).
is_blacklisted() always returns True. That's used e.g. in set contact data.
(In reply to Daniel Tröder from comment #2) > Please explain what is not working (tested user account, group membership, > etc). The school users are not able to edit there mail address to protect their account (see screenshot).
Created attachment 8863 [details] self-service-error
Please retry with ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL" If that is the problem, this could be added to a ou_post_create hook.
(In reply to Daniel Tröder from comment #6) > Please retry with > > ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get > umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL" Perfect, that works. > > If that is the problem, this could be added to a ou_post_create hook. There should be a hook, but also an automated way during the installation of the self-service to set all "Domain Users $SCHOOL" groups of a running environment.
Create a new package univention-self-service-ucsschool to * install a ou_post_create hook * run: for SCHOOL in $(univention-ldapsearch -LLL objectClass=ucsschoolOrganizationalUnit ou | egrep ^ou | cut -f 2 -d ' '); do ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL"; done Alternatively "univention-ldapsearch -LLL '(cn=Domain Users *)' cn | ..."
Just had the same problem with another customer.
First of all. Nice design of the new "change password" feature! Unfortunately we got the same issue during a workshop with the customer today. Though, for me it is not a "Feature Request". In addition I would like to add that the UCR variable must be set on the master: ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL" We installed the portal + self-service on a member in the DMZ.
When fixed * create SDB article * link to SDB article in UCS@school manual
9a5ee260: add tool to modify UCR list values 97e48501: add join script and ou post-create hook to handle self-service whitelist e611c61d: advisories 39cb4347: advisories ucs-school-lib 10.0.2-9 ucs-school-selfservice-support 1.0.0-1 TODO: manual entry
I don't think a SDb-article makes sense. There will be the changelog, and the ProfS will tell their customers about it. I added a section to the manual: [4.2 bad2affd] Bug #44627: add section about ucs-school-selfservice-support to manual http://jenkins.knut.univention.de:8080/job/UCSschool%204.2/job/Manual/17/artifact/webroot/ucsschool-handbuch-4.2.pdf
1. I think it should run out of the box. Now school admins need to install a package manually. → We should either install the package always or make it a recommends of univention-self-service. 2. If you remove a school the UCR variable is not cleaned up.
(In reply to Florian Best from comment #14) > 1. I think it should run out of the box. Now school admins need to install a > package manually. It needs to only be installed once on the DC master. > → We should either install the package always or I don't think we should maintain UCRVs for a package that is not installed. > make it a recommends of univention-self-service. I'm not sure about the Debian policy regarding this. Recommending a package from a different, possibly not installed repository, may mess up dependency calculation. IMHO it is OK to expect the administrator of a UCS@school DC master to read the manual, and install the package on the DC master. If he doesn't and later complains about it, all that needs to be done to fix the situation is to install the package. > 2. If you remove a school the UCR variable is not cleaned up. Yes, but there is no support for a ou_remove_post.d hook. I removed one OU with the LDAP browser and one from the "Schools" UMC-wizard and in neither case the hook I installed was invoked. The ucs-school-import package also does not install such a directory in /usr/share/ucs-school-import/hooks/. The unnecessary entry in the UCR does not obstruct the function.
Improvement for commit 7a5414df953ef320a7debb3240e7cb1f022220a5: https://git.knut.univention.de/univention/ucsschool/commit/7a5414df953ef320a7debb3240e7cb1f022220a5 (In reply to Daniel Tröder from comment #15) > (In reply to Florian Best from comment #14) > > 1. I think it should run out of the box. Now school admins need to install a > > package manually. > It needs to only be installed once on the DC master. > > > → We should either install the package always or > I don't think we should maintain UCRVs for a package that is not installed. I think, it's ok for now to not install the package automatically. > > make it a recommends of univention-self-service. > I'm not sure about the Debian policy regarding this. Recommending a package > from a different, possibly not installed repository, may mess up dependency > calculation. apt-get has no problems with missing "Recommends" packages. At most points we urge apt-get to install recommended packages automatically, but not at all AFAIR. > IMHO it is OK to expect the administrator of a UCS@school DC master to read > the manual, and install the package on the DC master. If he doesn't and > later complains about it, all that needs to be done to fix the situation is > to install the package. Yes, I think this is currently sufficient. > > 2. If you remove a school the UCR variable is not cleaned up. > Yes, but there is no support for a ou_remove_post.d hook. I removed one OU > with the LDAP browser and one from the "Schools" UMC-wizard and in neither > case the hook I installed was invoked. The ucs-school-import package also > does not install such a directory in /usr/share/ucs-school-import/hooks/. > > The unnecessary entry in the UCR does not obstruct the function. I think, this is ok for now.
If Sönke says so, VERIFIED.
UCS@school 4.2 v6 has been released. http://docs.software-univention.de/changelog-ucsschool-4.2v6-de.html If this error occurs again, please clone this bug.