Bug 44627 - integrate self-service with ucs@school
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.2
Other Linux
: P5 normal (vote)
: UCS@school 4.2 v6
Assigned To: Daniel Tröder
Florian Best
:
Depends on:
Blocks:
Reported: 2017-05-17 17:31 CEST by Tobias Birkefeld
Modified: 2017-12-21 12:23 CET

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017052221000272
Bug group (optional): Usability
Max CVSS v3 score:


Attachments
self-service-error (32.79 KB, image/png)
2017-05-18 11:31 CEST, Tobias Birkefeld
Description Tobias Birkefeld univentionstaff 2017-05-17 17:31:22 CEST
In a UCS@school multi server context the following UCR variable blocks the self service module:
umc/self-service/passwordreset/whitelist/groups: Domain User

This variable is set by the 35univention-self-service-passwordreset-umc.inst join-script.

The following error occurred:

17.05.17 17:26:05.537  DEBUG_INIT
17.05.17 17:26:06.008  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
17.05.17 17:26:06.011  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
17.05.17 17:26:06.017  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
17.05.17 17:26:06.020  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
17.05.17 17:26:06.098  ADMIN       ( WARN    ) : modules update_extended_attributes: custom field for tab Password recovery: failed to set tabPosition
17.05.17 17:26:06.119  MODULE      ( PROCESS ) : Either username or password is incorrect or you are not allowed to use this service.


By unsetting the UCR variable the self service will work.

Workaround:
ucr unset umc/self-service/passwordreset/whitelist/groups
Comment 1 Florian Best univentionstaff 2017-05-17 17:36:35 CEST
In UCS@school the students/teacher aren't in "Domain Users" but in "Domain Users $SCHOOL".
Comment 2 Daniel Tröder univentionstaff 2017-05-18 09:00:27 CEST
Please explain what is not working (tested user account, group membership, etc).
Comment 3 Florian Best univentionstaff 2017-05-18 10:59:52 CEST
is_blacklisted() always returns True. That's used e.g. in set contact data.
Comment 4 Tobias Birkefeld univentionstaff 2017-05-18 11:30:37 CEST
(In reply to Daniel Tröder from comment #2)
> Please explain what is not working (tested user account, group membership,
> etc).

The school users are not able to edit their mail address to protect their account (see screenshot).
Comment 5 Tobias Birkefeld univentionstaff 2017-05-18 11:31:16 CEST
Created attachment 8863
self-service-error
Comment 6 Daniel Tröder univentionstaff 2017-05-18 12:05:09 CEST
Please retry with

ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL"

If that is the problem, this could be added to a ou_post_create hook.
Comment 7 Tobias Birkefeld univentionstaff 2017-05-18 12:26:48 CEST
(In reply to Daniel Tröder from comment #6)
> Please retry with
> 
> ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get
> umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL"

Perfect, that works.

> 
> If that is the problem, this could be added to a ou_post_create hook.

There should be a hook, but also an automated way during the installation of the self-service to set all "Domain Users $SCHOOL" groups of a running environment.
Comment 8 Daniel Tröder univentionstaff 2017-05-18 12:58:29 CEST
Create a new package univention-self-service-ucsschool to
* install a ou_post_create hook
* run:

for SCHOOL in $(univention-ldapsearch -LLL objectClass=ucsschoolOrganizationalUnit ou | egrep ^ou | cut -f 2 -d ' '); do
    ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL";
done

Alternatively "univention-ldapsearch -LLL '(cn=Domain Users *)' cn | ..."
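
Added example, not part of the comment above and not the Univention tool named in comment 12: the loop as posted appends to the whitelist on every run and produces a leading comma when the variable is empty, so this version edits the comma-separated value idempotently and also covers removal of a deleted school's group. The function names are hypothetical and the sample values are constructed; only the `ucr get` / `ucr set` calls and the variable name come from this thread.

```shell
#!/bin/sh
# Added example (not Univention code): idempotent edits to a comma-separated
# list value such as umc/self-service/passwordreset/whitelist/groups.
# Function names are hypothetical.

# list_add LIST ITEM: print LIST with ITEM appended unless already present.
list_add() {
    list=$1 item=$2
    [ -n "$item" ] || return 1
    case ",$list," in
        *",$item,"*) printf '%s\n' "$list" ;;        # exact entry already listed
        ",,")        printf '%s\n' "$item" ;;        # empty value: no leading comma
        *)           printf '%s\n' "$list,$item" ;;
    esac
}

# list_remove LIST ITEM: print LIST without ITEM and without empty entries.
list_remove() {
    list=$1 item=$2 out=
    old_ifs=$IFS; IFS=,; set -f                      # split on commas only, no globbing
    for entry in $list; do
        if [ -n "$entry" ] && [ "$entry" != "$item" ]; then
            out=${out:+$out,}$entry
        fi
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$out"
}

# Apply to the live variable with the ucr commands shown in this thread.
whitelist_add_school() {
    var=umc/self-service/passwordreset/whitelist/groups
    ucr set "$var=$(list_add "$(ucr get "$var")" "Domain Users $1")"
}

# Constructed sample values: adding the same school twice lists it once.
v=$(list_add "Domain Users" "Domain Users school1")
v=$(list_add "$v" "Domain Users school1")
printf '%s\n' "$v"
```

Matching on whole entries between commas keeps "Domain Users school1" from being treated as present when only "Domain Users school10" is listed.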
Comment 9 Michael Grandjean univentionstaff 2017-05-22 11:25:35 CEST
Just had the same problem with another customer.
Comment 10 Michel Smidt 2017-05-30 20:16:08 CEST
First of all, nice design of the new "change password" feature! Unfortunately we got the same issue during a workshop with the customer today. Though, for me it is not a "Feature Request".
In addition I would like to add that the UCR variable must be set on the master:
ucr set umc/self-service/passwordreset/whitelist/groups="$(ucr get umc/self-service/passwordreset/whitelist/groups),Domain Users $SCHOOL"
We installed the portal + self-service on a member in the DMZ.
Comment 11 Daniel Tröder univentionstaff 2017-06-06 11:19:27 CEST
When fixed
* create SDB article
* link to SDB article in UCS@school manual
Comment 12 Daniel Tröder univentionstaff 2017-10-20 11:52:05 CEST
9a5ee260: add tool to modify UCR list values
97e48501: add join script and ou post-create hook to handle self-service whitelist
e611c61d: advisories
39cb4347: advisories

ucs-school-lib 10.0.2-9
ucs-school-selfservice-support 1.0.0-1

TODO: manual entry
Comment 13 Daniel Tröder univentionstaff 2017-10-20 14:52:25 CEST
I don't think an SDB article makes sense. There will be the changelog, and the ProfS will tell their customers about it. I added a section to the manual:

[4.2 bad2affd] Bug #44627: add section about ucs-school-selfservice-support to manual

http://jenkins.knut.univention.de:8080/job/UCSschool%204.2/job/Manual/17/artifact/webroot/ucsschool-handbuch-4.2.pdf
Comment 14 Florian Best univentionstaff 2017-11-28 15:13:44 CET
1. I think it should run out of the box. Now school admins need to install a package manually.
→ We should either install the package always or make it a recommends of univention-self-service.

2. If you remove a school the UCR variable is not cleaned up.
Comment 15 Daniel Tröder univentionstaff 2017-11-29 08:49:23 CET
(In reply to Florian Best from comment #14)
> 1. I think it should run out of the box. Now school admins need to install a
> package manually.
It needs to only be installed once on the DC master.

> → We should either install the package always or
I don't think we should maintain UCRVs for a package that is not installed.

> make it a recommends of univention-self-service.
I'm not sure about the Debian policy regarding this. Recommending a package from a different, possibly not installed repository, may mess up dependency calculation.

IMHO it is OK to expect the administrator of a UCS@school DC master to read the manual, and install the package on the DC master. If he doesn't and later complains about it, all that needs to be done to fix the situation is to install the package.

> 2. If you remove a school the UCR variable is not cleaned up.
Yes, but there is no support for a ou_remove_post.d hook. I removed one OU with the LDAP browser and one from the "Schools" UMC-wizard and in neither case the hook I installed was invoked. The ucs-school-import package also does not install such a directory in /usr/share/ucs-school-import/hooks/.

The unnecessary entry in the UCR does not obstruct the function.
Comment 16 Sönke Schwardt-Krummrich univentionstaff 2017-11-29 17:38:33 CET
Improvement for commit 7a5414df953ef320a7debb3240e7cb1f022220a5:
https://git.knut.univention.de/univention/ucsschool/commit/7a5414df953ef320a7debb3240e7cb1f022220a5

(In reply to Daniel Tröder from comment #15)
> (In reply to Florian Best from comment #14)
> > 1. I think it should run out of the box. Now school admins need to install a
> > package manually.
> It needs to only be installed once on the DC master.
> 
> > → We should either install the package always or
> I don't think we should maintain UCRVs for a package that is not installed.

I think, it's ok for now to not install the package automatically.

> > make it a recommends of univention-self-service.
> I'm not sure about the Debian policy regarding this. Recommending a package
> from a different, possibly not installed repository, may mess up dependency
> calculation.

apt-get has no problems with missing "Recommends" packages. At most points we urge apt-get to install recommended packages automatically, but not at all AFAIR.
 
> IMHO it is OK to expect the administrator of a UCS@school DC master to read
> the manual, and install the package on the DC master. If he doesn't and
> later complains about it, all that needs to be done to fix the situation is
> to install the package.

Yes, I think this is currently sufficient.
 
> > 2. If you remove a school the UCR variable is not cleaned up.
> Yes, but there is no support for a ou_remove_post.d hook. I removed one OU
> with the LDAP browser and one from the "Schools" UMC-wizard and in neither
> case the hook I installed was invoked. The ucs-school-import package also
> does not install such a directory in /usr/share/ucs-school-import/hooks/.
> 
> The unnecessary entry in the UCR does not obstruct the function.

I think, this is ok for now.
Comment 17 Florian Best univentionstaff 2017-11-30 16:57:35 CET
If Sönke says so, VERIFIED.
Comment 18 Sönke Schwardt-Krummrich univentionstaff 2017-12-21 12:23:03 CET
UCS@school 4.2 v6 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.2v6-de.html

If this error occurs again, please clone this bug.