Univention Bugzilla – Bug 48447
Self service manage contact data - backend
Last modified: 2019-03-12 13:40:27 CET
Users should be able to manage their own contact data and update their picture. Admins should be able to define which attributes the users can manage. This bug covers the backend implementation, which includes managing the attribute list and the ACLs.
f98c8e0d univention-self-service branch: ucs44/selfservice package build by branchtest Added listener selfservice-userattributes.py to create and modify LDAP ACLs for user attributes. The ACLs are based on a UCR policy in cn=univention. Registration is done with the ucs_registerLDAPExtension lib function.
04.02.19 12:28:52.206 LISTENER ( PROCESS ) : updating 'cn=domain,cn=portal,cn=univention,dc=four,dc=three' command m
04.02.19 12:28:52.295 LISTENER ( PROCESS ) : updating 'cn=self-service-userattributes,cn=univention,dc=four,dc=three' command a
04.02.19 12:28:52.316 LISTENER ( ERROR ) : Error registering updated LDAP ACL!
usage: univention-self-service-register-acl ACL_FILENAME ACL_VERSION
04.02.19 12:28:53.937 LISTENER ( WARN ) : received signal 15
23910 Restarting slapd (via systemctl): slapd.service.
04.02.19 12:29:30.394 DEBUG_INIT
univention-self-service/univention-self-service-invitation| line 75 error | undefined name 'prog'
FYI: you can replace the old PEP 366 workaround in listeners with the following (see also Bug #42806):
-__package__ = '' # workaround for PEP 366
+from __future__ import absolute_import
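Review bot: the replacement line has a placement constraint the removed line did not have. `from __future__ import absolute_import` must be the first statement in the module (only the module docstring, comments, blank lines and other `__future__` imports may precede it), otherwise Python raises a SyntaxError at import time, whereas the `__package__ = ''` assignment could sit anywhere in the file. When applying this to existing listeners, check that nothing else (e.g. a logging setup or an `import` of a sibling module) is above it.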
91e7ae85
- increase joinscript version
- fix call of register script in listener
- cleanup u-self-service-invitation script
Looks good, maybe we could add a test for the LDAP ACLs.
5472a050 Added test 05_modify_userattributes_and_ldap_acl
(In reply to Erik Damrose from comment #7)
> 5472a050 Added test 05_modify_userattributes_and_ldap_acl
OK, works. I switch qa/assignee for the "merge" process.
Switch again, frontend wants some changes: no UCR policy, just one UCR variable selfservice/userattributes with a space-separated list of UDM attributes.
660c533 Use dedicated UCR variable to configure LDAP ACLs
Test was adapted as well, it now tests if it is possible to modify an allowed attribute and if it is impossible to configure another attribute.
(In reply to Erik Damrose from comment #10)
> 660c533 Use dedicated UCR variable to configure LDAP ACLs
> Test was adapted as well, it now tests if it is possible to modify an
> allowed attribute and if it is impossible to configure another attribute
Please merge to 4.4-0 branch.
Sorry, I did not see that you already merged the changes.
[4.4-0 59f49fe] Bug #48447 Merge branch 'ucs44/selfservice' into 4.4-0
[4.4-0 edf2ce5] Bug #48447: Use dedicated UCR variable to configure LDAP ACLs
Package: univention-self-service
Version: 4.0.1-4A~4.4.0.201902121426
Branch: ucs_4.4-0
FAIL - changelog entry missing
OK - univention-self-service
OK - test

ucr set self-service/ldap_attributes='l'

adds

access to filter="univentionObjectType=users/user" attrs=l
    by self write
    by * none break

to slapd.conf
(In reply to Felix Botner from comment #13)
> FAIL - changelog entry missing
>
> OK - univention-self-service
> OK - test
>
> ucr set self-service/ldap_attributes='l'
>
> adds
>
> access to filter="univentionObjectType=users/user" attrs=l
>     by self write
>     by * none break
>
> to slapd.conf
Please don't use "none"! Use +0 instead. Otherwise other LDAP ACLs which set write permissions prior to that line are not evaluated anymore.
(In reply to Florian Best from comment #14)
> Please don't use "none"! Use +0 instead. Otherwise other LDAP ACLs which
> set write permissions prior to that line are not evaluated anymore.
Thanks, I adapted the ACL definition.
04e7dbc1 Fix ACL, changelog
Package: univention-self-service
Version: 4.0.1-5A~4.4.0.201902131459
Branch: ucs_4.4-0
OK
The implementation doesn't consider that mailPrimaryAddress or uid also need ACLs for the temporary objects.

There is also an error in the error handling: IOError has no member "output".
Patch in branch fbest/48447-typo-in-error-handling:
https://git.knut.univention.de/univention/ucs/commit/65f142b1c93993419275a6012cf8ffffa6693829

The implementation allows things like:
ucr set self-service/ldap_attributes='@extensibleObject by * write stop'
(In reply to Florian Best from comment #17)
> The implementation doesn't consider that mailPrimaryAddress or uid also
> need ACLs for the temporary objects.
The first version of managing user data covers attributes from the user contact tab. We do not block or forbid configuring other attributes, but that is not supported.

> There is also an error in the error handling: IOError has no member "output".
> Patch in branch fbest/48447-typo-in-error-handling:
> https://git.knut.univention.de/univention/ucs/commit/65f142b1c93993419275a6012cf8ffffa6693829
Thanks, I incorporated the IOError fix.

> The implementation allows things like:
> ucr set self-service/ldap_attributes='@extensibleObject by * write stop'
Only admins can set this, and with admin level of access one already has domain-wide control anyway. Initially the configuration of access control was a bit more clever, but we scaled that back for the first implementation.
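The two review points above (use "+0 break" rather than "none break" in comment #14, and the unvalidated value of self-service/ldap_attributes in comment #17) can be illustrated in one place. The following is an added example written for this page; it is not the univention-self-service listener code. It assumes the UCR variable name and the object filter shown in comment #13, and the function names (parse_attribute_list, build_acl, is_valid_attribute_list) are hypothetical. It validates each token as an RFC 4512 attribute description before rendering the access clause, so ACL keywords such as "by", "*" or "@extensibleObject" cannot be spliced into slapd.conf, and it emits "+0 break" so that users other than self gain nothing from this directive while later directives are still evaluated.

```python
"""Render the self-service per-attribute LDAP ACL from a UCR-style value.

Added example for Bug 48447; not the project's own listener code.
"""
import re

# RFC 4512 attribute description: a keystring (letter, then letters, digits or
# hyphens), optionally followed by ";option" tags. Anything else, including
# "@objectClass" selectors, "*" and ACL keywords, is rejected up front.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")

# Filter from comment #13 / #14: only user objects are affected.
OBJECT_FILTER = "univentionObjectType=users/user"


def parse_attribute_list(value):
    """Split the space-separated UCR value and validate every token.

    Returns the attribute names in order (duplicates dropped, case-insensitive,
    as LDAP attribute names are). Raises ValueError on any token that is not a
    bare attribute name, so the value cannot extend the ACL grammar.
    """
    attrs = []
    for token in value.split():
        if not _ATTR_RE.match(token):
            raise ValueError(
                "invalid LDAP attribute name in self-service/ldap_attributes: %r" % token
            )
        if token.lower() not in [a.lower() for a in attrs]:
            attrs.append(token)
    return attrs


def is_valid_attribute_list(value):
    """Boolean form of the check, usable before ucr values are accepted."""
    try:
        parse_attribute_list(value)
    except ValueError:
        return False
    return True


def build_acl(value, fallthrough="+0"):
    """Render the slapd.conf access directive for the allowed attributes.

    "by self write" lets the user edit the listed attributes on their own entry.
    "by * +0 break" adds no privilege for anybody else and, because "+0" is an
    incremental level rather than an absolute one, leaves the access level
    untouched before "break" hands evaluation to the next directive. The
    absolute level "none" (the original version from comment #13) would reset
    the level here, which is what comment #14 objects to.
    """
    attrs = parse_attribute_list(value)
    if not attrs:
        # Empty or unset variable: render nothing rather than an ACL with attrs=.
        return ""
    return (
        'access to filter="%s" attrs=%s\n'
        "    by self write\n"
        "    by * %s break\n" % (OBJECT_FILTER, ",".join(attrs), fallthrough)
    )


if __name__ == "__main__":
    # Constructed sample values; the second one is the injection attempt from comment #17.
    print(build_acl("l mobile"))
    print("rejected:", not is_valid_attribute_list("@extensibleObject by * write stop"))
```

The regular expression is deliberately narrow: it accepts attribute descriptions with options (e.g. "cn;lang-de") but nothing with whitespace, "@", "!" or "*", so a value that would have changed the ACL's meaning fails at the listener instead of being written into slapd.conf and applied on the next slapd restart.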
UCS 4.4 has been released: https://docs.software-univention.de/release-notes-4.4-0-en.html https://docs.software-univention.de/release-notes-4.4-0-de.html If this error occurs again, please use "Clone This Bug".