Univention Bugzilla – Bug 50670
UMC actions that require credentials ask for password more than once in SAML sessions
Last modified: 2020-09-23 17:42:10 CEST
For example the App Center requires a password for sync/ldap and invoke and asks twice.
Seems to be a mere typo in the session handling. Apparently, the password attribute is named "_password". In my tests, it worked.
(Accidentally committed the fix below Bug #50498)
The change looks useless as Base.password is a @property which sets self._password. If this really works, please describe why.
Right. It worked in our tests. We stopped the module process and somehow the very first tools.umcpCommand did not show the password dialog (although this very bug states it should have). So we thought we fixed it. But it looks like it downgraded to SAML right after the initialization. So the second call already wanted the new password. Anyway, I think I got it right now. In protocol/session.py, there is a comment # only set the credentials in 1. a new session 2. if password changed or 3. if logged in via plain authentication But the if clause uses if ... or result.credentials['auth_type']: # reset credentials to what we get from umc-web-server (?) Unfortunately, "result.credentials['auth_type']" is the opposite of "3. if logged in via plain authentication". (It is None in this case) So I changed it to "if ... is None"
Okay, this looks better.
Code: OK YAML: OK Fix: OK -> Verified
Automatic test did not pass. Seems we overlooked something? At least the test needs to be fixed, but it may be that there is something else wrong.
Fixed in univention-management-console-web-server univention-management-console 11.0.4-52A~4.4.0.202001290956 At some point in UMC, the "Processor" dies, and with it the username/password information for new UMC modules. When a new UMC module is to be started, a new Processor is added and new credentials are requested by the client. The client is UMC-Webserver in this case. And it used to provide the SAML session again. Even if it was upgraded before. We fixed the behaviour and added a test: 82_saml/32_umc_upgrade_session It tests with the SAML test lib. For reasons yet unknown, a second, Selenium based test did not give proper results.
Now i get Your session has expired, please login again. The current session timed out. Please login again. => redirect to the umc login page after nearly every app installation. This happened before too, but not as regular as with this change.
(In reply to Felix Botner from comment #9) > Now i get > > Your session has expired, please login again. > The current session timed out. Please login again. > > => redirect to the umc login page > > after nearly every app installation. > > > This happened before too, but not as regular as with this change. You ran into bug 50804. Basically installing an app on a dc master causes all saml sessions to be invalidated.
as disscused, resolved
OK - no extra password dialog after umc restart OK - yaml
<http://errata.software-univention.de/ucs/4.4/442.html>