Bug 51245 - disable selfservice-invitation feature by default in UCS@school
disable selfservice-invitation feature by default in UCS@school
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.4
Other Linux
: P5 normal (vote)
: UCS@school 4.4 v6
Assigned To: Toni Röhmeyer
Daniel Tröder
:
: 50230 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-05-07 16:27 CEST by Daniel Tröder
Modified: 2020-08-05 17:07 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Tröder univentionstaff 2020-05-07 16:27:20 CEST
When a user is created with a set PasswordRecoveryEmail and pwdChangeNextLogin=1 the listener module selfservice-invitation.py in cooperation with a daemon will send an invitation email to the user. This feature was developed in Bug #48446.

In UCS@school this automatism is most likely not desired. So it should be disabled by default. But it should be possible to reenable it.

Listener and (mail sending) daemon can be disabled by umc/self-service/invitation/enabled=false

* Create a UCR policy for all central domain controllers (the self service component can be installed on DC master and DC backup systems) to disable the feature by default.
* Write a help article on how to reenable it (how to change the UCR policy). The article should not be published before the code change has been published.
Comment 1 Erik Damrose univentionstaff 2020-05-07 16:40:52 CEST
What should happen if there is another UCR policy already linked to the DCs?
Comment 2 Toni Röhmeyer univentionstaff 2020-05-27 13:18:30 CEST
Solution pushed to branch troehmey/bug51245 with commit

commit 1acba97e878294440a6685ca3ad90e5606e2655a
Bug #51245: Added UCR policy


The policy is created in the join-script
"ucs-school-selfservice-support/67ucs-school-selfservice-support.inst"

Executing this script leads to a result like this for each school listed on the ldap:

DN: cn=Invitation,cn=policies,ou=DEMOSCHOOL,dc=intranet,dc=roehmeyer,dc=de
  ldapFilter: None
  name: Invitation
  registry: umc/self-service/invitation/enabled false


The corresponding how-to article:

https://help.univention.com/t/how-to-re-enable-self-service-invitation-feature/15195
Comment 3 Tobias Wenzel univentionstaff 2020-05-29 12:29:25 CEST
Help-Article

All relevant information to reable are there, but

What is the motivation? 
-> Shortly explain what you changed and when your code is executed.
-> ...if you don't want that, you can reenable the invitation-policy (-> udm policies/registry modify ...)

When the code is published, also include a version.

I liked that you linked our documentation, this provides a good entry point for further investigations.


-----------------------


Code: 


Make sure, you don't nest "", your ide might help you there, e.g.:

--dn "cn=dc${OU}-1,cn=dc,cn=computers,ou=$OU,"$ldap_base"" \


The policy-reference is set to something else: 

	udm computers/domaincontroller_slave "$@" \
		--dn "cn=dc${OU}-1,cn=dc,cn=computers,ou=$OU,"$ldap_base"" \
		--policy-reference "cn=dhcpd_ldap_base,cn=policies,ou=$ou,"$ldap_base""

Maybe you meant:

       --policy-reference "cn=Invitation,cn=policies,ou=$ou,$ldap_base"

I figure, you got this from here:
https://docs.software-univention.de/ucsschool-handbuch-4.4.html#import


I would suggest using lowercase names, e.g. send_self_service_invitation instead of Invitation.

You only considered dc slave, but you if statement includes cd masters, too.

Was there a discussion about this?
   What should happen if there is another UCR policy already linked to the DCs?
Comment 4 Toni Röhmeyer univentionstaff 2020-05-29 18:11:48 CEST
Fixed code with commit

commit 368448abf1a6bec180c4444415bfd57a8365993f
Bug #51245: fixed policy reference

on branch troehmey/bug51245.

Resulting policy reference for DC: 

univentionPolicyReference: cn=send_self_service_invitation,cn=policies,ou=DEMOSCHOOL,dc=intranet,dc=roehmeyer,dc=de


Improved help article on help.univention.com
Comment 5 Tobias Wenzel univentionstaff 2020-06-12 10:59:29 CEST
QA -> REOPEN

Remarks: 
- If you create the policy at `cn=policies,$ldap_base`, you don't need to put the code into the school for-loop
- Don't forget the quotation mark in `name="send_self_service_invitation"`
- Add a parameter --ignore-exists in the create command (and please check if the values are left as is or modified)
- If the udm commands fail we want the script to `|| die`

If a user decided to create a policy at this position with the same name, we don't modify it but leave it as is.
Policies with different names, which set the same values are ignored.


Add this information to the help-article.
Comment 6 Toni Röhmeyer univentionstaff 2020-06-12 19:00:44 CEST
Applied fixes with commits

commit 91eec97e4d94178a0a42234cdc4551e6605b2ece
Bug #51245: moved udm commands out of the loop

commit ad12dfee3652eff8e6548d19f86d20a536671399
Bug #51245: added quotation marks


The ucr value does not get modified with --ignore_exist parameter.
Comment 7 Tobias Wenzel univentionstaff 2020-06-15 16:47:50 CEST
Thanks for the code changes!

QA -> all ok -> REOPEN for merge&build
Comment 8 Tobias Wenzel univentionstaff 2020-06-15 16:48:35 CEST
QA -> forgot to REOPEN
Comment 9 Toni Röhmeyer univentionstaff 2020-06-15 20:04:53 CEST
Merged to 4.4 with the following commits:

commit 075d0b0b3020572d521d0ec398d1ddad507428f3
Bug #51245: added yaml for ucs-school-selfservice_support

commit bf9f2c4bb24d068fa517f321c022bcc46cf562d3
Bug #51245: added changelog entry

commit 1769ff9e24d6342d1475f61a7417de4dc1895e1f
Bug #51245: Merge branch 'troehmey/bug51245' into 4.4


Successful build:

Package: ucs-school-selfservice-support
Version: 3.0.0-1A~4.4.0.202006151942
Branch: ucs_4.4-0
Scope: ucs-school-4.4



Help article has been modified to include the information from comment #5
Comment 10 Tobias Wenzel univentionstaff 2020-06-18 14:20:37 CEST
QA -> all ok -> VERIFY

No merge conflicts -> ok
Changelog -> ok
yaml -> ok

[4.4] a144dfd36 Bug #51245: added url to help article in yaml
[4.4] 075d0b0b3 Bug #51245: added yaml for ucs-school-selfservice_support
[4.4] bf9f2c4bb Bug #51245: added changelog entry
[4.4] 1769ff9e2 Bug #51245: Merge branch 'troehmey/bug51245' into 4.4
Comment 11 Florian Best univentionstaff 2020-06-18 23:37:23 CEST
REOPEN:
* This bug has no target milestone set.
* This bug makes changes in UCS but is set to the product UCS@school.
* The shell quoting for eval "$(ucr shell)" is missing.
Comment 12 Florian Best univentionstaff 2020-06-19 08:03:24 CEST
(In reply to Florian Best from comment #11)
> * This bug makes changes in UCS but is set to the product UCS@school.
Oups, that's wrong, sorry. I looked only in the branch name.
Comment 13 Tobias Wenzel univentionstaff 2020-06-19 16:18:45 CEST
Thanks for the open eyes!

I added the quotation marks and the milestone.

Package: ucs-school-selfservice-support
Version: 3.0.0-2A~4.4.0.202006191616
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 14 Michel Smidt 2020-06-24 15:37:16 CEST
*** Bug 50230 has been marked as a duplicate of this bug. ***
Comment 15 Daniel Tröder univentionstaff 2020-07-06 10:42:09 CEST
OK: quotation marks and MS

I have edited the help page:

- udm policies/registry modify --dn "<domain_name>" ...
+ DN="cn=send_self_service_invitation,cn=policies,$(ucr get ldap/base)"
+ udm policies/registry modify --dn "$DN" ...

I have updated the package version in the advisory:

[4.4 20b829ec8] Bug #51245: update advisory
Comment 16 Daniel Tröder univentionstaff 2020-08-05 17:07:40 CEST
UCS@school 4.4 v6 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.4v6-de.html

If this error occurs again, please clone this bug.