Univention Bugzilla – Bug 51469
Self Service not usable for Users after update 4.3-5 errata:0 to 4.4-4 errata:587
Last modified: 2020-07-15 16:21:10 CEST
Self-Service is installed on master. Customer reports after update the service is not working. They receives error message: An error occurred You are not authorized to perform this action. Server error message: No contact information is stored for this user. Resetting the password is not possible. UCR univentionPasswordSelfServiceEmail is set to an extrenal email address univention-app info UCS: 4.4-4 errata620 Installed: letsencrypt=1.2.2-8 self-service=4.0 self-service-backend=4.0 ucsschool=4.4 v5 Upgradable: Update was done (as far as I can see in config-registry.replog): set version/patchlevel=0 old:5 set version/version=4.4 old:4.3 set version/erratalevel=243 old:0 ... set version/erratalevel=617 old:587 (@end of update the day) Found this in config-registry.replog (but not sure if this points to the reason): 2020-06-02 11:33:56: unset 'umc/self-service/passwordreset/enabled' old:yes root@master:# ucr search --brief self-service/password |grep end/enabled umc/self-service/passwordchange/frontend/enabled: <empty> umc/self-service/passwordreset/backend/enabled: <empty> umc/self-service/passwordreset/frontend/enabled: <empty> Further information in Ticket. If anything is missing request it.
Does the error still occured once a the user object has been changed by an administrative account? I suspect this is an LDAP ACL issue, where the update introduced additional LDAP Attributes or Object Classes which will be filled with new defaults by UDM, but a normal user has no access rights for these during self service.
As far as I read the ticket history yes. Reporting customer has a domain admin account and a normal teacher account. He used his domain admin account to change his teacher account but still gets the error. All in all it would be a bug, if administrator activity is needed after an update for all users. ;) I logged into UMC and opened the affect teacher account; there was no popup that default values were added.
To prevent Misunderstandings; there are several accounts effected, but one is reported in the ticket. My last entry was not clearly in this context.
Does this only happen in the one customer environment, or can this be reproduced in another UCS domain?
Hmmm I used my History test VM and could not reproduce the behavior. But it is not a school enviroment and a standalone UCS master. I have no information about other customers complaining this.
Customer reports: the problem with the teacher passwords seems to have even increased, because the members of the group Admins can now also not reset teacher passwords. We tried this with two school-admin accounts that were able to change all teacher passwords of their schools until Whitsun, because they are in the respective admin group of their schools. In logfile management-console-module-passwordreset.log I see a lot of tracebacks: univention.lib.umc.ConnectionError: ('Could not send request.', CertificateError("hostname 'master.anonymized-local-name.intranet' doesn't match 'anonymized-hostname.anonymized-public-domain-name.de'",)) This started with update from 4.3-5 680 to 4.4-0, as far as I can see from the logfiles. Hint: letsencrypt is installed, in use and was updated in the same time. All UCS with the exception of 06/07: version/erratalevel: 648 version/patchlevel: 4 version/releasename: Blumenthal version/version: 4.4 06/07: version/erratalevel: 680 version/patchlevel: 5 version/releasename: Neustadt version/version: 4.3 It seems that the last errata were counterproductive (in this case and enviroment) We changed some things in self service to fix errorcode 20 problem. Please check possible interactions.
I suspect the certificate error to be the cause of the issues, as we cannot reproduce it in our internal environment yet. The bug state of NEEDMOREINFO is correct, we need to know if it works as expected, after sorting out the cert issue.
Cause for today reported problem is found. No Bug. Please ignore. Cause is, that the teacher user are member of school admin group but don't have the Option school-admin. So they see the app, but they are not allowed to use it. The attached traceback is also not part of the bug. So please ignore my statement today.
(In reply to Dirk Schnick from comment #9) > Cause for today reported problem is found. No Bug. Please ignore. > Cause is, that the teacher user are member of school admin group but don't > have the Option school-admin. So they see the app, but they are not allowed > to use it. > > The attached traceback is also not part of the bug. So please ignore my > statement today. I can't follow the thread anymore ;-) Can you make an updated summary what part of the bug report is still valid?
Still relevant is everything up to comment 5. The new reported problem has nothing to do with that bug. Problem/misbehavior was already checked with Erik, what is happening in the customer environment, should not happen. He needs to add debug code, what requires restart of management-console-web-server. We won't be able to do that until holidays. That's the actual status. ;)
It's not a bug; it's a feature, but the problem was based on an existing bug https://forge.univention.org/bugzilla/show_bug.cgi?id=50893 Will set this bug to resolved, it can be closed. *** This bug has been marked as a duplicate of bug 50893 ***
Verified duplicate, as Dirk and i fixed the issue in the customer environment