Bug 52215 - Adding a mail address to an existing working group is not possible
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Classes / Teachers / Workgroup assignment
UCS@school 4.4
Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v8
Assigned To: Ole Schwiegert
Daniel Tröder
Depends on:
Blocks:
Reported: 2020-10-13 18:16 CEST by Christina Scheinig
Modified: 2020-11-18 10:37 CET (History)
CC: 3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020101321000666
Bug group (optional):
Max CVSS v3 score:


Attachments
ACL patch for wg mail addresses (2.08 KB, patch)
2020-10-14 13:53 CEST, Ole Schwiegert

Description Christina Scheinig univentionstaff 2020-10-13 18:16:48 CEST
A customer reported a problem with the new mail address functionality for workgroups: adding a mail address to an existing workgroup is not possible; there is always the message that the mail address is already assigned, but it is not.

Master, Backup and school DC are on version UCS 4.4-6 Errata 767 with UCS@school 4.4 v7.

The UCR variable "ucsschool/workgroups/mailaddress" was set to the example value '{ou}-{name}@school.example.com', i.e. the way the addresses should look.
But adding a mail address when creating a new workgroup works without problems.
Comment 2 Daniel Tröder univentionstaff 2020-10-13 19:25:39 CEST
First of all: the feature is (currently) intended to be configured only when creating workgroups.
If it is desired to be able to change the email address of existing workgroups please open a feature request.

Regarding the customer's problem: the error message is misleading. The real problem is:
----------------------------------------------------------------------------
err={'info': 'no write access to parent', 'desc': 'Insufficient access'}
----------------------------------------------------------------------------

Please describe exactly how the user tried to modify the group.
* What kind of user (roles)?
* What UDM or UMC module?
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2020-10-14 12:38:41 CEST
I just tested it on the customer system:
a teacher on a DC slave is not able to CREATE OR MODIFY workgroups with the activated checkbox "Email-Adresse aktivieren". The error message shown to the user is:

"""
Ein Fehler ist aufgetreten:
Die Anfrage konnte nicht ausgeführt werden.

Fehlernachricht des Servers:

Die Gruppe konnte nicht erstellt werden (Die Mail-Adresse wird bereits verwendet.).
"""

(In reply to Daniel Tröder from comment #2)
> First of all: the feature is (currently) intended to be configured only when
> creating workgroups.

No. Even if it is, the user interface suggests something completely different.

> If it is desired to be able to change the email address of existing
> workgroups please open a feature request.

Since the user interface offers me to alter the checkbox when modifying, it's a bug in UCS@school and not a missing feature!

> Regarding the customers problem: The error message is misleading. The real
> problem is:
> ----------------------------------------------------------------------------
> err={'info': 'no write access to parent', 'desc': 'Insufficient access'}
> ----------------------------------------------------------------------------
> 
> Please describe exactly how the user tried to modify the group.
> * What kind of user (roles)?
> * What UDM  or UMC module?

It looks like teachers are not allowed to create a locking object for mailPrimaryAddress. At least the following ACL is affected and not sufficient:

access to dn.regex="^cn=(groupName|sid|gid|gidNumber|mac|uidNumber),cn=temporary,cn=univention,@%@ldap/base@%@$$" attrs=children,entry
        by set="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
        by * +0 break

Is there a ucs-test for this?
Which user role has been used for testing/QA?
Comment 4 Ole Schwiegert univentionstaff 2020-10-14 12:44:57 CEST
It was intended for email addresses to be altered/toggled also on existing work groups. The feature Daniel was thinking about are the shares.

During development it worked with editing existing work groups. I will investigate.
Comment 5 Ole Schwiegert univentionstaff 2020-10-14 13:53:30 CEST
Created attachment 10516 [details]
ACL patch for wg mail addresses

I set up a testing environment and weirdly I got the opposite, but still obviously wrong, behavior:

Teachers could edit existing WG and add email addresses, but not activate them on WG that they were about to create.

Still I got the same error message and the reason seems to be the missing permission to create temporary mailPrimaryAddress objects.

The attached patch expands teachers' rights on the temporary LDAP objects, which fixes the problem for me. I do not know how this could not be found out during development or QA.
Comment 6 Ole Schwiegert univentionstaff 2020-10-14 15:00:30 CEST
I implemented the changes on oschwieg/4.4/52215
Comment 7 Ole Schwiegert univentionstaff 2020-10-15 08:26:35 CEST
Package: ucs-school-ldap-acls-master
Version: 17.0.4-7A~4.4.0.202010150823
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Proposed change was merged to 4.4 and built.
Comment 8 Daniel Tröder univentionstaff 2020-10-15 09:52:56 CEST
OK: code change
OK: package build and advisory
OK: manual test: Workgroup with email address can now be created using a teacher account (tested on school server in a multi-server environment).
FAIL: manual test: Workgroup without email address cannot be given an email address (tested on school server in a multi-server environment). Doesn't work with a teacher account or with "Administrator".
Comment 9 Daniel Tröder univentionstaff 2020-10-15 09:55:56 CEST
Trying to modify the work group "Gym21-wg4" with user "Administrator" on school server, adding only the email address:

---------------------------------------------------------------------------------
15.10.20 09:53:29.769  ADMIN       ( INFO    ) : LOCK univention.admin.locking.lock scope = domain
15.10.20 09:53:29.770  LDAP        ( ALL     ) : add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr al=[('objectClass', ['top', 'lock']), ('cn', [u'Gym21-wg4@uni.dtr']), ('lockTime', ['1602748709'])]
15.10.20 09:53:29.770  LDAP        ( INFO    ) : uldap.add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr
15.10.20 09:53:29.772  LDAP        ( ALL     ) : add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr err={'info': 'no write access to parent', 'desc': 'Insufficient access'}
15.10.20 09:53:29.772  ADMIN       ( WARN    ) : cancel: release (mailPrimaryAddress): Gym21-wg4@uni.dtr
15.10.20 09:53:29.772  LDAP        ( INFO    ) : uldap.delete cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr
15.10.20 09:53:29.772  LDAP        ( INFO    ) : delete
15.10.20 09:53:29.773  MODULE      ( PROCESS ) : An error occurred while modifying "cn=Gym21-wg4,cn=schueler,cn=groups,ou=Gym21,dc=uni,dc=dtr": Die Mail-Adresse wird bereits verwendet.
15.10.20 09:53:29.773  MODULE      ( PROCESS ) : Die Gruppe konnte nicht bearbeitet werden (Die Mail-Adresse wird bereits verwendet.).
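The log above shows the actual failure (an LDAP add of the lock object under cn=mailPrimaryAddress,cn=temporary,... rejected with "Insufficient access") being reported to the user as "mail address already in use". As an added triage example, not code from this bug report or from UCS@school, the following Python script parses those log lines, pairs the user-facing MODULE message with the underlying LDAP error, and checks the parent DN of the failed add against the dn.regex of the ACL quoted in comment 3. It assumes that the @%@ldap/base@%@ placeholder expands to dc=uni,dc=dtr (the base seen in the log) and that the "$$" in the template becomes a single end-of-string anchor; the verdict names are this example's own.

```python
"""Triage of a UDM debug log for a failed lock-object creation.

Added example for this bug page; it is not code from the bug report or from
UCS@school itself.  The log lines are copied from comment 9, the ACL regex
from comment 3 (with the @%@ldap/base@%@ placeholder expanded to
"dc=uni,dc=dtr" and "$$" taken to be a single end-of-string anchor after
template expansion; both are assumptions of this example).
"""
import ast
import re

# Constructed sample input: the relevant log lines from comment 9.
LOG_LINES = [
    "15.10.20 09:53:29.769  ADMIN       ( INFO    ) : LOCK univention.admin.locking.lock scope = domain",
    "15.10.20 09:53:29.770  LDAP        ( ALL     ) : add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr al=[('objectClass', ['top', 'lock']), ('cn', [u'Gym21-wg4@uni.dtr']), ('lockTime', ['1602748709'])]",
    "15.10.20 09:53:29.770  LDAP        ( INFO    ) : uldap.add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr",
    "15.10.20 09:53:29.772  LDAP        ( ALL     ) : add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr err={'info': 'no write access to parent', 'desc': 'Insufficient access'}",
    "15.10.20 09:53:29.772  ADMIN       ( WARN    ) : cancel: release (mailPrimaryAddress): Gym21-wg4@uni.dtr",
    "15.10.20 09:53:29.773  MODULE      ( PROCESS ) : Die Gruppe konnte nicht bearbeitet werden (Die Mail-Adresse wird bereits verwendet.).",
]

# dn.regex of the ACL quoted in comment 3, LDAP base expanded (assumption).
ACL_DN_REGEX = r"^cn=(groupName|sid|gid|gidNumber|mac|uidNumber),cn=temporary,cn=univention,dc=uni,dc=dtr$"

# "<date> <time>  <category>  ( <level> ) : <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<cat>\S+)\s+\(\s*(?P<level>\S+)\s*\)\s*:\s*(?P<msg>.*)$")
# The LDAP layer logs a failed add as "add dn=<dn> err=<python dict literal>".
ERR_RE = re.compile(r"add dn=(?P<dn>\S+) err=(?P<err>\{.*\})$")


def parent_dn(dn):
    """Strip the first RDN; the split skips RFC 4514 escaped commas ("\\,")."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def failed_adds(lines):
    """Return every LDAP add the log reports as failed, with the parsed error."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("cat") != "LDAP":
            continue
        e = ERR_RE.search(m.group("msg"))
        if not e:
            continue
        err = ast.literal_eval(e.group("err"))  # literal dict only, no code execution
        found.append({
            "dn": e.group("dn"),
            "parent": parent_dn(e.group("dn")),
            "desc": err.get("desc", ""),
            "info": err.get("info", ""),
        })
    return found


def classify(failure, acl_dn_regex=ACL_DN_REGEX):
    """Map the LDAP result to a root cause an administrator can act on."""
    if failure["desc"] == "Already exists":
        return "lock-held"  # a real collision: the address is in use
    if failure["desc"] == "Insufficient access":
        if re.match(acl_dn_regex, failure["parent"]):
            # container matches the ACL, so none of its "by" clauses granted write
            return "acl-covered-but-denied"
        # container is not in the regex at all: this ACL cannot grant anything for it
        return "acl-not-covered"
    return "other"


def triage(lines):
    """Pair the user-facing MODULE message with the underlying LDAP error."""
    user_msgs = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("cat") == "MODULE":
            user_msgs.append(m.group("msg"))
    errors = failed_adds(lines)
    first = errors[0] if errors else None
    return {
        "user_message": user_msgs[-1] if user_msgs else "",
        "ldap_error": first,
        "verdict": classify(first) if first else "no-ldap-error",
    }


if __name__ == "__main__":
    result = triage(LOG_LINES)
    print("user saw     :", result["user_message"])
    print("LDAP reported:", result["ldap_error"]["desc"], "-", result["ldap_error"]["info"])
    print("parent DN    :", result["ldap_error"]["parent"])
    print("verdict      :", result["verdict"])
```

On the log from comment 9 the verdict is "acl-not-covered": the lock container cn=mailPrimaryAddress is not in the alternation of the quoted ACL, so no entry in that rule can grant the "children" write the add needs, whatever account performs it. A genuine duplicate address would surface as "Already exists" on the add and is the only case where the user-facing message would be accurate.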
Comment 10 Daniel Tröder univentionstaff 2020-10-15 09:57:25 CEST
Reason seems to be the use of the machine account in the UMC module's modify() operation.
Comment 11 Ole Schwiegert univentionstaff 2020-10-15 11:10:19 CEST
The problem was that during development and QA the feature was not tested in a multi-server environment and thus the faulty behaviour with editing was not discovered. On oschwieg/4.4/52215 I implemented the changes in the ACLs to fix these problems. Please QA and REOPEN for merge&build.
Comment 12 Daniel Tröder univentionstaff 2020-10-15 12:30:20 CEST
OK: code change (allowing school servers to handle temporary mailPrimaryAddress objects)
OK: manual test: Workgroup with email address can be created and modified (adding/removing email address) using a teacher account (tested on both master and school server in a multi-server environment).

Please merge, build, advisory.
Comment 13 Ole Schwiegert univentionstaff 2020-10-15 12:47:51 CEST
Package: ucs-school-ldap-acls-master
Version: 17.0.4-8A~4.4.0.202010151242
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 14 Daniel Tröder univentionstaff 2020-10-15 13:00:00 CEST
OK: build, advisory
OK: install test
OK: manual test
Comment 15 Ole Schwiegert univentionstaff 2020-11-18 10:37:46 CET
UCS@school 4.4 v8 has been released (errata update to the release).

https://docs.software-univention.de/changelog-ucsschool-4.4v8-de.html

If this error occurs again, please clone this bug.