Univention Bugzilla – Bug 52215
Adding a mail address to an existing working group is not possible
Last modified: 2020-11-18 10:37:46 CET
A customer reported a problem with the new mail address functionality for workgroups: adding a mail address to an existing workgroup is not possible; there is always the message that the mail address is already assigned, but it is not. Master, Backup and school DC are on version UCS 4.4-6 Errata 767 with UCS@school 4.4 v7. The UCR variable "ucsschool/workgroups/mailaddress" was set to the example value '{ou}-{name}@school.example.com', i.e. the way the addresses should look. But adding a mail address when creating a new workgroup works without problems.
First of all: the feature is (currently) intended to be configured only when creating workgroups. If it is desired to be able to change the email address of existing workgroups, please open a feature request.

Regarding the customer's problem: The error message is misleading. The real problem is:

----------------------------------------------------------------------------
err={'info': 'no write access to parent', 'desc': 'Insufficient access'}
----------------------------------------------------------------------------

Please describe exactly how the user tried to modify the group.
* What kind of user (roles)?
* What UDM or UMC module?
I just tested it on the customer system: a teacher on a DC slave is not able to CREATE OR MODIFY working groups with activated checkbox "Email-Adresse aktivieren". The error message shown to the user is:

"""
Ein Fehler ist aufgetreten: Die Anfrage konnte nicht ausgeführt werden. Fehlernachricht des Servers: Die Gruppe konnte nicht erstellt werden (Die Mail-Adresse wird bereits verwendet.).
"""

(In reply to Daniel Tröder from comment #2)
> First of all: the feature is (currently) intended to be configured only when
> creating workgroups.

No. Even if it is, the user interface suggests something completely different.

> If it is desired to be able to change the email address of existing
> workgroups please open a feature request.

Since the user interface allows me to alter the checkbox when modifying, it's a bug in UCS@school and not a missing feature!

> Regarding the customer's problem: The error message is misleading. The real
> problem is:
> ----------------------------------------------------------------------------
> err={'info': 'no write access to parent', 'desc': 'Insufficient access'}
> ----------------------------------------------------------------------------
>
> Please describe exactly how the user tried to modify the group.
> * What kind of user (roles)?
> * What UDM or UMC module?

It looks like teachers are not allowed to create a locking object for mailPrimaryAddress. At least the following ACL is affected and not sufficient:

access to dn.regex="^cn=(groupName|sid|gid|gidNumber|mac|uidNumber),cn=temporary,cn=univention,@%@ldap/base@%@$$" attrs=children,entry
    by set="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
    by * +0 break

Is there a ucs-test for this? Which user role has been used for testing/QA?
It was intended for email addresses to be altered/toggled also on existing work groups. The feature Daniel was thinking about is the shares. During development it worked with editing existing work groups. I will investigate.
Created attachment 10516 [details]
ACL patch for wg mail addresses

I set up a testing environment and weirdly I got the opposite, but still obviously wrong, behavior: teachers could edit existing WGs and add email addresses, but not activate them on WGs that they were about to create. Still, I got the same error message, and the reason seems to be the missing permission to create temporary mailPrimaryAddress objects. The attached patch expands teachers' rights on the temporary LDAP objects, which fixes the problem for me. I do not know how this could not be found out during development or QA.
I implemented the changes on oschwieg/4.4/52215
Package: ucs-school-ldap-acls-master
Version: 17.0.4-7A~4.4.0.202010150823
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Proposed change was merged to 4.4 and built.
OK: code change
OK: package build and advisory
OK: manual test: Workgroup with email address can now be created using a teacher account (tested on school server in a multi-server environment).
FAIL: manual test: Workgroup without email address cannot be given an email address (tested on school server in a multi-server environment). Doesn't work with a teacher account or with "Administrator".
Trying to modify the work group "Gym21-wg4" with user "Administrator" on school server, adding only the email address:

---------------------------------------------------------------------------------
15.10.20 09:53:29.769 ADMIN ( INFO ) : LOCK univention.admin.locking.lock scope = domain
15.10.20 09:53:29.770 LDAP ( ALL ) : add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr al=[('objectClass', ['top', 'lock']), ('cn', [u'Gym21-wg4@uni.dtr']), ('lockTime', ['1602748709'])]
15.10.20 09:53:29.770 LDAP ( INFO ) : uldap.add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr
15.10.20 09:53:29.772 LDAP ( ALL ) : add dn=cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr err={'info': 'no write access to parent', 'desc': 'Insufficient access'}
15.10.20 09:53:29.772 ADMIN ( WARN ) : cancel: release (mailPrimaryAddress): Gym21-wg4@uni.dtr
15.10.20 09:53:29.772 LDAP ( INFO ) : uldap.delete cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=uni,dc=dtr
15.10.20 09:53:29.772 LDAP ( INFO ) : delete
15.10.20 09:53:29.773 MODULE ( PROCESS ) : An error occurred while modifying "cn=Gym21-wg4,cn=schueler,cn=groups,ou=Gym21,dc=uni,dc=dtr": Die Mail-Adresse wird bereits verwendet.
15.10.20 09:53:29.773 MODULE ( PROCESS ) : Die Gruppe konnte nicht bearbeitet werden (Die Mail-Adresse wird bereits verwendet.).
---------------------------------------------------------------------------------
Reason seems to be the use of the machine account in the UMC module's modify() operation.
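The two findings above fit together once the ACL from comment 3 is read against the DN in the log: UDM takes the mail address lock by adding a child entry under cn=mailPrimaryAddress,cn=temporary,cn=univention,<ldap/base>, and slapd only permits that add if the requester has write access to the parent's "children" pseudo-attribute, which is what "no write access to parent" means. The dn.regex in the quoted ACL enumerates the lock containers it covers, and mailPrimaryAddress is not among them. The following Python script is an added illustration, not code from the bug or from the UCS@school packages: it renders the UCR template of the dn.regex for the LDAP base seen in the log and checks whether the parent of a given lock DN is covered. The widened pattern it also checks is an assumption about what an ACL extension could look like, not the content of attachment 10516, and the "who" side of the rule (the by set=... clause, and whether the teacher or the school server's machine account performs the add) is not modelled.

```python
import re

# dn.regex of the ACL quoted in comment 3, still in UCR template form.
ACL_DN_REGEX_TEMPLATE = (
    r"^cn=(groupName|sid|gid|gidNumber|mac|uidNumber),"
    r"cn=temporary,cn=univention,@%@ldap/base@%@$$"
)

# Constructed variant for illustration only: same pattern with the mail
# address lock container added to the alternation. This is an assumption
# about a possible fix, not the content of attachment 10516.
ACL_DN_REGEX_TEMPLATE_WIDENED = (
    r"^cn=(groupName|sid|gid|gidNumber|mac|uidNumber|mailPrimaryAddress),"
    r"cn=temporary,cn=univention,@%@ldap/base@%@$$"
)

LDAP_BASE = "dc=uni,dc=dtr"  # the base visible in the log above


def render_acl_regex(template: str, ldap_base: str) -> "re.Pattern[str]":
    """Turn the UCR template into the regex slapd sees.

    @%@ldap/base@%@ is replaced by the escaped LDAP base; the doubled '$$'
    is the template's escaping of a single '$' end anchor.
    """
    pattern = template.replace("@%@ldap/base@%@", re.escape(ldap_base))
    pattern = pattern.replace("$$", "$")
    return re.compile(pattern)


def parent_dn(dn: str) -> str:
    """Strip the leading RDN. A comma escaped with a backslash is part of a
    value and does not separate RDNs."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    if len(parts) != 2:
        raise ValueError("DN has no parent: %r" % dn)
    return parts[1]


def acl_grants_child_creation(template: str, new_entry_dn: str,
                              ldap_base: str = LDAP_BASE) -> bool:
    """True if the 'access to dn.regex=... attrs=children,entry' rule covers
    the parent of new_entry_dn, i.e. the entry whose 'children' attribute
    slapd checks before allowing the add."""
    regex = render_acl_regex(template, ldap_base)
    return regex.match(parent_dn(new_entry_dn)) is not None


# Lock DN taken from the log above, and a constructed gidNumber lock DN for
# comparison (the value 5005 is made up).
MAIL_LOCK_DN = ("cn=Gym21-wg4@uni.dtr,cn=mailPrimaryAddress,cn=temporary,"
                "cn=univention,dc=uni,dc=dtr")
GID_LOCK_DN = "cn=5005,cn=gidNumber,cn=temporary,cn=univention,dc=uni,dc=dtr"


def report() -> dict:
    """Coverage of each lock DN's parent under the original and widened rule."""
    return {
        "gidNumber lock, original ACL":
            acl_grants_child_creation(ACL_DN_REGEX_TEMPLATE, GID_LOCK_DN),
        "mail lock, original ACL":
            acl_grants_child_creation(ACL_DN_REGEX_TEMPLATE, MAIL_LOCK_DN),
        "mail lock, widened ACL":
            acl_grants_child_creation(ACL_DN_REGEX_TEMPLATE_WIDENED, MAIL_LOCK_DN),
    }


if __name__ == "__main__":
    for label, covered in report().items():
        print("%-32s %s" % (label, "covered" if covered else "NOT covered"))
```

Run stand-alone, the script reports the gidNumber lock as covered and the mailPrimaryAddress lock as not covered by the original pattern, matching the "Insufficient access" line in the log; only the constructed widened pattern covers it. The same approach works as a quick offline check for any dn.regex rule: render the template, take the parent of the DN the operation creates, and test the match before deploying an ACL change.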
The problem was that during development and QA the feature was not tested in a multi-server environment and thus the faulty behaviour with editing was not discovered. On oschwieg/4.4/52215 I implemented the changes in the ACLs to fix these problems. Please QA and REOPEN for merge & build.
OK: code change (allowing school servers to handle temporary mailPrimaryAddress objects)
OK: manual test: Workgroup with email address can be created and modified (adding/removing email address) using a teacher account (tested on both master and school server in a multi-server environment).

Please merge, build, advisory.
Package: ucs-school-ldap-acls-master
Version: 17.0.4-8A~4.4.0.202010151242
Branch: ucs_4.4-0
Scope: ucs-school-4.4
OK: build, advisory
OK: install test
OK: manual test
UCS@school 4.4 v8 has been released (errata update to the release). https://docs.software-univention.de/changelog-ucsschool-4.4v8-de.html If this error occurs again, please clone this bug.