Bug 52986 - regression to demo_admin missing school_admin role
regression to demo_admin missing school_admin role
Product: UCS@school
Classification: Unclassified
Component: Metapackages
UCS@school 4.4
Other Linux
: P5 normal (vote)
: UCS@school 4.4 v9-errata
Assigned To: Daniel Tröder
Tobias Wenzel
Depends on: 52970 53014
Blocks: 52147
  Show dependency treegraph
Reported: 2021-03-25 16:48 CET by Daniel Duchon
Modified: 2021-03-30 12:29 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021032421000906
Bug group (optional): Regression
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Duchon univentionstaff 2021-03-25 16:48:25 CET
If demo_admin is not available (because of removed or not installed demo-school), the join script failes with error_code 3 (object not found).
This is, because the fix only checks if the attribute exists but not the user itself.

The only known workarround would be to uncomment the fix. Otherwise the application is marked as not configured:
Warning: 'ucs-school-singlemaster' is not configured.
Error: Not all install files configured: 1 missing

+++ This bug was initially created as a clone of Bug #52970 +++

The create_demoportal.py script in ucs-school-metapackage does not append the school_admin schoolRole to the user, when it makes the teacher an admin.
Comment 1 Daniel Tröder univentionstaff 2021-03-25 17:13:50 CET
The change in commit
    [4.4] def08663b Bug #52970: handle no OU 'DEMOSCHOOL' and no user 'demo_admin'
was only applied to 62ucs-school-master.inst and not to 62ucs-school-singlemaster.inst.

[4.4] cc1a2cbdc Bug #52986: handle no OU DEMOSCHOOL and no user demo_admin for singlemaster
[4.4] 4df6dfc68 Bug #52986: advisory
Comment 2 Dirk Schnick univentionstaff 2021-03-25 18:15:24 CET
Are you sure? I do not have the complete details, but


# Bug #52970: add 'school_admin' role to user 'demo_admin' (missing prior to 4.4 v9)
if [ $JS_LAST_EXECUTED_VERSION -lt 11 ] ; then
        if ! univention-ldapsearch -LLL uid=demo_admin ucsschoolRole | grep -q 'school_admin:school:DEMOSCHOOL'; then
                udm users/user modify "$@" \
                        --dn "uid=demo_admin,cn=lehrer,cn=users,ou=DEMOSCHOOL,$ldap_base" \
                        --append "ucsschoolRole=school_admin:school:DEMOSCHOOL" || die               ### die <--- and this happens 

join.log (please see complete log with customer details in attached ticket initial message):

RUNNING 62ucs-school-singlemaster.inst
E: object not found


There is no check if demoschool is installed; if not, from my understanding, die must proceed as object not found is the result of the udm command.
Comment 3 Tobias Wenzel univentionstaff 2021-03-26 08:27:23 CET

I think the commit message is at least a bit misleading. 

First it is checked whether there is any demo_admin or not. If not, the joinscript continues.
If it does exist and does not have the school role of DEMOSCHOOL, the role is appended. 
If DEMOSCHOOL is not installed there is neither a demo_user nor the school role, so the joinscript continues.

I tested this by 

- removing DEMOSCHOOL
- running the joinscript with the old code which lead to

Running 62ucs-school-singlemaster.inst                     failed (exitcode: 3)

- with the new code

→ joinscript passes as expected.

changelog → OK
advisory → OK

@daniel, maybe you could confirm/ deny/ explain this
Comment 4 Daniel Duchon univentionstaff 2021-03-26 08:37:09 CET
Hmm, this is the opposite result to our test.
We removed the demo school and then ran the update to v9. Here the joinscript with exit code 3 hit the wall.

We've[1] used a single-master-setup.

[1]daniel duchon, michael grandjean
Comment 5 Michael Grandjean univentionstaff 2021-03-26 09:16:18 CET
(In reply to Dirk Schnick from comment #2)
> Are you sure? I do not have the complete details, but

AFAICS Daniel Tröder referred to Commit def08663b
-> https://github.com/univention/ucs-school/commit/def08663b90f57967730863520a1612a9da9ca5a#diff-0c2c042b0f41264509774fccba69ac629d9f12a22da28e44d96e660a5ec61ea5

This fixed the issue for multi-server on monday and thus before the release of 4.4 v9. 

However, the fix was not applied to the single-server joinscript.
This was done with Commit cc1a2cbdc yesterday: 
-> https://github.com/univention/ucs-school/commit/cc1a2cbdc1d43e1ea50ee69764065802854bc0e5#diff-e7d4d8a37b7a9768f94ee0081bd19e5e01a59c6f2bd26c875c829841bb891396

Tobias tested yesterday's fix and the result seems fine to me (didn't test myself, but comment #3 sounds reasonable and what I would expect).
Comment 6 Tobias Wenzel univentionstaff 2021-03-26 09:23:30 CET
wonderful verified
Comment 7 Daniel Tröder univentionstaff 2021-03-26 09:48:49 CET
Published as erratum to 4.4 v9.