Univention Bugzilla – Bug 53631
Feature: Scheduled activation of user accounts
Last modified: 2021-11-18 16:02:39 CET
Ticket# 2021071221000421 requests this feature: User story: An administator wants to create a user account but it should only become usable later. At a definable point in time the account gets activated automatically. Technical concept: * UDM module users/user shall be adjusted to support a new property for specifying the activation date+time+timezone. * The property shall be backed by an LDAP attribute like krb5ValidStart that has suitable properties for time ordering * show property on tab account settings * only write the attribute if it has been explicitly changed by the admin * Default time zone to TZ of server * Correctly convert between UTC value and displayed localtime * If a value for krb5ValidStart greater than the current time is written, then the disabled property shall be set automatically too * If krb5ValidStart is removed, disabled-state shall remain unchanged * If disabled-state is unset, krb5ValidStart shall be unset too * The property shall be presented with a selectable timezone in UMC, e.g. by means of a dropdown, which defaults to the server TZ * For the date+time a either picker may be used or a simple text field * An activation script shall be run periodically, e.g. via cron * The activation script shall run only on the UCS primary node * The ACLs in univention-ldap shall be adjusted to allow modification of krb5ValidStart by Domain Admins * The attribute shall be eq-indexed (Ok for >= comparison, see https://www.openldap.com/lists/openldap-technical/201205/msg00027.html) * Test cases shall establish reliability * Backport from UCS 5.0 to UCS 4.4 * Documentation in the UCS manual
27cd1989cc | register UDM property accountActivationDate 7a10fa035f | Define dedicated syntax for UDM property accountActivationDate 64a0d79c4a | convert timezone from accountActivationDate ecbcf27158 | Adjust layout 1e248a07c2 | set disabled state if accountActivationDate > now 7ab97f7a6a | Fix default value c7c5078800 | Add cron based account activation fd7dc81857 | Use LDAPI to reduce slapd load 1aa92007e8 | Testcase for accountActivationDate ac3a146859 | Explain accountActivationDate in manual d26130832c | Clean up krb5ValidStart in case krb5ValidEnd has also passed 7db0c5e467 | Extend testcases 524e42bf3e | Reset accountActivationDate to default if disabled state gets changed back to 0 5fc5297a35 | Merge branch 'arequate/bug53631-ucs-issue-651-krb5ValidStart' into 5.0-0 24a96b2eb3 | debian/changelog entries ad0573df26 | Advisory update Package: univention-directory-manager-modules Version: 15.0.11-18A~5.0.0.202108190945 Branch: ucs_5.0-0 Scope: errata5.0-0 We probably also need a testcase for UCS@school to check that this new property doesn't affect teachers capability to reset passwords, but that would be for UCS 4.4 currently first. So, my next step would be to backport this to UCS 4.4-8 first.
> c7c5078800 | Add cron based account activation REOPEN: cron jobs should test if the scripts to be called exists and otherwise do nothing. Otherwise a email is send if we remove this script somewhen but the cron config files is kept.
REOPEN: sed -i s/sepcified/specified/ doc/manual/user-management-en.xml
Maybe this caused Bug #53686 - not analyzed yet.
(In reply to Florian Best from comment #4) > Maybe this caused Bug #53686 - not analyzed yet. Yes, fixed in: univention-directory-manager-modules (15.0.11-18) ab629e3bea17 | fixup! Bug #53631: Define dedicated syntax for UDM property accountActivationDate
*** Bug 53686 has been marked as a duplicate of this bug. ***
doc/manual/user-management-en.xml When saving the changes, den account is autmatically marked as deactivated ^^^ ^^
96e2cca65f Bug #53631: Advisory text update ab629e3bea fixup! Bug #53631: Define dedicated syntax for UDM property accountActivationDate 27c6bcc16b fixup! Bug #53631: Explain accountActivationDate in manual 98cfc88edb Bug #53631: Convert testcase to Python 4ea1908f9c fixup! Bug #53631: Explain accountActivationDate in manual 38f7620956 fixup! Bug #53631: Convert testcase to Python The pytest rewrite also covers Comment 2.
Users with accountActivationDate in the future are created as disabled: OK Users with accountActivationDate in the past are created as active: OK Activation status can be updated via the script /usr/share/univention-directory-manager-tools/univention-delayed-account-activation: OK Creation of users via UMC: ~OK Usability nitpick: When looking at the Activationdate, the TimeString is cut off. I'd prefer a size="Half" in syntax.py instead of "OneThird". Time zone calculations: OK Time displayed in UTC: OK Default values: OK Manual entry: OK REOPEN: The file etc/cron.d/univention-delayed-account-activation is neither installed nor registered as an ucr template file. The ucr variable "directory/manager/user/accountactivation/cron" is not registered. The cron based activation therefore doesn't work yet. Due to this, the automated test 40_udm_users_delayed_activation.py fails in UCS4 and UCS5.
Oh, I didn't commit the file: 783f1792a3 Bug #53631: Register ucr template for cron job 9a1c723274 Bug #53631: Advisory update
098bf10e43 | fixup! Bug #53631: Register ucr template for cron job 473f6c8246 | Advisory update I've also verified manually that the test case actually fails if the cron job is disabled: ucr set --force directory/manager/user/accountactivation/cron="# " pytest /usr/share/ucs-test/61_udm-users/40_udm_users_delayed_activation.py -k test_disabled_user_creation_activation
Wrong commit hashes in Comment 11, these are the correct ones: 098bf10e43 | fixup! Bug #53631: Register ucr template for cron job 473f6c8246 | Advisory update
RFC: some transactions in the listener get lost during the upgrade: Ignore it? I did not search further, maybe the appcenter code is also affected in the same way as Bug #53754. Traceback (most recent call last): File "/usr/lib/univention-directory-listener/system/faillog.py", line 38, in <module> from univention.admin.handlers.users.user import unmapLocked File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 238, in <module> syntax=univention.admin.syntax.ActivationDateTimeTimezone, AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone'
As discussed in chat, this is a generic issue that is orthogonal to the feature implemented here. You mentioned Bug #53726 as a possible generic way to fix that.
REOPENED: See Bug #53675 comment 8.
Fixed in (details at Bug #53675): univention-web.yaml 807addf458a6 | Bug #53631: fix copying user object univention-web (4.0.1-40) 807addf458a6 | Bug #53631: fix copying user object univention-management-console-module-udm.yaml 807addf458a6 | Bug #53631: fix copying user object univention-management-console-module-udm (10.0.1-16) 807addf458a6 | Bug #53631: fix copying user object univention-directory-manager-modules (15.0.11-20) 807addf458a6 | Bug #53631: fix copying user object
(In reply to Florian Best from comment #2) > > c7c5078800 | Add cron based account activation > REOPEN: cron jobs should test if the scripts to be called exists and > otherwise do nothing. Otherwise a email is send if we remove this script > somewhen but the cron config files is kept. This is not yet implemented.
Created attachment 10818 [details] TwoThirds DateBox ecbcf27158d5d30ddfc0995a2e465fbba0f54f93 adjusts size for all DateBox widgets to TwoThirds This does not look good in e.g. users/user
(In reply to Florian Best from comment #17) > (In reply to Florian Best from comment #2) > > > c7c5078800 | Add cron based account activation > > REOPEN: cron jobs should test if the scripts to be called exists and > > otherwise do nothing. Otherwise a email is send if we remove this script > > somewhen but the cron config files is kept. > > This is not yet implemented. univention-directory-manager-modules (15.0.11-20) 3bc66af384e6 | Bug #53631: add -executable condition to cronjob (In reply to Johannes Keiser from comment #18) > Created attachment 10818 [details] > TwoThirds DateBox > > ecbcf27158d5d30ddfc0995a2e465fbba0f54f93 adjusts size for all DateBox > widgets to TwoThirds > > This does not look good in e.g. users/user univention-directory-manager-modules (15.0.11-20) 022a26e0563b | Bug #53631: fix sizing of ActivationDateTimeTimezone without influencing all other properties
(In reply to Florian Best from comment #13) other tracebacks: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/univention/admin/hook.py", line 66, in import_hook_files exec(fd.read(), sys.modules[__name__].__dict__) File "<string>", line 41, in <module> File "/usr/lib/python3/dist-packages/ucsschool/lib/models/__init__.py", line 36, in <module> from .computer import * # noqa: F401, F403 File "/usr/lib/python3/dist-packages/ucsschool/lib/models/computer.py", line 51, in <module> from .base import MultipleObjectsError, RoleSupportMixin, UCSSchoolHelperAbstractClass File "/usr/lib/python3/dist-packages/ucsschool/lib/models/base.py", line 53, in <module> from .meta import UCSSchoolHelperMetaClass File "/usr/lib/python3/dist-packages/ucsschool/lib/models/meta.py", line 51, in <module> udm_modules.update() File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 148, in update _walk(root, w_root, w_files) File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 132, in _walk m = importlib.import_module('univention.admin.handlers.%s' % (modulepackage,)) # type: Any File "/usr/lib/python3.7/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "/usr/lib/python3/dist-packages/univention/admin/handlers/container/dc.py", line 43, in <module> import univention.admin.handlers.users.user File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 237, in <module> syntax=univention.admin.syntax.ActivationDateTimeTimezone, AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone' Traceback (most recent call last): File "/usr/lib/univention-directory-listener/system/ucs-school-user-logonscript.py", line 51, in <module> univention.admin.modules.update() File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 148, in update _walk(root, w_root, w_files) File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 132, in _walk m = importlib.import_module('univention.admin.handlers.%s' % (modulepackage,)) # type: Any File "/usr/lib/python3.7/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "<frozen importlib._bootstrap>", line 1006, in _gcd_import File "<frozen importlib._bootstrap>", line 983, in _find_and_load File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 677, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 728, in exec_module File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed File "/usr/lib/python3/dist-packages/univention/admin/handlers/container/dc.py", line 43, in <module> import univention.admin.handlers.users.user File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 237, in <module> syntax=univention.admin.syntax.ActivationDateTimeTimezone, AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone' Traceback (most recent call last): File "/usr/lib/univention-directory-listener/system/pupilgroups.py", line 41, in <module> from ucsschool.lib.models.school import School File "/usr/lib/python3/dist-packages/ucsschool/lib/models/__init__.py", line 36, in <module> from .computer import * # noqa: F401, F403 File "/usr/lib/python3/dist-packages/ucsschool/lib/models/computer.py", line 51, in <module> from .base import MultipleObjectsError, RoleSupportMixin, UCSSchoolHelperAbstractClass File "/usr/lib/python3/dist-packages/ucsschool/lib/models/base.py", line 53, in <module> from .meta import UCSSchoolHelperMetaClass File "/usr/lib/python3/dist-packages/ucsschool/lib/models/meta.py", line 51, in <module> udm_modules.update() File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 148, in update _walk(root, w_root, w_files) File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 132, in _walk m = importlib.import_module('univention.admin.handlers.%s' % (modulepackage,)) # type: Any File "/usr/lib/python3.7/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "/usr/lib/python3/dist-packages/univention/admin/handlers/container/dc.py", line 43, in <module> import univention.admin.handlers.users.user File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 237, in <module> syntax=univention.admin.syntax.ActivationDateTimeTimezone, AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone'
I fixed these errors as well (with the wrong bug number): univention-directory-manager-modules (15.0.11-20) d13c48d3cfe9 | Bug #53754: fix errors due to missing syntax classes during errata upgrades
Reopen: When selecting only a date and a time in UMC while leaving the timezone field empty, a traceback is shown when saving the user object. (The traceback is slighty different depending on which field is left empty. We could show a helpful message instead, or is it possible to mark all 3 fields as required and prevent the save operation, highlighting the missing fields? Interner Server-Fehler in "udm/put (users/user)". Request: udm/put (users/user) File "/usr/lib/python3/dist-packages/notifier/threads.py", line 80, in _run result = self._function() File "/usr/lib/python3/dist-packages/notifier/__init__.py", line 105, in __call__ return self._function(*tmp, **self._kwargs) File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/__init__.py", line 442, in _thread module.modify(properties) File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 649, in modify obj.modify() File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1477, in modify return super(object, self).modify(*args, **kwargs) File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 633, in modify self._ldap_pre_ready() File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1696, in _ldap_pre_ready if self['accountActivationDate'] and self['accountActivationDate'][0] and datetime.now(tz=pytz.utc) < datetime_from_local_datetimetimezone_tuple(self['accountActivationDate']): File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1224, in datetime_from_local_datetimetimezone_tuple return pytz.timezone(tz).localize(naive_dt) File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 161, in timezone raise UnknownTimeZoneError(None) pytz.exceptions.UnknownTimeZoneError: None Reopen: The requirements state > Technical concept: > * Default time zone to TZ of server > * The property shall be presented with a selectable timezone in UMC, e.g. by means of a dropdown, which defaults to the server TZ The timezone field is empty by default RFC: The administrator can select the timezone when setting the activation date. This information is not saved internally, so upon reopening the user, the activation date is presented in UTC. This might be confusing, as administrators have to convert the time manually to find out when the account is going to be activated. Is this okay?
Reopen: The default for UCR directory/manager/user/accountactivation/cron is empty so the cronjob does not run by default.
(In reply to Erik Damrose from comment #22) > Reopen: When selecting only a date and a time in UMC while leaving the > timezone field empty, a traceback is shown when saving the user object. (The > traceback is slighty different depending on which field is left empty. We > could show a helpful message instead, or is it possible to mark all 3 fields > as required and prevent the save operation, highlighting the missing fields? > > Interner Server-Fehler in "udm/put (users/user)". > Request: udm/put (users/user) > > File "/usr/lib/python3/dist-packages/notifier/threads.py", line 80, in _run > result = self._function() > File "/usr/lib/python3/dist-packages/notifier/__init__.py", line 105, in > __call__ > return self._function(*tmp, **self._kwargs) > File > "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/ > __init__.py", line 442, in _thread > module.modify(properties) > File > "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/ > udm_ldap.py", line 649, in modify > obj.modify() > File > "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", > line 1477, in modify > return super(object, self).modify(*args, **kwargs) > File > "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line > 633, in modify > self._ldap_pre_ready() > File > "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", > line 1696, in _ldap_pre_ready > if self['accountActivationDate'] and self['accountActivationDate'][0] > and datetime.now(tz=pytz.utc) < > datetime_from_local_datetimetimezone_tuple(self['accountActivationDate']): > File > "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", > line 1224, in datetime_from_local_datetimetimezone_tuple > return pytz.timezone(tz).localize(naive_dt) > File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 161, in > timezone > raise UnknownTimeZoneError(None) > pytz.exceptions.UnknownTimeZoneError: None I removed the possibility to set an empty value for the timezone. So this can't happen anymore. Also I raised the constraints so that all values must be non-empty to be set, which fixes all combinations. We can't do anything more flexible with the current Javascript. a2d64bbff373 | Bug #53631: only set accountActivationDate if all fields are specified > Reopen: The requirements state > > > Technical concept: > > * Default time zone to TZ of server > > * The property shall be presented with a selectable timezone in UMC, e.g. by means of a dropdown, which defaults to the server TZ > > The timezone field is empty by default OK, I set the default to the local timezone. 11a1ae31d2b1 | Bug #53631: set local timezone as default value of accountActivationDate > RFC: The administrator can select the timezone when setting the activation > date. This information is not saved internally, so upon reopening the user, > the activation date is presented in UTC. This might be confusing, as > administrators have to convert the time manually to find out when the > account is going to be activated. Is this okay? hmm… I don't know what Arvid thought about this. In general I dislike transforming values to local time in that layer. (We also had problems due to this in the past because our Jenkins Tests run in different timezones than we live). But yes, it looks inconsistent now. I will think about it. (In reply to Erik Damrose from comment #23) > Reopen: The default for UCR directory/manager/user/accountactivation/cron is > empty so the cronjob does not run by default. I set the cronjob to be activated every 15 minutes by default. a6b046812201 | Bug #53631: enable crontab every 15 minutes 11a1ae31d2b1 | Bug #53631: set local timezone as default value of accountActivationDate
Also fix the test case regarding default value and disabled cronjob on non-master systems as specified by comment 0. 0dd66cfb2e16 | fixup! fixup! Bug #53631: enable crontab every 15 minutes 6810f3ed556c | fixup! Bug #53631: enable crontab every 15 minutes As discussed, for now we don't transform UTC into local time in unmap(). If we do this, we should do it only in the Javascript widget.
The remaining open points were addressed. Automatic and manual tests as described in comment 9 successful Verified
<https://errata.software-univention.de/#/?erratum=5.0x100> <https://errata.software-univention.de/#/?erratum=5.0x90> <https://errata.software-univention.de/#/?erratum=5.0x99>