Univention Bugzilla – Bug 56913
Teachers cannot reset password of students when automatic user lockout is configured
Last modified: 2023-12-14 12:14:26 CET
UMC shows "permission denied" when a teacher tries to reset the password of a student. Automatic user lockout is configured in the environment, and therefore the ppolicy overlay is active.

The management-console-module-schoolusers.log (debug-level 4) shows this:

13.12.23 18:45:52.540 LDAP ( ALL ) : mod dn=uid=hschueler1,cn=schueler,cn=users,ou=billy,dc=musterschule1,dc=intranet ml=[('pwdAccountLockedTime', b'20231213174444Z', b''), ('krb5KDCFlags', [b'126'], b'126'), ('userPassword', b'{crypt}$6$uzZ72UlIT1pqL2rY$9JIa9.8TMVrdqeOVAydIPAiUiv8YEmHLUINTbUy29QJtAoWGlBk.0EoKEURNPUleWxWAbyGMMaiqfTBBCAznS0', b'{crypt}$6$ddCuawoWN2CIyP5C$i3uQqBy0y6gIol09n93sg8V5vG5f8EO7C1AQ6qW0sin1MTrQ6.H6e2uwFpAae01gpi4q.qEncZ3b0YQWp6Dm4/'), ('krb5Key', [...], [...]), ('krb5KeyVersionNumber', [b'9'], b'10'), ('sambaNTPassword', b'CAA1239D44DA7EDF926BCE39F5C65D0F', b'CAA1239D44DA7EDF926BCE39F5C65D0F'), ('sambaLMPassword', b'', b''), ('shadowMax', b'1', b''), ('sambaPwdLastSet', b'0', b'1702489552'), ('krb5PasswordEnd', b'20231213000000Z', b''), ('sambaBadPasswordCount', b'0', b'0'), ('sambaBadPasswordTime', b'133469630840000000', b'0'), ('sambaAcctFlags', b'[UL ]', b'[U ]')]
13.12.23 18:45:52.540 LDAP ( ALL ) : uldap.modify uid=hschueler1,cn=schueler,cn=users,ou=billy,dc=musterschule1,dc=intranet
13.12.23 18:45:52.543 LDAP ( ALL ) : mod dn=uid=hschueler1,cn=schueler,cn=users,ou=billy,dc=musterschule1,dc=intranet err={'desc': 'Insufficient access'}
13.12.23 18:45:52.543 MODULE ( PROCESS ) : dn='uid=hschueler1,cn=schueler,cn=users,ou=billy,dc=musterschule1,dc=intranet'
13.12.23 18:45:52.543 MODULE ( PROCESS ) : exception=<class 'univention.admin.uexceptions.permissionDenied'>
13.12.23 18:45:52.543 MODULE ( PROCESS ) : permission denied

Behavior was reproducible with:
UCS: 5.0-5 errata884
Installed: self-service=5.0 self-service-backend=5.0 ucsschool=5.0 v4 4.4/openid-connect-provider=2.2-konnect-0.33.11-2 4.4/ucsschool-apis=1.1.0 4.4/ucsschool-kelvin-rest-api=1.9.0
Upgradable:
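For triage, a logged "mod dn=... ml=[...]" line like the one above can be reduced to the attributes whose values really change, which is the set the teacher's bind must be allowed to write. The script below is an added example, not part of the original report or of UCS; the sample log line and its DN are constructed, and the ppolicy attribute names are taken from the OpenLDAP ppolicy schema.

```python
import ast
import re

# State attributes maintained by the OpenLDAP ppolicy overlay.
PPOLICY_STATE = {"pwdAccountLockedTime", "pwdFailureTime", "pwdChangedTime",
                 "pwdHistory", "pwdReset", "pwdGraceUseTime"}

# Matches the debug line format shown in the report: "... mod dn=<dn> ml=[...]"
MOD_RE = re.compile(r"mod dn=(?P<dn>.+?) ml=(?P<ml>\[.*\])\s*$")

def _values(v):
    """Normalise a modlist value (bytes or list of bytes) to a set of non-empty values."""
    items = v if isinstance(v, (list, tuple)) else [v]
    return {i for i in items if i}

def changed_attributes(log_line):
    """Return (dn, {attr: 'add'|'delete'|'replace'}) for real changes only."""
    m = MOD_RE.search(log_line)
    if not m:
        return None, {}
    changes = {}
    # literal_eval only parses Python literals; it never executes log content.
    for attr, old, new in ast.literal_eval(m.group("ml")):
        o, n = _values(old), _values(new)
        if o == n:
            continue  # no-op: identical value, or same value set in another order
        changes[attr] = "add" if not o else "delete" if not n else "replace"
    return m.group("dn"), changes

def ppolicy_changes(changes):
    """Subset of changes that touch ppolicy overlay state."""
    return {a: k for a, k in changes.items() if a in PPOLICY_STATE}

# Constructed sample line (placeholder DN, hashes and keys).
SAMPLE = (
    "13.12.23 18:45:52.540 LDAP ( ALL ) : "
    "mod dn=uid=student1,cn=users,dc=example,dc=org "
    "ml=[('pwdAccountLockedTime', b'20231213174444Z', b''), "
    "('userPassword', b'{crypt}OLD', b'{crypt}NEW'), "
    "('krb5Key', [b'k1', b'k2'], [b'k2', b'k1']), "
    "('sambaNTPassword', b'AA', b'AA'), "
    "('sambaPwdLastSet', b'0', b'1702489552')]"
)

if __name__ == "__main__":
    dn, changes = changed_attributes(SAMPLE)
    print(dn)
    for attr, kind in changes.items():
        flag = "  <- ppolicy state" if attr in PPOLICY_STATE else ""
        print(f"  {kind:8} {attr}{flag}")
```

Each attribute it lists can then be compared against the LDAP ACLs that apply to the teacher role.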