Created attachment 11221: Traceback

# UCS: 5.0-8 errata1060
# /usr/share/univention-directory-manager-tools/udm-remap-country-from-st-to-c was executed via the UMC during a system diagnosis

# Problem
When a user tries to change the country via the self-service, a traceback appears in /var/log/univention/management-console-module-passwordreset.log (see attachment).

# Investigation
The country was unset and the user tried to modify/add it via the self-service. When the country is set to a value beforehand by an administrator (udm users/user modify --dn ... --set country=DE), then the user is able to change the value via the self-service.
Workaround should be: ucr set self-service/ldap_attributes="c,$(ucr get self-service/ldap_attributes)"
For searchability:

MODULE ( ERROR ) : set_user_attributes(): modifying the user failed:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 792, in modify
    return self.lo.modify(dn, changes, serverctrls=serverctrls, response=response, rename_callback=rename_callback)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 816, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 875, in modify_ext_s
    _rtype, _rdata, _rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1253, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 602, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/passwordreset/__init__.py", line 581, in set_user_attributes
    user.modify()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1288, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 692, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1412, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response, rename_callback=wouldRename.on_rename)
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 798, in modify
    raise univention.admin.uexceptions.permissionDenied()
univention.admin.uexceptions.permissionDenied: Zugriff verweigert.
This is not about allowing the attribute "c" to be changed by self. The problem is users which don't have the objectClass "univentionPerson". When setting a value for "c", UDM adds the objectClass "univentionPerson" to the modlist (as an LDAP add operation):

> users/user.py: ml.append(('objectClass', b'', b'univentionPerson'))

And our LDAP ACLs allow doing this:

> management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/63univention-ldap-server_acl-master-password:print('access to filter="objectClass=person" attrs=objectClass value=univentionPerson')
> management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/63univention-ldap-server_acl-master-password-print(' by self %s' % usr)

But UDM transforms that LDAP add operation into an LDAP replace operation:

> 1325 def _ldap_object_classes_add(self, al: list[tuple[str, Any]]) -> list[tuple[str, Any]]:
> …
> 1354 al.append(('objectClass', [x.encode('UTF-8') for x in ocs]))

which is then denied by the LDAP server, even if it only contains the allowed object class and the currently set object classes. So we have to rewrite this so that it still performs only an LDAP add operation.

Workaround: change all users and set any "c" or "birthdate" via CLI, which then sets the objectClass on the users.
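As an added illustration of the comment above (this is not UDM, OpenLDAP or Univention code; the user record, the attribute-to-objectClass mapping and the function names are constructed for the example, and the ACL check is a simplified model of how slapd evaluates a value-scoped rule, not the real ACL engine), the following Python builds the two modlist shapes discussed in the comment, the replace that UDM currently emits and the add-only form the comment asks for, and runs both through a toy version of the quoted rule so the difference is visible offline:

```python
"""Added illustration (not UDM or OpenLDAP code) of the modlist problem
described in the comment above.

It models, in python-ldap modlist terms, the two ways of attaching the
objectClass "univentionPerson" to a user when "c" is set, and a toy
version of the quoted slapd rule so the difference is visible offline.
"""

try:
    from ldap import MOD_ADD, MOD_REPLACE  # python-ldap, if installed
except ImportError:                         # same numeric values python-ldap uses
    MOD_ADD, MOD_REPLACE = 0, 2

# Constructed sample user: has "person" but not "univentionPerson",
# which is the situation the report describes.
USER_WITHOUT_UP = {
    "objectClass": [b"top", b"person", b"organizationalPerson", b"inetOrgPerson"],
    "sn": [b"Doe"],
}

# Assumption: the attribute "c" requires objectClass univentionPerson
# (that is what the comment implies; the real mapping lives in UDM).
REQUIRED_OBJECTCLASS = {"c": b"univentionPerson"}


def acl_allows_self(existing_ocs, op, attr, values):
    """Toy model of the quoted rule

        access to filter="objectClass=person" attrs=objectClass value=univentionPerson
            by self write

    applied to one modlist entry.  Assumption about slapd semantics: an ADD
    is checked value by value, so this value-scoped rule grants adding
    exactly univentionPerson; a REPLACE is checked as a delete of the whole
    attribute first, which a value-scoped rule cannot grant, so it is denied.
    Only objectClass is modelled; the rule governing writes to "c" itself is
    not on the page.
    """
    if attr != "objectClass" or b"person" not in existing_ocs:
        return False
    if op == MOD_ADD:
        return all(v == b"univentionPerson" for v in values)
    return False


def modlist_replace_objectclass(user, attr, value):
    """Behaviour the comment describes: set attr, then REPLACE objectClass
    with the current classes plus the one attr needs."""
    ml = [(MOD_REPLACE, attr, [value])]
    needed = REQUIRED_OBJECTCLASS[attr]
    if needed not in user["objectClass"]:
        ml.append((MOD_REPLACE, "objectClass", list(user["objectClass"]) + [needed]))
    return ml


def modlist_add_objectclass(user, attr, value):
    """Shape the comment asks for: only ADD the missing class."""
    ml = [(MOD_REPLACE, attr, [value])]
    needed = REQUIRED_OBJECTCLASS[attr]
    if needed not in user["objectClass"]:
        ml.append((MOD_ADD, "objectClass", [needed]))
    return ml


def objectclass_changes_allowed(user, ml):
    """Run the toy ACL over every objectClass entry of a modlist.
    A modlist that touches no objectClass is trivially allowed, which is
    the 'admin set the country beforehand' case from the report."""
    return all(acl_allows_self(user["objectClass"], op, attr, vals)
               for op, attr, vals in ml if attr == "objectClass")


if __name__ == "__main__":
    for build in (modlist_replace_objectclass, modlist_add_objectclass):
        ml = build(USER_WITHOUT_UP, "c", b"DE")
        verdict = "allowed" if objectclass_changes_allowed(USER_WITHOUT_UP, ml) else "INSUFFICIENT_ACCESS"
        print(build.__name__, ml, "->", verdict)
```

The toy ACL only stands in for the one rule quoted in the comment; to confirm the behaviour on a real system, send each modlist with ldapmodify bound as the user's own DN and watch the slapd ACL log (loglevel acl), which reports which rule matched for the add and for the replace.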