Bug 40049 - password reset: on reset user has to use uid instead of mail-address (behaviour with pw change is different)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.1
Other Linux
P5 normal
UCS 4.1-0-errata
Assigned To: Daniel Tröder
Florian Best
Reported: 2015-11-20 11:18 CET by Jens Thorp-Hansen
Modified: 2015-12-09 16:48 CET (History)
Description Jens Thorp-Hansen univentionstaff 2015-11-20 11:18:08 CET
On PW-Reset user has to use uid instead of mail-address but on PW-Change user is able to use mail-address. This should be consistent.
Comment 1 Daniel Tröder univentionstaff 2015-11-25 15:07:34 CET
Commit 65901 (YAML 65903) adds support for login/request-reset with an email address instead of the username.
Comment 2 Florian Best univentionstaff 2015-12-01 15:45:23 CET
Please don't use the "assert" statement in productive code as this might be stripped due to optimization (python -OO).
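The effect described in comment 2, as an added example that is not part of the bug report or the UCS code: the same check written with `assert` and with an explicit `raise`, compiled at optimisation level 0 and at level 2 (what `python -OO` uses). It is written for Python 3; the validator names and the check itself are hypothetical.

```python
# Added example (Python 3). The validator and its check are hypothetical.
SOURCE = '''
def check_with_assert(username):
    assert isinstance(username, str) and username.strip(), "empty username"
    return username

def check_with_raise(username):
    if not (isinstance(username, str) and username.strip()):
        raise ValueError("empty username")
    return username
'''

def load(optimize):
    """Compile SOURCE the way the interpreter would at the given -O level."""
    namespace = {}
    exec(compile(SOURCE, "<constructed>", "exec", optimize=optimize), namespace)
    return namespace

def outcome(func, value):
    """Call func(value) and report whether the check let the value through."""
    try:
        func(value)
        return "accepted"
    except (AssertionError, ValueError) as exc:
        return type(exc).__name__

def compare(value):
    """Map optimisation level -> (assert result, explicit-raise result)."""
    result = {}
    for level in (0, 2):  # 0 = plain python, 2 = python -OO
        ns = load(level)
        result[level] = (outcome(ns["check_with_assert"], value),
                         outcome(ns["check_with_raise"], value))
    return result
```

At level 2 the `assert` variant accepts the empty string while the explicit `raise` still rejects it.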
Comment 3 Florian Best univentionstaff 2015-12-01 18:32:57 CET
That code is broken:
    dn_part = groupdn.partition(",")
    gidf = dn_part[0]
    base = dn_part[-1]

Use ldap.explode_dn() and ldap.filter.escape_filter_chars() instead!

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 283, in execute
    function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 120, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 190, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 347, in get_reset_methods
    blacklisted = self.is_blacklisted(username)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 460, in is_blacklisted
    groups_dns.extend(self.get_nested_groups(group_dn))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 496, in get_nested_groups
    group = self.get_udm_group(groupdn)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 562, in get_udm_group
    group = self.groupmod.lookup(self.config, self.lo, filter_s=gidf, base=base)[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1100, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 359, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=Foo-Gruppe  (BAR)))
Comment 4 Florian Best univentionstaff 2015-12-01 18:34:53 CET
Please remove also every use of univention.admin.config.config. This is a deprecated thing we nowhere use anymore.
    if not self.config:
        self.config = univention.admin.config.config()
Comment 5 Daniel Tröder univentionstaff 2015-12-02 10:15:09 CET
(In reply to Florian Best from comment #3)
> That code is broken:
>     dn_part = groupdn.partition(",")
>     gidf = dn_part[0]
>     base = dn_part[-1]
> 
> Use ldap.explode_dn() and ldap.filter.escape_filter_chars() instead!
> 
> Traceback (most recent call last):
[..]
> ldapError: Bad search filter:
> (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))
> (cn=Foo-Gruppe  (BAR)))

This code is out there on customer systems. If you find a way to break the system, please provide the data, so that it can be reproduced.

r66046: str.partition() has been replaced by ldap.explode_dn()

escape_filter_chars() is used where data comes from user input. The DNs in this code come from UDM.

(In reply to Florian Best from comment #4)
> Please remove also every use of univention.admin.config.config. This is a
> deprecated thing we nowhere use anymore.
No - those calls are everywhere in UDM!
But it seems useless, so I remove the code.
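The DN-splitting and filter-escaping points discussed in comments 3 and 5, as an added example that is not part of the bug report or the UCS code base. It uses pure-Python stand-ins so it runs without python-ldap; real code would call `ldap.explode_dn()` or `ldap.dn.str2dn()` and `ldap.filter.escape_filter_chars()`. All function names are hypothetical, and the base DN in the sample data is constructed.

```python
# Added example. Pure-Python stand-ins so it runs without python-ldap;
# in real code use ldap.dn.str2dn()/ldap.explode_dn() and
# ldap.filter.escape_filter_chars().
HEX = "0123456789abcdefABCDEF"

def naive_split(group_dn):
    """The approach quoted in comment 3: cut at the first comma."""
    part = group_dn.partition(",")
    return part[0], part[-1]

def split_first_rdn(dn):
    """Split at the first *unescaped* comma (RFC 4514)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
        elif dn[i] == ",":
            return dn[:i], dn[i + 1:]
        else:
            i += 1
    return dn, ""

def rdn_value(rdn):
    """Undo DN escaping (backslash + char, or backslash + hex pair)."""
    raw, out, i = rdn.partition("=")[2], bytearray(), 0
    while i < len(raw):
        pair = raw[i + 1:i + 3]
        if raw[i] == "\\" and len(pair) == 2 and all(c in HEX for c in pair):
            out.append(int(pair, 16)); i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            out += raw[i + 1].encode("utf-8"); i += 2
        else:
            out += raw[i].encode("utf-8"); i += 1
    return out.decode("utf-8")

def escape_filter_value(value):
    """Escape filter metacharacters (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def group_filter(group_dn):
    """Return (filter, base) that is safe to hand to an LDAP search."""
    rdn, base = split_first_rdn(group_dn)
    attr = rdn.partition("=")[0]
    return "(%s=%s)" % (attr, escape_filter_value(rdn_value(rdn))), base

# Constructed DNs: the group name is from the traceback, the base is made up.
PARENS_DN = "cn=Foo-Gruppe  (BAR),cn=groups,dc=example,dc=com"
COMMA_DN = r"cn=Sales\, EMEA,cn=groups,dc=example,dc=com"
```

`naive_split(PARENS_DN)` hands the unescaped parentheses straight into the filter, which is the "Bad search filter" in the traceback, and `naive_split(COMMA_DN)` cuts the group name in half at the escaped comma; `group_filter()` handles both.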
Comment 6 Florian Best univentionstaff 2015-12-07 17:58:03 CET
Works now with the latest changes. I wrote a test case in svn r66129.
YAML: adjusted in svn r66131.
Comment 7 Janek Walkenhorst univentionstaff 2015-12-09 16:48:57 CET
<http://errata.software-univention.de/ucs/4.1/24.html>