Univention Bugzilla – Bug 40049
password reset: on reset user has to use uid instead of mail-address (behaviour with pw change is different)
Last modified: 2015-12-09 16:48:57 CET
On PW-Reset user has to use uid instead of mail-address but on PW-Change user is able to use mail-address. This should be consistent.
Commit 65901 (YAML 65903) adds support for login/request-reset with an email address instead of the username.
Please don't use the "assert" statement in production code as this might be stripped due to optimization (python -OO).
That code is broken:

    dn_part = groupdn.partition(",")
    gidf = dn_part[0]
    base = dn_part[-1]

Use ldap.explode_dn() and ldap.filter.escape_filter_chars() instead!

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 283, in execute
    function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 120, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 190, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 347, in get_reset_methods
    blacklisted = self.is_blacklisted(username)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 460, in is_blacklisted
    groups_dns.extend(self.get_nested_groups(group_dn))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 496, in get_nested_groups
    group = self.get_udm_group(groupdn)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 562, in get_udm_group
    group = self.groupmod.lookup(self.config, self.lo, filter_s=gidf, base=base)[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1100, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 359, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=Foo-Gruppe (BAR)))
Please also remove every use of univention.admin.config.config. This is a deprecated thing we no longer use anywhere.

    if not self.config:
        self.config = univention.admin.config.config()
66046
(In reply to Florian Best from comment #3)
> That code is broken:
>     dn_part = groupdn.partition(",")
>     gidf = dn_part[0]
>     base = dn_part[-1]
>
> Use ldap.explode_dn() and ldap.filter.escape_filter_chars() instead!
>
> Traceback (most recent call last): [..]
> ldapError: Bad search filter:
> (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))
> (cn=Foo-Gruppe (BAR)))

This code is out there on customer systems. If you find a way to break the system, please provide the data, so that it can be reproduced.

r66046:
str.partition() has been replaced by ldap.explode_dn()
escape_filter_chars() is used where data comes from user input. The DNs in this code come from UDM.

(In reply to Florian Best from comment #4)
> Please remove also every use of univention.admin.config.config. This is a
> deprecated thing we nowhere use anymore.

No - those calls are everywhere in UDM! But it seems useless, so I remove the code.
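
Added example, not part of the bug thread and not Univention's code: a stdlib-only sketch of why building a search filter with str.partition(",") fails for the group name in the traceback, next to a version that splits the DN with escape handling and escapes the filter value. The helper names are hypothetical stand-ins for ldap.explode_dn() and ldap.filter.escape_filter_chars(), and the base DN and the "Sales, EMEA" group are constructed sample data.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")

def escape_filter_value(value):
    """Escape a literal value for use in an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)

def split_first_rdn(dn):
    """Return (attribute, unescaped value, parent DN); assumes a single-valued first RDN.

    Honours RFC 4514 backslash escapes, so an escaped comma does not end the RDN.
    """
    raw, i = bytearray(), 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and _HEX_PAIR.match(dn, i + 1):   # hex form, e.g. \2C
            raw.append(int(dn[i + 1:i + 3], 16))
            i += 3
        elif dn[i] == "\\" and i + 1 < len(dn):            # single-character form, e.g. \,
            raw += dn[i + 1].encode("utf-8")
            i += 2
        else:
            raw += dn[i].encode("utf-8")
            i += 1
    attr, _, value = raw.decode("utf-8").partition("=")
    return attr, value, dn[i + 1:]

def naive_lookup_args(group_dn):
    """Pattern criticised in the thread: first RDN verbatim as filter, rest as base."""
    rdn, _, base = group_dn.partition(",")
    return rdn, base

def safe_lookup_args(group_dn):
    """Same (filter, base) pair, in bare attr=value form, with DN unescaping and filter escaping."""
    attr, value, base = split_first_rdn(group_dn)
    return "%s=%s" % (attr, escape_filter_value(value)), base

# Constructed sample DNs: the group name of the first one is taken from the traceback.
DN_PARENS = "cn=Foo-Gruppe (BAR),cn=groups,dc=example,dc=com"
DN_COMMA = r"cn=Sales\, EMEA,cn=groups,dc=example,dc=com"

if __name__ == "__main__":
    for dn in (DN_PARENS, DN_COMMA):
        print("naive:", naive_lookup_args(dn))
        print("safe: ", safe_lookup_args(dn))
```

The second DN shows a separate failure of the partition approach: an escaped comma inside the RDN truncates the filter and corrupts the search base.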
Works now with the latest changes. I wrote a test case in svn r66129. YAML: adjusted in svn r66131.
<http://errata.software-univention.de/ucs/4.1/24.html>