We installed UCS 4.3-3 and configured groups on portal entries.
My user account is a member of group “Domain Users” as a univention-ldapsearch uid=XXX memberof shows.
memberof is also active:
In the logfile /var/log/univention/management-console-web-server.log I found the following error message:
13.03.19 12:41:23.805 MAIN ( ERROR ) : Could not get groups for u'Administrator': Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-web-server", line 380, in get_user_groups
    user_dn = lo.searchDn(ldap.filter.filter_format('(&(uid=%s)(objectClass=person))', (self.username,)))[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 750, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
@Christian_Voelker,
This is a productive system and I don’t want to run a release upgrade there right now. As far as I know, privacyIDEA has a major version change in UCS 4.4.
The customer I am working for on this project has a subscription. So we will get in contact via support.
We would prefer a backport of the bugfix to UCS 4.3.
@scheinig, yes I also did a service restart.
BR,
Jörn
From @scheinig via support ticket I got the information that this might be caused by the regular server password change. The interval can be checked via ucr get server/password/interval which is 21 days by default.
Until Univention releases a fix, you can simply drop in your own hook script for server password changes in /usr/lib/univention-server/server_password_change.d. Create a file, e.g. zz-fix-web-console-server, make it executable and use the following content (untested):
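#!/bin/sh
# Hook for /usr/lib/univention-server/server_password_change.d:
# restart the UMC services once the server password has been changed.
if [ "$1" = "postchange" ] ; then
    systemctl restart univention-management-console-server.service
    systemctl restart univention-management-console-web-server.service
fi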
Univention’s fix will most likely be nothing more than such a hook script. It’s safe to have your own script in there even if the official fix has been applied.
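A read-only check for the symptom reported in this thread, added here as an example and not part of any post or of Univention's code: it scans management-console-web-server.log text for "Could not get groups" records whose traceback ends in "ldapError: Insufficient access". The function names and the sample log lines are constructed, and the record layout is assumed from the excerpt in the first post.

```shell
#!/bin/sh
# Added example: find UMC web server errors of the kind quoted in this thread.
# Function names and the sample log below are constructed for illustration.

# Print "<date> <time> <user>" for every "Could not get groups" record whose
# traceback ends in "ldapError: Insufficient access". Reads the files given
# as arguments, or stdin when none are given. Nothing is modified.
umc_stale_bind_events() {
    awk -v q="'" '
        /Could not get groups for/ {
            ts = $1 " " $2
            user = $0
            sub(".*Could not get groups for u?" q, "", user)
            sub(q ".*", "", user)
            pending = 1
            next
        }
        pending && /^[ \t]*ldapError: Insufficient access/ {
            print ts, user
            pending = 0
            next
        }
        # Any other timestamped record closes an unfinished traceback.
        /^[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9] / { pending = 0 }
    ' "$@"
}

# Constructed sample input, laid out like the excerpt in the first post.
sample_log() {
    cat <<'EOF'
13.03.19 12:41:23.805 MAIN ( ERROR ) : Could not get groups for u'Administrator': Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-web-server", line 380, in get_user_groups
ldapError: Insufficient access
14.03.19 09:00:01.100 MAIN ( ERROR ) : Could not get groups for u'alice': Traceback (most recent call last):
ldapError: Can't contact LDAP server
14.03.19 09:05:00.000 MAIN ( INFO ) : constructed unrelated record
ldapError: Insufficient access
15.03.19 08:00:00.000 MAIN ( ERROR ) : Could not get groups for 'bob': Traceback (most recent call last):
ldapError: Insufficient access
EOF
}

sample_log | umc_stale_bind_events
```

On a UCS system the function would be pointed at /var/log/univention/management-console-web-server.log; events that start after a server password change and stop after the services are restarted fit the cause described above.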