Problem: API Import with INTERNAL SERVER ERROR

Problem

When requesting an import, the server immediately refuses with the message:
The UCS@school Import API HTTP Server is not available: Received status_code=500 with reason='INTERNAL SERVER ERROR' for requests.get(**files=None,url=u'https://master.schule.de/api/v1/imports/users/', auth=('l01-ge75', u'*********'), headers={u'Accept': u'application/json'}, params={'ordering': 'date_created','limit': 20, 'dryrun': False}, data=None).

Solution

Root Cause

Option 1

The password of the unprivileged import user stored in LDAP no longer matches the one in /etc/ucsschool-import/ldap_unprivileged.secret, so the HTTP API cannot bind to LDAP.

Step 1

Increase loglevel:

ucr set ucsschool/import/http_api/django_debug=yes
ucr set ucsschool/import/http_api/wsgi_server_loglevel=debug

Now you should check the following log files:

  • /var/log/univention/ucs-school-import-error.log
  • /var/log/univention/ucs-school-import/gunicorn_error.log
  • /var/log/univention/ucs-school-import/LAST-FAIL

Step 2

Access attempt with the user “myteacher” and the password “univention”; the response body is written to error.html:
curl -H "Content-Type: application/json" -u "myteacher:univention" "https://$(hostname -f)/api/v1/roles/" >error.html

The attempt above is logged as “Authentication Failure” in the log files listed in Step 1.

Step 3

Compare the password in the secret file with the one LDAP accepts:

cat /etc/ucsschool-import/ldap_unprivileged.secret   # pattern: <username>:<ldap_base>:<password>
ldapsearch -x -W -D "uid=<username>,cn=users,$(ucr get ldap/base)"   # use username and password from the previous command

If the bind fails with invalid credentials, the password in LDAP and the one in the secret file have diverged.

Step 4

Reset the password by re-joining the module:
univention-run-join-scripts --run-scripts --force 35ucs-school-import.inst

If the file (/etc/ucsschool-import/ldap_unprivileged.secret) is not too old, the above should work.

Finally, restart the services, see “For all options” at the end of the article.
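The check from Step 3, automated as an added example (not part of the original article): the script parses the secret file using the documented <username>:<ldap_base>:<password> pattern, builds the bind DN the same way as above and performs a simple bind. The file path, the field layout and the script name check_import_secret.sh are assumptions taken from this article.

```shell
#!/bin/sh
# Added example, not from the original article: automates the Step 3 check.
# Reads /etc/ucsschool-import/ldap_unprivileged.secret (assumed pattern
# <username>:<ldap_base>:<password>), builds uid=<username>,cn=users,<ldap_base>
# and tries a simple bind. A failed bind means LDAP and the secret file diverged.

SECRET_FILE="${SECRET_FILE:-/etc/ucsschool-import/ldap_unprivileged.secret}"

# parse_secret LINE: sets BIND_DN and BIND_PW from one line of the secret file.
# Only the first two fields are split off, so a password containing ':' survives.
parse_secret() {
    case $1 in *:*:*) ;; *) return 1 ;; esac
    _user=${1%%:*}
    _rest=${1#*:}
    _base=${_rest%%:*}
    BIND_PW=${_rest#*:}
    [ -n "$_user" ] && [ -n "$_base" ] && [ -n "$BIND_PW" ] || return 1
    BIND_DN="uid=$_user,cn=users,$_base"
}

# check_bind: bind to LDAP with the parsed credentials. The password is handed
# to ldapsearch through a 0600 temp file (-y) instead of -w, so it does not
# show up in the process list or in the shell history.
check_bind() {
    IFS= read -r _line < "$SECRET_FILE" || [ -n "$_line" ] || return 2
    parse_secret "$_line" || { echo "unexpected format in $SECRET_FILE" >&2; return 2; }
    _pwfile=$(mktemp) || return 2
    chmod 600 "$_pwfile"
    printf '%s' "$BIND_PW" > "$_pwfile"
    # "1.1" requests no attributes; only the bind result matters here.
    if ldapsearch -x -LLL -D "$BIND_DN" -y "$_pwfile" -b "$BIND_DN" -s base 1.1 >/dev/null 2>&1; then
        echo "OK: $BIND_DN binds with the password from $SECRET_FILE"; _rc=0
    else
        echo "MISMATCH: bind as $BIND_DN failed; rejoin (Step 4) or reset the password (Option 2)" >&2; _rc=1
    fi
    rm -f "$_pwfile"
    return $_rc
}

# The live check runs only when requested: sh check_import_secret.sh --check
case ${1:-} in --check) check_bind ;; esac
```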

Option 2

Modify the user (only if the system is a DC master); the new password must match the one stored in /etc/ucsschool-import/ldap_unprivileged.secret:
udm users/ldap modify --dn "uid=importhttpapi,cn=users,$(ucr get ldap/base)" --set password=eno2eh5d1SXjmj7BIhWj1nzHvYcThfU3tseynhhaoBst --set overridePWHistory=1

Modify the user (only if the system is a DC backup); the account carries the hostname as a suffix:
udm users/ldap modify --dn "uid=importhttpapi-$(ucr get hostname),cn=users,$(ucr get ldap/base)" --set password=eno2eh5d1SXjmj7BIhWj1nzHvYcThfU3tseynhhaoBst --set overridePWHistory=1

Finally, restart the services, see “For all options” at the end of the article.

Option 3

Change the file (/etc/ucsschool-import/ldap_unprivileged.secret) manually, then run the join script again.

For all options

Restart all services:

systemctl restart ucs-school-import-http-api.service
systemctl restart ucs-school-import-celery-worker.service
systemctl restart rabbitmq-server

Additionally, revert the log level: debug logging writes plaintext passwords to the log files, so leaving it enabled is a security risk:

ucr unset ucsschool/import/http_api/django_debug ucsschool/import/http_api/wsgi_server_loglevel
systemctl restart ucs-school-import-http-api.service