Problem
On our primary server, a portal server is running with numerous entries that have group restrictions. It was noticed that tiles for users with appropriate group membership were no longer being displayed.
An attempt was made to rebuild the cache using the steps outlined in this article, along with executing univention-portal update, but both efforts were unsuccessful.
No users can see the tiles assigned to their groups. Additionally, as a domain admin, the “Edit Portal” entry in the burger menu is missing. A menu entry restricted to domain admins was created, but the problem persisted. The menu entry appears only when no group restrictions are set.
The service has already been restarted, and the following commands were executed without resolving the issue:
univention-directory-listener-ctrl resync portal_groups
univention-directory-listener-ctrl resync portal_server
This issue is not related to any recent updates.
Investigation
We examined the structure of the group cache using the following Python commands:
>>> from univention.ldap_cache.frontend import users_groups
>>> ug = users_groups()
This resulted in a RecursionError, indicating that a recursive call was made repeatedly until the limit was exceeded:
RecursionError: maximum recursion depth exceeded while decoding a JSON array from a unicode string
Since we were building a group cache at the time, we suspected a cyclical dependency involving nested groups—groups containing themselves.
To identify the problematic object, we ran:
udm groups/group list | grep -E "(DN|nestedGroup|memberOf):"
This revealed an issue with the following group:
DN: cn=schule04-Lehrer,cn=schueler,cn=groups,ou=schule04,dc=schule,dc=domain,dc=de
memberOf: cn=schule04-Lehrer,cn=schueler,cn=groups,ou=schule04,dc=schule,dc=domain,dc=de
nestedGroup: cn=schule04-Lehrer,cn=schueler,cn=groups,ou=schule04,dc=schule,dc=domain,dc=de
This group contained itself as a member, creating an infinite loop during group resolution. Normally, UDM should prevent this with an error message, but for unknown reasons, this entry existed in the system.
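The grep above depends on spotting the loop by eye, which works for a group that lists itself but not for a longer loop such as A -> B -> C -> A. As an added example (not part of the original article and not Univention code), the following Python script parses the same DN/nestedGroup output and reports both kinds of loop, using an explicit stack so that it cannot run into the recursion limit itself. The sample DNs are constructed, and the indented property layout is an assumption about the udm output.

```python
from collections import defaultdict
# Constructed sample, shaped like the filtered `udm groups/group list` output.
SAMPLE = """\
DN: cn=teachers,cn=groups,dc=example,dc=test
  nestedGroup: cn=teachers,cn=groups,dc=example,dc=test
DN: cn=a,cn=groups,dc=example,dc=test
  nestedGroup: cn=b,cn=groups,dc=example,dc=test
DN: cn=b,cn=groups,dc=example,dc=test
  nestedGroup: cn=c,cn=groups,dc=example,dc=test
DN: cn=c,cn=groups,dc=example,dc=test
  nestedGroup: cn=A,cn=groups,dc=example,dc=test
"""

def parse_nested_groups(text):
    """Map each group DN (lowercased) to the set of group DNs nested in it."""
    graph, current = defaultdict(set), None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        value = value.strip().lower()  # DNs compare case-insensitively
        if key == "DN":
            current = value
            graph[current]  # register groups that have no nested groups
        elif key == "nestedGroup" and current:
            graph[current].add(value)
    return graph

def find_cycles(graph):
    """Depth-first search with an explicit stack; one cycle per back edge."""
    cycles, done = [], set()
    for root in sorted(graph):
        if root in done:
            continue
        path, stack = [root], [iter(sorted(graph[root]))]
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:          # all children visited: backtrack
                stack.pop()
                done.add(path.pop())
            elif nxt in path:        # back edge: nxt .. path[-1] is a loop
                cycles.append(path[path.index(nxt):])
            elif nxt not in done:
                path.append(nxt)
                stack.append(iter(sorted(graph.get(nxt, ()))))
    return cycles

if __name__ == "__main__":
    for cycle in find_cycles(parse_nested_groups(SAMPLE)):
        print(" -> ".join(cycle + cycle[:1]))
```

To check a live system, pass the captured output of the udm command to parse_nested_groups in place of SAMPLE.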
Solution
To resolve the issue, we removed the memberOf reference using the following steps:
- Temporarily disable circular dependency checks:
ucr set directory/manager/web/modules/groups/group/checks/circular_dependency=no
- Remove the memberOf reference:
udm groups/group modify --remove memberOf="cn=schule04-Lehrer,cn=schueler,cn=groups,ou=schule04,dc=schule,dc=domain,dc=de" --dn cn=schule04-Lehrer,cn=schueler,cn=groups,ou=schule04,dc=schule,dc=domain,dc=de
- Re-enable circular dependency checks:
ucr set directory/manager/web/modules/groups/group/checks/circular_dependency=yes
After performing these steps, the group cache was rebuilt successfully, and the tiles displayed correctly for users based on their group memberships.