Problem
A user wants to change the country via the self-service but upon clicking on “save” nothing happens. This is related to the following two bugs:
https://forge.univention.org/bugzilla/show_bug.cgi?id=57397
https://forge.univention.org/bugzilla/show_bug.cgi?id=57398
Investigation
There are tracebacks in /var/log/univention/management-console-module-passwordreset.log
21.06.24 10:52:52.399 MODULE ( ERROR ) : set_user_attributes(): modifying the user failed: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 792, in modify
return self.lo.modify(dn, changes, serverctrls=serverctrls, response=response, rename_callback=rename_callback)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 816, in modify
self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 875, in modify_ext_s
_rtype, _rdata, _rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1253, in modify_ext_s
return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
return func(self,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 602, in modify_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}
Insufficient access is the key error message that we’ll come back to soon enough.
First check if the country gets saved to the ldap attribute st or c. You can do that by looking at the ucr variable directory/manager/web/modules/users/user/map-country-to-st
root@primary:~# ucr search directory/manager/web/modules/users/user/map-country-to-st
directory/manager/web/modules/users/user/map-country-to-st: false
This variable configures whether the user property "country" is mapped to the LDAP-Attribute "c" (correct) or "st" (wrong).
In this case the variable get saved to the ldap attribute c. Ok, so now make sure that the self-service is allowed to modify that ldap attribute. You can do that by checking the following ucr variable:
root@primary:~# ucr search self-service/ldap_attributes
self-service/ldap_attributes: jpegPhoto,mail,telephoneNumber,roomNumber,departmentNumber,st,homePhone,mobile,homePostalAddress
A comma separated list of LDAP attributes that a user must be able to modify when using the self-service. This variable only has to be configured on the Primary Directory Node. On a Primary Directory Node, a UCR module will generate and activate an ACL definition file.
You can see that st is modifieable via self-service but not c.
Solution
You need to add c to the ucr variable (see bug 57397):
ucr set self-service/ldap_attributes='jpegPhoto,mail,telephoneNumber,roomNumber,departmentNumber,st,homePhone,mobile,homePostalAddress,c'
Note: Please be aware not to simply copy and paste the line above, but instead make sure to modify your current values by simply adding the missing "c"
Solution #2
If users still cannot edit their country via self-service, make sure that there is a value present and the c or st is not empty (see bug 57398). So simply change the empy value to some country via an administrator.