Self-service: Can not modify mailPrimaryAddress -> Error 400 - Bad Request

Hello. I want to have the ability to allow users to change their “mailPrimaryAddress” instead of “e-mail” via self-service.
I know about the pros and cons by using mailPrimaryAddress instead of e-mail as UDM attribute, but since I am using UCS only as directory server this is fine for me.

My UCR settings look like this:

  • self-service/ldap_attributes: jpegPhoto,mailPrimaryAddress,mail,telephoneNumber,st,homePostalAddress
  • self-service/udm_attributes: jpegPhoto,mailPrimaryAddress,phone,homePostalAddress

I have also disabled the filter for mailPrimaryAddress, which previously enforced that the mail domain matches a managed domain of the domain controller:

ucr set directory/manager/web/modules/users/user/properties/mailPrimaryAddress/syntax=string
service univention-management-console-server restart

While I am now able to set an arbitrary mailPrimaryAddress via the user manager, I can not change my mail via the self-service plugin.

Whenever I enter a new mail in self-service, I get “Error 400 - Bad Request” in my browser.

The logs show this
/var/log/univention/management-console-web-server.log

23.02.22 15:37:57.707  MAIN        ( PROCESS ) : CPCommand (192.168.0.4:34176) response status code: 400
23.02.22 15:37:57.707  MAIN        ( PROCESS ) : CPCommand (192.168.0.4:34176) response reason : None
23.02.22 15:37:57.707  MAIN        ( PROCESS ) : CPCommand (192.168.0.4:34176) response message: Die Attribute konnten nicht gespeichert werden: Zugriff verweigert. Konnte die Sperrzeit von u'cn=new@mail.com,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=XXX,dc=XXX,dc=XXX' nicht modifizieren.
23.02.22 15:37:57.707  MAIN        ( PROCESS ) : CPCommand (192.168.0.4:34176) response result: None
23.02.22 15:37:57.707  MAIN        ( PROCESS ) : CPCommand (192.168.0.4:34176) response error: {'traceback': None, 'command': 'set_user_attributes'}

/var/log/univention/management-console-module-passwordreset.log

3.02.22 15:39:09.499  MODULE      ( PROCESS ) : Loading python module.
23.02.22 15:39:09.792  MODULE      ( PROCESS ) : Imported python module.
23.02.22 15:39:09.792  MODULE      ( PROCESS ) : Module instance created.
23.02.22 15:39:09.792  MODULE      ( PROCESS ) : Module socket initialized.
23.02.22 15:39:09.809  MODULE      ( PROCESS ) : Setting user LDAP DN None
23.02.22 15:39:09.809  MODULE      ( PROCESS ) : Setting auth type to None
23.02.22 15:39:09.809  MODULE      ( PROCESS ) : Initializing module.
23.02.22 15:39:09.818  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'VerifyEmail' for sending method 'verify_email'.
23.02.22 15:39:09.825  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
23.02.22 15:39:09.832  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
23.02.22 15:39:09.836  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
23.02.22 15:39:09.836  MODULE      ( PROCESS ) : get_plugins(): plugin class 'VerifyEmail' for sending method 'verify_email': udm_property: 'PasswordRecoveryEmailVerified' token_length: '64'
23.02.22 15:39:09.836  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
23.02.22 15:39:09.945  MODULE      ( ERROR   ) : set_user_attributes(): modifying the user failed: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/passwordreset/__init__.py", line 508, in set_user_attributes
    user.modify()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1480, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 633, in modify
    self._ldap_pre_ready()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1695, in _ldap_pre_ready
    self.request_lock('mailPrimaryAddress', self['mailPrimaryAddress'])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1691, in request_lock
    value = univention.admin.allocators.request(self.lo, self.position, name, value)
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 209, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 198, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value.encode('utf-8'), scope=scope)
  File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line 102, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Konnte die Sperrzeit von u'cn=new@mail.com,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=XXX,dc=XXX,dc=XXX' nicht modifizieren.

23.02.22 15:39:09.946  MODULE      ( PROCESS ) : Die Attribute konnten nicht gespeichert werden: Zugriff verweigert. Konnte die Sperrzeit von u'cn=new@mail.com,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=XXX,dc=XXX,dc=XXX' nicht modifizieren.

I have basically no idea why it fails. Deleting and recreating the LDAP entry in univention/temporary did not resolve this. What am I doing wrong?

Changing the primary email as well as the user name influences deeper internal processes. I guess that’s why a user can’t change his primary email at his own discretion.

This might be very true, especially if one uses services like the UCS mail-stack.
But there do exist valid cases where changing the mailPrimaryAddress is legitimate. Especially when using UCS solely as a directory server, the impact of changing the mailPrimaryAddress is negligible.

I just wonder what exactly is failing. So far I understand that when trying to update mailPrimaryAddress on the user via Self-Service, a temporary object is created at cn=new@mail.com,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=XXX.
However, the lock on this LDAP entry fails. For me, it is not clear why it is created there and not at the user object where one wants to change that attribute in the first place.
The error is thrown here.
I will try to investigate how the user object works internally and how it ends up using the temporary objects instead.
Anyhow, help is wanted :slight_smile:

It seems the problem is the missing permission on the given DN for the user.
You can try to give write permission to self for cn=temporary,cn=univention,dc=XXX,dc=XXX,dc=XXX

Indeed, this could be the reason. Thank you.
Could you guide me in a certain direction on how to achieve this? I guess setting a policy for that DN?

This is way too much for my LDAP skills to give you helpful advice, but maybe you will get some hints here:
https://www.openldap.org/doc/admin24/access-control.html
https://linux.die.net/man/5/slapd.access
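For readers following the two links above, here is what such a grant looks like in slapd.access(5) syntax, as an added example that is not from this thread and not part of UCS's shipped configuration: it scopes the write access to exactly the mailPrimaryAddress lock container the traceback shows UDM using, rather than to all of cn=temporary. The base DN is taken from the log; the users container cn=users (the UCS default) and the placement of the clause are assumptions. Note that in slapd ACLs `self` means the entry being accessed is the requester's own entry, so a `by self write` on the lock subtree would never match a user creating a lock entry there; the example therefore names the users container instead.

```conf
# Added example (not from the thread and not UCS's generated slapd.conf).
# Allows user objects under cn=users to create and modify the lock entries
# that UDM's request_lock() writes below cn=mailPrimaryAddress,cn=temporary
# (the "Konnte die Sperrzeit ... nicht modifizieren" failure in the log).
# Assumptions: base DN dc=XXX,dc=XXX,dc=XXX as in the log; self-service users
# live under cn=users; the self-service module binds as the user itself.
#
# slapd evaluates "access to" clauses in order and uses the first clause
# whose "to" part matches the target entry, so this clause must come BEFORE
# any broader clause that covers cn=univention or the whole tree. On UCS
# slapd.conf is generated from UCR templates (assumption about the local
# setup; check the header of /etc/ldap/slapd.conf), so put the clause into
# the template fragment rather than editing the generated file directly.
access to dn.subtree="cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=XXX,dc=XXX,dc=XXX"
    by dn.children="cn=users,dc=XXX,dc=XXX,dc=XXX" write
    by * break

# "by * break" hands every other requester on to the following "access to"
# clauses instead of denying them here, so the existing admin and read rules
# for this part of the tree keep applying unchanged.
```

Everyone matched by the `by` clause can create lock entries for arbitrary addresses in that container, so keep the `who` part as narrow as the deployment allows and, after a `slapd` restart, confirm with a self-service address change that the 400 is gone and that an unrelated bind still cannot write there.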