Setting Self-Service Contact Information fails

Hello,

when trying to set the contact information for the self-service I get the following error message:

The management-console-module-passwordreset.log shows following errors:

08.11.21 11:24:00.172  ADMIN       ( WARN    ) : The attribute 'univentionPasswordRecoveryEmailVerified' is not allowed by any object class.
08.11.21 11:24:00.173  MODULE      ( ERROR   ) : set_contact_data(): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/passwordreset/__init__.py", line 1017, in set_contact_data
    user.modify()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1467, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1353, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response, rename_callback=wouldRename.on_rename)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 902, in modify
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Undefined attribute type: univentionPasswordSelfServiceEmail: attribute type undefined

08.11.21 11:24:00.174  MODULE      ( PROCESS ) : Changing contact data failed.

UCS: 4.4-8 errata1069
self-service=4.0
self-service-backend=4.0

I hope somebody can help me with that.

Regards,
Marcel

It seems that there’s a missing LDAP extension, but how can we add/install it?

@scheinig Sorry that I tag you directly, but the forum seems very inactive currently

All the best,
René

Hello René,

this is not a school environment, is it?
In a school environment the ucs-school-selfservice-support Package has to be installed on the master.

Does this extended attribute exist?
udm settings/extended_attribute list --filter cn=UniventionPasswordSelfServiceEmail

Can you post the output?

Best
Christina

Hi Christina,

thanks for reaching out

No it’s not a school environment, it’s a relative new single server UCS installation.

Here’s the requested output:

root@dc1:~# udm settings/extended_attribute list --filter cn=UniventionPasswordSelfServiceEmail
cn=UniventionPasswordSelfServiceEmail
DN: cn=UniventionPasswordSelfServiceEmail,cn=custom attributes,cn=univention,dc=ldap,dc=domain,dc=com
  CLIName: PasswordRecoveryEmail
  copyable: None
  default: None
  deleteObjectClass: 0
  disableUDMWeb: None
  doNotSearch: 0
  fullWidth: 1
  groupName: None
  groupPosition: None
  hook: None
  ldapMapping: univentionPasswordSelfServiceEmail
  longDescription: During the password recovery process an e-mail is sent to the specified e-mail address. Password recovery via e-mail is only available for users if configured and enabled by the administrator.
  mayChange: 1
  module: users/user
  multivalue: 0
  name: UniventionPasswordSelfServiceEmail
  notEditable: 0
  objectClass: univentionPasswordSelfService
  overwritePosition: None
  overwriteTab: 0
  shortDescription: E-mail address
  syntax: emailAddress
  tabAdvanced: 0
  tabName: Password recovery
  tabPosition: None
  translationLongDescription: de_DE: An diese E-Mail-Adresse wird während der Passwort-Wiederherstellung eine Mail verschickt. Der Mail-Versand steht dem Benutzer nur zur Verfügung, wenn dieser vom Administrator eingerichtet und freigeschaltet wurde.
  translationShortDescription: de_DE: E-Mail-Adresse
  translationTabName: de_DE: Passwort-Wiederherstellung
  valueRequired: 0
  version: 2

liebe Grüße,
René

Hi René,

okay, that looks just like mine.
Has a user template been created, or is there one?
Let’s start with this output:
univention-ldapsearch -b cn=templates,cn=univention,$(ucr get ldap/base) dn

I have this one from the self service:
udm settings/usertemplate list --filter cn=selfserviceregistrationtemplate

For completeness:

Master-180 root@master:~# dpkg -l  |grep self
ii  univention-self-service                             4.0.3-50A~4.4.0.202103191337                                        all          Univention Self Service
ii  univention-self-service-invitation                  4.0.3-50A~4.4.0.202103191337                                        all          Invitation module for Univention Self Service.
ii  univention-self-service-master                      4.0.3-50A~4.4.0.202103191337                                        all          Univention Self Service
ii  univention-self-service-passwordreset-umc           4.0.3-50A~4.4.0.202103191337                                        all          Password reset module for Univention Self Service.

LG Christina

Hi,

here we go:

root@dc1:~# univention-ldapsearch -b cn=templates,cn=univention,$(ucr get ldap/base) dn                   

# extended LDIF
#
# LDAPv3
# base <cn=templates,cn=univention,dc=ldap,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: dn 
#

# templates, univention, ldap.domain.com
dn: cn=templates,cn=univention,dc=ldap,dc=domain,dc=com

# selfserviceregistrationtemplate, templates, univention, ldap.domain.com
dn: cn=selfserviceregistrationtemplate,cn=templates,cn=univention,dc=ldap,dc=domain,dc=com

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

root@dc1:~#  udm settings/usertemplate list --filter cn=selfserviceregistrationtemplate

cn=selfserviceregistrationtemplate
DN: cn=selfserviceregistrationtemplate,cn=templates,cn=univention,dc=ldap,dc=domain,dc=com
  DeregisteredThroughSelfService: None
  DeregistrationTimestamp: None
  PasswordRecoveryEmail: None
  PasswordRecoveryEmailVerified: None
  PasswordRecoveryMobile: None
  RegisteredThroughSelfService: None
  city: None
  country: None
  description: None
  disabled: None
  displayName: <firstname> <lastname><:strip>
  employeeNumber: None
  employeeType: None
  homeShare: None
  homeSharePath: None
  homedrive: None
  initials: None
  lastbind: None
  mailPrimaryAddress: None
  name: selfserviceregistrationtemplate
  organisation: None
  physicalDeliveryOfficeName: None
  postcode: None
  preferredDeliveryMethod: None
  preferredLanguage: None
  primaryGroup: cn=Domain Users,cn=groups,dc=ldap,dc=domain,dc=com
  profilepath: None
  pwdChangeNextLogin: None
  roomNumber: None
  sambahome: None
  scriptpath: None
  shell: /bin/bash
  street: None
  title: None
  unixhome: /home/<username>
  zimbraAccountStatus: none
  zimbraHideInGal: 0
  zimbraIsAdminAccount: 0
  zimbraIsSystemAccount: 0
  zimbraIsSystemResource: 0

root@dc1:~# dpkg -l  |grep self
ii  univention-self-service                             4.0.3-50A~4.4.0.202103191337                                        all          Univention Self Service
ii  univention-self-service-invitation                  4.0.3-50A~4.4.0.202103191337                                        all          Invitation module for Univention Self Service.
ii  univention-self-service-master                      4.0.3-50A~4.4.0.202103191337                                        all          Univention Self Service
ii  univention-self-service-passwordreset-umc           4.0.3-50A~4.4.0.202103191337                                        all          Password reset module for Univention Self Service.

lg
René

Hi René,

can you provide the univention-ldapsearch from the userobject, which causes the error?
univention-ldapsearch -LLL uid=<username> '*' '+'

thanks and lg
Christina

Hi Christina,

here’s the requested output:

dn: uid=siedl,cn=users,dc=ldap,dc=domain,dc=com                                                                                                                                         
uid: siedl 
krb5PrincipalName: siedl@LDAP.DOMAIN.COM
objectClass: krb5KDCEntry
objectClass: zimbra4ucsUser
objectClass: organizationalPerson
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: person
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: univentionObject
objectClass: univentionMail
objectClass: krb5Principal
objectClass: posixAccount
uidNumber: 2093
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
krb5MaxLife: 86400
cn: Siedl Networks
mailForwardCopyToSelf: 0
krb5MaxRenew: 604800
sambaBadPasswordTime: 0
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
gidNumber: 5001
zimbraHideInGal: 1
displayName: Siedl Networks
mailPrimaryAddress: siedl@domain.com
zimbraAccountStatus: active
gecos: Siedl Networks
sn: Networks
homeDirectory: /home/siedl
givenName: Siedl
sambaPrimaryGroupSID: S-1-5-21-3510874815-1049332411-1564533752-513
structuralObjectClass: inetOrgPerson
entryUUID: ed146e32-d28b-103b-8c8d-9b44cc5d3f4d
creatorsName: uid=Administrator,cn=users,dc=ldap,dc=domain,dc=com
createTimestamp: 20211105135632Z
memberOf: cn=Domain Users,cn=groups,dc=ldap,dc=domain,dc=com
sambaSID: S-1-5-21-3510874815-1049332411-1564533752-1197
userPassword:: e2NyeXB0fSQ2JDVXS2djcWFpWDcyNHZQZS4kOHFWY05BUkFvYkRXVU5xSTl5V285WDdLT2ZtcTJLWFlYTUROVXRaNmhoMHhXUkVUSnR3aGkwUGJBS3ZsUUJKb05YODhnaE9WNkJuejdnZkxVd2hZVTA=
krb5Key:: MFShKzApoAMCARKhIgQgOJeTa1JPTptay7YJUuEdPJtsiU5t5Sl9Irt8XYNpGdaiJTAjoAMCAQOhHAQaTERBUC5GT1hFRFVDQVRJT04uQ09Nc2llZGw=
krb5Key:: MEShGzAZoAMCARGhEgQQjFmIjsZ+tmtRLoK6DX2MF6IlMCOgAwIBA6EcBBpMREFQLkZPWEVEVUNBVElPTi5DT01zaWVkbA==
krb5Key:: MEShGzAZoAMCARehEgQQbu5xs8DPF42BCkjxiF5+7KIlMCOgAwIBA6EcBBpMREFQLkZPWEVEVUNBVElPTi5DT01zaWVkbA==
krb5Key:: MDyhEzARoAMCAQGhCgQIINqKN9/Vv6KiJTAjoAMCAQOhHAQaTERBUC5GT1hFRFVDQVRJT04uQ09Nc2llZGw=
krb5Key:: MDyhEzARoAMCAQOhCgQIINqKN9/Vv6KiJTAjoAMCAQOhHAQaTERBUC5GT1hFRFVDQVRJT04uQ09Nc2llZGw=
krb5Key:: MDyhEzARoAMCAQKhCgQIINqKN9/Vv6KiJTAjoAMCAQOhHAQaTERBUC5GT1hFRFVDQVRJT04uQ09Nc2llZGw=
krb5Key:: MEyhIzAhoAMCARChGgQYtdxbRnULmIxd2f37JrwLua7BUaiJYWv7oiUwI6ADAgEDoRwEGkxEQVAuRk9YRURVQ0FUSU9OLkNPTXNpZWRs
krb5KeyVersionNumber: 5
pwhistory: $6$2YEvPr7COsjLvR4/$jo8Bpqu8CdYAz3Aqe/VhaeDmLqWODPJlR15JILlMlh.MBllqTs4wdXjCc/PFO.RipaTgrRf8xEBfKOmnySOpz/ $6$86SSejsX4hl..X1d$fE4lJaqZLo3Pbgcq3rg7Hh2uZq5fvkvqNdJPedSy0flW4BbBWZoTtCkpc9kqLFVTgwnbKi7bXCketUTIaWwgL. $6$tfNcAMJED6RMFthv$11JqziDQ6mZo.5F9SPez9b6x9VAxx6a8tJongF.fGjwocdfxUVVk31LmgwXQgEM5qcPxYiwj2.wAr4HZ9.oFR1
sambaNTPassword: 6EEE71B3C0CF178D810A48F1885E7EEC
sambaPasswordHistory: 6B5E2980F9ABD8B4C33DABAA88AE6E8A501C02C2B0191F8B83D85936AF417FA5BB367F5AE637C14EEF117036FB0763A9683F5E0C8E35EA1BAA6667866CF2FC79DEAA444A45DC1619443E5D65BFE5B270696BBE58114525B13249E370727B4E9499D46240DF62B812D34494C6B3360C4D36AE583EDC149D94D6FE02D4233479B1D0A01727741274949D910BC4B1DF6B8204B32AAAAF389790213DC47D266FB124
sambaPwdLastSet: 1637158325
shadowLastChange: 18948
entryCSN: 20211117141208.792571Z#000000#000#000000
modifiersName: cn=admin,dc=ldap,dc=domain,dc=com
modifyTimestamp: 20211117141208Z
entryDN: uid=siedl,cn=users,dc=ldap,dc=domain,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Liebe Grüße,
René

Hi René,

lets step back.
The error occurs ins the UMC when a user tries to change the contact data via self-service, or if the Administrator changes the contact data in the UMC for the user.

I am a little bit confused because the error is shown in the passwordreset.log. I would expect that in the m-c-web-server.log, because it is not a password reset.

So it is possible to make the changes for the user via udm, or does the same error occure?

LG
Christina

Hi Christina,

the error occurs, when the user tries to set the restore email for himself over the self service module (Protect Account function).

additionally to the error in the management-console-module-passwordreset.log … the following error occurs in the management-console-web-server.log:

19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand (172.16.16.1:51314) response status code: 500
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand (172.16.16.1:51314) response reason : None
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand (172.16.16.1:51314) response message: Changing contact data failed.
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand (172.16.16.1:51314) response result: None
19.11.21 08:42:40.849  MAIN        ( PROCESS ) : CPCommand (172.16.16.1:51314) response error: {u'traceback': None, u'command': u'set_contact'}

Liebe Grüße,
René

Hi René,

sorry for the delay. Can you post the output of

ucr get self-service/ldap_attributes
ucr get self-service/udm_attributes

Ach ja und bitte einmal ein
univention-check-join-status
LG
Christina

Hi Christina,
here is the output:

ucr get self-service/ldap_attributes
jpegPhoto,telephoneNumber,roomNumber,departmentNumber,st,homePhone,mobile,homePostalAddress

ucr get self-service/udm_attributes
jpegPhoto,phone,roomnumber,departmentNumber,country,homeTelephoneNumber,mobileTelephoneNumber,homePostalAddress

univention-check-join-status
Joined successfully

LG
Marcel

Any updates to this?

First I looked where the message came from

• the message “Undefined attribute type” is reported by the underlying OpenLDAP library: error.c#L60.
• and the meaning of the placeholder is, that it is reported, if an attribute is unknown: LDAP_UNDEFINED_TYPE

It seems that when modifying the attribute “univentionPasswordSelfServiceEmail” and its content, the Schema definition is unknown to OpenLDAP. Please double check that

• the Schema file is present on all servers /var/lib/univention-ldap/local-schema/self-service-passwordreset.schema, otherwise reinstall the self-service app
• “self-service-passwordreset.schema” is included in /etc/ldap/slapd.conf, otherwise type ucr commit /etc/ldap/slapd.conf and restart the ldap service

There is also a similar topic at the forum, see

Hi peichert,

thanks for your update.

The schema file was in fact missing.
However, reinstalling the app did not resolve that. I just copied the file from another installation and put it in that directory. Is this alright or could this cause issues?

The commit on the slapd.conf then added the mentioned schema-file and after restarting the slapd setting the e-mail address works.

Thanks and Regards
Marcel