UCS 4.4 -> 5.0 Self-Service/Passwordreset not working after Update

Hello again!

A customer just updated to UCS 5.0-1 errata1 and ever since experiences the following behaviour when users try to reset their passwords using the password reset function of the selfservice-app:

  1. User clicks on the (self-service) “Reset-Password”-Tile, enters username
  2. User receives the passwordreset-mail and clicks on the links presented therein which are:

https://machine.domain/univention/selfservice/#/selfservice/newpassword/?token=VERRYS3CR3Tt0k3n&username=me
or
https://machine.domain/univention/selfservice/#/selfservice/newpassword/

  3. User gets an error:
    self-service-error

I tried altering the URL manually from […]univention/selfservice/[…] into […]univention/self-service[…] to no avail: it just redirects onto the “Please enter your username…”-Page, and the procedure starts anew.

Can anybody confirm this problem?

Since the selfservice/passwordreset-functionality is substantial in this use-case I am in urgent need of a fix.

Please help!

Thank you kindly,
Werner

I think the functionality has changed in later revisions. On my 5.0-2 system the reset password functionality is on the logon screen. I don’t have a reset password tile. It’s password forgotten. Also it works based on information filled out in the contact section of the user account so that needs to be filled in to work properly.

I suspect if you update the system to the current version you would be able to get it to work, but I wouldn’t guarantee it since I never needed to use the selfservice after updating to 5 I can’t say for sure that it was broken originally, but I do seem to recall something about it. Maybe search on the forum to see if you can verify that.

If you have it installed as a VM and can make a snapshot before testing the update then I would say do that.

Hello, thank you for your reply @kevo!

I actually searched the forum quite a bit before submitting my question, nevertheless I might have looked for the wrong keywords, so help me out if I overlooked something.

Sadly, the behaviour I described didn’t change very much at all after updating to 5.0-2.

It seems self-service is kind of broken in 5.0:
on the upper-right-hand-menu (“burger-menu”) there are options like “Protect your account” and “My Profile” despite them clearly being disabled via the corresponding ucr-variables:

root@machine:~# ucr search --brief self-service | grep enabled 
self-service/web/enabled: yes
umc/self-service/account-deregistration/enabled: false
umc/self-service/account-registration/backend/enabled: false
umc/self-service/account-registration/frontend/enabled: false
umc/self-service/account-verification/backend/enabled: false
umc/self-service/account-verification/frontend/enabled: false
umc/self-service/enabled: yes
umc/self-service/invitation/enabled: no
umc/self-service/passwordchange/frontend/enabled: no
umc/self-service/passwordreset/backend/enabled: yes
umc/self-service/passwordreset/email/enabled: yes
umc/self-service/passwordreset/external/enabled: no
umc/self-service/passwordreset/frontend/enabled: yes
umc/self-service/passwordreset/sms/enabled: no
umc/self-service/profiledata/enabled: false
umc/self-service/protect-account/backend/enabled: false
umc/self-service/protect-account/frontend/enabled: no
umc/self-service/service-specific-passwords/backend/enabled: false

If there is a misunderstanding on my part, feel free to correct me.
(it used to work like that…)

Anyway I dug around in the dark a bit more and came to the conclusion that the generated link is the culprit.

The correct URL should be:
https://machine.domain/univention/self-service/#page=newpassword&token=VERRYS3CR3TT0KEN&username=myself

But the link generated in the mail actually is:
https://machine.domain/univention/selfservice/#/selfservice/newpassword/?token=VERRYS3CRETT0KEN&username=myself

Since the customer needs this function for his day-to-day-business here’s my hotfix:

root@machine:/usr/lib/python3/dist-packages/univention/management/console/modules/passwordreset/sending# diff send_email.py~ send_email.py
108,109c108,109
<                       'link': "https://{fqdn}/univention/selfservice/#/selfservice/newpassword/".format(fqdn=frontend_server),
<                       'tokenlink': "https://{fqdn}/univention/selfservice/#/selfservice/newpassword/?token={token}&username={username}".format(fqdn=frontend_server, username=quote(self.data["username"]), token=quote(self.data["token"]))
---
>                       'link': "https://{fqdn}/univention/self-service/#page=newpassword".format(fqdn=frontend_server),
>                       'tokenlink': "https://{fqdn}/univention/self-service/#page=newpassword&token={token}&username={username}".format(fqdn=frontend_server, username=quote(self.data["username"]), token=quote(self.data["token"]))
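
Review bot: Lines 108-109 still hard-code the frontend route inside each format string, so 'link' and 'tokenlink' have to be edited in lockstep and the same mismatch returns whenever the frontend route changes again. Build both from one base value, for example a single string "https://{fqdn}/univention/self-service/#page=newpassword", and append "&token={token}&username={username}" to it for 'tokenlink'. The edit is made in place under /usr/lib/python3/dist-packages, so the file will be replaced when the package is next updated; record the diff outside the module directory and re-check the mailed link after each update. Both versions keep the token in the URL fragment (after '#'), which browsers do not send in the request to the server; any further change to the link format should preserve that.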

Univention, please fix soonish.
(am I really the only eskimo to use self-service?)

Kind Regards,
Werner

Interesting. I set up the recovery email on my personal account and “forgot” my password. I got the link like you described in my email and clicked it and it took me to the password reset page. I didn’t actually reset my password, but it seems to be working properly on my system. My suspicion is that something didn’t fully upgrade/install on your system.

I am not sure what you should do about it though.

be very careful…

just in case you think about trying this:
I think uninstalling and re-installing the “password reset functionality” CLEARS the email addresses.
Since they are stored as an extension rather than in the actual record for the AD user.
That is to say… foolishly you have to enter the users email into the AD record
THEN you have to re-enter the email into the password reset email address, and there is no simple “press this button” to sync them.

Also there are MULTIPLE paths to password reset.

  1. NOT logged in, go to right, choose drop down menu. USER SETTINGS -> “password forgotten”
  2. right side choose-> login, but at the bottom is a “forgot your password”

for the record the link is:
https://domain/univention/selfservice/#/selfservice/passwordforgotten

the EMAIL link is:
https://domain/univention/selfservice/#/selfservice/newpassword/?token=sometoken&username=the.user

Which seems to not work for you but does work for our users…