Univention Bugzilla – Bug 30200
A user has to be in groups 'Domain Admins' and 'DC Backup Hosts' to join computers
Last modified: 2019-04-16 18:44:47 CEST
Found during UCC development: A user that is used during rollout to join clients into the domain has to be in groups 'Domain Admins' and 'DC Backup Hosts'.
That is because univention-join logs in a the user and tries to find the corresponding LDAP-DN for that account by using 1. udm users/user this succeeds when the user is in "DC Backup Hosts", since than he can read /etc/ldap.secret 2. ldapsearch -H ldapi:/// will fail, since /var/run/slapd/ldapi=0660@root:root 3. ldapsearch since anonymous bind is disabled
This issue has been filed against UCS 3.1. UCS 3.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please reopen.