Bug 50843 - Join of additional UCS systems fails if DC master does not have univention-saml errata443 package installed
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2020-02-20 10:30 CET by Erik Damrose
Modified: 2020-03-25 10:24 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020021921000894, 2020022721000235
Bug group (optional): Regression, SAML, Workaround is available
Max CVSS v3 score:
Description Erik Damrose univentionstaff 2020-02-20 10:30:02 CET
With bug 49305 a new attribute for SAML service providers was added: signLogouts.

When a new server joins the domain and is updated to the latest version, but the DC Master is below 4.4-3e443, the join fails with:

Configure 92univention-management-console-web-server.inst  failed
**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
[...]

W: The config registry variable
'ucs/web/overview/entries/admin/umc/description/de' does not exist
LDAP Error: Undefined attribute type: signLogouts: attribute type undefined

In 92univention-management-console-web-server.inst at line 77 the service provider entry for the new server should be created. Because the u-saml-schema package provides the latest UDM module code on the affected server, it tries to set signLogouts to the default value, but the schema on the DC master does not have the new LDAP attribute. The saml LDAP schema is only installed locally on DC Master and Backups.

Possible fix: The u-saml-schema package should register the LDAP schema via ucs_registerLDAPExtension. But this would require Joinscript execution on all server roles, which is discouraged in errata updates.

Workaround: Update DC Master to 4.4-3 errata443
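A pre-flight check of the kind a joinscript could perform before creating the service-provider entry, added here as an example and not code from UCS or from this report: it reads the DC master's subschema subentry (what `ldapsearch -s base -b cn=Subschema attributeTypes` returns; a constructed sample is embedded) and sets signLogouts only when the master's schema actually defines it. The ldapsearch invocation, the property names other than signLogouts, the metadata URL and the default value are assumptions.

```python
import re

# Constructed sample of `ldapsearch -s base -b cn=Subschema attributeTypes` output
# from a DC master that does NOT know signLogouts (OIDs 1.1.1.1.* are placeholders).
SUBSCHEMA_OLD = """\
dn: cn=Subschema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 1.1.1.1.1 NAME 'exampleAttr' DESC 'constructed placeholder'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""
# The same master after the errata that ships the new attribute (value folded LDIF-style).
SUBSCHEMA_NEW = SUBSCHEMA_OLD + (
    "attributeTypes: ( 1.1.1.1.2 NAME 'signLogouts' DESC 'constructed placeholder'\n"
    "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )\n"
)

# NAME is either a single quoted name or a parenthesised list of quoted names.
_NAME_RE = re.compile(r"NAME\s+(\(\s*(?:'[^']+'\s*)+\)|'[^']+')")


def parse_attribute_types(ldif):
    """Return the set of attribute NAMEs declared in the subschema's attributeTypes."""
    # LDIF folds long values: a line starting with one space continues the previous one.
    unfolded = ldif.replace("\n ", "")
    names = set()
    for line in unfolded.splitlines():
        if line.startswith("attributeTypes:"):
            m = _NAME_RE.search(line)
            if m:
                names.update(re.findall(r"'([^']+)'", m.group(1)))
    return names


def schema_defines(ldif, attr):
    """LDAP attribute names are case-insensitive, so compare case-folded."""
    return attr.lower() in {n.lower() for n in parse_attribute_types(ldif)}


def service_provider_properties(ldif, fqdn, sign_logouts_default="FALSE"):
    """Properties for the new server's saml/serviceprovider object. Only signLogouts
    comes from the bug report; the other keys, the metadata URL and the default value
    are assumptions. signLogouts is set only when the master's schema has it, which is
    the check whose absence produced 'Undefined attribute type' during the join."""
    props = {"Identifier": "https://%s/univention/saml/metadata" % fqdn,
             "isActivated": "TRUE"}
    if schema_defines(ldif, "signLogouts"):
        props["signLogouts"] = sign_logouts_default
    return props
```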