Univention Bugzilla – Bug 55602
admingrp-user-passwordreset restarts slapd every postrun
Last modified: 2023-06-08 11:38:03 CEST
The package univention-admingrp-user-passwordreset delivers a ldap-group-to-file-hook, which checks the group membership of certain groups each postrun, resolves their members and writes them into a ucr variable (ldap/acl/user/passwordreset/internal/groupmemberlist/$group).
If the membership changed, a ucr template is committed and slapd is restarted.

Problem is that the membership gotten by this code snippet is not sorted the same every time it is called.

    import grp
    grpstruct = grp.getgrnam(groupname)
    return ','.join(grpstruct.gr_mem)

We can see in the config_registry.replog that these UCR variables are set to the same value (but sorted differently) over and over again and slapd is restarted, which is disrupting the system every few minutes on a busy system.
I can see these kind of lines in the config-registry.replog; each time this is logged, slapd will be restarted:

2023-01-20 07:43:19: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=test3,Administrator,test1,test2 old:Administrator,test2,test3,test1
2023-01-20 07:43:42: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=Administrator,test2,test1,test3 old:test3,Administrator,test1,test2
2023-01-20 08:10:29: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=Administrator,test2,test3,test1 old:Administrator,test2,test1,test3
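The reorder-only writes in the log above can be told apart from real membership changes by comparing the old and new values as sets rather than as strings. This is an added example, not part of the bug report or of Univention's fix; `members`, `canonical` and `classify` are hypothetical helper names, and the last sample line is constructed.

```python
import re

PREFIX = "ldap/acl/user/passwordreset/internal/groupmemberlist/"

# The first four lines are quoted from this bug report; the last line is
# constructed to show what a genuine membership change looks like.
REPLOG = """\
2023-01-25 18:09:59: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=Administrator old:[Previously undefined]
2023-01-20 07:43:19: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=test3,Administrator,test1,test2 old:Administrator,test2,test3,test1
2023-01-20 07:43:42: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=Administrator,test2,test1,test3 old:test3,Administrator,test1,test2
2023-01-20 08:10:29: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=Administrator,test2,test3,test1 old:Administrator,test2,test1,test3
2023-01-20 08:15:00: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=Administrator,test1,test2 old:Administrator,test2,test3,test1
"""

# Group names may contain spaces ("Domain Admins"), so match up to the first "=".
LINE = re.compile(
    r"^(?P<ts>\S+ \S+): set " + re.escape(PREFIX)
    + r"(?P<group>.+?)=(?P<new>.*) old:(?P<old>.*)$"
)


def members(value):
    """Order-independent view of a comma-separated member list."""
    return frozenset(name for name in value.split(",") if name)


def canonical(member_names):
    """Stable serialization, so that equal member sets compare equal as strings."""
    return ",".join(sorted(set(member_names)))


def classify(replog_text):
    """Return (timestamp, group, kind) for every groupmemberlist write."""
    results = []
    for line in replog_text.splitlines():
        match = LINE.match(line)
        if match is None:
            continue
        old, new = match.group("old"), match.group("new")
        if old == "[Previously undefined]":
            kind = "initial"
        elif members(old) == members(new):
            kind = "reorder-only"  # same members: this write restarted slapd for nothing
        else:
            kind = "real-change"
        results.append((match.group("ts"), match.group("group"), kind))
    return results


if __name__ == "__main__":
    for ts, group, kind in classify(REPLOG):
        print(ts, group, kind)
```

Counting the `reorder-only` entries per hour in a real replog gives a direct measure of how many slapd restarts were spurious.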
I stumbled over this myself and have a patch in the works, which fixes this.

UCS-4.4 is also affected and the test is failing there for 308 Builds:
https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/01_base/95rename_administrator/master091/

Installing management/univention-admingrp-user-passwordreset version 9.0.2-1A~4.4.0.202004141032 does set UCRV
> 2023-01-25 18:09:59: set ldap/acl/user/passwordreset/internal/groupmemberlist/Domain Admins=Administrator old:[Previously undefined]
which depends on LDAP-group-to-file to run, but the test does not wait for this.
[4.4-9] db6748fc93 test(rename-admin): Wait longer
 test/ucs-test/tests/01_base/95rename_administrator | 179 ++++++++++++++++++++++++++---------------
 1 file changed, 112 insertions(+), 67 deletions(-)

[4.4-9] 10168ad200 doc(ucs-test): Fix PEP-484 type annotation
 test/ucs-test/univention/testing/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Package: ucs-test
Version: 9.0.7-94A~4.4.0.202301271918
Branch: ucs_4.4-0
Scope: errata4.4-9

The code change to `management/univention-admingrp-user-passwordreset` for UCS 4.4-9 (that is what I was already looking at) is at https://git.knut.univention.de/univention/ucs/-/merge_requests/636

After successful Code-Review I can also port those changes to 5.0-2.
(In reply to Philipp Hahn from comment #4)
> [4.4-9] db6748fc93 test(rename-admin): Wait longer
> test/ucs-test/tests/01_base/95rename_administrator | 179
> ++++++++++++++++++++++++++---------------
> 1 file changed, 112 insertions(+), 67 deletions(-)
>
> [4.4-9] 10168ad200 doc(ucs-test): Fix PEP-484 type annotation
> test/ucs-test/univention/testing/utils.py | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Package: ucs-test
> Version: 9.0.7-94A~4.4.0.202301271918
> Branch: ucs_4.4-0
> Scope: errata4.4-9
>
> For the code change to `management/univention-admingrp-user-passwordreset`
> for UCS 4.4-9 (that is what I was already looking at) is at
> https://git.knut.univention.de/univention/ucs/-/merge_requests/636
>
> After successful Code-Review I can also port those changes to 5.0-2.

Since this change, the 95rename_administrators cleanup seems to fail on at least one machine every day, which leads to 500+ tests failing because the default Administrator credentials used in the remaining tests are not valid.
Either the UCR variable is not set correctly or the user is not renamed back again.

https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestUpgrade/SambaVersion=s4,Systemrolle=master/302/testReport/junit/01_base/95rename_administrator/master071/
Package: ucs-test
Version: 9.0.7-95A~4.4.0.202302071219
Branch: ucs_4.4-0
Scope: errata4.4-9
Tests have been restarted:
- https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoin/
- https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestUpgrade/

(In reply to Julia Bremer from comment #5)
> Since this change, the 95rename_administrators cleanup seems to fail on at
> least one machine every day, which leads to 500+ tests failing because the
> default Administrator credentials used in the remaining tests are not valid.
> Either the UCR variable is not set correctly or the user is not renamed back
> again.

FYI: This might still fail, but we're monitoring the above runs.

[4.4-9] b41b16841c fix(test): admingrp-user-passwordreset restarts slapd every postrun
 test/ucs-test/tests/01_base/95rename_administrator | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.4-9] 445fdbba7c test(rename-admin): Wait longer
 test/ucs-test/tests/01_base/95rename_administrator | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

[4.4-9] db6748fc93 test(rename-admin): Wait longer
 test/ucs-test/tests/01_base/95rename_administrator | 179 ++++++++++++++++++++++++++---------------
 1 file changed, 112 insertions(+), 67 deletions(-)

This only fixed ucs-test for UCS 4.4-9 so far; the changes to management/univention-admingrp-user-passwordreset/ are still missing. See linked !636 above.
Customer affected: 2023012621000233
UCS Version: 5.0-1-378
[4.4-9] d185ce652c fix(password-reset): Only restart slapd on real change
 doc/errata/staging/univention-admingrp-user-passwordreset.yaml | 18 +++++++++++
 .../univention-admingrp-user-passwordreset/debian/changelog | 6 ++++
 .../univention-admingrp-user-passwordreset/debian/control | 1 +
 .../ldap-group-to-file-hooks.d/admingrp-user-passwordreset | 48 +++++++++++++++++------------
 4 files changed, 53 insertions(+), 20 deletions(-)

[4.4-9] 275c49154d style(password-reset): Fix shellechk issues
 .../95univention-admingrp-user-passwordreset.inst | 7 +++++--
 .../debian/univention-admingrp-user-passwordreset.postinst | 9 +++------
 2 files changed, 8 insertions(+), 8 deletions(-)

[4.4-9] f0e63f6e61 style(password-reset): Modernize UCR template
 .../conffiles/etc/ldap/slapd.conf.d/65admingrp-user-passwordreset | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

Package: univention-admingrp-user-passwordreset
Version: 9.0.2-2
Branch: ucs_4.4-0
Scope: errata4.4-9

FYI: test/ucs-test/tests/01_base/95rename_administrator remains broken and needs to be fixed later on, but that is another issue.
Verified:
* Advisory: OK
* Test OK
* Code Review OK
[4.4-9] aa490731ef Bug #55602: univention-admingrp-user-passwordreset 9.0.2-3
 doc/errata/staging/univention-admingrp-user-passwordreset.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-9] 846e0b53f9 fix(pwreset): Move logic into join script
 .../95univention-admingrp-user-passwordreset.inst | 6 ++++++
 management/univention-admingrp-user-passwordreset/debian/changelog | 6 ++++++
 .../debian/univention-admingrp-user-passwordreset.postinst | 19 +++----------------
 3 files changed, 15 insertions(+), 16 deletions(-)

Package: univention-admingrp-user-passwordreset
Version: 9.0.2-3
Branch: ucs_4.4-0
Scope: errata4.4-9
<https://errata.software-univention.de/#/?erratum=4.4x1409>