Attachment 9071 Details for Bug 45090 – v2: Use systemctl

[patch] v2: Use systemctl

45090-DNS-Fix-password-change-mechanism-with-LDA.patch (text/plain), 4.98 KB, created by Philipp Hahn on 2017-07-28 11:30:57 CEST

(hide)

Description:

Filename:

MIME Type:

Creator: Philipp Hahn

Created: 2017-07-28 11:30:57 CEST

Size: 4.98 KB

patch

obsolete

>From e689758d4ec8cbfe326cb90f7cc908cf09ea684b Mon Sep 17 00:00:00 2001
>Message-Id: <e689758d4ec8cbfe326cb90f7cc908cf09ea684b.1501234201.git.hahn@univention.de>
>From: Philipp Hahn <hahn@univention.de>
>Date: Fri, 28 Jul 2017 11:03:04 +0200
>Subject: [PATCH] Bug #45090 DNS: Fix password change mechanism with LDAP
> backend
>Organization: Univention GmbH, Bremen, Germany
>
>With the switch from SysV-init to systemd `invoke-rc.d status` returns a
>different output; grepping for 'is running' no longer works.
>(FYI: status returns a "exit code"!)
>
>Switch to systemctl and use 'reload-or-try-restart', which
>1) keeps the DNS server running while the change is still in process
>2) is more lightwight than a forced restart
>3) does know the state of the service itself
>---
> services/univention-bind/debian/changelog          |  6 ++++
> .../server_password_change.d/univention-bind       | 35 ++--------------------
> test/ucs-test/debian/changelog                     |  6 ++++
> .../01_base/02server_password_change_ldap-bind     | 29 ++++++++++++++++++
> 4 files changed, 44 insertions(+), 32 deletions(-)
> create mode 100755 test/ucs-test/tests/01_base/02server_password_change_ldap-bind
>
>diff --git a/services/univention-bind/debian/changelog b/services/univention-bind/debian/changelog
>index 7f14cb08ee..32471bfacf 100644
>--- a/services/univention-bind/debian/changelog
>+++ b/services/univention-bind/debian/changelog
>@@ -1,3 +1,9 @@
>+univention-bind (11.0.1-2) unstable; urgency=low
>+
>+  * Bug #45090: Fix password change mechanism with LDAP backend
>+
>+ -- Philipp Hahn <hahn@univention.de>  Fri, 28 Jul 2017 10:56:49 +0200
>+
> univention-bind (11.0.1-1) unstable; urgency=medium
> 
>   * Execute univention-fix-ucr-dns in univention-bind postinst only if
>diff --git a/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind b/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind
>index 7de86c37f6..63726285a1 100755
>--- a/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind
>+++ b/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind
>@@ -36,39 +36,10 @@ if [ -n "$bind_bindpw" -a "$bind_bindpw" != "/etc/machine.secret" ]; then
> 	exit 0
> fi
> 
>-bind_service () {
>-	local action="$1"
>-
>-	# start / stop bind9 only if the ldap backend is configured
>-	if [ "$dns_backend" = "ldap" ]; then
>-		if [ "$action" = "start" ]; then
>-			# start bind9 only if it has been stopped by this script
>-			if [ "$dns_bind9_stoppedbyserverpasswordchange" = "yes" ] ; then
>-				echo "starting bind9 after server password change" | logger -t "server-password-change"
>-				invoke-rc.d bind9 start >/dev/null
>-				univention-config-registry unset dns/bind9/stoppedbyserverpasswordchange >/dev/null
>-			fi
>-		fi
>-		if [ "$action" = "stop" ]; then
>-			if invoke-rc.d bind9 status | grep -q "is running" ; then
>-				univention-config-registry set dns/bind9/stoppedbyserverpasswordchange=yes >/dev/null
>-				echo "stopping bind9 due to upcoming server password change" | logger -t "server-password-change"
>-				invoke-rc.d bind9 stop >/dev/null
>-			fi
>-		fi
>-	fi
>-}
>-
>-if [ "$1" = "prechange" ] ; then
>-	bind_service stop
>-fi
>-
>-if [ "$1" = "nochange" ] ; then
>-	bind_service start
>-fi
>-
> if [ "$1" = "postchange" ] ; then
> 	# update zone files
> 	sed -i "s|\!x-bindpw=$.*$,x-tls|\!x-bindpw=$(cat /etc/machine.secret),x-tls|" /etc/bind/univention.conf.d/*
>-	bind_service start
>+	# Reload or restart LDAP-BIND (if running)
>+	[ "$dns_backend" = "ldap" ] &&
>+		systemctl reload-or-try-restart bind9.service
> fi
>diff --git a/test/ucs-test/debian/changelog b/test/ucs-test/debian/changelog
>index 1954d3fee3..eff9ecdac4 100644
>--- a/test/ucs-test/debian/changelog
>+++ b/test/ucs-test/debian/changelog
>@@ -1,3 +1,9 @@
>+ucs-test (7.0.23-11) unstable; urgency=low
>+
>+  * Bug #45090: Fix password change mechanism with LDAP backend
>+
>+ -- Philipp Hahn <hahn@univention.de>  Fri, 28 Jul 2017 11:19:04 +0200
>+
> ucs-test (7.0.23-10) unstable; urgency=medium
> 
>   * Bug #45087: 52_s4connector/139sync_repeated_ntsd_modifications
>diff --git a/test/ucs-test/tests/01_base/02server_password_change_ldap-bind b/test/ucs-test/tests/01_base/02server_password_change_ldap-bind
>new file mode 100755
>index 0000000000..823147c5a6
>--- /dev/null
>+++ b/test/ucs-test/tests/01_base/02server_password_change_ldap-bind
>@@ -0,0 +1,29 @@
>+#!/usr/share/ucs-test/runner bash
>+## desc: Change the server password and check LDAP-BIND
>+## bugs: [45090]
>+## roles-not: [basesystem]
>+## tags:
>+##  - SKIP-UCSSCHOOL
>+##  - basic
>+##  - apptest
>+## packages:
>+##  - univention-bind
>+## exposure: dangerous
>+## join: true
>+
>+. "$TESTLIBPATH/base.sh" || exit 137
>+. "$TESTLIBPATH/ucr.sh" || exit 137
>+
>+# Only with LDAP-BIND
>+case "$dns_backend" in
>+ldap) ;;
>+*) exit 77
>+esac
>+# Only when BIND is running/used
>+systemctl is-active bind9.service || exit 77
>+
>+trap ucr_restore EXIT
>+ucr set server/password/interval=0
>+set -e -x
>+/usr/lib/univention-server/server_password_change
>+dig @127.0.0.1 -p 7777 "$DOMAIN" soa
>-- 
>2.11.0
>

Actions: View | Diff

Attachments on bug 45090: 9070 | 9071