diff --git doc/errata/staging/univention-ldap.yaml doc/errata/staging/univention-ldap.yaml
index 51d3d1ddce..d84445641f 100644
--- doc/errata/staging/univention-ldap.yaml
+++ doc/errata/staging/univention-ldap.yaml
@@ -7,7 +7,7 @@ fix: 16.0.7-8A~5.0.0.202112071104
 desc: |
   This update addresses the following issue:
   * On the Primary the LDAP server module `refint` can now be enabled by
-    setting the UCR variable `ldap/refint=true`. It enforces referential
+    setting the UCR variable `ldap/overlay/refint=true`. It enforces referential
     integrity for the attribute `uniqueMember`. For updates the module will
     not be enabled by default.
 bug: [54185]
diff --git management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/31modules management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/31modules
index b291cab311..c3f0520ef9 100644
--- management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/31modules
+++ management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/31modules
@@ -17,7 +17,7 @@ if configRegistry.is_true('ldap/shadowbind', True):
 	print('moduleload\tshadowbind.so')
 if configRegistry.is_true('ldap/overlay/lastbind', False):
 	print('moduleload\tlastbind.la')
-if configRegistry.is_true('ldap/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':
+if configRegistry.is_true('ldap/overlay/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':
 	print('moduleload\trefint.so')
 if configRegistry.is_true('ldap/pw-bcrypt', False):
 	print('moduleload\tpw-bcrypt.so')
diff --git management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database
index 199a100d3b..1f3f6ebbb6 100644
--- management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database
+++ management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database
@@ -17,9 +17,9 @@ if configRegistry.get('ldap/database/type') == "mdb" and configRegistry.is_true(
 if configRegistry.is_true('ldap/ppolicy/enabled', False):
 	ppolicy_default = 'cn=default,cn=ppolicy,cn=univention,%(ldap/base)s' % configRegistry
 	print('ppolicy_default\t"%s"' % configRegistry.get('ldap/ppolicy/default', ppolicy_default))
-if configRegistry.is_true('ldap/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':
+if configRegistry.is_true('ldap/overlay/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':
 	print('overlay\t\trefint')
-	print('refint_attributes\t\tuniqueMember')
+	print('refint_attributes\t\t%s' % (configRegistry.get('ldap/overlay/refint/attributes', 'uniqueMember'),))
 if configRegistry.is_true('ldap/shadowbind', True):
 	print('overlay\t\tshadowbind')
 if 'ldap/shadowbind/ignorefilter' in configRegistry:
diff --git management/univention-ldap/debian/univention-ldap-server.postinst management/univention-ldap/debian/univention-ldap-server.postinst
index 9239f5bcb2..1d246816ce 100644
--- management/univention-ldap/debian/univention-ldap-server.postinst
+++ management/univention-ldap/debian/univention-ldap-server.postinst
@@ -116,9 +116,9 @@ if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 13.0.3-5;
 	ucr set ldap/shadowbind=false
 fi
 
-# set ldap/refint to false for updates
+# set ldap/overlay/refint to false for updates
 if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 16.0.7-7; then
-	ucr set ldap/refint=false
+	ucr set ldap/overlay/refint=false
 fi
 
 ucr set \
@@ -148,7 +148,8 @@ ucr set \
 	slapd/backup?true \
 	ldap/shadowbind?true \
 	ldap/shadowbind/ignorefilter?"(|(objectClass=univentionDomainController)(userPassword={KINIT}))" \
-	ldap/refint?true \
+	ldap/overlay/refint?true \
+	ldap/overlay/refint/attributes?uniqueMember \
 	ldap/maxopenfiles?8192
 # Bug #17705
 if [ "$1" = "configure" -a -z "$2" ]; then
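Review bot: The new `refint_attributes` line prints the UCR value verbatim, so the `uniqueMember` fallback only covers an unset variable; a value that is empty or whitespace-only (e.g. `ucr set ldap/overlay/refint/attributes=`) emits a bare `refint_attributes` directive that slapd rejects at startup, taking the Primary's directory down. Splitting on whitespace and falling back on an empty list avoids that and also normalizes stray spacing: `attrs = configRegistry.get('ldap/overlay/refint/attributes', '').split() or ['uniqueMember']` followed by `print('refint_attributes\t\t%s' % ' '.join(attrs))`. The attribute names are not validated against the schema either, so a typo has the same effect; a comment on that line noting that the overlay only makes sense for DN-valued attribute types would at least warn the next editor. The template continues outside the hunk.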
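Review bot: The update guard still compares against `16.0.7-7` although the variable it writes was renamed, so a host already at 16.0.7-7 (whose postinst set `ldap/refint=false`) skips this block on the next upgrade and then receives `ldap/overlay/refint?true` from the `ucr set` further down, enabling the overlay on an update, contrary to the errata text. Whether 16.0.7-7 was ever shipped is not visible here; if it was, carry the old value over instead of only bumping the version: `old_refint="$(ucr get ldap/refint)"`, `ucr set ldap/overlay/refint="${old_refint:-false}"`, `ucr unset ldap/refint`. Without that, an administrator's explicit `ldap/refint` setting is silently dropped as well, and the stale key lingers in the registry.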
diff --git management/univention-ldap/debian/univention-ldap-server.univention-config-registry management/univention-ldap/debian/univention-ldap-server.univention-config-registry
index 369382b894..870338ffa7 100644
--- management/univention-ldap/debian/univention-ldap-server.univention-config-registry
+++ management/univention-ldap/debian/univention-ldap-server.univention-config-registry
@@ -78,7 +78,7 @@ Variables: ldap/ppolicy
 Variables: ldap/shadowbind
 Variables: ldap/overlay/lastbind
 Variables: ldap/pw-bcrypt
-Variables: ldap/refint
+Variables: ldap/overlay/refint
 Variables: server/role
 
 Type: subfile
@@ -118,7 +118,8 @@ Variables: ldap/shadowbind
 Variables: ldap/shadowbind/ignorefilter
 Variables: ldap/overlay/lastbind
 Variables: ldap/overlay/lastbind/precision
-Variables: ldap/refint
+Variables: ldap/overlay/refint
+Variables: ldap/overlay/refint/attributes
 Variables: server/role
 
 Type: subfile
diff --git management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables
index 679b4d5ee4..32eaac7001 100644
--- management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables
+++ management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables
@@ -282,12 +282,18 @@ Description[en]=The precision in seconds defines whether the 'lastbind' overlay
 Type=str
 Categories=service-ldap
 
-[ldap/refint]
+[ldap/overlay/refint]
 Description[de]=Bestimmt, ob das Modul refint geladen werden soll. Es erzwingt referentielle Integrität im Attribut uniqueMember. Wird nur auf dem DC Master ausgewertet.
 Description[en]=Whether or not the refint overlay should be enabled. It enforces referential integrity for the attribute uniqueMember. Only applies to the DC Master.
 Type=bool
 Categories=service-ldap
 
+[ldap/overlay/refint/attributes]
+Description[de]=Bestimmt, die Attribute für das refint Modul (Leerzeichen separiert) (Standard: uniqueMember).
+Description[en]=Defines the attributes for the refint module (space separated) (default: uniqueMember).
+Type=str
+Categories=service-ldap
+
 [ldap/attributeoptions]
 Description[de]=Definiert Tagging-Attributoptionen oder Options-Tags/Range-Präfixe (siehe man slapd.conf).
 Description[en]=Define tagging attribute options or option tag/range prefixes (see man slapd.conf).
diff --git test/ucs-test/tests/01_base/52proofuniquemember test/ucs-test/tests/01_base/52proofuniquemember
index cd28fc329e..3fd19c7bbd 100755
--- test/ucs-test/tests/01_base/52proofuniquemember
+++ test/ucs-test/tests/01_base/52proofuniquemember
@@ -18,11 +18,11 @@ group="$(random_chars)"
 
 info "Create group and a member for it"
 
-old="$(ucr get ldap/refint)"
-ucr set ldap/refint=false
+old="$(ucr get ldap/overlay/refint)"
+ucr set ldap/overlay/refint=false
 service slapd restart
 trap '
-ucr set ldap/refint="$old"
+ucr set ldap/overlay/refint="$old"
 service slapd restart
 ' INT TERM EXIT
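Review bot: The new `ldap/overlay/refint/attributes` description leaves out the two constraints an administrator needs before changing it: the overlay is only configured on the Primary (the sibling `ldap/overlay/refint` entry says so, this one does not), and the listed attributes should be DN-valued, since refint rewrites or removes DN references in them and a bad value prevents slapd from starting. Suggested English text: `Space separated list of DN-valued attributes in which the refint overlay enforces referential integrity. Only applies to the Primary Directory Node (default: uniqueMember).` The German text also carries a stray comma in `Bestimmt, die Attribute`; `Bestimmt die Attribute (durch Leerzeichen getrennt), ...` reads correctly.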