Attachment #10877 for bug #48956

(-)doc/errata/staging/univention-ldap.yaml (-1 / +1 lines)

Lines 7-13 fix: 16.0.7-8A~5.0.0.202112071104	Link Here

desc: |

desc: |

 This update addresses the following issue:

 This update addresses the following issue:

 * On the Primary the LDAP server module `refint` can now be enabled by

 * On the Primary the LDAP server module `refint` can now be enabled by

   setting the UCR variable `ldap/refint=true`. It enforces referential

   setting the UCR variable `ldap/overlay/refint=true`. It enforces referential

   integrity for the attribute `uniqueMember`. For updates the module will not

   integrity for the attribute `uniqueMember`. For updates the module will not

   be enabled by default.

   be enabled by default.

bug: [54185]

bug: [54185]

(-)management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/31modules (-1 / +1 lines)

Lines 17-23 if configRegistry.is_true('ldap/shadowbind', True):	Link Here

	print('moduleload\tshadowbind.so')

	print('moduleload\tshadowbind.so')

if configRegistry.is_true('ldap/overlay/lastbind', False):

if configRegistry.is_true('ldap/overlay/lastbind', False):

	print('moduleload\tlastbind.la')

	print('moduleload\tlastbind.la')

if configRegistry.is_true('ldap/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':

if configRegistry.is_true('ldap/overlay/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':

	print('moduleload\trefint.so')

	print('moduleload\trefint.so')

if configRegistry.is_true('ldap/pw-bcrypt', False):

if configRegistry.is_true('ldap/pw-bcrypt', False):

	print('moduleload\tpw-bcrypt.so')

	print('moduleload\tpw-bcrypt.so')

(-)management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database (-2 / +2 lines)

Lines 17-25 if configRegistry.get('ldap/database/type') == "mdb" and configRegistry.is_true(	Link Here

	if configRegistry.is_true('ldap/ppolicy/enabled', False):

	if configRegistry.is_true('ldap/ppolicy/enabled', False):

		ppolicy_default = 'cn=default,cn=ppolicy,cn=univention,%(ldap/base)s' % configRegistry

		ppolicy_default = 'cn=default,cn=ppolicy,cn=univention,%(ldap/base)s' % configRegistry

		print('ppolicy_default\t"%s"' % configRegistry.get('ldap/ppolicy/default', ppolicy_default))

		print('ppolicy_default\t"%s"' % configRegistry.get('ldap/ppolicy/default', ppolicy_default))

if configRegistry.is_true('ldap/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':

if configRegistry.is_true('ldap/overlay/refint', True) and configRegistry.get('server/role') == 'domaincontroller_master':

	print('overlay\t\trefint')

	print('overlay\t\trefint')

	print('refint_attributes\t\tuniqueMember')

	print('refint_attributes\t\t%s' % (configRegistry.get('ldap/overlay/refint/attributes', 'uniqueMember'),))

if configRegistry.is_true('ldap/shadowbind', True):

if configRegistry.is_true('ldap/shadowbind', True):

	print('overlay\t\tshadowbind')

	print('overlay\t\tshadowbind')

	if 'ldap/shadowbind/ignorefilter' in configRegistry:

	if 'ldap/shadowbind/ignorefilter' in configRegistry:




	ucr set ldap/shadowbind=false
fi

# set ldap/overlay/refint to false for updates
if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 16.0.7-7; then
	ucr set ldap/overlay/refint=false
fi

ucr set \

	slapd/backup?true \
	ldap/shadowbind?true \
	ldap/shadowbind/ignorefilter?"(|(objectClass=univentionDomainController)(userPassword={KINIT}))" \
	ldap/overlay/refint?true \
	ldap/overlay/refint/attributes?uniqueMember \
	ldap/maxopenfiles?8192 # Bug #17705

if [ "$1" = "configure" -a -z "$2" ]; then

(-)management/univention-ldap/debian/univention-ldap-server.univention-config-registry (-2 / +3 lines)

Lines 78-84 Variables: ldap/ppolicy	Link Here

Variables: ldap/shadowbind

Variables: ldap/shadowbind

Variables: ldap/overlay/lastbind

Variables: ldap/overlay/lastbind

Variables: ldap/pw-bcrypt

Variables: ldap/pw-bcrypt

Variables: ldap/refint

Variables: ldap/overlay/refint

Variables: server/role

Variables: server/role

Type: subfile

Type: subfile

Lines 118-124 Variables: ldap/shadowbind	Link Here

118

Variables: ldap/shadowbind/ignorefilter

118

Variables: ldap/shadowbind/ignorefilter

119

Variables: ldap/overlay/lastbind

119

Variables: ldap/overlay/lastbind

120

Variables: ldap/overlay/lastbind/precision

120

Variables: ldap/overlay/lastbind/precision

121

Variables: ldap/refint

121

Variables: ldap/overlay/refint

122

Variables: ldap/overlay/refint/attributes

122

Variables: server/role

123

Variables: server/role

123

124

Type: subfile

125

Type: subfile




Type=str
Categories=service-ldap

[ldap/overlay/refint]
Description[de]=Bestimmt, ob das Modul refint geladen werden soll. Es erzwingt referentielle Integrität im Attribut uniqueMember. Wird nur auf dem DC Master ausgewertet.
Description[en]=Whether or not the refint overlay should be enabled. It enforces referential integrity for the attribute uniqueMember. Only applies to the DC Master.
Type=bool
Categories=service-ldap

[ldap/overlay/refint/attributes]
Description[de]=Bestimmt, die Attribute für das refint Modul (Leerzeichen separiert) (Standard: uniqueMember).
Description[en]=Defines the attributes for the refint module (space separated) (default: uniqueMember).
Type=str
Categories=service-ldap

[ldap/attributeoptions]
Description[de]=Definiert Tagging-Attributoptionen oder Options-Tags/Range-Präfixe (siehe man slapd.conf).
Description[en]=Define tagging attribute options or option tag/range prefixes (see man slapd.conf).

(-)test/ucs-test/tests/01_base/52proofuniquemember (-3 / +3 lines)

Lines 18-28 group="$(random_chars)"	Link Here

info "Create group and a member for it"

info "Create group and a member for it"

old="$(ucr get ldap/refint)"

old="$(ucr get ldap/overlay/refint)"

ucr set ldap/refint=false

ucr set ldap/overlay/refint=false

service slapd restart

service slapd restart

trap '

trap '

ucr set ldap/refint="$old"

ucr set ldap/overlay/refint="$old"

service slapd restart

service slapd restart

' INT TERM EXIT

' INT TERM EXIT

Return to bug 48956