From e689758d4ec8cbfe326cb90f7cc908cf09ea684b Mon Sep 17 00:00:00 2001 Message-Id: From: Philipp Hahn Date: Fri, 28 Jul 2017 11:03:04 +0200 Subject: [PATCH] Bug #45090 DNS: Fix password change mechanism with LDAP backend Organization: Univention GmbH, Bremen, Germany With the switch from SysV-init to systemd `invoke-rc.d status` returns a different output; grepping for 'is running' no longer works. (FYI: status returns a "exit code"!) Switch to systemctl and use 'reload-or-try-restart', which 1) keeps the DNS server running while the change is still in process 2) is more lightwight than a forced restart 3) does know the state of the service itself --- services/univention-bind/debian/changelog | 6 ++++ .../server_password_change.d/univention-bind | 35 ++-------------------- test/ucs-test/debian/changelog | 6 ++++ .../01_base/02server_password_change_ldap-bind | 29 ++++++++++++++++++ 4 files changed, 44 insertions(+), 32 deletions(-) create mode 100755 test/ucs-test/tests/01_base/02server_password_change_ldap-bind diff --git a/services/univention-bind/debian/changelog b/services/univention-bind/debian/changelog index 7f14cb08ee..32471bfacf 100644 --- a/services/univention-bind/debian/changelog +++ b/services/univention-bind/debian/changelog @@ -1,3 +1,9 @@ +univention-bind (11.0.1-2) unstable; urgency=low + + * Bug #45090: Fix password change mechanism with LDAP backend + + -- Philipp Hahn Fri, 28 Jul 2017 10:56:49 +0200 + univention-bind (11.0.1-1) unstable; urgency=medium * Execute univention-fix-ucr-dns in univention-bind postinst only if diff --git a/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind b/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind index 7de86c37f6..63726285a1 100755 --- a/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind +++ b/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind @@ -36,39 +36,10 @@ if [ -n "$bind_bindpw" -a "$bind_bindpw" != "/etc/machine.secret" ]; then exit 0 fi -bind_service () { - local action="$1" - - # start / stop bind9 only if the ldap backend is configured - if [ "$dns_backend" = "ldap" ]; then - if [ "$action" = "start" ]; then - # start bind9 only if it has been stopped by this script - if [ "$dns_bind9_stoppedbyserverpasswordchange" = "yes" ] ; then - echo "starting bind9 after server password change" | logger -t "server-password-change" - invoke-rc.d bind9 start >/dev/null - univention-config-registry unset dns/bind9/stoppedbyserverpasswordchange >/dev/null - fi - fi - if [ "$action" = "stop" ]; then - if invoke-rc.d bind9 status | grep -q "is running" ; then - univention-config-registry set dns/bind9/stoppedbyserverpasswordchange=yes >/dev/null - echo "stopping bind9 due to upcoming server password change" | logger -t "server-password-change" - invoke-rc.d bind9 stop >/dev/null - fi - fi - fi -} - -if [ "$1" = "prechange" ] ; then - bind_service stop -fi - -if [ "$1" = "nochange" ] ; then - bind_service start -fi - if [ "$1" = "postchange" ] ; then # update zone files sed -i "s|\!x-bindpw=\(.*\),x-tls|\!x-bindpw=$(cat /etc/machine.secret),x-tls|" /etc/bind/univention.conf.d/* - bind_service start + # Reload or restart LDAP-BIND (if running) + [ "$dns_backend" = "ldap" ] && + systemctl reload-or-try-restart bind9.service fi diff --git a/test/ucs-test/debian/changelog b/test/ucs-test/debian/changelog index 1954d3fee3..eff9ecdac4 100644 --- a/test/ucs-test/debian/changelog +++ b/test/ucs-test/debian/changelog @@ -1,3 +1,9 @@ +ucs-test (7.0.23-11) unstable; urgency=low + + * Bug #45090: Fix password change mechanism with LDAP backend + + -- Philipp Hahn Fri, 28 Jul 2017 11:19:04 +0200 + ucs-test (7.0.23-10) unstable; urgency=medium * Bug #45087: 52_s4connector/139sync_repeated_ntsd_modifications diff --git a/test/ucs-test/tests/01_base/02server_password_change_ldap-bind b/test/ucs-test/tests/01_base/02server_password_change_ldap-bind new file mode 100755 index 0000000000..823147c5a6 --- /dev/null +++ b/test/ucs-test/tests/01_base/02server_password_change_ldap-bind @@ -0,0 +1,29 @@ +#!/usr/share/ucs-test/runner bash +## desc: Change the server password and check LDAP-BIND +## bugs: [45090] +## roles-not: [basesystem] +## tags: +## - SKIP-UCSSCHOOL +## - basic +## - apptest +## packages: +## - univention-bind +## exposure: dangerous +## join: true + +. "$TESTLIBPATH/base.sh" || exit 137 +. "$TESTLIBPATH/ucr.sh" || exit 137 + +# Only with LDAP-BIND +case "$dns_backend" in +ldap) ;; +*) exit 77 +esac +# Only when BIND is running/used +systemctl is-active bind9.service || exit 77 + +trap ucr_restore EXIT +ucr set server/password/interval=0 +set -e -x +/usr/lib/univention-server/server_password_change +dig @127.0.0.1 -p 7777 "$DOMAIN" soa -- 2.11.0