@@ -, +, @@ backend --- a/services/univention-bind/debian/changelog +++ a/services/univention-bind/debian/changelog @@ -1,3 +1,9 @@ +univention-bind (11.0.1-2) unstable; urgency=low + + * Bug #45090: Fix password change mechanism with LDAP backend + + -- Philipp Hahn Fri, 28 Jul 2017 10:56:49 +0200 + univention-bind (11.0.1-1) unstable; urgency=medium * Execute univention-fix-ucr-dns in univention-bind postinst only if --- a/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind +++ a/services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind @@ -36,39 +36,10 @@ if [ -n "$bind_bindpw" -a "$bind_bindpw" != "/etc/machine.secret" ]; then exit 0 fi -bind_service () { - local action="$1" - - # start / stop bind9 only if the ldap backend is configured - if [ "$dns_backend" = "ldap" ]; then - if [ "$action" = "start" ]; then - # start bind9 only if it has been stopped by this script - if [ "$dns_bind9_stoppedbyserverpasswordchange" = "yes" ] ; then - echo "starting bind9 after server password change" | logger -t "server-password-change" - invoke-rc.d bind9 start >/dev/null - univention-config-registry unset dns/bind9/stoppedbyserverpasswordchange >/dev/null - fi - fi - if [ "$action" = "stop" ]; then - if invoke-rc.d bind9 status | grep -q "is running" ; then - univention-config-registry set dns/bind9/stoppedbyserverpasswordchange=yes >/dev/null - echo "stopping bind9 due to upcoming server password change" | logger -t "server-password-change" - invoke-rc.d bind9 stop >/dev/null - fi - fi - fi -} - -if [ "$1" = "prechange" ] ; then - bind_service stop -fi - -if [ "$1" = "nochange" ] ; then - bind_service start -fi - if [ "$1" = "postchange" ] ; then # update zone files sed -i "s|\!x-bindpw=\(.*\),x-tls|\!x-bindpw=$(cat /etc/machine.secret),x-tls|" /etc/bind/univention.conf.d/* - bind_service start + # Reload or restart LDAP-BIND (if running) + [ "$dns_backend" = "ldap" ] && + systemctl reload-or-try-restart bind9.service fi --- a/test/ucs-test/debian/changelog +++ a/test/ucs-test/debian/changelog @@ -1,3 +1,9 @@ +ucs-test (7.0.23-11) unstable; urgency=low + + * Bug #45090: Fix password change mechanism with LDAP backend + + -- Philipp Hahn Fri, 28 Jul 2017 11:19:04 +0200 + ucs-test (7.0.23-10) unstable; urgency=medium * Bug #45087: 52_s4connector/139sync_repeated_ntsd_modifications --- a/test/ucs-test/tests/01_base/02server_password_change_ldap-bind +++ a/test/ucs-test/tests/01_base/02server_password_change_ldap-bind @@ -0,0 +1,29 @@ +#!/usr/share/ucs-test/runner bash +## desc: Change the server password and check LDAP-BIND +## bugs: [45090] +## roles-not: [basesystem] +## tags: +## - SKIP-UCSSCHOOL +## - basic +## - apptest +## packages: +## - univention-bind +## exposure: dangerous +## join: true + +. "$TESTLIBPATH/base.sh" || exit 137 +. "$TESTLIBPATH/ucr.sh" || exit 137 + +# Only with LDAP-BIND +case "$dns_backend" in +ldap) ;; +*) exit 77 +esac +# Only when BIND is running/used +systemctl is-active bind9.service || exit 77 + +trap ucr_restore EXIT +ucr set server/password/interval=0 +set -e -x +/usr/lib/univention-server/server_password_change +dig @127.0.0.1 -p 7777 "$DOMAIN" soa --