Is cn=backup,$ldap_base still required? If yes: it should be documented. If no: it should be removed from the code.
Also need to check, if /etc/ldap-backup.secret /etc/backup-join.secret /etc/slave-join.secret are still required...
/etc/ldap-backup.secret contains the password for cn=backup,$ldap_base which is created locally on each UCS DC as part of base.ldif. Usually he secret is different on each UCS DC. The BindDN has been used for LDAP access by Samba3 BDCs. The initial commit seems to date back to SVN times. By default this has been replaced by the UCR variable samba/user (cn=admin or ldap/hostdn). Thus I guess cn=backup may be removed safely (in univention-samba and univention-ldap).
(In reply to Arvid Requate from comment #2) > /etc/ldap-backup.secret ... is created locally on each UCS DC as part of base.ldif. My DC Slave and DC Master have the same file content in /etc/ldap-backup.secret. It seems to be created by base/univention-server/debian/univention-server-master.preinst or base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh and is copied by management/univention-join/univention-join for Backup and Slave DCs.
This issue has been filled against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Still confuses people with UCS-4 and should be finally removed with UCS-5?
On new installations, the object cn=backup,$ldap_base was removed from the base.ldiff also, the object will be removed on upgrade during 5.0-x to 5.2 5.2 univention-updater (17.0.4) d41b942ce2ed | Bug #31252: Remove cn=backup,$ldap_base on upgrade to 5.2 univention-ldap (18.0.8) 51f4488fdf50 | Bug #31252: Remove cn=backup,$ldap_base from base.ldif, add objectClass: top to all objects
Successful build Package: univention-ldap Version: 18.0.8 Branch: 5.2-0 Scope: Successful build Package: univention-updater Version: 17.0.4 Branch: 5.2-0 Scope:
The object cn=backup,$ldap_base was removed from the base.ldiff univention-ldap.yaml 87bf0926e33a | Bug #31252: Remove cn=backup,$ldap_base from base.ldif, add objectClass: top to all objects univention-ldap (16.0.15-6) 87bf0926e33a | Bug #31252: Remove cn=backup,$ldap_base from base.ldif, add objectClass: top to all objects Successful build Package: univention-ldap Version: 16.0.15-6 Branch: 5.0-0 Scope: errata5.0-7
QA: OK: code review OK: added objectClass: top to all objects OK: cn=backup,$ldap_base removed during upgrade to 5.2 OK: Changes 5.0-7 and 5.2 OK: Changelog OK: Tested on 5.0-7 upgrade, 5.2 update and 5.2 fresh install
Since 2 days I see massive failures when running the test on OpenStack, but only on non-Samba-Master(Primary): +1.2k tests fail only on the row https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-7/job/AutotestJoinOpenstack/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/10_ldap/24uldap/master090/ Investigation shows that `/etc/ldap-backup.secret` still exists and contains a secret, but `/usr/share/ucs-test/10_ldap/24uldap.py -vf` fails: ``` ====================================================================== ERROR: testDefault (__main__.TestBackupConnection) ---------------------------------------------------------------------- Traceback (most recent call last): File "24uldap.py", line 102, in testDefault access = uldap.getBackupConnection() File "/usr/lib/python3/dist-packages/univention/uldap.py", line 149, in getBackupConnection return access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn='cn=backup,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect) File "/usr/lib/python3/dist-packages/univention/uldap.py", line 298, in __init__ self.__open(ca_certfile) File "/usr/lib/python3/dist-packages/univention/uldap.py", line 400, in __open self.bind(self.binddn, self.bindpw) File "/usr/lib/python3/dist-packages/univention/uldap.py", line 215, in _decorated return func(self, *args, **kwargs) File "/usr/lib/python3/dist-packages/univention/uldap.py", line 312, in bind self.lo.simple_bind_s(self.binddn, self.bindpw) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1215, in simple_bind_s res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s return func(self,*args,**kwargs) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 444, in simple_bind_s resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call reraise(exc_type, exc_value, exc_traceback) File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise raise exc_value File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call result = func(*args,**kwargs) ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'} ``` Doing a `git grep -e '\<cn=backup\>' -e '\<ldap-backup.secret\>' -- ':!**/debian/changelog'` I still find many referenced to that file / user: ``` base/univention-python/modules/uldap.py:130: bindpw = open('/etc/ldap-backup.secret').read().rstrip('\n') base/univention-python/modules/uldap.py:133: return access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn='cn=backup,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, reconnect=reconnect) base/univention-python/modules/uldap.py:138: return access(host=backup, port=port, base=ucr['ldap/base'], binddn='cn=backup,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, reconnect=reconnect) base/univention-server/debian/univention-server-master.preinst:67:if [ ! -e /etc/ldap-backup.secret ] base/univention-server/debian/univention-server-master.preinst:69: touch /etc/ldap-backup.secret base/univention-server/debian/univention-server-master.preinst:70: chmod 600 /etc/ldap-backup.secret base/univention-server/debian/univention-server-master.preinst:71: create_machine_password > /etc/ldap-backup.secret base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:181: create_machine_password >/etc/ldap-backup.secret base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:183: rm -f /etc/ldap.secret /etc/ldap-backup.secret base/univention-updater/script/postup.sh:141: ldapdelete -x -H ldapi:/// cn=backup,$(ucr get ldap/base) 2>/dev/null management/univention-directory-manager-modules/univention-object-type-migrate:67: # cn=admin,$ldap_base cn=backup,$ldap_base management/univention-join/20univention-join.inst:127: test -e /etc/ldap-backup.secret && chgrp "DC Backup Hosts" /etc/ldap-backup.secret && chmod 640 /etc/ldap-backup.secret management/univention-join/univention-join:809: if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi management/univention-join/univention-join:818: echo -n "Sync ldap-backup.secret: " management/univention-join/univention-join:819: univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 management/univention-join/univention-join:820: if [ ! -e "/etc/ldap-backup.secret" ]; then management/univention-join/univention-join:821: failed_message "/etc/ldap-backup.secret not found" management/univention-join/univention-join:907: echo -n "Sync ldap-backup.secret: " management/univention-join/univention-join:909: if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi management/univention-join/univention-join:911: univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >>/var/log/univention/join.log 2>&1 management/univention-ldap/01univention-ldap-server-init.inst:80: backup_crypt=$(mkpasswd --hash=sha-512 --stdin < /etc/ldap-backup.secret) services/univention-samba/conffiles/etc/samba/smb.conf.d/11univention-samba_ldap:33: print('\tldap admin dn = cn=backup,%s' % (configRegistry['ldap/base'])) services/univention-samba/conffiles/etc/samba/smb.conf.d/21univention-samba_winbind:13: admindn = 'cn=admin,%s' % ldap_base if configRegistry['server/role'] == 'domaincontroller_master' else 'cn=backup,%s' % ldap_base test/product-tests/samba/bigenv.cfg:39: udm computers/domaincontroller_backup modify --dn cn=backup,cn=dc,cn=computers,dc=bigenv,dc=test --set ip=[backup_IP] test/scenarios/keycloak/keycloak-mariadb.cfg:37: udm computers/domaincontroller_backup remove --remove_referring --dn "cn=backup,cn=dc,cn=computers,$(ucr get ldap/base)" test/scenarios/update-testing/current-primary-old-replica.cfg:40: udm computers/domaincontroller_backup remove --remove_referring --dn "cn=backup,cn=dc,cn=computers,$(ucr get ldap/base)" test/ucs-test/tests/10_ldap/02check-permission-etc.py:2:## desc: Check for filesystem permissions on ldap.secret, ldap-backup.secret, slave-join.secret test/ucs-test/tests/10_ldap/02check-permission-etc.py:32: ("/etc/ldap-backup.secret", "DC Backup Hosts"), test/ucs-test/tests/10_ldap/24uldap.py:91:@skipUnless(exists('/etc/ldap-backup.secret'), 'Missing ldap-backup.secret') test/ucs-test/tests/59_udm/57_obj_by_dn.py:46: udm.obj_by_dn('cn=backup,%s' % ucr_test['ldap/base']) ``` @dev: What happend to our rule that an *experienced* developer is required to do QA for such a significant change?
Changes was reverted 5.2 univention-updater (17.0.6) a606f6ac35e3 | Bug #31252: Partial revert Remove cn=backup,$ldap_base from base.ldif univention-ldap (18.0.9) a606f6ac35e3 | Bug #31252: Partial revert Remove cn=backup,$ldap_base from base.ldif Successful build Package: univention-updater Version: 17.0.6 Branch: 5.2-0 Successful build Package: univention-ldap Version: 18.0.9 Branch: 5.2-0
5.0-7 univention-ldap.yaml a8c3b3f63175 | Bug #31252: Revert remove cn=backup,$ldap_base from base.ldif. univention-ldap (16.0.15-8) a8c3b3f63175 | Bug #31252: Revert remove cn=backup,$ldap_base from base.ldif. Successful build Package: univention-ldap Version: 16.0.15-8 Branch: 5.0-0 Scope: errata5.0-7
Reverted
Has been reverted