Bug 32392 - ucs_registerLDAPACL library function
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: univention-lib
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
interim-3
Depends on: 32411
Blocks: 32421
Reported: 2013-08-27 20:42 CEST by Arvid Requate
Modified: 2014-03-20 16:24 CET (History)

Description Arvid Requate univentionstaff 2013-08-27 20:42:15 CEST
A function ucs_registerLDAPACL should be implemented in univention-lib which

* takes the name of an existing LDAP ACL UCR template subfile
  plus a UCS version range
* creates a UCS LDAP ACL extension object
* saves the given UCR template subfile to the LDAP attribute "univentionLDAPACL"
* sets the LDAP attribute "univentionLDAPACLFilename"
* sets some other attributes useful to track creator and version number.
* sets univentionUCSVersionStart and ...End

* The creator and version number may be determined automatically.
* The cn should reflect the basename of the schema file + version number.


After creating the UDM object the function waits for the attribute univentionLDAPACLActive to be set by the corresponding listener module on the UCS Master.
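The following is an added example, not code from this bug report or from univention-lib. It models what the description asks of ucs_registerLDAPACL with constructed data: deriving the extension object's attributes from an ACL subfile, validating the UCS version range, and polling until the listener on the master has set univentionLDAPACLActive. Attribute names follow the description; the two univentionOwnedByPackage* names used for creator/version tracking, the cn format (basename without extension plus package version) and the cn=ldapacl container in the DN are assumptions. The fake clock and lookup in demo() stand in for a real LDAP connection so the code runs offline.

```python
import os
import re
import tempfile
import time

# Added example, not univention-lib code; see the lead-in for what is assumed.

VERSION_RE = re.compile(r'^(\d+)\.(\d+)(?:-(\d+))?$')

# Constructed sample subfile; not a real UCS template.
SAMPLE_ACL = b"""\
# constructed sample ACL subfile
access to attrs=exampleAppSecret
    by dn="cn=admin,@%@ldap/base@%@" write
    by * none
"""


def parse_ucs_version(text):
    """'3.2-1' -> (3, 2, 1); a missing patch level counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError('not a UCS version: %r' % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_range(current, start=None, end=None):
    """True if current lies within [start, end]; an omitted bound is open."""
    cur = parse_ucs_version(current)
    if start and cur < parse_ucs_version(start):
        return False
    if end and cur > parse_ucs_version(end):
        return False
    return True


def build_acl_extension(template_path, package, package_version,
                        version_start=None, version_end=None):
    """Attribute set for the ACL extension object (lists, file content as bytes)."""
    if version_start and version_end and \
            parse_ucs_version(version_start) > parse_ucs_version(version_end):
        raise ValueError('empty version range %s..%s' % (version_start, version_end))
    filename = os.path.basename(template_path)
    with open(template_path, 'rb') as fh:
        data = fh.read()
    attrs = {
        # basename of the subfile plus the package version, as the description asks
        'cn': ['%s-%s' % (os.path.splitext(filename)[0], package_version)],
        'univentionLDAPACLFilename': [filename],
        'univentionLDAPACL': [data],
        'univentionOwnedByPackage': [package],                 # assumption: creator tracking
        'univentionOwnedByPackageVersion': [package_version],  # assumption: version tracking
    }
    if version_start:
        attrs['univentionUCSVersionStart'] = [version_start]
    if version_end:
        attrs['univentionUCSVersionEnd'] = [version_end]
    return attrs


def wait_for_active(lookup, dn, timeout=300, poll=1.0,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll lookup(dn) until the master's listener has set univentionLDAPACLActive=TRUE.
    Returns False on timeout; raises if the object disappears, because a join script
    must not carry on as if the ACL were already in force."""
    deadline = clock() + timeout
    while True:
        entry = lookup(dn)
        if entry is None:
            raise LookupError('%s vanished before activation' % dn)
        if entry.get('univentionLDAPACLActive') == ['TRUE']:
            return True
        if clock() >= deadline:
            return False
        sleep(poll)


def demo():
    """Register the constructed sample against a fake directory whose 'listener'
    activates the object on the third poll."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, '65example-app.acl')
    with open(path, 'wb') as fh:
        fh.write(SAMPLE_ACL)
    attrs = build_acl_extension(path, 'univention-example-app', '1.0-3', '3.2-0', '3.99-0')
    dn = 'cn=%s,cn=ldapacl,cn=univention,dc=example,dc=com' % attrs['cn'][0]  # constructed DN
    polls = {'n': 0}

    def lookup(_dn):
        polls['n'] += 1
        return {'univentionLDAPACLActive': ['TRUE' if polls['n'] >= 3 else 'FALSE']}

    ticks = iter(range(10000))  # fake clock: one second per call, so no real sleeping
    active = wait_for_active(lookup, dn, timeout=10, sleep=lambda _s: None, clock=lambda: next(ticks))
    return attrs, active, polls['n']


if __name__ == '__main__':
    attrs, active, polls = demo()
    print(attrs['cn'][0], 'active' if active else 'timed out', 'after', polls, 'polls')
```

The timeout path matters in practice: if the listener never activates the object (slapd refused the ACL, or the master is unreachable), the caller should fail the join step rather than assume the ACL applies.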
Comment 1 Arvid Requate univentionstaff 2013-08-28 15:00:45 CEST
Should use the UDM module ldap/acl implemented via Bug 32411.
Comment 2 Arvid Requate univentionstaff 2013-08-28 16:41:53 CEST
ucs_unregisterLDAPACL is also required (e.g. for unjoinscripts), to remove the object in case no App is registered any longer for it.
Comment 3 Arvid Requate univentionstaff 2013-08-28 16:51:56 CEST
The ucs_unregisterLDAPACL function should probably abort with an error message in case LDAP objects defined by the schema may still be present in the UCS domain.
Comment 4 Arvid Requate univentionstaff 2013-09-04 16:51:13 CEST
ucs_registerLDAPACL expects to be called from a postinst or join script to automatically determine packagename and packageversion. For QA and ucs-test purposes the UCR variables
 tests/ucs_registerLDAP/packagename
 tests/ucs_registerLDAP/packageversion
are checked in case the postinst and joinscript check fails.
Comment 5 Arvid Requate univentionstaff 2013-09-16 18:02:59 CEST
Now merged into more general functions:

ucs_registerLDAPExtension "$@" --acl <filename>

ucs_unregisterLDAPExtension "$@" --acl <objectname>
Comment 6 Stefan Gohmann univentionstaff 2013-09-23 13:50:36 CEST
Wait for Bug #31801 and Bug #26785
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2013-10-24 09:49:49 CEST
Am I right that the ACL template does not get re-evaluated on the DC master (and other systems) if a UCR variable used within a Python block of the template changes its value?
Maybe the code should scan the template for Python snippets using UCR variables, like ucslint does. If the code finds a UCR variable name that is compliant with the UCR variable syntax, the variable name may be registered automatically.

Benefit:
This way there is no need to explicitly define variable names during registration of the ACL subtemplate, e.g. in the join script.

On the downside, this mechanism does not work if UCR variables are fetched with constructs like this:
varname = 'my/variable/name'
foo = configRegistry.get(varname)
bar = configRegistry.get(varname + '/with/suffix')
baz = configRegistry.get('this/is/%s' % varname)
Comment 8 Arvid Requate univentionstaff 2013-10-24 11:23:43 CEST
I guess one could run the ACL UCR template through the Python equivalent of "ucr filter" and use a subclass of configRegistry to detect all __getattr__ calls and gather a list of UCR variables requested by the UCR template. The ucr filter in itself would also be good to validate the Python part of the ACL UCR template.
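An added example, not part of this bug report or of univention's code, contrasting the two approaches from comments 7 and 8. static_scan() looks for variable-shaped string literals in the template's Python blocks, the way a lint pass would; dynamic_scan() renders the template like "ucr filter" and hands the Python blocks a recording stand-in for configRegistry, so every key actually requested is collected, including the ones built at run time. The sample template is constructed (Python 3 syntax inside the block; real UCS 3.2 templates were Python 2), and RecordingRegistry is an assumption about the interface template code uses (get, [], is_true), not the real class.

```python
import contextlib
import io
import re

# Added example, not univention code; see the lead-in for what is assumed.

PY_BLOCK = re.compile(r'@!@(.*?)@!@', re.S)                  # UCR Python section
SIMPLE_VAR = re.compile(r'@%@([A-Za-z0-9_./\-]+)@%@')        # UCR simple substitution
# static heuristic: a quoted string containing at least one slash looks like a UCR variable
LITERAL_VAR = re.compile(r"""['"]([a-z0-9_.\-]+(?:/[a-z0-9_.%\-]+)+)['"]""")

# Constructed sample subfile using exactly the constructs comment 7 lists.
SAMPLE_TEMPLATE = """\
access to attrs=userPassword
    by dn="@%@ldap/acl/admin/dn@%@" write
@!@
varname = 'my/variable/name'
foo = configRegistry.get(varname)
bar = configRegistry.get(varname + '/with/suffix')
baz = configRegistry.get('this/is/%s' % varname)
if configRegistry.is_true('ldap/acl/read/anonymous', False):
    print('    by anonymous read')
print('    by * none')
@!@
"""


class RecordingRegistry:
    """Read-only stand-in for the UCR object handed to template code; records each key asked for."""

    def __init__(self, values):
        self._values = dict(values)
        self.requested = set()

    def get(self, key, default=None):
        self.requested.add(key)
        return self._values.get(key, default)

    def __getitem__(self, key):
        self.requested.add(key)
        return self._values[key]

    def is_true(self, key, default=False):
        value = self.get(key)
        if value is None:
            return default
        return value.lower() in ('yes', 'true', '1', 'enable', 'enabled', 'on')


def static_scan(template):
    """Names visible in the text: @%@...@%@ markers plus slash-containing literals in Python blocks."""
    found = set(SIMPLE_VAR.findall(template))
    for block in PY_BLOCK.findall(template):
        found.update(LITERAL_VAR.findall(block))
    return found


def dynamic_scan(template, values):
    """Render the template and return (rendered text, set of keys the template requested)."""
    registry = RecordingRegistry(values)
    out, pos = [], 0
    for m in PY_BLOCK.finditer(template):
        out.append(template[pos:m.start()])
        buf = io.StringIO()
        with contextlib.redirect_stdout(buf):      # template code emits its output via print
            exec(m.group(1), {'configRegistry': registry})
        out.append(buf.getvalue())
        pos = m.end()
    out.append(template[pos:])
    text = SIMPLE_VAR.sub(lambda m: registry.get(m.group(1), ''), ''.join(out))
    return text, registry.requested


if __name__ == '__main__':
    values = {'ldap/acl/admin/dn': 'cn=admin,dc=example,dc=com', 'ldap/acl/read/anonymous': 'yes'}
    rendered, used = dynamic_scan(SAMPLE_TEMPLATE, values)
    print(rendered)
    print('static :', sorted(static_scan(SAMPLE_TEMPLATE)))
    print('dynamic:', sorted(used))
```

On the sample, the static scan reports the literal this/is/%s (not a real variable) and misses my/variable/name/with/suffix and this/is/my/variable/name, while the dynamic scan sees exactly the keys the template asked for. The dynamic approach only knows the branches that were executed with the given values, so variables read in a branch that was not taken are still missed; and because it executes the template's Python, it must only be run on templates you already trust.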
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2013-10-24 11:28:27 CEST
As another solution Stefan suggested to register the UCR variables "ldap/.*".
Comment 10 Arvid Requate univentionstaff 2013-10-24 14:00:22 CEST
univention-ldap-acl-master already registers ldap/acl/.* on slapd.conf, I guess that will do for this release.

I fixed a listener traceback on a DC slave, as discussed with Stefan.
Comment 11 Stefan Gohmann univentionstaff 2013-10-25 15:49:41 CEST
There is something wrong with the slapd restart. The slapd is not restarted while removing a schema in postrun. If I restart the slapd on the master manually everything works fine. Test case 10_ldap/70schema_unregistration_basis:


See the following log output, I added some ERROR "debug" messages:

25.10.13 15:47:12.713  LDAP        ( INFO    ) : uldap.modify cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:12.719  LISTENER    ( INFO    ) : postrun handler: nss (prepared=0)
25.10.13 15:47:12.720  LISTENER    ( INFO    ) : postrun handler: nagios-client (prepared=0)
25.10.13 15:47:12.722  LISTENER    ( INFO    ) : postrun handler: bind (prepared=0)
25.10.13 15:47:12.722  LISTENER    ( INFO    ) : postrun handler: nfs-shares (prepared=0)
25.10.13 15:47:12.725  LISTENER    ( INFO    ) : postrun handler: ldap_server (prepared=0)
25.10.13 15:47:12.726  LISTENER    ( INFO    ) : postrun handler: keytab (prepared=0)
25.10.13 15:47:12.727  LISTENER    ( INFO    ) : postrun handler: nscd_update (prepared=0)
25.10.13 15:47:12.727  LISTENER    ( INFO    ) : notifier returned = id: 1068   dn: cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local    cmd: m
25.10.13 15:47:12.730  LDAP        ( INFO    ) : connecting to ldap://master191.deadlock19.local:7389/
25.10.13 15:47:12.733  LDAP        ( INFO    ) : simple_bind as cn=admin,dc=deadlock19,dc=local
25.10.13 15:47:12.735  LISTENER    ( INFO    ) : updating cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:12.736  LISTENER    ( INFO    ) : data_size and strlen don't match: 213 != 15
25.10.13 15:47:12.739  LISTENER    ( INFO    ) : running handlers for cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:12.740  LISTENER    ( INFO    ) : handler: s4-connector (successful)
25.10.13 15:47:12.741  LISTENER    ( INFO    ) : handler: faillog (successful)
25.10.13 15:47:12.743  LISTENER    ( INFO    ) : ldap_extension: Moving old file /var/lib/univention-ldap/local-schema/q8i2r7h5sd to /tmp/tmpWeQGqy.
25.10.13 15:47:12.746  LISTENER    ( INFO    ) : ldap_extension: Writing new extension file /var/lib/univention-ldap/local-schema/q8i2r7h5sd.
25.10.13 15:47:13.286  LISTENER    ( INFO    ) : ldap_extension: validation successful.
25.10.13 15:47:13.286  LISTENER    ( INFO    ) : ldap_extension: Removing backup of old file /tmp/tmpWeQGqy.
25.10.13 15:47:13.287  LISTENER    ( INFO    ) : handler: ldap_extension (successful)
25.10.13 15:47:28.302  LISTENER    ( INFO    ) : running postrun handlers
25.10.13 15:47:28.302  LISTENER    ( INFO    ) : postrun handler: samba-shares (prepared=0)
25.10.13 15:47:28.302  LISTENER    ( INFO    ) : postrun handler: s4-connector (prepared=-1)
25.10.13 15:47:28.302  LISTENER    ( INFO    ) : postrun handler: samba4-idmap (prepared=0)
25.10.13 15:47:28.302  LISTENER    ( INFO    ) : postrun handler: keytab-member (prepared=0)
25.10.13 15:47:28.302  LISTENER    ( INFO    ) : postrun handler: pkgdb-watch (prepared=0)
25.10.13 15:47:28.304  LISTENER    ( INFO    ) : postrun handler: nfs-homes (prepared=0)
25.10.13 15:47:28.305  LISTENER    ( INFO    ) : postrun handler: gencertificate (prepared=0)
25.10.13 15:47:28.305  LISTENER    ( INFO    ) : postrun handler: nagios-server (prepared=0)
25.10.13 15:47:28.306  LISTENER    ( INFO    ) : postrun handler: license_uuid (prepared=0)
25.10.13 15:47:28.306  LISTENER    ( INFO    ) : postrun handler: dhcp (prepared=0)
25.10.13 15:47:28.306  LISTENER    ( INFO    ) : postrun handler: udm_extension (prepared=0)
25.10.13 15:47:28.306  LISTENER    ( INFO    ) : postrun handler: faillog (prepared=-1)
25.10.13 15:47:28.306  LISTENER    ( INFO    ) : postrun handler: ldap_extension (prepared=-1)
25.10.13 15:47:28.307  LISTENER    ( ERROR   ) : ldap_extension: Reloading ?
25.10.13 15:47:28.307  LISTENER    ( ERROR   ) : ldap_extension: Reloading LDAP server.
Initiating graceful reload of ldap server(s).
Sending HUP to ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=master191.deadlock19.local port=7389 base=dc=deadlock19,dc=local
25.10.13 15:47:35.541  LDAP        ( INFO    ) : establishing new connection
25.10.13 15:47:35.545  LDAP        ( INFO    ) : bind binddn=cn=admin,dc=deadlock19,dc=local
UNIVENTION_DEBUG_END    : uldap.__open host=master191.deadlock19.local port=7389 base=dc=deadlock19,dc=local
25.10.13 15:47:35.556  LDAP        ( INFO    ) : uldap.search filter=(&(objectClass=univentionAdminProperty)(univentionAdminPropertyModule=settings/ldapschema)) base=cn=univention,dc=deadlock19,dc=local scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0
25.10.13 15:47:35.557  LDAP        ( INFO    ) : uldap.search filter=(&(objectClass=univentionUDMOption)(univentionUDMOptionModule=settings/ldapschema)) base=cn=univention,dc=deadlock19,dc=local scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0
25.10.13 15:47:35.558  LDAP        ( INFO    ) : uldap.search filter=(&(objectClass=univentionUDMProperty)(univentionUDMPropertyModule=settings/ldapschema)(univentionUDMPropertyVersion=2)) base=cn=univention,dc=deadlock19,dc=local scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0
Multifile: /etc/ldap/slapd.conf
Multifile: /etc/ldap/slapd.conf
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/ldap_extension.py", line 95, in postrun
    handler_object.mark_active()
  File "/usr/lib/pymodules/python2.6/univention/lib/ldap_extension.py", line 313, in mark_active
    udm_object.modify()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 338, in modify
    raise univention.admin.uexceptions.noObject
univention.admin.uexceptions.noObject
25.10.13 15:47:35.565  LISTENER    ( INFO    ) : postrun handler: nss (prepared=0)
25.10.13 15:47:35.565  LISTENER    ( INFO    ) : postrun handler: nagios-client (prepared=0)
25.10.13 15:47:35.566  LISTENER    ( INFO    ) : postrun handler: bind (prepared=0)
25.10.13 15:47:35.567  LISTENER    ( INFO    ) : postrun handler: nfs-shares (prepared=0)
25.10.13 15:47:35.567  LISTENER    ( INFO    ) : postrun handler: ldap_server (prepared=0)
25.10.13 15:47:35.568  LISTENER    ( INFO    ) : postrun handler: keytab (prepared=0)
25.10.13 15:47:35.568  LISTENER    ( INFO    ) : postrun handler: nscd_update (prepared=0)
25.10.13 15:47:35.568  LISTENER    ( INFO    ) : notifier returned = id: 1069   dn: cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local    cmd: d
25.10.13 15:47:35.568  LDAP        ( INFO    ) : connecting to ldap://master191.deadlock19.local:7389/
25.10.13 15:47:35.571  LDAP        ( INFO    ) : simple_bind as cn=admin,dc=deadlock19,dc=local
25.10.13 15:47:35.572  LISTENER    ( INFO    ) : updating cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:35.573  LISTENER    ( INFO    ) : data_size and strlen don't match: 213 != 15
25.10.13 15:47:35.574  LISTENER    ( INFO    ) : delete handlers for cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:35.575  LISTENER    ( INFO    ) : handler: samba-shares (skipped)
25.10.13 15:47:35.576  LISTENER    ( INFO    ) : handler: s4-connector (successful)
25.10.13 15:47:35.576  LISTENER    ( INFO    ) : handler: samba4-idmap (skipped)
25.10.13 15:47:35.577  LISTENER    ( INFO    ) : handler: keytab-member (skipped)
25.10.13 15:47:35.578  LISTENER    ( INFO    ) : handler: pkgdb-watch (skipped)
25.10.13 15:47:35.578  LISTENER    ( INFO    ) : handler: nfs-homes (skipped)
25.10.13 15:47:35.578  LISTENER    ( INFO    ) : handler: gencertificate (skipped)
25.10.13 15:47:35.578  LISTENER    ( INFO    ) : handler: nagios-server (skipped)
25.10.13 15:47:35.579  LISTENER    ( INFO    ) : handler: license_uuid (skipped)
25.10.13 15:47:35.579  LISTENER    ( INFO    ) : handler: dhcp (skipped)
25.10.13 15:47:35.579  LISTENER    ( INFO    ) : handler: udm_extension (skipped)
25.10.13 15:47:35.579  LISTENER    ( INFO    ) : handler: faillog (successful)
25.10.13 15:47:35.580  LISTENER    ( INFO    ) : ldap_extension: Moving old file /var/lib/univention-ldap/local-schema/q8i2r7h5sd to /tmp/tmpDRbFpZ.
25.10.13 15:47:36.150  LISTENER    ( INFO    ) : ldap_extension: validation successful, removing backup of old file /tmp/tmpDRbFpZ.
25.10.13 15:47:36.151  LISTENER    ( INFO    ) : handler: ldap_extension (successful)
25.10.13 15:47:36.151  LISTENER    ( INFO    ) : handler: nss (skipped)
25.10.13 15:47:36.151  LISTENER    ( INFO    ) : handler: nagios-client (skipped)
25.10.13 15:47:36.151  LISTENER    ( INFO    ) : handler: bind (skipped)
25.10.13 15:47:36.151  LISTENER    ( INFO    ) : handler: nfs-shares (skipped)
25.10.13 15:47:36.151  LISTENER    ( INFO    ) : handler: ldap_server (skipped)
25.10.13 15:47:36.151  LISTENER    ( INFO    ) : handler: keytab (skipped)
25.10.13 15:47:36.152  LISTENER    ( INFO    ) : handler: nscd_update (skipped)
25.10.13 15:47:36.152  LISTENER    ( INFO    ) : deleted from cache: cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:51.171  LISTENER    ( INFO    ) : running postrun handlers
25.10.13 15:47:51.171  LISTENER    ( INFO    ) : postrun handler: samba-shares (prepared=0)
25.10.13 15:47:51.171  LISTENER    ( INFO    ) : postrun handler: s4-connector (prepared=-1)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: samba4-idmap (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: keytab-member (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: pkgdb-watch (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: nfs-homes (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: gencertificate (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: nagios-server (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: license_uuid (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: dhcp (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: udm_extension (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: faillog (prepared=-1)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: ldap_extension (prepared=-1)
25.10.13 15:47:51.172  LISTENER    ( ERROR   ) : ldap_extension: Reloading ?
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: nss (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: nagios-client (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: bind (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: nfs-shares (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: ldap_server (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: keytab (prepared=0)
25.10.13 15:47:51.172  LISTENER    ( INFO    ) : postrun handler: nscd_update (prepared=0)
Comment 12 Arvid Requate univentionstaff 2013-10-28 20:08:43 CET
The object was removed already in this test case, I guess due to the following scenario:

1. the ucs_registerLDAPExtension function first "udm creates" the object and then performs an additional udm modify operation to append the appidentifier. After that it waits for the activation of the object via postrun. Strangely, in some cases the postrun seems to have run before the "modify" operation reached the listener:
=======================================================================
24.10.13 06:25:52.811  LISTENER    ( ERROR   ) : HANDLER: add.
24.10.13 06:26:08.963  LISTENER    ( ERROR   ) : POSTRUN: todo: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].
Initiating graceful reload of ldap server(s).
Sending HUP to ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
24.10.13 06:26:16.204  LISTENER    ( ERROR   ) : MARK_ACTIVE: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].


24.10.13 06:26:16.256  LISTENER    ( ERROR   ) : HANDLER: modify.
24.10.13 06:26:16.256  LISTENER    ( ERROR   ) : ldap_extension: extension qfej02c97e: diff_keys: ['univentionLDAPSchemaActive', 'modifiersName'].
24.10.13 06:26:31.980  LISTENER    ( ERROR   ) : POSTRUN: todo: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].
Initiating graceful reload of ldap server(s).
Sending HUP to ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
24.10.13 06:26:39.230  LISTENER    ( ERROR   ) : MARK_ACTIVE: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].
24.10.13 06:26:39.260  LISTENER    ( ERROR   ) : Error modifying cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa: object not found.
=======================================================================

2. Due to a bug in the listener module in the "schema" case it did not consider the setting of the appidentifier as a minor change, and triggered another postrun, as seen above.

3. After the activation of the object, the test script performs a check and then removes the object, apparently before the second postrun tries the modify.
I now fixed this on two layers:

1. The listener now considers modifications of "modifiersName" also as trivial and thus doesn't put the dn on the todo list for postrun activation.

2. The udm modification now handles the noObject exception by issuing a log message and ignoring the exception. Other exceptions are raised as before.

Looks like this fixed the issue.
Comment 13 Arvid Requate univentionstaff 2013-10-28 20:12:51 CET
Actually I did a third thing here:
 * On object deletion I restart the slapd regardless of the state of the todo list.
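An added example, not the listener module's own code, that replays the sequence from comment 12 against constructed data and shows the three fixes from comments 12 and 13 side by side with the earlier behaviour: which attribute changes count as trivial (and so do not queue another reload/activation round), a mark_active that survives an object that was deleted in the meantime, and a slapd reload on delete regardless of the todo list. NoObject and udm_modify are stand-ins for univention.admin.uexceptions.noObject and udm_object.modify(); the DN, entry and set of trivial attributes are assumptions for the example.

```python
# Added example, not univention's listener code; see the lead-in for what is assumed.


class NoObject(Exception):
    """Stand-in for univention.admin.uexceptions.noObject."""


def udm_modify(directory, dn, changes):
    """Stand-in for udm_object.modify(): fails if the entry vanished meanwhile."""
    if dn not in directory:
        raise NoObject(dn)
    directory[dn].update(changes)
    directory[dn]['modifiersName'] = [b'cn=listener']  # every write rewrites this operational attribute


# Attribute changes that must not schedule another reload/activation round (assumed set).
TRIVIAL_ATTRS = frozenset({
    'modifiersName', 'modifyTimestamp', 'entryCSN',            # operational, touched by every write
    'univentionLDAPSchemaActive', 'univentionLDAPACLActive',   # set by the listener itself
})
PRE_FIX_TRIVIAL = TRIVIAL_ATTRS - {'modifiersName'}   # the behaviour comment 12 describes before the fix


def diff_keys(old, new):
    """Attributes whose value sets differ (multi-valued, order-insensitive)."""
    return sorted(k for k in set(old) | set(new)
                  if set(old.get(k, [])) != set(new.get(k, [])))


class Activator:
    """Handler plus postrun of an ldap_extension-style listener module."""

    def __init__(self, directory, trivial_attrs=TRIVIAL_ATTRS):
        self.directory = directory        # dn -> attrs, stands in for LDAP on the master
        self.trivial_attrs = trivial_attrs
        self.todo = []                     # DNs waiting for reload + mark_active
        self.log = []

    def handler(self, dn, new, old):
        if not new:                        # delete: reload regardless of the todo list (comment 13)
            self.todo = [d for d in self.todo if d != dn]
            self.log.append(('reload-on-delete', dn))
            return
        changed = diff_keys(old, new)
        if old and all(k in self.trivial_attrs for k in changed):
            self.log.append(('trivial', dn, tuple(changed)))   # nothing to activate again
            return
        if dn not in self.todo:
            self.todo.append(dn)

    def postrun(self):
        if not self.todo:
            return
        self.log.append(('reload', tuple(self.todo)))   # the slapd reload happens here
        for dn in self.todo:
            self.mark_active(dn)
        self.todo = []

    def mark_active(self, dn):
        try:
            udm_modify(self.directory, dn, {'univentionLDAPSchemaActive': [b'TRUE']})
            self.log.append(('active', dn))
        except NoObject:                   # already gone: log it and carry on (comment 12, fix 2)
            self.log.append(('gone', dn))


def simulate(trivial_attrs):
    """Replay the sequence from comment 12 and return the listener's log."""
    dn = 'cn=example,cn=ldapschema,cn=univention,dc=example,dc=com'   # constructed
    created = {'cn': [b'example'], 'univentionLDAPSchemaData': [b'schema text'],
               'modifiersName': [b'cn=admin']}
    directory = {dn: dict(created)}
    act = Activator(directory, trivial_attrs)
    act.handler(dn, new=dict(directory[dn]), old={})        # 1. object created -> todo
    act.postrun()                                           #    reload, mark_active sets ...Active
    act.handler(dn, new=dict(directory[dn]), old=created)   # 2. the activation modify replicates back
    del directory[dn]                                       # 3. test script removes the object meanwhile
    act.postrun()                                           #    second round, if anything was queued
    act.handler(dn, new={}, old=created)                    # 4. the delete reaches the listener
    return act.log


if __name__ == '__main__':
    for label, attrs in (('before fix', PRE_FIX_TRIVIAL), ('after fix', TRIVIAL_ATTRS)):
        print(label, [e[0] for e in simulate(attrs)])
```

With modifiersName treated as non-trivial, the activation modify itself queues a second reload, which then meets the already deleted object; with the fix it is logged as trivial and the only remaining reload is the one on delete. Even with the fix, the noObject handling stays in place because the object can still be removed between the handler run and the postrun, as the timestamps in comment 11 show.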
Comment 14 Stefan Gohmann univentionstaff 2013-10-29 13:56:38 CET
OK, it worked like expected, see test cases:
 - 10_ldap/70schema_registration_basis
 - 10_ldap/70schema_unregistration_basis
 - 10_ldap/71schema_replication
 - 10_ldap/72schema_reregistration_object_class
 - 10_ldap/73schema_registration_twice
 - 10_ldap/74schema_update
Comment 15 Stefan Gohmann univentionstaff 2013-11-19 06:42:47 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".