Univention Bugzilla – Bug 32392
ucs_registerLDAPACL library function
Last modified: 2014-03-20 16:24:19 CET
A function ucs_registerLDAPACL should be implemented in univention-lib which
* takes the name of an existing LDAP ACL UCR template subfile plus a UCS version range
* creates a UCS LDAP ACL extension object
* saves the given UCR template subfile to the LDAP attribute "univentionLDAPACL"
* sets the LDAP attribute "univentionLDAPACLFilename"
* sets some other attributes useful to track creator and version number.
* sets univentionUCSVersionStart and ...End
* The creator and version number may be determined automatically.
* The cn should reflect the basename of the schema file + version number.
After creating the UDM object the function waits for the attribute univentionLDAPACLActive to be set by the corresponding listener module on the UCS Master.
Should use the UDM module ldap/acl implemented via Bug 32411.
ucs_unregisterLDAPACL is also required (e.g. for unjoinscripts), to remove the object in case no App is registered any longer for it.
The ucs_unregisterLDAPACL function should probably abort with an error message in case LDAP objects defined by the schema may still be present in the UCS domain.
ucs_registerLDAPACL expects to be called from a postinst or join script to automatically determine packagename and packageversion. For QA and ucs-test purposes the UCR variables tests/ucs_registerLDAP/packagename and tests/ucs_registerLDAP/packageversion are checked in case the postinst and joinscript check fails.
Now merged into more general functions:
ucs_registerLDAPExtension "$@" --acl <filename>
ucs_unregisterLDAPExtension "$@" --acl <objectname>
Wait for Bug #31801 and Bug #26785
Am I right that the ACL template does not get reevaluated on DC master (& other systems) if a UCR variable used within a python block of the template changes its value? Maybe the code should scan the template for python snippets using UCR variables like ucslint does. If the code finds a UCR variable name that is compliant to UCR variable syntax, the variable name may be registered automatically. Benefit: This way there is no need to explicitly define variable names during registration of the ACL subtemplate e.g. in the join script. On the downside this mechanism does not work if UCR variables are fetched with constructs like this:
varname = 'my/variable/name'
foo = configRegistry.get(varname)
bar = configRegistry.get(varname + '/with/suffix')
baz = configRegistry.get('this/is/%s' % varname)
I guess one could run the ACL UCR template through the python equivalent of "ucr filter" and use a subclass of configRegistry to detect all __getattr__ calls and gather a list of ucr variables requested by the UCR template. The ucr filter in itself would also be good to validate the python part of the ACL UCR template.
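As an added illustration of the two approaches discussed in the comments above (a ucslint-style text scan of the template versus a recording configRegistry stand-in run through a ucr-filter-like renderer), here is example code written for this page; it is not code from univention-lib or from the bug, and it assumes the @%@name@%@ and @!@ ... @!@ template markers and a constructed ACL template containing one variable name that is built at runtime:

```python
import re

# Constructed UCR-style ACL template (assumption: @%@name@%@ inserts a UCR value,
# @!@ ... @!@ encloses Python run with configRegistry in scope, as in ucr filter).
TEMPLATE = """\
access to dn.subtree="@%@ldap/base@%@"
@!@
varname = 'ldap/acl/example'
if configRegistry.is_true(varname, False):
    print('    by dn="cn=admin,%s" write' % configRegistry.get('ldap/base'))
group = configRegistry.get(varname + '/read_group')   # name built at runtime
if group:
    print('    by group/univentionGroup/uniqueMember="%s" read' % group)
@!@
    by * none
"""

class RecordingRegistry(dict):
    """Constructed stand-in for ConfigRegistry that records every key it is asked for."""
    def __init__(self, values):
        super().__init__(values)
        self.requested = set()
    def get(self, key, default=None):
        self.requested.add(key)
        return super().get(key, default)
    def is_true(self, key, default=False):
        value = self.get(key)
        return default if value is None else value.lower() in ('yes', 'true', '1', 'on')

def static_variables(template):
    """ucslint-style text scan: @%@ markers and quoted names inside Python blocks."""
    names = set(re.findall(r'@%@([^@]+)@%@', template))
    for block in re.findall(r'@!@(.*?)@!@', template, re.S):
        names.update(re.findall(r"'([a-z0-9_.-]+(?:/[a-z0-9_.-]+)+)'", block))
    return names

def render(template, registry):
    """Minimal 'ucr filter': substitute markers and exec the Python blocks,
    replacing each block by what its print() calls produced."""
    def run_block(m):
        out = []
        exec(m.group(1), {'configRegistry': registry, 'print': lambda s: out.append(str(s))})
        return '\n'.join(out)
    text = re.sub(r'@%@([^@]+)@%@', lambda m: registry.get(m.group(1), ''), template)
    return re.sub(r'@!@(.*?)@!@', run_block, text, flags=re.S)

def dynamic_variables(template, values):
    """Variables actually requested while rendering with the given UCR values."""
    reg = RecordingRegistry(values)
    render(template, reg)
    return reg.requested
```

The text scan finds ldap/base and ldap/acl/example but not ldap/acl/example/read_group, which only the rendering pass sees; the rendering pass in turn only records names on the code path taken for the given UCR values, so branches that depend on other settings can still hide names.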
As another solution Stefan suggested to register the UCR variables "ldap/.*".
univention-ldap-acl-master already registers ldap/acl/.* on slapd.conf, I guess that will do for this release. I fixed a listener traceback on a DC slave, as discussed with Stefan.
There is something wrong with the slapd restart. The slapd is not restarted while removing a schema in postrun. If I restart the slapd on the master manually everything works fine. Test case 10_ldap/70schema_unregistration_basis: See the following log output, I added some ERROR "debug" messages:
25.10.13 15:47:12.713 LDAP ( INFO ) : uldap.modify cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:12.719 LISTENER ( INFO ) : postrun handler: nss (prepared=0)
25.10.13 15:47:12.720 LISTENER ( INFO ) : postrun handler: nagios-client (prepared=0)
25.10.13 15:47:12.722 LISTENER ( INFO ) : postrun handler: bind (prepared=0)
25.10.13 15:47:12.722 LISTENER ( INFO ) : postrun handler: nfs-shares (prepared=0)
25.10.13 15:47:12.725 LISTENER ( INFO ) : postrun handler: ldap_server (prepared=0)
25.10.13 15:47:12.726 LISTENER ( INFO ) : postrun handler: keytab (prepared=0)
25.10.13 15:47:12.727 LISTENER ( INFO ) : postrun handler: nscd_update (prepared=0)
25.10.13 15:47:12.727 LISTENER ( INFO ) : notifier returned = id: 1068 dn: cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local cmd: m
25.10.13 15:47:12.730 LDAP ( INFO ) : connecting to ldap://master191.deadlock19.local:7389/
25.10.13 15:47:12.733 LDAP ( INFO ) : simple_bind as cn=admin,dc=deadlock19,dc=local
25.10.13 15:47:12.735 LISTENER ( INFO ) : updating cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:12.736 LISTENER ( INFO ) : data_size and strlen don't match: 213 != 15
25.10.13 15:47:12.739 LISTENER ( INFO ) : running handlers for cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:12.740 LISTENER ( INFO ) : handler: s4-connector (successful)
25.10.13 15:47:12.741 LISTENER ( INFO ) : handler: faillog (successful)
25.10.13 15:47:12.743 LISTENER ( INFO ) : ldap_extension: Moving old file /var/lib/univention-ldap/local-schema/q8i2r7h5sd to /tmp/tmpWeQGqy.
25.10.13 15:47:12.746 LISTENER ( INFO ) : ldap_extension: Writing new extension file /var/lib/univention-ldap/local-schema/q8i2r7h5sd.
25.10.13 15:47:13.286 LISTENER ( INFO ) : ldap_extension: validation successful.
25.10.13 15:47:13.286 LISTENER ( INFO ) : ldap_extension: Removing backup of old file /tmp/tmpWeQGqy.
25.10.13 15:47:13.287 LISTENER ( INFO ) : handler: ldap_extension (successful)
25.10.13 15:47:28.302 LISTENER ( INFO ) : running postrun handlers
25.10.13 15:47:28.302 LISTENER ( INFO ) : postrun handler: samba-shares (prepared=0)
25.10.13 15:47:28.302 LISTENER ( INFO ) : postrun handler: s4-connector (prepared=-1)
25.10.13 15:47:28.302 LISTENER ( INFO ) : postrun handler: samba4-idmap (prepared=0)
25.10.13 15:47:28.302 LISTENER ( INFO ) : postrun handler: keytab-member (prepared=0)
25.10.13 15:47:28.302 LISTENER ( INFO ) : postrun handler: pkgdb-watch (prepared=0)
25.10.13 15:47:28.304 LISTENER ( INFO ) : postrun handler: nfs-homes (prepared=0)
25.10.13 15:47:28.305 LISTENER ( INFO ) : postrun handler: gencertificate (prepared=0)
25.10.13 15:47:28.305 LISTENER ( INFO ) : postrun handler: nagios-server (prepared=0)
25.10.13 15:47:28.306 LISTENER ( INFO ) : postrun handler: license_uuid (prepared=0)
25.10.13 15:47:28.306 LISTENER ( INFO ) : postrun handler: dhcp (prepared=0)
25.10.13 15:47:28.306 LISTENER ( INFO ) : postrun handler: udm_extension (prepared=0)
25.10.13 15:47:28.306 LISTENER ( INFO ) : postrun handler: faillog (prepared=-1)
25.10.13 15:47:28.306 LISTENER ( INFO ) : postrun handler: ldap_extension (prepared=-1)
25.10.13 15:47:28.307 LISTENER ( ERROR ) : ldap_extension: Reloading ?
25.10.13 15:47:28.307 LISTENER ( ERROR ) : ldap_extension: Reloading LDAP server.
Initiating graceful reload of ldap server(s).
Sending HUP to ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
UNIVENTION_DEBUG_BEGIN : uldap.__open host=master191.deadlock19.local port=7389 base=dc=deadlock19,dc=local
25.10.13 15:47:35.541 LDAP ( INFO ) : establishing new connection
25.10.13 15:47:35.545 LDAP ( INFO ) : bind binddn=cn=admin,dc=deadlock19,dc=local
UNIVENTION_DEBUG_END : uldap.__open host=master191.deadlock19.local port=7389 base=dc=deadlock19,dc=local
25.10.13 15:47:35.556 LDAP ( INFO ) : uldap.search filter=(&(objectClass=univentionAdminProperty)(univentionAdminPropertyModule=settings/ldapschema)) base=cn=univention,dc=deadlock19,dc=local scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0
25.10.13 15:47:35.557 LDAP ( INFO ) : uldap.search filter=(&(objectClass=univentionUDMOption)(univentionUDMOptionModule=settings/ldapschema)) base=cn=univention,dc=deadlock19,dc=local scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0
25.10.13 15:47:35.558 LDAP ( INFO ) : uldap.search filter=(&(objectClass=univentionUDMProperty)(univentionUDMPropertyModule=settings/ldapschema)(univentionUDMPropertyVersion=2)) base=cn=univention,dc=deadlock19,dc=local scope=sub attr=[] unique=0 required=0 timeout=-1 sizelimit=0
Multifile: /etc/ldap/slapd.conf
Multifile: /etc/ldap/slapd.conf
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/ldap_extension.py", line 95, in postrun
    handler_object.mark_active()
  File "/usr/lib/pymodules/python2.6/univention/lib/ldap_extension.py", line 313, in mark_active
    udm_object.modify()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 338, in modify
    raise univention.admin.uexceptions.noObject
univention.admin.uexceptions.noObject
25.10.13 15:47:35.565 LISTENER ( INFO ) : postrun handler: nss (prepared=0)
25.10.13 15:47:35.565 LISTENER ( INFO ) : postrun handler: nagios-client (prepared=0)
25.10.13 15:47:35.566 LISTENER ( INFO ) : postrun handler: bind (prepared=0)
25.10.13 15:47:35.567 LISTENER ( INFO ) : postrun handler: nfs-shares (prepared=0)
25.10.13 15:47:35.567 LISTENER ( INFO ) : postrun handler: ldap_server (prepared=0)
25.10.13 15:47:35.568 LISTENER ( INFO ) : postrun handler: keytab (prepared=0)
25.10.13 15:47:35.568 LISTENER ( INFO ) : postrun handler: nscd_update (prepared=0)
25.10.13 15:47:35.568 LISTENER ( INFO ) : notifier returned = id: 1069 dn: cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local cmd: d
25.10.13 15:47:35.568 LDAP ( INFO ) : connecting to ldap://master191.deadlock19.local:7389/
25.10.13 15:47:35.571 LDAP ( INFO ) : simple_bind as cn=admin,dc=deadlock19,dc=local
25.10.13 15:47:35.572 LISTENER ( INFO ) : updating cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:35.573 LISTENER ( INFO ) : data_size and strlen don't match: 213 != 15
25.10.13 15:47:35.574 LISTENER ( INFO ) : delete handlers for cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:35.575 LISTENER ( INFO ) : handler: samba-shares (skipped)
25.10.13 15:47:35.576 LISTENER ( INFO ) : handler: s4-connector (successful)
25.10.13 15:47:35.576 LISTENER ( INFO ) : handler: samba4-idmap (skipped)
25.10.13 15:47:35.577 LISTENER ( INFO ) : handler: keytab-member (skipped)
25.10.13 15:47:35.578 LISTENER ( INFO ) : handler: pkgdb-watch (skipped)
25.10.13 15:47:35.578 LISTENER ( INFO ) : handler: nfs-homes (skipped)
25.10.13 15:47:35.578 LISTENER ( INFO ) : handler: gencertificate (skipped)
25.10.13 15:47:35.578 LISTENER ( INFO ) : handler: nagios-server (skipped)
25.10.13 15:47:35.579 LISTENER ( INFO ) : handler: license_uuid (skipped)
25.10.13 15:47:35.579 LISTENER ( INFO ) : handler: dhcp (skipped)
25.10.13 15:47:35.579 LISTENER ( INFO ) : handler: udm_extension (skipped)
25.10.13 15:47:35.579 LISTENER ( INFO ) : handler: faillog (successful)
25.10.13 15:47:35.580 LISTENER ( INFO ) : ldap_extension: Moving old file /var/lib/univention-ldap/local-schema/q8i2r7h5sd to /tmp/tmpDRbFpZ.
25.10.13 15:47:36.150 LISTENER ( INFO ) : ldap_extension: validation successful, removing backup of old file /tmp/tmpDRbFpZ.
25.10.13 15:47:36.151 LISTENER ( INFO ) : handler: ldap_extension (successful)
25.10.13 15:47:36.151 LISTENER ( INFO ) : handler: nss (skipped)
25.10.13 15:47:36.151 LISTENER ( INFO ) : handler: nagios-client (skipped)
25.10.13 15:47:36.151 LISTENER ( INFO ) : handler: bind (skipped)
25.10.13 15:47:36.151 LISTENER ( INFO ) : handler: nfs-shares (skipped)
25.10.13 15:47:36.151 LISTENER ( INFO ) : handler: ldap_server (skipped)
25.10.13 15:47:36.151 LISTENER ( INFO ) : handler: keytab (skipped)
25.10.13 15:47:36.152 LISTENER ( INFO ) : handler: nscd_update (skipped)
25.10.13 15:47:36.152 LISTENER ( INFO ) : deleted from cache: cn=q8i2r7h5sd,cn=ldapschema,cn=univention,dc=deadlock19,dc=local
25.10.13 15:47:51.171 LISTENER ( INFO ) : running postrun handlers
25.10.13 15:47:51.171 LISTENER ( INFO ) : postrun handler: samba-shares (prepared=0)
25.10.13 15:47:51.171 LISTENER ( INFO ) : postrun handler: s4-connector (prepared=-1)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: samba4-idmap (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: keytab-member (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: pkgdb-watch (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: nfs-homes (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: gencertificate (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: nagios-server (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: license_uuid (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: dhcp (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: udm_extension (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: faillog (prepared=-1)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: ldap_extension (prepared=-1)
25.10.13 15:47:51.172 LISTENER ( ERROR ) : ldap_extension: Reloading ?
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: nss (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: nagios-client (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: bind (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: nfs-shares (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: ldap_server (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: keytab (prepared=0)
25.10.13 15:47:51.172 LISTENER ( INFO ) : postrun handler: nscd_update (prepared=0)
The object was removed already in this test case, I guess due to the following scenario:

1. the ucs_registerLDAPExtension function first "udm creates" the object and then performs an additional udm modify operation to append the appidentifier. After that it waits for the activation of the object via postrun. Strangely, in some cases the postrun seems to have run before the "modify" operation reached the listener:
=======================================================================
24.10.13 06:25:52.811 LISTENER ( ERROR ) : HANDLER: add.
24.10.13 06:26:08.963 LISTENER ( ERROR ) : POSTRUN: todo: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].
Initiating graceful reload of ldap server(s).
Sending HUP to ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
24.10.13 06:26:16.204 LISTENER ( ERROR ) : MARK_ACTIVE: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].
24.10.13 06:26:16.256 LISTENER ( ERROR ) : HANDLER: modify.
24.10.13 06:26:16.256 LISTENER ( ERROR ) : ldap_extension: extension qfej02c97e: diff_keys: ['univentionLDAPSchemaActive', 'modifiersName'].
24.10.13 06:26:31.980 LISTENER ( ERROR ) : POSTRUN: todo: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].
Initiating graceful reload of ldap server(s).
Sending HUP to ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
24.10.13 06:26:39.230 LISTENER ( ERROR ) : MARK_ACTIVE: ['cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa'].
24.10.13 06:26:39.260 LISTENER ( ERROR ) : Error modifying cn=qfej02c97e,cn=ldapschema,cn=univention,dc=ar311r1,dc=qa: object not found.
=======================================================================
2. Due to a bug in the listener module in the "schema" case it did not consider the setting of the appidentifier as a minor change, and triggered another postrun, as seen above.
3. After the activation of the object, the test script performs a check and then removes the object, apparently before the second postrun tries the modify.

I now fixed this on two layers:
1. The listener now considers modifications of "modifiersName" also as trivial and thus doesn't put the dn on the todo list for postrun activation.
2. The udm modification now handles the noObject exception by issuing a log message and ignoring the exception. Other exceptions are raised as before.

Looks like this fixed the issue.
Actually I did a third thing here:
* On object deletion I restart the slapd regardless of the state of the todo list.
OK, it worked like expected, see test cases:
- 10_ldap/70schema_registration_basis
- 10_ldap/70schema_unregistration_basis
- 10_ldap/71schema_replication
- 10_ldap/72schema_reregistration_object_class
- 10_ldap/73schema_registration_twice
- 10_ldap/74schema_update
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html
If this error occurs again, please use "Clone This Bug".