Univention Bugzilla – Bug 35411
move of UCC UDM object in LDAP "disconnects" client
Last modified: 2016-08-16 17:13:08 CEST
If UCC objects of clients that are already deployed are moved (LDAP DN changes), the client doesn't recognize it. The client then tries to BIND to LDAP with its old DN and fails, so management settings aren't applied anymore. Currently these clients either need to be moved back in LDAP to the old position, must be fixed manually (change UCR ldap/basedn) or need to be re-deployed.
A Cool Solution article describes an automated workaround:
We should address this in the product. If possible, the client should not use the LDAP-DN but i.e. kerberos for LDAP BIND.
We can fix this for the next UCC release.
This is requested frequently.
Requested again during workshop.
It's quite common that UCCs are moved between different containers/OUs, especially in larger environments. For example, if containers/OUs are used to separate different departments - or 'testing' and 'prod' with different policies linked to them.
Added update-ldap-host-dn to univention-ucc-initramfs/scripts. This script searches the dn of the computer account (kerberos authentication) and verifies that this dn matches ldap/hostdn.
The script is called in the initrd (if the system is joined, for pxe and local boot).
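The check described in the comment above, written out as an added example; this is not the UCC project's own update-ldap-host-dn script. It assumes host keytab credentials are available for a SASL/GSSAPI bind, that OpenLDAP's ldapsearch and the ucr CLI are installed, that host objects carry objectClass univentionHost, and that the UCR keys hostname, ldap/base, ldap/server/name and ldap/server/port are set.

```shell
#!/bin/sh
# Added example, not the UCC project's update-ldap-host-dn script. Re-derives
# the client's computer-account DN through a Kerberos-authenticated LDAP search
# and repairs UCR ldap/hostdn if the object was moved. Assumptions: host keytab
# credentials are usable for SASL/GSSAPI, OpenLDAP ldapsearch and the ucr CLI
# are installed, and host objects carry objectClass univentionHost.

# Print the DN of the first LDIF entry, unfolding continuation lines.
# Refuses base64-encoded DNs (dn::) instead of guessing; returns 1 then.
ldif_dn() {
    printf '%s\n' "$1" | awk '
        /^dn: /       { found = 1; dn = substr($0, 5); next }
        found && /^ / { dn = dn substr($0, 2); next }  # folded continuation line
        found         { exit }                         # entry body: DN complete
        /^dn:: /      { exit 1 }                       # base64 DN: do not guess
        END           { if (found) print dn }
    '
}

# Lowercase and strip blanks around commas: the comparison must not treat
# "CN=x, OU=y" and "cn=x,ou=y" as a move.
dn_normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# True (0) when the two DNs differ after normalisation.
dn_changed() {
    [ "$(dn_normalize "$1")" != "$(dn_normalize "$2")" ]
}

# Look up our own computer object by cn with the host principal (GSSAPI), so
# the search works even though the stale ldap/hostdn can no longer bind.
update_hostdn() {
    host="$(ucr get hostname)" || return 1
    current="$(ucr get ldap/hostdn)" || return 1
    ldif="$(ldapsearch -LLL -Q -Y GSSAPI \
        -H "ldap://$(ucr get ldap/server/name):$(ucr get ldap/server/port)" \
        -b "$(ucr get ldap/base)" \
        "(&(objectClass=univentionHost)(cn=$host))" dn)" || return 1
    new="$(ldif_dn "$ldif")" || return 1
    [ -n "$new" ] || { echo "no computer object for cn=$host" >&2; return 1; }
    if dn_changed "$current" "$new"; then
        ucr set "ldap/hostdn=$new"
    else
        echo "ldap/hostdn is current: $current"
    fi
}
# On a joined client: . ./update-ldap-host-dn.sh && update_hostdn
```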
OK: LDAP move is detected and UCR ldap/hostdn is updated if necessary
OK: Changelog (added comment that the hostdn is updated)
UCC 3.0 has been released. If this bug occurs again, please clone this bug.