Bug 35411 - move of UCC UDM object in LDAP "disconnects" client
move of UCC UDM object in LDAP "disconnects" client
Product: Univention Corporate Client (UCC)
Classification: Unclassified
Component: Client management
Other Linux
: P5 normal
: UCC 3.0
Assigned To: Felix Botner
Erik Damrose
Depends on:
  Show dependency treegraph
Reported: 2014-07-18 14:04 CEST by Ingo Steuwer
Modified: 2016-08-16 17:13 CEST (History)
5 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Ingo Steuwer univentionstaff 2014-07-18 14:04:13 CEST
If UCC objects of clients that are already deployed are moved (LDAP DN changes), the client doesn't recognize it. The client then tries to BIND to LDAP with its old DN and failes, so management settings aren't applied anymore. Currently these clients either need to be moved back in LDAP to the old position, must be fixed manually (change UCR ldap/basedn) or need to be re-deployed.

A Cool Solution artice describes an automated workaround:

We should address this in the product. If possible, the client should not use the LDAP-DN but i.e. kerberos for LDAP BIND.
Comment 1 Moritz Muehlenhoff univentionstaff 2014-07-22 08:40:12 CEST
We can fix this for the next UCC release.
Comment 2 Ingo Steuwer univentionstaff 2014-11-05 10:04:27 CET
This is requested frequently.
Comment 3 Michael Grandjean univentionstaff 2016-04-26 20:05:34 CEST
Requested again during workshop.

It's quite common that UCCs are moved between different containers/OUs, especially in larger environments. For example, if containers/OUs are used to separate different departments - or 'testing' and 'prod' with different policies linked to them.
Comment 4 Felix Botner univentionstaff 2016-07-13 16:21:34 CEST
Added update-ldap-host-dn to univention-ucc-initramfs/scripts. This script searches the dn of the computer account (kerberos authentication) and verifies that this dn matches ldap/hostdn

The script is called in the initrd  (if the system is joined, for pxe and local boot).
Comment 5 Erik Damrose univentionstaff 2016-08-02 17:52:21 CEST
OK: LDAP move is detected and UCR ldap/hostdn is updated if necessary
OK: Changelog (added comment that the hostdn is updated)
Comment 6 Erik Damrose univentionstaff 2016-08-16 17:13:08 CEST
UCC 3.0 has been released. If this bug occurs again, please clone this bug.