Bug 37351 - AD-Member: Moving of DC-Master host object in AD breaks ldap bind
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-1-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
Depends on:
Blocks: 52263 55150
Reported: 2014-12-15 18:17 CET by Janis Meybohm
Modified: 2022-08-31 07:54 CEST (History)
Description Janis Meybohm univentionstaff 2014-12-15 18:17:23 CET

In AD Member mode:
If the DC-Master host object in AD is moved, it is also moved in OpenLDAP and that breaks LDAP binds in many situations:

15.12.2014 12:06:10,577 LDAP        (PROCESS): sync to ucs:   [            ou] [       add] OU=foo,dc=autotest221,dc=local
15.12.2014 12:06:22,685 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [      move] cn=admember221,ou=foo,dc=autotest221,dc=local

root@admember221:~# univention-ldapsearch -xLLL -D cn=admin,$ldap_base -y /etc/ldap.secret cn=admember221 dn
dn: cn=admember221,ou=foo,dc=autotest221,dc=local

root@admember221:~# univention-ldapsearch -xLLL -D $ldap_hostdn -y /etc/machine.secret cn=admember221 dn
ldap_bind: Invalid credentials (49)

Moving back is impossible as there is no cn=dc,cn=computers,... container in AD and moving via UDM is forbidden because the object has a "synced" flag.
Comment 1 Stefan Gohmann univentionstaff 2015-03-17 17:14:04 CET
I've added a check whether the target object should be ignored. 

Fix: r59137

YAML: 2015-03-17-univention-ad-connector.yaml (r59138)

ucs-test: TODO
Comment 2 Stefan Gohmann univentionstaff 2015-03-18 11:08:26 CET
(In reply to Stefan Gohmann from comment #1)
> ucs-test: TODO

ucs-test: done
Comment 3 Felix Botner univentionstaff 2015-03-23 15:02:58 CET
OK - move/modify... for dc master forbidden in ad connector
OK - 2015-03-17-univention-ad-connector.yaml
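As an added illustration (not the AD connector's own code, and not written by the report's participants) of the failure described in the report and of the ignore check from comment 1: a small Python model in which an incoming "move" of the DC master host object is either applied, which breaks the bind with the unchanged $ldap_hostdn, or dropped by the check. The container name cn=dc,cn=computers and the base dc=autotest221,dc=local come from the report; the full DC master DN, the secret value and all function names are assumptions.

```python
# Added example, not univention-ad-connector code; all names/values constructed.
LDAP_BASE = "dc=autotest221,dc=local"  # base from the report
DC_MASTER_DN = f"cn=admember221,cn=dc,cn=computers,{LDAP_BASE}"  # assumed original DN

def norm(dn):
    """Canonical DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def should_ignore(event, protected_dns):
    """The fix modelled here: skip an incoming move/modify whose target object
    in UCS is protected (the DC master host object)."""
    if event["op"] not in ("move", "modify"):
        return False
    return norm(event["dn"]) in {norm(p) for p in protected_dns}

def new_directory():
    """In-memory stand-in for OpenLDAP: DN -> attributes incl. machine secret."""
    return {norm(DC_MASTER_DN): {"cn": "admember221", "secret": "machine-secret"}}

def sync_to_ucs(directory, events, protected_dns=()):
    """Apply AD->UCS events; return the (op, dn) pairs actually applied."""
    applied = []
    for ev in events:
        if should_ignore(ev, protected_dns):
            continue  # dropped instead of moving the DC master object
        if ev["op"] == "add":
            directory[norm(ev["dn"])] = dict(ev.get("attrs", {}))
        elif ev["op"] == "move":
            directory[norm(ev["new_dn"])] = directory.pop(norm(ev["dn"]))
        applied.append((ev["op"], ev["dn"]))
    return applied

def machine_bind(directory, hostdn, secret):
    """Simple bind: DN must exist and secret must match, else LDAP result 49."""
    entry = directory.get(norm(hostdn))
    if entry is None or entry.get("secret") != secret:
        return "ldap_bind: Invalid credentials (49)"
    return "bind ok"

# The two events from the report's log (attribute values constructed)
EVENTS = [
    {"op": "add", "dn": f"OU=foo,{LDAP_BASE}", "attrs": {"ou": "foo"}},
    {"op": "move", "dn": DC_MASTER_DN, "new_dn": f"cn=admember221,ou=foo,{LDAP_BASE}"},
]
def demo(with_fix):
    """Sync with or without the ignore check, then bind with the unchanged $ldap_hostdn."""
    directory = new_directory()
    sync_to_ucs(directory, EVENTS, [DC_MASTER_DN] if with_fix else [])
    return machine_bind(directory, DC_MASTER_DN, "machine-secret")
```

demo(False) reproduces the "Invalid credentials (49)" from the report because the entry now lives under ou=foo while the machine still binds with its old DN; demo(True) keeps the object in place and the bind succeeds.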
Comment 4 Janek Walkenhorst univentionstaff 2015-03-25 16:38:43 CET