Bug 38051 - 01univention-ldap-server-init.inst slapadd fails silently
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 4.0
Other Linux
: P5 normal
: UCS 4.1-0-errata
Assigned To: Philipp Hahn
Stefan Gohmann
Depends on:
Blocks: 39866
Reported: 2015-03-16 15:37 CET by Florian Best
Modified: 2018-08-15 18:19 CEST (History)

See Also:
Bug group (optional): Cleanup, Error handling

/var/log/univention/join.log with set -x (2.84 KB, text/plain)
2016-01-11 16:21 CET, Philipp Hahn

Description Florian Best univentionstaff 2015-03-16 15:37:02 CET
I just joined a DC slave, 01univention-ldap-server-init.inst fails by writing the following into the logfile but the join script is then marked as successfully executed.
The join continues... Everything seems good until the next UMC login which fails somehow with a different problem (SSL). Maybe related to this bug.

Configure 01univention-ldap-server-init.inst Mon Mar 16 15:17:48 CET 2015
2015-03-16 15:17:48.994167114+01:00 (in joinscript_init)
5506e60d /etc/ldap/slapd.conf: line 46: <suffix> invalid DN 21 (Invalid syntax)
slapadd: bad configuration file!
E: your request could not be fulfilled
try `univention-config-registry --help` for more information
Not updating windows/domain
Not updating kerberos/realm
Starting ldap server(s): slapd ...failed.
5506e60d /etc/ldap/slapd.conf: line 46: <suffix> invalid DN 21 (Invalid syntax) slapschema: bad configuration file!.
invoke-rc.d: initscript slapd, action "start" failed.
2015-03-16 15:17:49.342537728+01:00 (in joinscript_save_current_version)
Comment 1 Florian Best univentionstaff 2015-03-16 15:39:54 CET
These are the failing lines from 01univention-ldap-server-init.inst:

    cat /usr/share/univention-ldap/base.ldif /usr/share/univention-ldap/ffpu.ldif | \
        sed -e \
        "s|@@%%@@ldap\.pw@@%%@@|$pw_crypt|;s|@@%%@@backup\.pw@@%%@@|$backup_crypt|;s|@@%%@@sambadomain@@%%@@|$sambadomain|;s|@@%%@@firstdc@@%%@@|$firstdc|;s|@@%%@@realm@@%%@@|$realm|;s|@@%%@@sid@@%%@@|$sid|;s|@@%@@domain@@%@@|$Domain|" | \
        univention-config-registry filter | slapadd >>/var/log/univention/join.log 2>&1

The lines before that code seem to be very broken - a lot of unquoted variable assignments.
Comment 2 Philipp Hahn univentionstaff 2015-03-17 09:21:53 CET
(In reply to Florian Best from comment #1)
> The lines before that code seem to be very broken - a lot of unquoted
> variable assignments.

FYI: variable assignment needs no extra quoting when using command substitution:
# (foo=$(echo '1  2'); echo ">$foo<")
>1  2<

It is much more likely that some of the variables inserted into the sed command break the script, as no escaping of regular-expression meta-characters is done there.

If you still have the system, please run the command in a shell without the trailing "|slapadd".
Comment 3 Florian Best univentionstaff 2015-03-17 09:32:46 CET
(In reply to Philipp Hahn from comment #2)
> If you still have the system, please run the command in a shell without the
> trailing "|slapadd".

I force-executed the join script again, and it worked then.
Comment 4 Julian Hupertz univentionstaff 2015-10-09 14:25:14 CEST
This bug also occurs in different build configurations on Jenkins for the Autotest MultiEnv (IPv6) project in UCS-4.1 (probably also UCS-4.0-3).

The master is a dual-stack machine with an IPv4 and an IPv6 address; the slave only has an IPv6 address.

We will check whether this behaviour is reproducible in master/backup or master/member configurations to get further information.
Comment 5 Philipp Hahn univentionstaff 2016-01-11 16:21:33 CET
Created attachment 7400
/var/log/univention/join.log with set -x

Happens again on my slave, which I had to re-join.
Running `univention-join` always fails:
- 01univention-ldap-server-init.inst fails, but is flagged as having run successfully.
- later on 30univention-appcenter.inst fails, as the local slapd is not running

The bug is explained here: <http://stackoverflow.com/questions/17779078/suffix-invalid-dn-21-invalid-syntax-openldap>
- the backup/slave is unjoined, so /var/lib/univention-ldap/schema.conf is *empty*
- so /etc/openldap/schema/core.schema is *not* included on those replication LDAP servers
- but a DB with *dc*=xxx is given, which is defined in 'core.schema'!
- so slapd does not know the attribute and refuses to start
- normally running the listener in 03 will fetch the schema from the master; then it works
- except other things like slapindex (Bug #39866) still fail

slapd also fails to start if ldap/index/* contains any attributes not yet defined (e.g. univentionAppID from univention-appcenter, which is registered only in 30univention-appcenter.inst)
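Added example (my own shell, not code from the join script or the univention-ldap package) covering the unescaped sed values from comment 2 and the empty schema.conf from comment 5: values are escaped before entering the sed replacement, schema.conf is checked for core.schema, the rendered LDIF is kept in a file so a failed run can be inspected, and the exit status of slapadd is acted on instead of being swallowed by ">>join.log 2>&1". The three-line template, the placeholder names and the example values are constructed; "slapadd -l" and the dc attribute from core.schema are real.

```shell
#!/bin/sh
# Added example, not the join script's own code: escape values before they are
# spliced into a sed replacement, render the LDIF to a file, check the schema
# and only then call slapadd, acting on its exit status.

# Escape '\', '&' and the '|' delimiter: the characters sed treats specially
# in the replacement part of s|...|...|.
sed_escape_repl() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Render a base.ldif-style template: every @@%%@@NAME@@%%@@ placeholder is
# replaced by the escaped value of a NAME=VALUE argument.
render_ldif() {
    template=$1; shift
    expr=''
    for kv in "$@"; do
        name=${kv%%=*}
        value=$(sed_escape_repl "${kv#*=}")
        expr="${expr:+$expr;}s|@@%%@@${name}@@%%@@|${value}|g"
    done
    sed -e "$expr" "$template"
}

# Pre-flight check from comment 5: 'dc' is defined in core.schema, so an
# empty schema.conf on an unjoined slave guarantees "<suffix> invalid DN 21".
schema_conf_ok() {
    [ -s "$1" ] && grep -q 'core\.schema' "$1"
}

# Constructed three-line template (hypothetical, not the real base.ldif).
write_sample_template() {
    printf '%s\n' 'dn: @@%%@@ldap/base@@%%@@' \
        'userPassword: @@%%@@ldap.pw@@%%@@' \
        'sambaDomainName: @@%%@@sambadomain@@%%@@' > "$1"
}

# Load step that reports instead of hiding errors.  The rendered LDIF stays in
# $out so a failed run can be examined, as comment 2 asks.
load_ldif() {
    template=$1; schema_conf=$2; out=$3; shift 3
    schema_conf_ok "$schema_conf" || { echo "E: $schema_conf does not include core.schema" >&2; return 2; }
    render_ldif "$template" "$@" > "$out" || return 1
    if grep -q '@@%%@@' "$out"; then
        echo "E: unfilled placeholder in $out" >&2; return 1
    fi
    slapadd -l "$out" || { echo "E: slapadd failed, LDIF kept in $out" >&2; return 1; }
}
```

Run as `load_ldif template schema.conf out.ldif ldap.pw=... ldap/base=... sambadomain=...`; a non-zero return from it is what the join script should turn into a failed join instead of continuing.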
Comment 6 Philipp Hahn univentionstaff 2016-01-11 16:27:44 CET
r66712 | Bug #38051 LDAP: Initialize LDAP only on master
 Only initialize on DC Master

Package: univention-ldap
Version: 12.1.6-11.801.201601111622
Branch: ucs_4.1-0
Scope: errata4.1-0

r66714 | Bug #39866 ldap: Force ldap/index/* to defaults during join YAML
Comment 7 Philipp Hahn univentionstaff 2016-01-12 11:06:18 CET
r66725 | Bug #38051 ldap: Move cn=config on all server roles

Package: univention-ldap
Version: 12.1.6-12.802.201601121102
Branch: ucs_4.1-0
Scope: errata4.1-0

r66727 | Bug #38051 ldap: Move cn=config on all server roles YAML
Comment 8 Stefan Gohmann univentionstaff 2016-01-31 19:42:10 CET
Code review: OK

Tests upgrade (master|backup|slave): OK

Tests rejoin (backup|slave): Failed

I see the following message in the join.log:
Configure 01univention-ldap-server-init.inst Wed Nov 18 09:51:59 CET 2015
2015-11-18 09:51:59.587404416+01:00 (in joinscript_init)
CRITICAL:__main__:OpenLDAP slapd is running; aborting
Multifile: /etc/ldap/slapd.conf
2015-11-18 09:52:00.796326599+01:00 (in joinscript_save_current_version)

Tests new installation master: OK

Tests new installation slave: OK

Comment 9 Philipp Hahn univentionstaff 2016-02-03 16:19:02 CET
r67152 | Bug #38051 LDAP: Kill OpenLDAP slapd for initial setup during domain (re-)join
 Make sure slapd is stopped and valid schema exists on LDAP slaves
Package: univention-ldap
Version: 12.1.6-21.811.201602031616
Branch: ucs_4.1-0
Scope: errata4.1-0

r67153 | Bug #38051 LDAP: Kill OpenLDAP slapd for initial setup during domain (re-)join YAML
Comment 10 Stefan Gohmann univentionstaff 2016-02-03 21:08:05 CET
Code review: OK

Upgrade (master, backup, slave) + Re-join Tests: OK
I still see this message during a normal upgrade:
 CRITICAL:__main__:OpenLDAP slapd is running; aborting
I think this CRITICAL message will confuse users. I split it into a new bug: Bug #40575.

New backup installation Test: OK

Comment 11 Janek Walkenhorst univentionstaff 2016-02-04 14:08:14 CET