Univention Bugzilla – Bug 38051
01univention-ldap-server-init.inst slapadd fails silently
Last modified: 2018-08-15 18:19:05 CEST
I just joined a DC slave, 01univention-ldap-server-init.inst fails by writing the following into the logfile but the join script is then marked as successfully executed. The join continues... Everything seems good until the next UMC login which fails somehow with a different problem (SSL). Maybe related to this bug.

Configure 01univention-ldap-server-init.inst Mon Mar 16 15:17:48 CET 2015
2015-03-16 15:17:48.994167114+01:00 (in joinscript_init)
5506e60d /etc/ldap/slapd.conf: line 46: <suffix> invalid DN 21 (Invalid syntax)
slapadd: bad configuration file!
E: your request could not be fulfilled
try `univention-config-registry --help` for more information
Not updating windows/domain
Not updating kerberos/realm
Starting ldap server(s): slapd ...failed.
5506e60d /etc/ldap/slapd.conf: line 46: <suffix> invalid DN 21 (Invalid syntax)
slapschema: bad configuration file!.
invoke-rc.d: initscript slapd, action "start" failed.
2015-03-16 15:17:49.342537728+01:00 (in joinscript_save_current_version)
These are the failing lines from 01univention-ldap-server-init.inst:

cat /usr/share/univention-ldap/base.ldif /usr/share/univention-ldap/ffpu.ldif | sed -e \
"s|@@%%@@ldap\.pw@@%%@@|$pw_crypt|;s|@@%%@@backup\.pw@@%%@@|$backup_crypt|;s|@@%%@@sambadomain@@%%@@|$sambadomain|;s|@@%%@@firstdc@@%%@@|$firstdc|;s|@@%%@@realm@@%%@@|$realm|;s|@@%%@@sid@@%%@@|$sid|;s|@@%@@domain@@%@@|$Domain|" | \
univention-config-registry filter | slapadd >>/var/log/univention/join.log 2>&1

The lines before that code seem to be very broken - a lot of unquoted variable assignments.
(In reply to Florian Best from comment #1)
> The lines before that code seem to be very broken - a lot of unquoted
> variable assignments.

FYI: variable assignment needs no extra quoting when using command substitution:

# (foo=$(echo '1 2'); echo ">$foo<")
>1 2<

It is much more likely that some of the variables inserted into the sed command break the script, as no escaping of regular-expression meta-characters is done there.

If you still have the system, please run the command in a shell without the trailing "|slapadd".
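The two points raised so far in this thread (unescaped values in the sed command, and a failed import still being recorded as success) can be handled as in the following added example, which is not part of the original comments and not Univention's code. The function names, the `krb5RealmName` sample line and the sample value are constructed; only the `@@%%@@name@@%%@@` placeholder syntax comes from the quoted join script.

```shell
#!/bin/sh
# Added example, not Univention's code. The @@%%@@name@@%%@@ placeholder
# syntax is from the quoted join script; everything else is constructed.
NL='
'

# Escape what sed treats specially in an s|..|..| replacement:
# backslash, '&' (the whole match) and the '|' delimiter.
sed_escape_replacement() {
    printf '%s\n' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Replace @@%%@@NAME@@%%@@ on stdin with VALUE, inserted literally.
# NAME is a fixed key chosen by the script author, not external input.
fill_placeholder() {
    case $2 in *"$NL"*)
        echo "refusing multi-line value for $1" >&2; return 2 ;;
    esac
    _val=$(sed_escape_replacement "$2") || return 1
    sed -e "s|@@%%@@$1@@%%@@|$_val|g"
}

# Render the template, then feed it to the importer passed as "$@"
# (slapadd in the join script). A failed render or a failed import is
# returned to the caller instead of being recorded as success.
render_and_import() {
    _tmpl=$1; _realm=$2; shift 2
    _ldif=$(fill_placeholder realm "$_realm" <"$_tmpl") || return 1
    printf '%s\n' "$_ldif" | "$@"
}

# Constructed demonstration: the value contains '&', '|' and '\'.
printf '%s\n' 'krb5RealmName: @@%%@@realm@@%%@@' |
    fill_placeholder realm 'A&B|C\D'
```

A join script using this pattern would call `render_and_import` and abort on a non-zero return before saving the script version.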
(In reply to Philipp Hahn from comment #2)
> If you still have the system, please run the command in a shell without the
> trailing "|slapadd".

I force-executed the joinscript again, it worked then.
This bug also occurs in different build configurations on Jenkins for the Autotest MultiEnv (IPv6) project in UCS-4.1 (probably also UCS-4.0-3). The master is a dual-stack machine with an IPv4 and an IPv6 address. The slave only has an IPv6 address. We will check whether this behaviour is reproducible on master/backup or master/member configurations to get further information.
Created attachment 7400
/var/log/univention/join.log with set -x

Happens again on my slave, which I had to re-join. Running `univention-join` always fails:
- 01univention-ldap-server-init.inst fails, but is flagged as having run successfully.
- later on 30univention-appcenter.inst fails, as the local slapd is not running

The bug is explained here: <http://stackoverflow.com/questions/17779078/suffix-invalid-dn-21-invalid-syntax-openldap>
- the backup/slave is unjoined, so /var/lib/univention-ldap/schema.conf is *empty*
- so /etc/openldap/schema/core.schema is *not* included on those replication LDAP servers
- but a DB with *dc*=xxx is given, which is defined in 'core.schema'!
- so slapd does not know the attribute and refuses to start
- normally running the listener in 03 will fetch the schema from the master; then it works
- except other things like slapindex (Bug #39866) still fail

slapd also fails to start if ldap/index/* contains any attributes not yet defined (e.g. univentionAppID from univention-appcenter, which is registered only in 30univention-appcenter.inst)
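The failure chain described in this comment (a `suffix` is configured while the included schema.conf is empty, so core.schema is never loaded) can be caught before slapadd or slapd is run. The following is an added example, not part of the original comment and not Univention's code; it assumes that schema.conf pulls schemas in through unquoted `include <path>` directives, and the function names are constructed.

```shell
#!/bin/sh
# Added example, not Univention's code. Assumes unquoted "include <path>"
# directives; function names are constructed for illustration.

# Print every file reached through "include" directives, depth first.
# $2 is the nesting depth, capped to stop include loops.
list_includes() {
    set -- "$1" "${2:-0}"
    [ "$2" -lt 8 ] || { echo "include nesting too deep at $1" >&2; return 1; }
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    # The loop runs in a subshell, so "exit" only ends this pipeline.
    awk '$1 == "include" { print $2 }' "$1" | while read -r inc; do
        printf '%s\n' "$inc"
        list_includes "$inc" "$(($2 + 1))" || exit 1
    done
}

# Fail when the config declares a database suffix but core.schema, which
# defines the dc attribute used in that suffix, is never included.
preflight_slapd_conf() {
    conf=$1
    includes=$(list_includes "$conf") || return 1
    if grep -Eq '^suffix[[:space:]]' "$conf" &&
       ! printf '%s\n' "$includes" | grep -q '/core\.schema$'; then
        echo "$conf: suffix defined but core.schema is not included" >&2
        return 1
    fi
    return 0
}
```

Where the OpenLDAP tools are installed, `slaptest -u -f <file>` performs the full configuration check; the function above only covers the empty-schema case from this comment.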
r66712 | Bug #38051 LDAP: Initialize LDAP only on master
Only initialize on DC Master

Package: univention-ldap
Version: 12.1.6-11.801.201601111622
Branch: ucs_4.1-0
Scope: errata4.1-0

r66714 | Bug #39866 ldap: Force ldap/index/* to defaults during join YAML
univention-ldap.yaml
r66725 | Bug #38051 ldap: Move cn=config on all server roles

Package: univention-ldap
Version: 12.1.6-12.802.201601121102
Branch: ucs_4.1-0
Scope: errata4.1-0

r66727 | Bug #38051 ldap: Move cn=config on all server roles YAML
univention-ldap.yaml
Code review: OK
Tests upgrade (master|backup|slave): OK
Tests rejoin (backup|slave): Failed

I see the following message in the join.log:
-----------------------------------------------------------------------------
Configure 01univention-ldap-server-init.inst Wed Nov 18 09:51:59 CET 2015
2015-11-18 09:51:59.587404416+01:00 (in joinscript_init)
CRITICAL:__main__:OpenLDAP slapd is running; aborting
Multifile: /etc/ldap/slapd.conf
2015-11-18 09:52:00.796326599+01:00 (in joinscript_save_current_version)
-----------------------------------------------------------------------------

Tests new installation master: OK
Tests new installation slave: OK
YAML: OK
r67152 | Bug #38051 LDAP: Kill OpenLDAP slapd for initial setup during domain (re-)join
Make sure slapd is stopped and valid schema exists on LDAP slaves

Package: univention-ldap
Version: 12.1.6-21.811.201602031616
Branch: ucs_4.1-0
Scope: errata4.1-0

r67153 | Bug #38051 LDAP: Kill OpenLDAP slapd for initial setup during domain (re-)join YAML
univention-ldap.yaml
Code review: OK
Upgrade (master, backup, slave) + Re-join Tests: OK

I still see this message during a normal upgrade:
CRITICAL:__main__:OpenLDAP slapd is running; aborting

I think this CRITICAL message will confuse users. I split it into a new bug: Bug #40575.

New backup installation Test: OK
YAML: OK
<http://errata.software-univention.de/ucs/4.1/84.html>