Bug 38091 - Improve fail-safe domain setup
Improve fail-safe domain setup
Product: UCS
Classification: Unclassified
Component: General
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.1-0-errata
Assigned To: Daniel Tröder
Stefan Gohmann
Depends on: 38090
Blocks: 40556
  Show dependency treegraph
Reported: 2015-03-19 15:25 CET by Stefan Gohmann
Modified: 2016-02-04 14:08 CET (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Roadmap discussion (moved)
Max CVSS v3 score:

diff (1.33 KB, patch)
2015-12-21 18:47 CET, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2015-03-19 15:25:41 CET
We should check if we can implement a better default setup out-of-the-box.

+++ This bug was initially created as a clone of Bug #38090 +++

We have already different hints in the documentation about the domain setup and how to configure multiple LDAP servers, for example:

Nevertheless, we should add a single SDB entry which describes what to do to get a fail-safe setup, for example:

- DNS setup (UCR variable nameserver*)
- LDAP server (LDAP Server Policy)
- Kerberos KDC (dns query)
- Samba DCs (Installation of multiple DCs)

The manual should link to the article.
Comment 1 Daniel Tröder univentionstaff 2015-11-30 16:13:23 CET
When a domain controller (DC) master or DC backup is created, two policies are now created or modified:
* a LDAP server policy to be used by member servers and
* a UCR policy be used by DC slaves.

The policies configure them to use the LDAP servers of all available DC backups, in case the DC master is down. The policies are referenced by cn=computers,$ldap_base.

Slaves currently do not support LDAP server policies, so a UCR policy for "ldap/server/addition" is create and used instead.

The version of the join script is not raised, to not modify existing installations.

Commits: 65992 + 65993
YAML: univention-ldap.yaml : 65993 + 65994
Comment 2 Daniel Tröder univentionstaff 2015-11-30 16:51:25 CET
Commits 65995 + 65996: Do not activate UCR policy by default - slaves can survive a master-down on their own.
Comment 3 Arvid Requate univentionstaff 2015-12-21 18:47:56 CET
Created attachment 7382 [details]

Unfortunately appending a value to a UCR variable policy is not implemented yet, so this breaks when running this on the second DC Backup breaks:

+ univention-directory-manager policies/registry modify --dn=cn=default-ldap-servers,cn=config-registry,cn=policies,dc=ar41i1,dc=qa --append 'registry="ldap/server/addition"  "backup2.ar41i1.qa"'
E: Invalid Syntax: Duplicated variables not allowed: 'ldap/server/addition'

See patch proposal. Please note a line continuation was missing too.
Comment 4 Daniel Tröder univentionstaff 2015-12-28 10:28:15 CET
Thanks, patch applied: r66540 + r66541.
Comment 5 Stefan Gohmann univentionstaff 2016-02-01 09:00:49 CET
If you join a new backup into an existing domain, the policy is created and it does only include the new backup. I think we should create the correct policy in the postinst on the master.

Can you add test scripts which check the creation of the policies?
Comment 6 Daniel Tröder univentionstaff 2016-02-01 18:10:58 CET
The list of servers for the LDAP and the UCR policies is now rebuilt each time the join script runs. This makes it also possible to remove an entry in case a DC is deleted. A test was added.

Code change: 67081, 67092, 67097, 67106
Advisory: 67094, 67098, 67107
Test: 67107
Comment 7 Stefan Gohmann univentionstaff 2016-02-02 07:35:46 CET
(In reply to Daniel Tröder from comment #6)
> The list of servers for the LDAP and the UCR policies is now rebuilt each
> time the join script runs. This makes it also possible to remove an entry in
> case a DC is deleted. A test was added.
> Code change: 67081, 67092, 67097, 67106
> Advisory: 67094, 67098, 67107
> Test: 67107

I've split the test case bug into Bug #40556. That makes it easier to release this erratum.

Code review: OK. One note, you connect the policy every time. That is a problem if one won't use it:
    univention-directory-manager container/cn modify "$@" \
        --dn "cn=computers,$ldap_base" \
        --policy-reference "cn=default-settings,cn=ldap,cn=policies,$ldap_base"
It is a policy, so it can be overwritten. Let's wait if it will be a real problem.

Tests: Fail

1. I've added a simple DC Backup which doesn't have an fqdn:

root@master411:~#  udm computers/domaincontroller_backup create --set name=testdc1
root@master411:~# udm computers/domaincontroller_backup list | grep fqdn
  fqdn: backup412.deadlock41.intranet
  fqdn: None
root@master411:~# univention-ldapsearch objectClass=univentionPolicyLDAPServer | grep univentionLDAPServer
univentionLDAPServer: master411.deadlock41.intranet
univentionLDAPServer: backup412.deadlock41.intranet
univentionLDAPServer: None

2. The master is not set in the UCR policy. That's part of the code, but I guess it is wrong. Any particular reason?

root@backup412:~# univention-directory-manager policies/ldapserver list "$@" --filter name=default-settings | grep ldapServer
  ldapServer: master411.deadlock41.intranet
  ldapServer: backup412.deadlock41.intranet
root@backup412:~# udm policies/registry list

DN: cn=default-ldap-servers,cn=config-registry,cn=policies,dc=deadlock41,dc=intranet
ARG: None
  ldapFilter: (univentionServerRole=slave)
  name: default-ldap-servers
  requiredObjectClasses: univentionDomainController
  registry: ldap/server/addition backup412.deadlock41.intranet


Comment 8 Daniel Tröder univentionstaff 2016-02-02 09:46:33 CET
Commits: 67116, 67117, 67118

* DCs without FQDN are now ignored.
* DC master is added to ldap/server/addition (no idea why I didn't want this previously).
* The ldap server policy is created and attached only once.
Comment 9 Stefan Gohmann univentionstaff 2016-02-03 20:39:08 CET
Code review: OK

Tests: OK

Comment 10 Janek Walkenhorst univentionstaff 2016-02-04 14:08:04 CET