Bug 38094 - ldap/server/addition variable is by default removed
ldap/server/addition variable is by default removed
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-2-errata
Assigned To: Philipp Hahn
Florian Best
:
: 39492 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-03-19 16:04 CET by Stefan Gohmann
Modified: 2015-10-07 18:06 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Move ldap/server/additional into LDAP layer (12.03 KB, patch)
2015-05-18 11:59 CEST, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2015-03-19 16:04:17 CET
The UCR variable ldap/server/addition is set by default by the LDAP directory policy cron job. That means it is removed even if it was set by hand.

root@member405:~# ucr get ldap/server/addition
root@member405:~# ucr set ldap/server/addition="backup402.deadlock40.intranet" >/dev/null
root@member405:~# ucr get ldap/server/addition
backup402.deadlock40.intranet
root@member405:~# /etc/init.d/univention-directory-policy start
[ ok ] Starting Univention Directory Policy:.
root@member405:~# ucr get ldap/server/addition
root@member405:~#

At least the UCR variable description should be adjusted. But I suggest to remove the unset part.
Comment 1 Philipp Hahn univentionstaff 2015-05-13 17:44:01 CEST
What about using "ucr --forced"?
We have that layer for exactly the reason to prevent local UCR settings from being over-ruled like domain wide settings through UMC policies - or in that case a even more specialized Listener module.

I changed the description to better describe that the UCRV is managed by a Listener module.

r60727 | Bug #38094 base: Document ldap/server/addition better

Package: univention-base-files
Version: 4.0.8-2.183.201505131737
Branch: ucs_4.0-0
Scope: errata4.0-2

r60728 | Bug #38094 base: Document ldap/server/addition better
 2015-05-13-univention-base-files.yaml
Comment 2 Stefan Gohmann univentionstaff 2015-05-13 19:33:06 CEST
(In reply to Philipp Hahn from comment #1)
> What about using "ucr --forced"?
> We have that layer for exactly the reason to prevent local UCR settings from
> being over-ruled like domain wide settings through UMC policies - or in that
> case a even more specialized Listener module.

Sure, that would be possible. But that is still not the expected behavior. 

For example the manual describes it in a different way:
http://docs.univention.de/manual-4.0.html#computers:configureldapserver

"
Several LDAP servers can be operated in a UCS domain. The primary one used is specified with the Univention Configuration Registry variable ldap/server/name, further servers can be specified via the Univention Configuration Registry variable ldap/server/addition.

Alternatively, the LDAP servers can also be specified via a LDAP server policy in the UMC computer management. The order of the servers determines the order of the computer's requests to the server if a LDAP server cannot be reached.
"

We can change the description everywhere but I still think it should be possible to use the product without reading the documentation.
Comment 3 Philipp Hahn univentionstaff 2015-05-18 11:59:56 CEST
Created attachment 6905 [details]
Move ldap/server/additional into LDAP layer

The implementation for ldap/server/additional is older then the documentation, which was only added for UCS-3.0. The unset is there since before UCS-2.0. So I guess that the documentation is wrong and doesn't document the current implementation.

There already was the same request to change the behavior with Bug #20849, but it was denies back then.

I see the following issues:
1. As the value is set through a policy, the value should IMHO be written into the LDAP layer to not overwrite any user configured value. Currently it uses the base layer.
2. Unsetting the variable is required to *remove* the 2nd last server, if is is no longer available. Otherwise this might lead to additional timeouts.

See attached patch, which moves the value from NORMAL into the LDAP layer of UCR:

1. This a nicely prints the message, that the value is (still) overwritten by the LDAP layer when the user changes the value,
2. It fits into the other behavior known from the UCR layers,
3. auto configuration of new LDAP servers and removing old ones still works, which is what the user expects. Being able to configure things is good, but a working auto-configuration is better.


FYI: If the current values for l/s/name and l/s/additional should be moved from NORAML to LDAP, this would required additional code. But since we don't know if they are user modified, removing them from NORMAL could be wrong.
The only problematic case would be where NORMAL still names a now unavailable LDAP server, which is only now removed. Because of that the new code sets l/s/additional='' instead of un-setting it, which would make NORMAL visible again.
Comment 4 Philipp Hahn univentionstaff 2015-05-19 12:12:08 CEST
r60770 | Bug #38094 LDAP: Move ldap/server/additional into LDAP layer
r60769 | Bug #38094 LDAP: Copyright 2015
 The UCRV ldap/server/addition is now written into the LDAP layer of UCR

Package: univention-server
Version: 10.0.3-2.218.201505191154
Branch: ucs_4.0-0
Scope: errata4.0-2

r60779 | Bug #38094 LDAP: Move ldap/server/additional into LDAP layer YAML
 2015-05-19-univention-server.yaml
Comment 5 Florian Best univentionstaff 2015-05-22 14:57:16 CEST
OK: The variable may be overwritten via "ucr set --force" and is therefore not removed. The unset is not triggered anymore by /usr/lib/univention-directory-policy/univention-set-ldap-server.
OK: YAML
Comment 6 Janek Walkenhorst univentionstaff 2015-05-28 16:49:13 CEST
<http://errata.univention.de/ucs/4.0/201.html>
Comment 7 Janek Walkenhorst univentionstaff 2015-06-17 18:15:39 CEST
<http://errata.univention.de/ucs/4.0/206.html>
Comment 8 Philipp Hahn univentionstaff 2015-10-07 18:06:57 CEST
*** Bug 39492 has been marked as a duplicate of this bug. ***