Univention Bugzilla – Bug 38094
ldap/server/addition variable is by default removed
Last modified: 2015-10-07 18:06:57 CEST
The UCR variable ldap/server/addition is set by default by the LDAP directory policy cron job. That means it is removed even if it was set by hand. root@member405:~# ucr get ldap/server/addition root@member405:~# ucr set ldap/server/addition="backup402.deadlock40.intranet" >/dev/null root@member405:~# ucr get ldap/server/addition backup402.deadlock40.intranet root@member405:~# /etc/init.d/univention-directory-policy start [ ok ] Starting Univention Directory Policy:. root@member405:~# ucr get ldap/server/addition root@member405:~# At least the UCR variable description should be adjusted. But I suggest to remove the unset part.
What about using "ucr --forced"? We have that layer for exactly the reason to prevent local UCR settings from being over-ruled like domain wide settings through UMC policies - or in that case a even more specialized Listener module. I changed the description to better describe that the UCRV is managed by a Listener module. r60727 | Bug #38094 base: Document ldap/server/addition better Package: univention-base-files Version: 4.0.8-2.183.201505131737 Branch: ucs_4.0-0 Scope: errata4.0-2 r60728 | Bug #38094 base: Document ldap/server/addition better 2015-05-13-univention-base-files.yaml
(In reply to Philipp Hahn from comment #1) > What about using "ucr --forced"? > We have that layer for exactly the reason to prevent local UCR settings from > being over-ruled like domain wide settings through UMC policies - or in that > case a even more specialized Listener module. Sure, that would be possible. But that is still not the expected behavior. For example the manual describes it in a different way: http://docs.univention.de/manual-4.0.html#computers:configureldapserver " Several LDAP servers can be operated in a UCS domain. The primary one used is specified with the Univention Configuration Registry variable ldap/server/name, further servers can be specified via the Univention Configuration Registry variable ldap/server/addition. Alternatively, the LDAP servers can also be specified via a LDAP server policy in the UMC computer management. The order of the servers determines the order of the computer's requests to the server if a LDAP server cannot be reached. " We can change the description everywhere but I still think it should be possible to use the product without reading the documentation.
Created attachment 6905 [details] Move ldap/server/additional into LDAP layer The implementation for ldap/server/additional is older then the documentation, which was only added for UCS-3.0. The unset is there since before UCS-2.0. So I guess that the documentation is wrong and doesn't document the current implementation. There already was the same request to change the behavior with Bug #20849, but it was denies back then. I see the following issues: 1. As the value is set through a policy, the value should IMHO be written into the LDAP layer to not overwrite any user configured value. Currently it uses the base layer. 2. Unsetting the variable is required to *remove* the 2nd last server, if is is no longer available. Otherwise this might lead to additional timeouts. See attached patch, which moves the value from NORMAL into the LDAP layer of UCR: 1. This a nicely prints the message, that the value is (still) overwritten by the LDAP layer when the user changes the value, 2. It fits into the other behavior known from the UCR layers, 3. auto configuration of new LDAP servers and removing old ones still works, which is what the user expects. Being able to configure things is good, but a working auto-configuration is better. FYI: If the current values for l/s/name and l/s/additional should be moved from NORAML to LDAP, this would required additional code. But since we don't know if they are user modified, removing them from NORMAL could be wrong. The only problematic case would be where NORMAL still names a now unavailable LDAP server, which is only now removed. Because of that the new code sets l/s/additional='' instead of un-setting it, which would make NORMAL visible again.
r60770 | Bug #38094 LDAP: Move ldap/server/additional into LDAP layer r60769 | Bug #38094 LDAP: Copyright 2015 The UCRV ldap/server/addition is now written into the LDAP layer of UCR Package: univention-server Version: 10.0.3-2.218.201505191154 Branch: ucs_4.0-0 Scope: errata4.0-2 r60779 | Bug #38094 LDAP: Move ldap/server/additional into LDAP layer YAML 2015-05-19-univention-server.yaml
OK: The variable may be overwritten via "ucr set --force" and is therefore not removed. The unset is not triggered anymore by /usr/lib/univention-directory-policy/univention-set-ldap-server. OK: YAML
<http://errata.univention.de/ucs/4.0/201.html>
<http://errata.univention.de/ucs/4.0/206.html>
*** Bug 39492 has been marked as a duplicate of this bug. ***