Univention Bugzilla – Bug 39386
Create ucs-sso.$domainname
Last modified: 2015-11-17 12:12:34 CET
Add a pseudo host ucs-sso.$domainname which is used as domain wide default Identity Provider.

* Configurable via UCR variable
* Create SSL certificates for that host
* Add DNS entries of DC master and DC backup systems to that host
** unjoining / ip changes should change the DNS entries
* let all UMC-Service provider use that host as IDP
* prevent creation of computer objects with this name
The Jenkins jobs didn't succeed on either a master or a backup. On the master the SSL configuration wasn't re-created after the certificate generation. On the backup it looked like the download was too fast after DNS registration. Tried to fix it with the following commits:

univention-management-console-frontend r64189:
* It takes some time until the DNS has been updated and the apache is ready. The download of the IDP metadata is now done in a loop up to 30 seconds (Bug #39386)

univention-saml r64190:
* Re-create Apache configuration after the certificate generation (Bug #39386)
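The loop described in r64189 above (retry the IdP metadata download for up to 30 seconds because DNS and Apache lag behind the registration) is the kind of bounded wait a join script needs. The following is an added example written for this page, not the univention-management-console-frontend or univention-saml join script: `wait_for` retries any command until it succeeds or a deadline passes, and `fetch_idp_metadata` chains a DNS lookup, an HTTPS download with CA verification, and a sanity check on the result. The SSO host name, the metadata URL path and the CA path are assumptions for illustration, not taken from the bug.

```shell
#!/bin/sh
# Added example, not code from the bug or the UCS packages.

# wait_for MAX_SECONDS INTERVAL COMMAND...
# Retry COMMAND until it exits 0, sleeping INTERVAL seconds between attempts.
# Returns 0 on success, 1 once MAX_SECONDS have been spent waiting.
wait_for () {
    max_wait="$1"; interval="$2"; shift 2
    waited=0
    while ! "$@" >/dev/null 2>&1; do
        waited=$((waited + interval))
        if [ "$waited" -ge "$max_wait" ]; then
            echo "timeout after ${max_wait}s waiting for: $*" >&2
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# fetch_idp_metadata SSO_FQDN OUTFILE
# 1. wait until the pseudo host resolves (the DNS entry is written by the join),
# 2. wait until Apache serves the metadata over HTTPS, verifying the chain
#    against the domain CA instead of disabling verification to "fix" the race,
# 3. refuse an HTML error page that curl --fail did not catch.
# The URL path and CA path below are assumptions for this example.
fetch_idp_metadata () {
    sso_fqdn="$1"; out="$2"
    wait_for 30 1 host "$sso_fqdn" || return 1
    wait_for 30 1 curl --fail --silent --show-error \
        --cacert /etc/univention/ssl/ucsCA/CAcert.pem \
        -o "$out" "https://$sso_fqdn/simplesamlphp/saml2/idp/metadata.php" || return 1
    grep -q 'EntityDescriptor' "$out"
}
```

Pointing `--cacert` at the domain CA matters here: the certificate for the pseudo host is generated during the same join, so a download that starts before it is installed should fail and be retried, not succeed against a stale or self-signed certificate.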
I did some more changes:

univention-saml (r64191):
* Move univention-saml join script to a later point because it needs a running DNS server (Bug #39386)

univention-saml (r64194):
* Ensure apache is reloaded in the SAML join script (Bug #39386)

univention-saml (r64196):
* Ensure apache is reloaded in the SAML join script. Fixed typo of previous commit (Bug #39386)

univention-management-console-frontend (r64192):
* Move univention-management-console-web-server join script to a later point because it needs a running DNS server (Bug #39386)
The renaming of the joinscripts was not complete:

debian/univention-management-console-web-server.postinst:call_joinscript 34univention-management-console-web-server.inst
debian/univention-saml-schema.postinst: call_joinscript 33univention-saml.inst

I think renaming 34 to 92 should not have side effects as every 35-joinscript of UMC modules currently only needs the UMC-server joinscript to be executed.

The apache restart might cause side effects as SSL is also reloaded. If the configuration is done via HTTPS on an external browser UMC might not answer anymore.
(In reply to Florian Best from comment #4)
> The renaming of the joinscripts was not complete:
>
> debian/univention-management-console-web-server.postinst:call_joinscript 34univention-management-console-web-server.inst
> debian/univention-saml-schema.postinst: call_joinscript 33univention-saml.inst
>
> I think renaming 34 to 92 should not have side effects as every 35-joinscript of UMC modules currently only need the UMC-server joinscript to be executed.

OK, I've changed the call_joinscript command.

> The apache restart might cause side effects as SSL is also reloaded. If the configuration is done via an HTTPS on an external browser UMC might not answer anymore.

Yes, good point. I've created Bug #39476 and we will fix it.
/var/lib/dpkg/info/univention-saml.postinst: 59: /var/lib/dpkg/info/univention-saml.postinst: call_joinscript: not found
It seems svn r64229 accidentally removed the listener univention-saml.py file from the package. I made the naming a little bit more clear and readded the handler: univention-saml (3.0.18-4): r64266 | Bug #39472: readd listener module
(In reply to Florian Best from comment #1)
> * prevent creation of computer objects with this name

I'm not sure if it is really needed. A computer object can only be created as a Domain Admin. So, I guess it is OK because a Domain Admin has the right to modify the DNS directly. Or am I missing something?
(In reply to Stefan Gohmann from comment #8)
> (In reply to Florian Best from comment #1)
> > * prevent creation of computer objects with this name
>
> I'm not sure if it is really needed. A computer object can only be created as a Domain Admin. So, I guess it is OK because a Domain Admin has the right to modify the DNS directly. Or am I missing something?

I've created Bug #39485 for the general problem.
(In reply to Florian Best from comment #0)
> Add a pseudo host ucs-sso.$domainname which is used as domain wide default Identity Provider.
>
> * Configurable via UCR variable
> * Create SSL certificates for that host
> * Add DNS entries of DC master and DC backup systems to that host
> ** unjoining / ip changes should change the DNS entries

I guess, we have a few different issues here:

1. Default Settings
Every master and backup registers automatically its default IP to the pseudo host entry. The certificate is created and distributed on the systems.

2. Different Name
If a different name is used, everything will also happen automatically, certificate generation, IP registration and so on.

3. Individual Setup
Maybe one wants to configure it in a different way. For this case, it should be possible to prohibit the pseudo host generation, the SSL certificate generation, the SSL certificate distribution and the IP registration, everything separately via UCR.

4. Cloud Setup
Based on the different UCR variables it should be possible to define a CSP setup and an individual setup for large environments.
ip/change now considers the ucs-sso DNS entry: r64328

I've also added a test case for it 60_umc-system/75_ipchange_basic + 60_umc-system/76_ipchange_ucs_sso: r64329

Changelog: r64330
r64336 Fixed reference to old joinscript name in unjoin script
(In reply to Erik Damrose from comment #12)
> r64336 Fixed reference to old joinscript name in unjoin script

Can you revert this? This is done on purpose for update scenarios to remove the joinscript!?
(In reply to Stefan Gohmann from comment #10)
> 3. Individual Setup
>
> Maybe one wants to configure it in a different way. For this case, it should be possible to prohibit the pseudo host generation, the SSL certificate generation, the SSL certificate distribution and the IP registration, everything separately via UCR.

I've added some more variables (r64339):

ucs/server/sso/autoregistraton
ucs/server/sso/certificate/generation
ucs/server/sso/certificate/download

I didn't create a variable to prohibit the pseudo host generation because it doesn't make sense. The pseudo host is not generated if the autoregistration is disabled.

Still waiting for some test results.

The auto IP change for ucs-sso have been added to system setup: r64333 and r64334
(In reply to Florian Best from comment #13)
> (In reply to Erik Damrose from comment #12)
> > r64336 Fixed reference to old joinscript name in unjoin script
> Can you revert this? This is done on purpose for update scenarios to remove the joinscript!?

I think the change is correct. The unjoin script has to remove the reference to its corresponding joinscript, in order for it to be called the next time the package gets installed.
(In reply to Stefan Gohmann from comment #14)
> Still waiting for some test results.

My tests were successful.
(In reply to Erik Damrose from comment #15)
> I think the change is correct. The unjoin script has to remove the reference to its corresponding joinscript, in order for it to be called the next time the package gets installed.

Yes, that is the goal.
OK: wait for dns entry
OK: Move of joinscript execution order
OK: DNS Update on ip address change
OK: UCRVs for default override

-> Verified
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".