Bug 39386 - Create ucs-sso.$domainname
Create ucs-sso.$domainname
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1
Assigned To: Stefan Gohmann
Erik Damrose
: interim-2
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-22 18:51 CEST by Florian Best
Modified: 2015-11-17 12:12 CET (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2015-09-22 18:51:03 CEST
Add a pseudo host ucs-sso.$domainname which is used as domain wide default Identity Provider.

* Configurable via UCR variable
* Create SSL certificates for that host
* Add DNS entries of DC master and DC backup systems to that host
** unjoining / ip changes should change the DNS entries
* let all UMC-Service provider use that host as IDP
Comment 1 Florian Best univentionstaff 2015-09-22 18:51:29 CEST
* prevent creation of computer objects with this name
Comment 2 Stefan Gohmann univentionstaff 2015-10-04 14:58:42 CEST
The Jenkins jobs didn't succeed neither on a master nor on a backup. On the master the SSL configuration wasn't re-created after the certificate generation. On the backup it looked like the download was too fast after DNS registration.

Tried to fix it with the following commits:

univention-management-console-frontend r64189:
* It takes some time until the DNS has been updated and the apache is
  ready. The download of the IDP metadata is now done in a loop up to
  30 seconds (Bug #39386)

univention-saml r64190:
* Re-create Apache configuration after the certificate generation
  (Bug #39386)
Comment 3 Stefan Gohmann univentionstaff 2015-10-04 21:28:00 CEST
I did some more changes:

univention-saml (r64191):
* Move univention-saml join script to a later point because it needs
  a running DNS server (Bug #39386)

univention-saml (r64194):
* Ensure apache is reloaded in the SAML join script (Bug #39386)

univention-saml (r64196):
* Ensure apache is reloaded in the SAML join script. Fixed typo of
  previous commit (Bug #39386)

univention-management-console-frontend (r64192):
* Move univention-management-console-web-server join script to a later
  point because it needs a running DNS server (Bug #39386)
Comment 4 Florian Best univentionstaff 2015-10-05 11:45:10 CEST
The renaming of the joinscripts was not complete:

debian/univention-management-console-web-server.postinst:call_joinscript 34univention-management-console-web-server.inst
debian/univention-saml-schema.postinst:         call_joinscript 33univention-saml.inst

I think renaming 34 to 92 should not have side effects as every 35-joinscript of UMC modules currently only need the UMC-server joinscript to be executed.

The apache restart might cause side effects as SSL is also reloaded. If the configuration is done via an HTTPS on an external browser UMC might not answer anymore.
Comment 5 Stefan Gohmann univentionstaff 2015-10-05 16:39:47 CEST
(In reply to Florian Best from comment #4)
> The renaming of the joinscripts was not complete:
> 
> debian/univention-management-console-web-server.postinst:call_joinscript
> 34univention-management-console-web-server.inst
> debian/univention-saml-schema.postinst:         call_joinscript
> 33univention-saml.inst
> 
> I think renaming 34 to 92 should not have side effects as every
> 35-joinscript of UMC modules currently only need the UMC-server joinscript
> to be executed.

OK, I've changed the call_joinscript command.

> The apache restart might cause side effects as SSL is also reloaded. If the
> configuration is done via an HTTPS on an external browser UMC might not
> answer anymore.

Yes, good point. I've created Bug #39476 and we will fix it.
Comment 6 Florian Best univentionstaff 2015-10-06 12:12:57 CEST
/var/lib/dpkg/info/univention-saml.postinst: 59: /var/lib/dpkg/info/univention-saml.postinst: call_joinscript: not found
Comment 7 Florian Best univentionstaff 2015-10-06 17:36:51 CEST
It seems svn r64229 accidentally removed the listener univention-saml.py file from the package.
I made the naming a little bit more clear and readded the handler:

univention-saml (3.0.18-4):
r64266 | Bug #39472: readd listener module
Comment 8 Stefan Gohmann univentionstaff 2015-10-06 20:52:56 CEST
(In reply to Florian Best from comment #1)
> * prevent creation of computer objects with this name

I'm not sure if it is really needed. A computer object can only be created as a Domain Admin. So, I guess it is OK because a Domain Admin has the right to modify the DNS directly. Or am I missing something?
Comment 9 Stefan Gohmann univentionstaff 2015-10-07 06:48:09 CEST
(In reply to Stefan Gohmann from comment #8)
> (In reply to Florian Best from comment #1)
> > * prevent creation of computer objects with this name
> 
> I'm not sure if it is really needed. A computer object can only be created
> as a Domain Admin. So, I guess it is OK because a Domain Admin has the right
> to modify the DNS directly. Or am I missing something?

I've created Bug #39485 for the general problem.
Comment 10 Stefan Gohmann univentionstaff 2015-10-07 07:33:06 CEST
(In reply to Florian Best from comment #0)
> Add a pseudo host ucs-sso.$domainname which is used as domain wide default
> Identity Provider.
> 
> * Configurable via UCR variable
> * Create SSL certificates for that host
> * Add DNS entries of DC master and DC backup systems to that host
> ** unjoining / ip changes should change the DNS entries

I guess, we have a few different issues here:

1. Default Settings

Every master and backup registers automatically its default IP to the pseudo host entry. The certificate is created and distributed on the systems.

2. Different Name

If a different name is used, everything will also happen automatically, certificate generation, IP registration and so on.

3. Individual Setup

Maybe one wants to configure it in a different way. For this case, it should be possible to prohibit the pseudo host generation, the SSL certificate generation, the SSL certificate distribution and the IP registration, everything separately via UCR.

4. Cloud Setup

Based on the different UCR variables it should be possible to define a CSP setup and a individual setup for large environments.
Comment 11 Stefan Gohmann univentionstaff 2015-10-08 08:36:10 CEST
ip/change now considers the ucs-sso DNS entry: r64328
I've also added a test case for it 60_umc-system/75_ipchange_basic + 60_umc-system/76_ipchange_ucs_sso: r64329
Changelog: r64330
Comment 12 Erik Damrose univentionstaff 2015-10-08 14:54:47 CEST
r64336 Fixed reference to old joinscript name in unjoin script
Comment 13 Florian Best univentionstaff 2015-10-08 16:30:02 CEST
(In reply to Erik Damrose from comment #12)
> r64336 Fixed reference to old joinscript name in unjoin script
Can you revert this? This is done on purpose for update scenarios to remove the joinscript!?
Comment 14 Stefan Gohmann univentionstaff 2015-10-08 17:24:49 CEST
(In reply to Stefan Gohmann from comment #10)
> 3. Individual Setup
> 
> Maybe one wants to configure it in a different way. For this case, it should
> be possible to prohibit the pseudo host generation, the SSL certificate
> generation, the SSL certificate distribution and the IP registration,
> everything separately via UCR.

I've added some more variables (r64339):
  ucs/server/sso/autoregistraton
  ucs/server/sso/certificate/generation
  ucs/server/sso/certificate/download

I didn't create a variable to prohibit the pseudo host generation because it doesn't make sense. The pseudo host is not generated if the autoregistration is disabled.

Still waiting for some test results.

The auto IP change for ucs-sso have been added to system setup: r64333 and r64334
Comment 15 Erik Damrose univentionstaff 2015-10-13 10:12:01 CEST
(In reply to Florian Best from comment #13)
> (In reply to Erik Damrose from comment #12)
> > r64336 Fixed reference to old joinscript name in unjoin script
> Can you revert this? This is done on purpose for update scenarios to remove
> the joinscript!?

I think the change is correct. The unjoin script has to remove the reference to its corresponding joinscript, in order for it to be called the next time the package gets installed.
Comment 16 Stefan Gohmann univentionstaff 2015-10-13 21:33:52 CEST
(In reply to Stefan Gohmann from comment #14)
> Still waiting for some test results.

My tests were successful.
Comment 17 Stefan Gohmann univentionstaff 2015-10-13 21:35:11 CEST
(In reply to Erik Damrose from comment #15)
> I think the change is correct. The unjoin script has to remove the reference
> to its corresponding joinscript, in order for it to be called the next time
> the package gets installed.

Yes, that is the goal.
Comment 18 Erik Damrose univentionstaff 2015-10-30 09:57:58 CET
OK: wait for dns entry
OK: Move of joinscript execution order
OK: DNS Update on ip address change
OK: UCRVs for default override
-> Verified
Comment 19 Stefan Gohmann univentionstaff 2015-11-17 12:12:34 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".