Bug 40493 - Improve adding/modifying DHCP DNS policies during join
Summary: Improve adding/modifying DHCP DNS policies during join
Status: RESOLVED WORKSFORME
Alias: None
Product: UCS@school
Classification: Unclassified
Component: General
Version: UCS@school 4.0 R2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Sönke Schwardt-Krummrich
QA Contact:
URL:
Keywords:
Depends on:
Blocks: 41359
Reported: 2016-01-25 13:29 CET by Michael Grandjean
Modified: 2016-05-26 15:06 CEST (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID: 09711
Max CVSS v3 score:
Description Michael Grandjean univentionstaff 2016-01-25 13:29:53 CET
62ucs-school-slave.inst adds the nameserver to all found DHCP DNS policies:

>     for oudn in $(univention-ldapsearch -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do
>         ouname="$(echo "$oudn" | sed -nre 's/ou=([^,]*),(ou=|dc=).*/\1/p')"
> [...]
>         # modify dhcp dns policy if missing
>         udm policies/dhcp_dns modify "$@" \
>             --dn "cn=dhcp-dns-${ouname},cn=policies,$oudn" \
>             --set domain_name_servers="$(get_default_ip_address)"
>         # assign dhcp dns policy to dhcp container if missing
>         udm container/cn modify "$@" \
>             --dn "cn=dhcp,$oudn" \
>             --policy-reference "cn=dhcp-dns-${ouname},cn=policies,$oudn"
>     done

Problem: If (for some reason, e.g. Bug 40123) the LDAP ACLs are not present on the Master/Backup, the Slave will replicate more than its own OU. In this case, running the joinscript will modify _all_ DHCP DNS policies. This sets the nameserver of one OU also as the nameserver on the policies of all other OUs and breaks DNS there.

Possible solution: univention-ldapsearch should not use '-b "$ldap_base"' but something like '-b ou=$OU,"$ldap_base"' to only show the policies of its own OU in every case.
Not sure about Single-Server environments with more than one OU, though ...
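Added example, not code from the report or from the ucs-school joinscript: it shows the two layers a join step can use so that over-replication alone can never widen the set of policies it modifies. The first is the narrower search base the report proposes (ou=<school>,<ldap_base>); the second is an independent check of every returned DN before its DHCP DNS policy is touched. The variable names school_ou and ldap_base, the helper names, and the sample DNs are constructed for this example.

```sh
#!/bin/sh
# Constructed example: scope a slave's DHCP DNS policy updates to its own OU.
# Layer 1: build the narrower search base proposed in the report instead of
#          searching from "$ldap_base".
# Layer 2: verify every DN that comes back before acting on it, so a master
#          that replicates foreign OUs (missing ACLs) still cannot make the
#          slave rewrite other schools' policies.
# "ldap_base", "school_ou" and all helper names are assumptions for this example.

ldap_base="dc=example,dc=com"

# Search base for one school's OU, to be passed to univention-ldapsearch -b.
own_search_base() {
    printf 'ou=%s,%s\n' "$1" "$ldap_base"
}

# Normalize a DN for comparison: lowercase and drop blanks after commas
# (attribute types and ou values compare case-insensitively in LDAP).
normalize_dn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -e 's/, */,/g'
}

# Succeeds only if DN $1 is exactly the OU entry of school $2.
dn_is_own_ou() {
    [ "$(normalize_dn "$1")" = "$(normalize_dn "$(own_search_base "$2")")" ]
}

# Read DNs on stdin (one per line, as the sed in the joinscript emits them)
# and print only those the slave for school $1 may modify; log the rest.
own_ou_dns() {
    while IFS= read -r dn; do
        if dn_is_own_ou "$dn" "$1"; then
            printf '%s\n' "$dn"
        else
            printf 'skipping OU outside own scope: %s\n' "$dn" >&2
        fi
    done
}

# Constructed replication result, as a master without the ACLs would deliver
# it to a slave: three school OUs with varying case and spacing.
sample_dns() {
    printf '%s\n' \
        'ou=school1,dc=example,dc=com' \
        'OU=School2,DC=example,DC=com' \
        'ou=school3, dc=example, dc=com'
}

# Usage: school_ou="school1"; sample_dns | own_ou_dns "$school_ou"
# In the real join step the loop would then run only over the printed DNs.
```

With the search base restricted, the loop normally sees a single DN; the post-filter is what keeps the step safe when the search base is wrong or replication hands back more than expected.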
Comment 1 Michael Grandjean univentionstaff 2016-01-25 13:31:31 CET
2016010421000341
Comment 2 Stefan Gohmann univentionstaff 2016-03-30 09:35:44 CEST
Is it still relevant? We are now distributing the LDAP ACLs via LDAP?
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2016-03-30 22:09:51 CEST
> Not sure about Single-Server environments with more than one OU, though ...

The DHCP service on UCS@school slaves uses the DHCP container within the OU subtree. The DHCP DNS policies are also attached to that OU-specific DHCP container.

In single server environments, the same applies. But the DHCP server on the DC master uses the DHCP container of the first school OU that has been created. Since the policy defines the DC master as DNS server, there should be no problem in that scenario.

(In reply to Stefan Gohmann from comment #2)
> Is it still relevant? We are now distributing the LDAP ACLs via LDAP?

Should be no longer relevant since bugs 40123 and 40124 are closed and LDAP ACLs are registered in LDAP → WORKSFORME

@Michael: please reopen, if still relevant.