Bug 41359 - Improve adding/modifying DHCP DNS policies during join
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.0 R2
Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.1 R2
Assigned To: Florian Best
Daniel Tröder
Depends on: 40493
Blocks:
Reported: 2016-05-26 15:06 CEST by Sönke Schwardt-Krummrich
Modified: 2016-09-30 12:24 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Sönke Schwardt-Krummrich univentionstaff 2016-05-26 15:06:52 CEST
I think this code snippet will fail with ou-overlapping user accounts.

+++ This bug was initially created as a clone of Bug #40493 +++

62ucs-school-slave.inst adds the nameserver to all found DHCP DNS policies:

>        for oudn in $(univention-ldapsearch -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do
>                ouname="$(echo "$oudn" | sed -nre 's/ou=([^,]*),(ou=|dc=).*/\1/p')"
> [...]
>                # modify dhcp dns policy if missing
>                udm policies/dhcp_dns modify "$@" \
>                        --dn "cn=dhcp-dns-${ouname},cn=policies,$oudn" \
>                        --set domain_name_servers="$(get_default_ip_address)"
>                # assign dhcp dns policy to dhcp container if missing
>                udm container/cn modify "$@" \
>                        --dn "cn=dhcp,$oudn" \
>                        --policy-reference "cn=dhcp-dns-${ouname},cn=policies,$oudn"
>        done

Problem: If (for some reason, e.g. Bug 40123) the LDAP ACLs are not present on the Master/Backup, the Slave will replicate more than its own OU. In this case, running the joinscript will modify _all_ DHCP DNS policies. This sets the nameserver of one OU also as the nameserver on the policies of all other OUs and breaks DNS there.

Possible solution: univention-ldapsearch should not use '-b "$ldap_base"' but something like '-b ou=$OU,"$ldap_base"' to only show the policies of its own OU in every case.
Not sure about Single-Server environments with more than one OU, though ...
Comment 1 Florian Best univentionstaff 2016-05-26 15:58:14 CEST
ucs-school-metapackage (9.0.0-1):
r69559 | Bug #41359: enhance check if OU belongs to this host
Comment 2 Florian Best univentionstaff 2016-05-26 15:59:05 CEST
Btw. the singlemaster contains the same for-loop but I didn't adjust it as it is a singlemaster.
Comment 3 Daniel Tröder univentionstaff 2016-06-16 11:56:20 CEST
OK: Code
OK: Manual test on two slaves with the code from 62ucs-school-slave.inst:

# eval "$(ucr shell)"
# . /usr/share/ucs-school-lib/base.sh
# for oudn in $(univention-ldapsearch -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do ouname="$(school_ou "$oudn")"; if [ -z "$ouname" ] ; then echo "Cannot determine OU name - using fallback 'server'"; ouname="server"; fi; if ! univention-ldapsearch -xLLL "(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=$ldap_hostdn))" dn | grep -q "^dn: "; then continue; fi; echo $oudn; done;

→ both returned only their ou dn.
Comment 4 Florian Best univentionstaff 2016-06-28 18:24:54 CEST
UCS@school 4.1 R2 has been released:
http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf

If this error occurs again, please use "Clone This Bug".