Bug 42420 - check_ldap_tls_connection in univention-join should retry ldapsearch
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-3-errata
Assigned To: Philipp Hahn
QA Contact: Janek Walkenhorst
Blocks: 40321
Reported: 2016-09-15 16:55 CEST by Stefan Gohmann
Modified: 2016-10-26 17:09 CEST (History)
What kind of report is it?: Development Internal
Description Stefan Gohmann univentionstaff 2016-09-15 16:55:26 CEST
It might happen that the OpenLDAP server is restarted during the ldapsearch. univention-ldapsearch should be used instead of ldapsearch since it retries the LDAP search.
Comment 1 Philipp Hahn univentionstaff 2016-09-20 12:31:51 CEST
r72684 | Bug #42420 join: Use univention-ldapsearch YAML
r72683 | Bug #42420 join: Use univention-ldapsearch
r72682 | Bug #42420 join: Use univention-ldapsearch

Package: univention-join
Version: 8.0.4-3.516.201609201225
Branch: ucs_4.1-0
Scope: errata4.1-3
Comment 2 Janek Walkenhorst univentionstaff 2016-10-19 17:09:44 CEST
Code review: OK
Tests: failed_message "Establishing a TLS connection…
Advisory: OK
Comment 3 Philipp Hahn univentionstaff 2016-10-19 17:28:27 CEST
(In reply to Janek Walkenhorst from comment #2)
> Tests: failed_message "Establishing a TLS connection…

The bug is not caused by my change, but by
 # grep ^TLS /etc/ldap/ldap.conf
 TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

It should be a template provided by "univention-ldap-client", which is not installed:
 # dpkg -l univention-ldap-client

Proof:
 echo TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem >>/etc/ldap/ldap.conf
 eval "$(ucr shell)"
 DCNAME=$ldap_master binddn=uid=Administrator,cn=users,$ldap_base DCPWD=$(mktemp)
 echo -n univention >$DCPWD
 ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")"

So something else is very broken with appliance mode or system setup.
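A check for the misconfiguration diagnosed in this comment, as an added example rather than anything from UCS: it reads the TLS_CACERT lines of an ldap.conf and flags the case where the effective value is the system bundle instead of the UCS CA, which is exactly what makes the -ZZ handshake fail. It assumes that when several TLS_CACERT lines are present the last one wins and that the path contains no whitespace; the two sample files are constructed to mirror the state before and after the "Proof" step above.

```shell
#!/bin/sh
# Added example, not UCS code: find out which CA file an ldap.conf makes
# "ldapsearch -ZZ" trust, and flag the misconfiguration seen in this bug,
# where the system bundle is configured instead of the UCS CA certificate.

# Print every TLS_CACERT value in an ldap.conf, in file order. Lines whose
# first field starts with '#' are comments; option names are matched
# case-insensitively. Assumes the path contains no whitespace.
tls_cacert_values() {
    awk '$1 !~ /^#/ && toupper($1) == "TLS_CACERT" { print $2 }' "$1"
}

# The value a sequential parser ends up with when several lines set the
# option: the last one. ASSUMPTION of this example; the bug report only
# shows single-line configurations.
effective_tls_cacert() {
    tls_cacert_values "$1" | tail -n 1
}

# check_tls_cacert CONF EXPECTED_CA
#   0  EXPECTED_CA is the effective TLS_CACERT
#   1  no TLS_CACERT at all: -ZZ only works if the CA is in the default store
#   2  some other file is configured (the situation in this bug)
check_tls_cacert() {
    eff=$(effective_tls_cacert "$1")
    [ -n "$eff" ] || return 1
    [ "$eff" = "$2" ] && return 0
    echo "TLS_CACERT is $eff, expected $2" >&2
    return 2
}

UCS_CA=/etc/univention/ssl/ucsCA/CAcert.pem   # path quoted in this bug

# Constructed ldap.conf reproducing the broken test system from this comment.
demo_broken_conf() {
    conf=$(mktemp)
    printf '%s\n' \
        '# ldap.conf as found on the broken test system (constructed)' \
        'TLS_CACERT      /etc/ssl/certs/ca-certificates.crt' >"$conf"
    rc=0
    check_tls_cacert "$conf" "$UCS_CA" || rc=$?
    rm -f "$conf"
    return "$rc"
}

# The same file after the "Proof" step appended the UCS CA line.
demo_fixed_conf() {
    conf=$(mktemp)
    printf '%s\n' \
        'TLS_CACERT      /etc/ssl/certs/ca-certificates.crt' \
        "TLS_CACERT $UCS_CA" >"$conf"
    rc=0
    check_tls_cacert "$conf" "$UCS_CA" || rc=$?
    rm -f "$conf"
    return "$rc"
}

# Constructed file with no TLS option at all.
demo_unset_conf() {
    conf=$(mktemp)
    printf '%s\n' 'BASE dc=example,dc=com' >"$conf"
    rc=0
    check_tls_cacert "$conf" "$UCS_CA" || rc=$?
    rm -f "$conf"
    return "$rc"
}
```

On a real system the call is check_tls_cacert /etc/ldap/ldap.conf "$UCS_CA" before the join script's own ldapsearch; a status of 2 says the trust anchor is wrong and no amount of retrying the search will help.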
Comment 4 Florian Best univentionstaff 2016-10-20 17:09:53 CEST
(In reply to Janek Walkenhorst from comment #2)
> Tests: failed_message "Establishing a TLS connection…
What should that mean? I don't understand this.
Comment 5 Philipp Hahn univentionstaff 2016-10-20 17:54:11 CEST
(In reply to Florian Best from comment #4)
> (In reply to Janek Walkenhorst from comment #2)
> > Tests: failed_message "Establishing a TLS connection…
> What should that mean? I don't understand this.

Janek tested the change and got the message from univention-join:148, indicating that line 146 failed:

146     univention-ldapsearch -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null
147     if  [ $? != 0 ]; then
148         failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."

He assumed that my change broke it, but his setup was broken instead: He installed a new UCS system from DVD, aborted USS (Ctrl-Q) which got him into Appliance mode, updated the package "univention-join" and then tried to join the system, which failed with the message above.
Comment 6 Janek Walkenhorst univentionstaff 2016-10-21 11:29:32 CEST
(In reply to Philipp Hahn from comment #5)
> He assumed that my change broke it, but his setup was broken instead: He
> installed a new UCS system from DVD, aborted USS (Ctrl-Q) which got him into
> Appliance mode, updated the package "univention-join" and then tried to join
> the system, which failed with the message above.
Indeed.
Appliance mode works fine, what does not work is to install u-join from a different package source and then deactivate that source, because u-m-c-module-join has an exact-version dependency.

Test: OK
Comment 7 Janek Walkenhorst univentionstaff 2016-10-26 17:09:03 CEST
<http://errata.software-univention.de/ucs/4.1/318.html>