Univention Bugzilla – Bug 42505
join fails on slave/backup if memberOf overlay is installed on master
Last modified: 2017-11-29 19:52:51 CET
Created attachment 8032
join.log from failed join attempt

Joining new DC slaves/DC backups to a UCS domain fails during the step "join computer account" if the memberOf overlay is installed on the DC master. The error message states that a "failed.ldif" exists (it does indeed exist).

I'm attaching a "join.log" from such a join attempt. Looking through that log reveals errors about the "memberOf" attribute.

How to reproduce:
1. Set up a UCS domain.
2. Install the "univention-ldap-overlay-memberof" package on the DC master. Restart slapd afterwards.
3. Set up a new DC slave.
4. Try to join the slave and observe the error.

How to work around this problem:
Uninstalling the package "univention-ldap-overlay-memberof" from the DC master, restarting slapd and removing the half-joined computer object via the UMC allows a subsequent join attempt from the (still unconfigured) new DC slave to succeed. After the successful join the "univention-ldap-overlay-memberof" package can be re-installed on the DC master and on the new DC slave.
Thank you very much! Maybe this is (part of) the reason for Bug #40259 or Bug #39959.
The important lines of the logfiles are:

26.09.16 13:46:34.747 LISTENER ( ERROR ) : replication: Undefined attribute type; dn="uid=cbonnie,cn=users,dc=mbu-test,dc=intranet": Error
26.09.16 13:46:34.747 LISTENER ( ERROR ) : additional info: memberOf: attribute type undefined

For the bugzilla search:
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
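Added example, not part of the bug thread or of Univention's code: a small triage script that pairs the two-line listener error records quoted in the comment above and reports which undefined attribute rejected which objects. Apart from the two quoted lines, the sample log, the DNs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. The first two lines are the ones quoted in the comment
# above; every other line (DNs, exampleAttr) is made up for illustration.
SAMPLE_LOG = '''\
26.09.16 13:46:34.747 LISTENER ( ERROR ) : replication: Undefined attribute type; dn="uid=cbonnie,cn=users,dc=mbu-test,dc=intranet": Error
26.09.16 13:46:34.747 LISTENER ( ERROR ) : additional info: memberOf: attribute type undefined
26.09.16 13:46:35.102 LISTENER ( INFO ) : constructed unrelated line
26.09.16 13:46:36.310 LISTENER ( ERROR ) : replication: Undefined attribute type; dn="uid=jdoe,cn=users,dc=example,dc=test": Error
26.09.16 13:46:36.310 LISTENER ( ERROR ) : additional info: MEMBEROF: attribute type undefined
26.09.16 13:46:37.000 LISTENER ( ERROR ) : replication: Undefined attribute type; dn="cn=printer1,dc=example,dc=test": Error
26.09.16 13:46:37.000 LISTENER ( ERROR ) : additional info: exampleAttr: attribute type undefined
'''

PREFIX = r'LISTENER\s+\(\s*ERROR\s*\)\s*:\s*'
DN_LINE = re.compile(PREFIX + r'replication: Undefined attribute type; dn="([^"]+)"')
INFO_LINE = re.compile(PREFIX + r'additional info: ([^:\s]+): attribute type undefined')


def find_undefined_attributes(log_text):
    """Map each undefined attribute (lower-cased) to the DNs that failed on it."""
    findings = defaultdict(list)
    pending_dn = None  # DN from the error line awaiting its "additional info"
    for line in log_text.splitlines():
        dn_match = DN_LINE.search(line)
        if dn_match:
            pending_dn = dn_match.group(1)
            continue
        info_match = INFO_LINE.search(line)
        if info_match and pending_dn is not None:
            # LDAP attribute names are case-insensitive, so normalise them.
            findings[info_match.group(1).lower()].append(pending_dn)
        pending_dn = None  # any other line breaks the two-line record
    return dict(findings)


def memberof_schema_missing(findings):
    """True if any object was rejected because memberOf is an undefined attribute."""
    return "memberof" in findings


if __name__ == "__main__":
    for attr, dns in find_undefined_attributes(SAMPLE_LOG).items():
        print(f"{attr}: {len(dns)} object(s) rejected, e.g. {dns[0]}")
```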
AFAICS this is stated quite clearly in the SDB article that covers the package "univention-ldap-overlay-memberof": http://sdb.univention.de/1278 A check during/before join with a meaningful error message would be great, though.
It's strange that this still occurs, because the fix for Bug 35480 filters out the MEMBEROF attribute in replication.py.

Maybe we can improve the current solution: Instead of filtering out MEMBEROF in replication.py, we could just simply activate the overlay automatically when we see it. We would just have to do this:

1. Include the slapd.conf.d/41univention-ldap-overlay-memberof UCR template into standard univention-ldap, so it's always possible to activate via UCR.
2. Adjust replication.py to set the UCR variables as univention-ldap-overlay-memberof.postinst currently does
3. restart slapd
4. replicate the object
(In reply to Michael Grandjean from comment #3)
> AFAICS this is stated quite clearly in the SDB article that covers the
> package "univention-ldap-overlay-memberof": http://sdb.univention.de/1278
>
> A check during/before join with a meaningful error message would be great,
> though.

Yes, the docu states that univention-ldap-overlay-memberof has to be installed before the join.

Added a test in univention-join. Join is aborted with an appropriate message if ldap/overlay/memberof is activated on the master and the memberof package is not installed/configured on the local system.

univention-join d387c8cae9e57655e11fec7323e8bf225bfb3f75

(In reply to Arvid Requate from comment #4)
> Instead of filtering out MEMBEROF in replication.py, we could just simply
> activate the overlay automatically when we see it.

So only a test at the moment, if we want to automatically install memberOf, please reopen.
The check is also done on a member server. That is wrong:

root@member425:~# univention-join
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2017 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password:

Search DC Master: done
Check DC Master: done
Create tmp/join/test/master/memberof
Unsetting tmp/join/test/master/memberof
dpkg-query: Kein Paket gefunden, das auf univention-ldap-overlay-memberof passt

**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message: The OpenLDAP extension memberOf is activated on the UCS master (UCR variable ldap/overlay/memberof is true). In order to join this system successfully the package "univention-ldap-overlay-memberof" has to be installed.
**************************************************************************

root@member425:~# univention-install univention-ldap-overlay-memberof
[...]
Paketlisten werden gelesen...
Paketlisten werden gelesen...
Abhängigkeitsbaum wird aufgebaut....
Statusinformationen werden eingelesen....
Die folgenden zusätzlichen Pakete werden installiert:
  libodbc1 libslp1 python-univention-directory-manager-uvmm slapd univention-ldap-config univention-ldap-server univention-newsid univention-virtual-machine-manager-schema
Vorgeschlagene Pakete:
  libmyodbc odbc-postgresql tdsodbc unixodbc-bin slpd openslp-doc
Die folgenden NEUEN Pakete werden installiert:
  libodbc1 libslp1 python-univention-directory-manager-uvmm slapd univention-ldap-config univention-ldap-overlay-memberof univention-ldap-server univention-newsid univention-virtual-machine-manager-schema
0 aktualisiert, 9 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 1.870 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 6.183 kB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] n
Abbruch.
fixed, check only for domaincontroller_backup or domaincontroller_slave
I've changed the YAML and limited the erratum to UCS 4.2-2:
https://git.knut.univention.de/univention/ucs/commit/7ec98f2234f0fc55a2cf689d8fa849a3985ff615

It basically works well. Only one minor issue: the UCR output is written to the console, can you redirect it?

-------------------------------------------------------------------
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2017 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password:

Search DC Master: done
Check DC Master: done
Create tmp/join/test/master/memberof
Stop S4-Connector: done
-------------------------------------------------------------------
ok, done
Thanks, it works.
<http://errata.software-univention.de/ucs/4.2/176.html>