Bug 45090 - BIND9 password change does not work with dns/backend=ldap and systemd
BIND9 password change does not work with dns/backend=ldap and systemd
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: DNS
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-1-errata
Assigned To: Philipp Hahn
Stefan Gohmann
: systemd
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-28 10:55 CEST by Philipp Hahn
Modified: 2017-09-26 10:47 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+


Attachments
Use systemctl (2.25 KB, patch)
2017-07-28 10:55 CEST, Philipp Hahn
Details | Diff
v2: Use systemctl (4.98 KB, patch)
2017-07-28 11:30 CEST, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2017-07-28 10:55:39 CEST
Created attachment 9070 [details]
Use systemctl

services/univention-bind/usr/lib/univention-server/server_password_change.d/univention-bind:53
 »···»···»···if invoke-rc.d bind9 status | grep -q "is running" ; then

# invoke-rc.d bind9 status
● bind9.service - LSB: bind9 Domain Name Server (DNS)
   Loaded: loaded (/etc/init.d/bind9)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (exited) since Fr 2017-07-28 10:31:57 CEST; 12min ago
  Process: 15910 ExecStop=/etc/init.d/bind9 stop (code=exited, status=0/SUCCESS)
  Process: 15925 ExecStart=/etc/init.d/bind9 start (code=exited, status=0/SUCCESS)

Jul 28 10:31:57 dc0 bind9[15925]: Starting bind9 Domain Name Server (DNS): ldap proxy.
Jul 28 10:31:57 dc0 systemd[1]: Started LSB: bind9 Domain Name Server (DNS).


# systemctl stop bind9.service
# systemctl is-active bind9.service ; echo $?
inactive
3
# systemctl start bind9.service
# systemctl is-active bind9.service ; echo $?
active
0



# zless /var/log/daemon.log.4.gz
Jun 27 06:48:22 dc0 named[2674]: LDAP sdb zone '0.168.192.in-addr.arpa': ldapdb_bind(): ldap_sasl_bind_s(ldp, 'cn=dc0,cn=dc,cn=computers,dc=phahn,dc=dev', '<secret>') failed: Invalid credentials

# zless /var/log/univention/server_password_change.log.4.gz
Starting server password change (Tue Jun 27 01:06:29 CEST 2017)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
...
Object modified: cn=dc0,cn=dc,cn=computers,dc=phahn,dc=dev
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind postchange
...
done (Tue Jun 27 01:06:41 CEST 2017)



TODO: Write a test to check that the password change actually worked for BIND
Comment 1 Philipp Hahn univentionstaff 2017-07-28 11:30:57 CEST
Created attachment 9071 [details]
v2: Use systemctl

Add missing serivce name
Add ucs-test
Comment 2 Philipp Hahn univentionstaff 2017-07-28 11:45:32 CEST
Package: univention-bind
Version: 11.0.1-2A~4.2.0.201707281140
Branch: ucs_4.2-0
Scope: errata4.2-1

Package: ucs-test
Version: 7.0.23-11A~4.2.0.201707281140
Branch: ucs_4.2-0
Scope: errata4.2-1

r81523 | Bug #45090 DNS: Fix password change mechanism with LDAP backend YAML
r81522 | Bug #45090 DNS: Fix password change mechanism with LDAP backend
Comment 3 Stefan Gohmann univentionstaff 2017-08-02 07:08:31 CEST
YAML: OK

Code review: OK

Tests: OK, bind9 is restarted during the server password change.
Comment 4 Arvid Requate univentionstaff 2017-08-02 14:34:12 CEST
<http://errata.software-univention.de/ucs/4.2/120.html>