Bug 46453 - Installation failed due to wrong installation order of LDAP ACLs and LDAP schema
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 4.2
Other Linux
P5 critical
: UCS@school 4.3 v1
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
Depends on:
Blocks:
Reported: 2018-03-01 16:30 CET by Sönke Schwardt-Krummrich
Modified: 2019-03-01 21:05 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.686
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2018-03-01 16:30:06 CET
The installation of a DC slave failed due to the wrong installation order of LDAP ACLs and LDAP schema. The schema is required by the LDAP ACLs, but was not available:

root@master:~# egrep "(cn=ucs-school-import|cn=65ucsschool)" /var/log/univention/listener.log | grep PROCESS
01.03.18 14:28:56.345  LISTENER    ( PROCESS ) : updating 'cn=65ucsschool,cn=ldapacl,cn=univention,dc=oschwieg1,dc=intranet' command a
01.03.18 14:32:19.300  LISTENER    ( PROCESS ) : updating 'cn=ucs-school-import,cn=ldapschema,cn=univention,dc=oschwieg1,dc=intranet' command a
01.03.18 14:32:38.039  LISTENER    ( PROCESS ) : updating 'cn=ucs-school-import,cn=ldapschema,cn=univention,dc=oschwieg1,dc=intranet' command m
root@master:~# 

01.03.18 14:28:58.157  LISTENER    ( ERROR   ) : ldap_extension: slapd.conf validation failed:
5a98001a OVER: Loading Translog Overlay
5a98001a Loading shadowbind Overlay.OVER: db_init
5a98001a OVER: Configuring Translog Overlay
5a98001a OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener"
5a98001a shadowbind_db_init
5a98001a shadowbind_db_config
5a98001a /etc/ldap/slapd.conf: line 503: unknown attr "@ucsschoolOrganizationalUnit" in to clause
5a98001a <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ 
<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
        [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
        [dnattr=<attrname>]
        [realdnattr=<attrname>]
        [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
        [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
        [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
        [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]
        [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<style> ::= exact | regex | base(Object)
<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
<attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
<peernamestyle> ::= exact | regex | ip | ipv6 | path
<domainstyle> ::= exact | regex | base(Object) | sub(tree)
<access> ::= [[real]self]{<level>|<priv>}
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
<control> ::= [ stop | continue | break ]
dynacl:
        <name>=ACI      <pattern>=<attrname>

slaptest: bad configuration file!
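The failure shown above (slaptest rejecting an ACL whose `@objectClass` is not yet known to slapd) can be caught before the ACL object is registered. The following Python is an added example, not code from this bug report or from UCS@school: it parses the names an ACL fragment references in its `attrs=` lists, checks them against the names declared in a slapd.conf-style schema file, and additionally scans listener.log lines in the format quoted above to report ACL extension objects that the listener added before a given schema extension object. The schema, ACL and log lines are constructed samples (placeholder OIDs, `dc=example,dc=com`); the core-schema names it assumes are already loaded are listed in `CORE_NAMES`.

```python
import re

# --- Constructed sample inputs (not the real UCS@school schema, ACLs or log) ---

SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'ucsschoolRole'
    DESC 'constructed example attribute'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'ucsschoolOrganizationalUnit'
    DESC 'constructed example object class'
    SUP top AUXILIARY
    MAY ( ucsschoolRole ) )
"""

SAMPLE_ACL = """
access to attrs=@ucsschoolOrganizationalUnit
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=example,dc=com" write
    by * read

access to dn.subtree="ou=schools,dc=example,dc=com" attrs=entry,children,ucsschoolRole,@ucsschoolGroup
    by * read
"""

SAMPLE_LISTENER_LOG = """\
01.03.18 14:28:56.345  LISTENER    ( PROCESS ) : updating 'cn=65ucsschool,cn=ldapacl,cn=univention,dc=example,dc=com' command a
01.03.18 14:32:19.300  LISTENER    ( PROCESS ) : updating 'cn=ucs-school-import,cn=ldapschema,cn=univention,dc=example,dc=com' command a
01.03.18 14:32:38.039  LISTENER    ( PROCESS ) : updating 'cn=ucs-school-import,cn=ldapschema,cn=univention,dc=example,dc=com' command m
"""

# Names slapd accepts in an attrs= list regardless of the loaded schema.
BUILTIN_ATTRS = {"entry", "children"}
# Assumed to be present from core.schema (constructed short list, not exhaustive).
CORE_NAMES = {"top", "cn", "ou", "objectClass", "uniqueMember"}

# NAME 'x'  or  NAME ( 'x' 'y' )  inside attributetype/objectclass definitions
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")
# the attrs= specifier of an "access to" clause (comma-separated, no spaces)
_ATTRS_RE = re.compile(r"\battrs=(\S+)")
# listener.log PROCESS line for an ldapacl/ldapschema extension object
_LISTENER_RE = re.compile(
    r"^\S+ \S+\s+LISTENER\s+\( PROCESS \) : updating "
    r"'cn=(?P<name>[^,]+),cn=(?P<kind>ldapacl|ldapschema),[^']*' command (?P<cmd>[am])$"
)


def load_schema_names(schema_text):
    """Lower-cased attribute type and object class names declared in the schema text."""
    names = set()
    for single, multi in _NAME_RE.findall(schema_text):
        if single:
            names.add(single.lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", multi))
    return names


def acl_references(acl_text):
    """[(lineno, token)] for each attribute, @objectClass or !objectClass in an attrs= list."""
    refs = []
    for lineno, line in enumerate(acl_text.splitlines(), 1):
        for spec in _ATTRS_RE.findall(line):
            refs.extend((lineno, item) for item in spec.split(",") if item)
    return refs


def check_acl_against_schema(acl_text, schema_text, extra_known=CORE_NAMES):
    """[(lineno, token)] for attrs= references that neither the schema nor the
    assumed core names define: the class of error slaptest reports as
    'unknown attr "..." in to clause', detected before the ACL is registered."""
    known = load_schema_names(schema_text) | {n.lower() for n in extra_known}
    problems = []
    for lineno, token in acl_references(acl_text):
        if token in BUILTIN_ATTRS:
            continue
        if token.lstrip("@!").lower() not in known:
            problems.append((lineno, token))
    return problems


def registration_order(log_text):
    """[(kind, name)] for each extension object the listener added (command a), in log order."""
    order = []
    for line in log_text.splitlines():
        m = _LISTENER_RE.match(line)
        if m and m.group("cmd") == "a":
            order.append((m.group("kind"), m.group("name")))
    return order


def acls_added_before_schema(log_text, schema_name):
    """Names of ldapacl objects added before the named ldapschema object was added.
    If the schema object never appears, every ACL object is returned."""
    acls = []
    for kind, name in registration_order(log_text):
        if kind == "ldapschema" and name == schema_name:
            break
        if kind == "ldapacl":
            acls.append(name)
    return acls


if __name__ == "__main__":
    for lineno, token in check_acl_against_schema(SAMPLE_ACL, SAMPLE_SCHEMA):
        print(f"ACL line {lineno}: unknown attr {token!r} in to clause")
    for acl in acls_added_before_schema(SAMPLE_LISTENER_LOG, "ucs-school-import"):
        print(f"ACL object {acl} was added before schema object ucs-school-import")
```

The schema check is text-based and only sees the schema file it is given plus the assumed core names, so a reference resolved by another registered schema shows up as a false positive; the log check is a pure ordering heuristic and does not know which ACL actually references which schema.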
Comment 1 Daniel Tröder univentionstaff 2018-03-01 17:30:05 CET

*** This bug has been marked as a duplicate of bug 45033 ***
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2018-03-02 09:14:08 CET
No, not the same problem. ACL and Schema are registered via separate calls of 
ucs_registerLDAPExtension.
Comment 3 Daniel Tröder univentionstaff 2018-03-02 09:52:14 CET
Ah yes.

I guess ucs-school-import must get a dependency on ucs-school-ldap-acls-master to fix this.

I wonder if this would not be a good time to split 35ucs-school-import.inst into a part that stays in ucs-school-import and a part that belongs to (and is run by) ucs-school-import-schema. That is the one that contains the files that are installed.
As ucs-school-import depends on ucs-school-import-schema it'd be installed before and the join script name must begin with a number lower than 35.
Then ucs-school-import-schema would be the one to get a dependency on ucs-school-ldap-acls-master.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-03-04 21:13:41 CET
(In reply to Daniel Tröder from comment #3)
> I guess ucs-school-import must get a dependency on
> ucs-school-ldap-acls-master to fix this.

The other way around.

> I wonder if this would not be a good time to split 35ucs-school-import.inst
> into a part that stays in ucs-school-import and a part that belongs to (and
> is run by) ucs-school-import-schema. That is the one that contains the files
> that are installed.
> As ucs-school-import depends on ucs-school-import-schema it'd be installed
> before and the join script name must begin with a number be lower than 35.
> Then ucs-school-import-schema would be the one to get a dependency on
> ucs-school-ldap-acls-master.

IIRC we started in Bug 30499 using ucs_registerLDAPSchema(). Unfortunately I
have no idea why we decided to use ucs_registerLDAPSchema() in the join script
of ucs-school-import instead of ucs-school-import-schema. Maybe the idea was
to remove ucs-school-import-schema entirely in the long run.

Currently the schema is installed in the *filesystem* via
ucs-school-import-schema. ucs-school-import depends on
ucs-school-import-schema, so the schema file is in the filesystem when the
ucs-school-import.postinst is called. Within this postinst the joinscript
35ucs-school-import.inst is called directly and the schema is registered
by the joinscript.

ucs-school-ldap-acls-master stores the LDAP ACLs in the *filesystem* upon
package extraction. The postinst of ucs-school-ldap-acls-master also calls
its joinscript 70ucs-school-ldap-acls-master.inst directly where the ACLs
are registered in LDAP.

If the joinscripts are called by univention-join, the correct order is
preserved. First 35ucs-school-import.inst then
70ucs-school-ldap-acls-master.inst.

But since both postinst scripts call their joinscript directly on a UCS
master, the registration order of ACLs and schema depends on the execution
order of those two postinst scripts.

I will now add a dependency in ucs-school-ldap-acls-master that requires
ucs-school-import to be installed and configured first.

As far as I can see, this should do the trick.

Btw: is it possible to add comments to debian/control files?
I would like to add a small comment, so no one comes to the idea to remove
the dependency without reason.

--- a/ucs-school-ldap-acls-master/debian/control
+++ b/ucs-school-ldap-acls-master/debian/control
@@ -9,7 +9,7 @@ Standards-Version: 3.5.2
 
 Package: ucs-school-ldap-acls-master
 Architecture: all
-Depends: univention-ldap-server, univention-ldap-config
+Depends: univention-ldap-server, univention-ldap-config, ucs-school-import
 Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem
 Description: Special LDAP ACLs for UCS@school
  This package provides additional LDAP ACLs for slapd
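Review bot: the plain Depends entry added here is sufficient for the ordering comment 4 asks for, since dpkg configures a package only after every package in its Depends has been configured, so ucs-school-import's postinst (and with it 35ucs-school-import.inst) completes before ucs-school-ldap-acls-master's postinst runs 70ucs-school-ldap-acls-master.inst; no Pre-Depends is needed. On the question of documenting it: the source control file debian/control accepts comment lines that start with `#` in the first column, so a line such as `# ucs-school-import must be configured first: its join script registers the schema referenced by the 65ucsschool ACLs` directly above the Depends line would record the reason without affecting the build. Consider also whether the dependency should be versioned to the first ucs-school-import release whose join script registers the schema, because an older already-installed ucs-school-import satisfies the unversioned dependency without providing it.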


Waiting for jenkins test results before setting this bug to "RESOLVED".

ucs-school-ldap-acls-master (16.0.1-1)
117fe6d74ce3 | Bug #46453: add changelog entry
07de9aa4e4c6 | Bug #46453: add dependency to ucs-school-import

Package: ucs-school-ldap-acls-master
Version: 16.0.1-1A~4.3.0.201803042112
Branch: ucs_4.3-0
Scope: ucs-school-4.3
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-03-07 13:12:46 CET
> Waiting for jenkins test results before setting this bug to "RESOLVED".

Jenkins tests are looking very good → RESOLVED
Comment 6 Daniel Tröder univentionstaff 2018-03-09 09:16:06 CET
OK: code change
OK: test in jenkins:

line | text
-----+-----------------
 9455 Entpacken von ucs-school-ldap-acls-master (16.0.1-1A~4.3.0.201
 9454 Unpacking ucs-school-import (amd64)
 9760 Configuring ucs-school-import-schema (amd64)
 9907 ucs-school-import (16.0.1-6A~4.3.0.201803081836) wird eingerichtet
 9908 Configuring ucs-school-import (amd64)
 9927 Waiting for activation of the extension object ucs-school-import:.......OK
10027 Configuring ucs-school-ldap-acls-master (amd64)
10036 Waiting for activation of the extension object 61ucsschool_presettings:........OK
10039 <probably the activation of 65ucsschool is here, but the line was too long and was cut off>

OK: test in KVM VM (shortened for readability):

# grep 'Waiting for activation of the extension object' /var/log/univention/management-console-module-schoolinstaller.log | cut -b 50-

Waiting for activation of the extension object syntax.ucs-school-import: OK
Waiting for activation of the extension object ucs-school-import:.......OK
Waiting for activation of the extension object schoolOU:.OK
Waiting for activation of the extension object schoolAdminGroup: OK
Waiting for activation of the extension object ucsschool_user_options: OK
Waiting for activation of the extension object ucsschool_purge_timestamp:.OK
Waiting for activation of the extension object 61ucsschool_presettings:........OK
Waiting for activation of the extension object 65ucsschool:.......OK
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2018-03-14 13:11:48 CET
UCS@school 4.3 v1 has been released.

https://docs.software-univention.de/release-notes-ucsschool-4.3v1-de.html

If this error occurs again, please clone this bug.