Univention Bugzilla – Bug 47494
join scripts do not receive LDAP credentials when run on DC master
Last modified: 2021-05-14 16:38:23 CEST
When a join script runs, LDAP admin credentials are supplied as "--binddn $DN" and "--bindpwd $PW" and are passed to programs that require them through "$@" - except when a join script is run on a DC master. Thus programs that get passed "$@" cannot rely on it, but must retrieve LDAP credentials on their own, scattering open(ldap.secret).read() all over the place. (Including in ISV code, which we cannot fix, once we move to a more secure password location.) The LDAP admin credentials in "$@" are an undocumented feature. There are references to it in the developer documentation that "$@" should be passed to UDM calls, but none explain what's in it and where it comes from. And especially not how to cope with the missing credentials in the case of a DC master.

1) The API for join scripts should be equal on all server roles. Add "--binddn $DN" and "--bindpwd $PW" to "$@" of join scripts run on a DC master.

2) Document this feature in the developer documentation. Not making a separate bug for this, because documenting unexpected behavior can IMHO also be considered a fix. (So 1. is optional, but 2. is mandatory.)
Please no longer use or document --bindpwd; instead use --bindpwdfile. See Bug #46842 for more information.
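To illustrate the inconsistency described in the report and the --bindpwdfile advice above, here is an added example (not code from the bug report or from UCS) of a helper a join script could call so that it behaves the same on every server role: it takes credentials from "$@" when they are present, moves a --bindpwd value into a 0600 temporary file, and otherwise falls back to the local credential file on the DC master. The credential file path (LDAP_SECRET_FILE, default /etc/ldap.secret), the LDAP_BASE override and the "cn=admin,<base>" DN construction are assumptions, not taken from the page.

```bash
#!/bin/bash
# Added example, not from the bug report or from UCS. Assumptions (not on the
# page): the admin password lives in LDAP_SECRET_FILE (default /etc/ldap.secret)
# and the admin DN is "cn=admin,<ldap/base>"; both can be overridden via env.

# Sets BINDDN and BINDPWDFILE from the join-script arguments, or from the local
# credential file when "$@" carries no credentials (the DC master case).
# A --bindpwd value is copied into a temporary file (mktemp creates it 0600) so
# the password never has to be repeated on another command line; see Bug #46842
# for why --bindpwdfile is preferred. Returns 1 when no credential source exists.
join_ldap_credentials() {
    BINDDN="" BINDPWDFILE=""
    local inline_pw=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --binddn)      BINDDN="$2";      shift 2 ;;
            --bindpwdfile) BINDPWDFILE="$2"; shift 2 ;;
            --bindpwd)     inline_pw="$2";   shift 2 ;;
            *)             shift ;;   # other join-script options are ignored here
        esac
    done
    if [ -z "$BINDPWDFILE" ] && [ -n "$inline_pw" ]; then
        BINDPWDFILE="$(mktemp)" || return 1
        printf '%s' "$inline_pw" > "$BINDPWDFILE"
    fi
    if [ -z "$BINDPWDFILE" ]; then
        # Fallback for the DC master, where "$@" does not carry credentials.
        local secret="${LDAP_SECRET_FILE:-/etc/ldap.secret}"
        [ -r "$secret" ] || return 1
        BINDPWDFILE="$secret"
        if [ -z "$BINDDN" ]; then
            # Assumed DN layout; ucr is only consulted when LDAP_BASE is unset.
            local base="${LDAP_BASE:-$(ucr get ldap/base 2>/dev/null)}"
            [ -n "$base" ] || return 1
            BINDDN="cn=admin,$base"
        fi
    fi
    [ -n "$BINDDN" ] || return 1
    return 0
}

# Use inside a join script (hypothetical call, shown as a comment):
#   join_ldap_credentials "$@" || { echo "no LDAP credentials" >&2; exit 1; }
#   udm users/user list --binddn "$BINDDN" --bindpwdfile "$BINDPWDFILE"
```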
I have created a separate bug to document the new join script API: Bug #47497. Whether it is active on a DC master or not must still be decided and documented in this bug.
*** Bug 52131 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.