Bug 48091 - Joining new UCS systems with higher erratalevel than DC master may fail
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Felix Botner
QA Contact: Erik Damrose
Depends on:
Blocks: 47943
Reported: 2018-11-02 11:49 CET by Erik Damrose
Modified: 2018-12-05 14:39 CET

What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Description Erik Damrose univentionstaff 2018-11-02 11:49:45 CET
To reproduce: Join a current UCS DVD or appliance as DC Backup into a UCS DC Master with a lower erratalevel - e.g. DC Master erratalevel 229 (i.e. 4.3-2 release state).

The join fails because the DC backup has in this case a definition of ACLs for the LDAP objectclass univentionPortalCategory. But the LDAP Master does not have that attribute yet due to low erratalevel, so the schema definition for that objectclass/attribute is not replicated to the DC Backup. The slapd does not start if the ACL definition is installed by the u-ldap-server package.

The check if a UCS system can join the domain currently only checks the patchlevel number, not the erratalevel.
Comment 1 Arvid Requate univentionstaff 2018-11-20 15:31:17 CET
As discussed, the schema and ACL registration should be done via registerLDAPExtension, probably in the 33univention-portal.inst join script.
Comment 2 Felix Botner univentionstaff 2018-11-22 17:10:35 CET
6505cd581a4eb8d895a30432acb3af79ee2e69cc - univention-ldap

Removed the @univentionPortalCategory from the portal ACLs. These ACLs are necessary for the UCR<->Portal registration. This mechanism doesn't know anything about settings/portal_category, so we can safely remove this objectclass from the ACL.
Comment 3 Erik Damrose univentionstaff 2018-12-03 16:53:13 CET
OK: change of LDAP ACL. No slapd error when joining.
OK: YAML
Verified

Another issue appeared during QA, which we cannot fix in the scope of the bug.
But at least the join can be started, and the slapd does not fail. I created Bug 48260.
Comment 4 Arvid Requate univentionstaff 2018-12-05 14:39:25 CET
<http://errata.software-univention.de/ucs/4.3/356.html>