Univention Bugzilla – Bug 48091
Joining new UCS systems with higher erratalevel than DC master may fail
Last modified: 2018-12-05 14:39:25 CET
To reproduce: Join a current UCS DVD or appliance as DC Backup into a UCS DC Master with a lower erratalevel - e.g. DC Master erratalevel 229 (i.e. 4.3-2 release state). The join fails because the DC Backup has in this case a definition of ACLs for the LDAP objectclass univentionPortalCategory. But the LDAP Master does not have that attribute yet due to its low erratalevel, so the schema definition for that objectclass/attribute is not replicated to the DC Backup. The slapd does not start if the ACL definition is installed by the u-ldap-server package. The check whether a UCS system can join the domain currently only checks the patchlevel number, not the erratalevel.
As discussed, the schema and ACL registration should be done via registerLDAPExtension, probably in the 33univention-portal.inst join script.
6505cd581a4eb8d895a30432acb3af79ee2e69cc - univention-ldap Removed the @univentionPortalCategory from the portal ACLs. These ACLs are necessary for the UCR<->Portal registration. This mechanism doesn't know anything about settings/portal_category, so we can safely remove this objectclass from the ACL.
OK: change of LDAP ACL. No slapd error when joining.
OK: YAML
Verified
Another issue appeared during QA, which we cannot fix in the scope of the bug. But at least the join can be started, and the slapd does not fail. I created Bug 48260.
<http://errata.software-univention.de/ucs/4.3/356.html>
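The failure described in the report (an ACL naming an objectclass whose schema is not present, so slapd refuses to start) can be caught before a join or package update by cross-checking the `@objectclass` and `!objectclass` entries in ACL `attrs=` lists against the objectclasses defined in the loaded schema. The following is an added example, not code from this bug or from UCS; the schema and ACL text are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample data (assumption: not taken from a real UCS system).
SCHEMA = """
objectclass ( 1.3.6.1.4.1.99999.1.1 NAME 'examplePortal' SUP top STRUCTURAL
    MUST cn MAY ( description ) )
objectclass ( 1.3.6.1.4.1.99999.1.2 NAME ( 'examplePortalEntry' 'exPE' ) SUP top
    STRUCTURAL MUST cn )
"""
ACL = """
access to filter="(objectClass=examplePortal)" attrs=entry,@examplePortal,@univentionPortalCategory
    by * read
access to attrs=@examplePortalEntry,!exPE by * none
"""

# NAME may be a single quoted name or a parenthesised list of aliases.
OC_DEF = re.compile(r"objectclass\s*\(\s*[\d.]+\s+NAME\s+(\(\s*[^)]*\)|'[^']+')", re.I)
# slapd ACLs accept both "attrs=" and the older "attr=" spelling.
ATTRS = re.compile(r"\battrs?=(\S+)", re.I)

def defined_objectclasses(schema_text):
    """Return the lower-cased names (including aliases) of all objectclasses."""
    names = set()
    for m in OC_DEF.finditer(schema_text):
        names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(1)))
    return names

def referenced_objectclasses(acl_text):
    """Return objectclass names used as @name or !name in ACL attrs= lists."""
    refs = set()
    for m in ATTRS.finditer(acl_text):
        for item in m.group(1).split(","):
            if item and item[0] in "@!":
                refs.add(item[1:])
    return refs

def missing_objectclasses(acl_text, schema_text):
    """Objectclasses the ACL depends on that the given schema does not define."""
    known = defined_objectclasses(schema_text)
    return sorted(r for r in referenced_objectclasses(acl_text) if r.lower() not in known)

if __name__ == "__main__":
    for name in missing_objectclasses(ACL, SCHEMA):
        print(f"ACL references objectclass without schema: {name}")
```

On a real system the schema text would have to include every schema file slapd loads, otherwise objectclasses from the core schemas are reported as missing.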