Bug 48224 - Make joinscript 92univention-management-console-web-server.inst configurable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Florian Best
QA Contact: Erik Damrose
Depends on:
Blocks: 48985
Reported: 2018-11-27 11:52 CET by Christina Scheinig
Modified: 2019-03-27 13:29 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.057
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Ticket number: 2018112621000377
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2018-11-27 11:52:00 CET
In a customer environment ucs-sso is not configured and is not required on every server. This causes the 92univention-management-console-web-server.inst to fail every time with this error.

Object exists: SAMLServiceProviderIdentifier=https://master-prod.schein.de/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=olb,dc=de
No modification: SAMLServiceProviderIdentifier=https://master-prod.schein.de/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=olb,dc=de
Not updating ucs/server/sso/fqdn
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

[...]

Try to download idp metadata (60/60)
Could not download IDP metadata for https://ucs-sso.schein.de/simplesamlphp/saml2/idp/metadata.php
'NoneType' object has no attribute 'find'
Unsetting umc/saml/idp-server
Module: setup_saml_sp

Is there a possibility to make it configurable if ucs-sso is not desired?
Comment 1 Christina Scheinig univentionstaff 2018-11-29 09:54:28 CET
If the problem occurs it blocks further progress. Marking the joinscript as "already executed" is not a practicable workaround.
Comment 2 Valentin Heidelberger univentionstaff 2019-02-18 12:59:46 CET
If the SDB article "Configure SAML Single Sign-On as single server solution" is configured and the IdP is thus reachable at a different FQDN than ucs-sso.domainname, one can set the following UCR variable before the join to make the joinscript download the metadata from that FQDN.

ucr set ucs/server/sso/fqdn="master.ucs.demo"
Comment 3 Florian Best univentionstaff 2019-03-12 16:15:58 CET
The configuration is skipped now if umc/web/sso/enabled=false.

univention-management-console.yaml
6beb9cbf7f9e | YAML Bug #48224

univention-management-console (11.0.4-3)
9dc7099e212d | Bug #48224: do not configure the SAML IDP in the UMC WebServer if umc/web/sso/enabled=false.
Comment 4 Erik Damrose univentionstaff 2019-03-13 16:41:32 CET
OK: encapsulate UMC SSO configuration by checking UCR umc/web/sso/enabled

Reopen: Check for UCRv does not work. There is no univention-lib function ucr_is_false. It is called is_ucr_false. join.log =>
98: /usr/lib/univention-install/92univention-management-console-web-server.inst: ucr_is_false: not found

Please test your code before committing it! Also, why is the check "if ! ucr_is_false ...", one could check if the UCRv is true.
Comment 5 Florian Best univentionstaff 2019-03-13 18:18:19 CET
(In reply to Erik Damrose from comment #4)
> OK: encapsulate UMC SSO configuration by checking UCR umc/web/sso/enabled
> 
> Reopen: Check for UCRv does not work. There is no univention-lib function
> ucr_is_false. It is called is_ucr_false. join.log =>
> 98:
> /usr/lib/univention-install/92univention-management-console-web-server.inst:
> ucr_is_false: not found
> 
> Please test your code before committing it! Also, why is the check "if !
> ucr_is_false ...", one could check if the UCRv is true.
Sorry. 
ucr_is_false is the better default handling, because unset means true.
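
The default-handling question from comments 4 and 5, as an added example that is not part of the original bug report or Univention's code: it compares a "skip only on explicit false" guard with a "configure only on explicit true" guard for unset and mistyped values, and shows that a misnamed predicate under `!` still runs the SSO branch. `ucr_get`, `UCR_VALUE` and the `guard_*` functions are hypothetical, and the two `is_ucr_*` functions are stand-ins that assume a tri-state return code (0 match, 1 opposite, 2 unset or unrecognised).

```shell
#!/bin/sh
# Constructed stand-in for "ucr get": reads the value from $UCR_VALUE
# (hypothetical variable; an empty string means the UCR variable is unset).
ucr_get() { printf '%s' "$UCR_VALUE"; }

# Stand-ins assuming a tri-state result (not the univention-lib code):
# 0 = matches, 1 = opposite boolean, 2 = unset or unrecognised value.
is_ucr_true() {
    case "$(ucr_get "$1" | tr '[:upper:]' '[:lower:]')" in
        1|yes|on|true|enable|enabled) return 0 ;;
        0|no|off|false|disable|disabled) return 1 ;;
        *) return 2 ;;
    esac
}
is_ucr_false() {
    case "$(ucr_get "$1" | tr '[:upper:]' '[:lower:]')" in
        0|no|off|false|disable|disabled) return 0 ;;
        1|yes|on|true|enable|enabled) return 1 ;;
        *) return 2 ;;
    esac
}

# Guard shape discussed in the bug: skip only on an explicit false.
guard_not_false() {
    UCR_VALUE="$1"
    if ! is_ucr_false umc/web/sso/enabled; then echo configure; else echo skip; fi
}
# Alternative guard: configure only on an explicit true.
guard_true() {
    UCR_VALUE="$1"
    if is_ucr_true umc/web/sso/enabled; then echo configure; else echo skip; fi
}
# The misnamed function from comment 4: "not found" (exit status 127) is
# negated by "!", so the SSO branch runs even when the value is false.
guard_misnamed() {
    UCR_VALUE="$1"
    if ! ucr_is_false umc/web/sso/enabled 2>/dev/null; then echo configure; else echo skip; fi
}

# Constructed sample values: unset, true, false, and a typo.
for v in "" true false flase; do
    printf '%-7s not_false=%s true=%s misnamed=%s\n' "'$v'" \
        "$(guard_not_false "$v")" "$(guard_true "$v")" "$(guard_misnamed "$v")"
done
```

With the misnamed function the guard returns `configure` for every value, so an administrator's `false` setting is ignored until the name is corrected.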
Comment 6 Florian Best univentionstaff 2019-03-13 18:41:30 CET
Fixed the typo.
Comment 7 Erik Damrose univentionstaff 2019-03-15 16:04:01 CET
09b8b32 fixed typo in yaml

Verified
Comment 8 Arvid Requate univentionstaff 2019-03-27 13:29:26 CET
<http://errata.software-univention.de/ucs/4.4/25.html>