Univention Bugzilla – Bug 48627
Sanitize univention-join
Last modified: 2022-12-19 11:11:59 CET
"univention-join" has too many deficits and is a nightmare to debug and extend:

1. On a re-join it does not reset the system to a sane state; e.g. the local BIND is still used, which still uses the (stale) data from the local SLAPD.
2. The join script "03univention-directory-listener.inst" is handled specially and univention-join contains some special handling for it.
3. The LDAP server is started very early - at a point where the initial LDAP schema has not been replicated yet; this is only faked in "01univention-ldap-server-init.inst".

We should (at least) do the following (not complete):

1. Reset the local system to not use any local services: dns, ...
2. Purge old LDAP databases and JOIN related state
3. (Re-)create HOST account and fetch machine.secret and SSL certificates
4. Fetch SCHEMA¹ and attributes to index from Master
5. Start slapd
6. Start UDN² (needs local slapd for cn=translog)
7. Start UDL³ (replication.py needs local slapd)
...

¹: Replace fake_initial_schema() in 01univention-ldap-server-init.inst with:

    python -c '
    from univention.uldap import getMachineConnection
    # read the real schema from the Master instead of faking it locally
    access = getMachineConnection(ldap_master=True)
    result = access.search(base="cn=Subschema", scope="base", attr=["objectClasses", "attributeTypes"], unique=True, required=True)
    ((dn, attrs),) = result
    # reuse the listener code that writes the replicated schema
    execfile("/usr/lib/univention-directory-listener/system/replication.py")
    update_schema(attrs)
    '

²: Please note that the Master is the only server role where UDN must be started *before* UDL, as UDL connects to UDN. "univention-join" is never executed on the Master; instead the simplified code from base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:264 is used.

³: I have the nagging memory that on all other server roles (except the Master) UDL must be started before UDN, but I cannot remember the issue any more - maybe it was because Bug #48427 some time ago required UDL to replicate the univentionTranslog.schema for UDN to start.
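As an added example (not code from this bug, from replication.py or from Univention): given the `attrs` dict that the cn=Subschema search in footnote ¹ returns, this renders the definitions into the `attributetype`/`objectclass` form that slapd's `include` directive reads, drops duplicates, and checks that every MUST/MAY reference of an object class resolves to a fetched attribute type. An unresolved reference is the incomplete-schema state that a faked initial schema hides until slapd refuses to start. The sample definitions and their OIDs are constructed, the output path is a placeholder, and the `builtin_oids` filter is an assumption (slapd's compiled-in system schema must not be redefined; which OIDs that covers is deployment-specific).

```python
import re
from typing import Dict, Iterable, List, Set

SCHEMA_OUT = "/path/to/replicated.schema"  # placeholder, not the real UCS path

# Constructed sample of what the cn=Subschema search returns:
# attribute name -> list of raw definitions as bytes. OIDs are made up.
SAMPLE_SUBSCHEMA = {
    "attributeTypes": [
        b"( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'constructed' "
        b"EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
        b"( 1.3.6.1.4.1.99999.1.2 NAME ( 'exampleOther' 'exampleAlias' ) "
        b"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
        # same OID published twice: must be emitted only once
        b"( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'constructed' "
        b"EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    ],
    "objectClasses": [
        # 'missingAttr' is referenced but never defined: an incomplete fetch
        b"( 1.3.6.1.4.1.99999.2.1 NAME 'exampleClass' SUP top AUXILIARY "
        b"MUST exampleAttr MAY ( exampleOther $ missingAttr ) )",
    ],
}

_OID_RE = re.compile(r"^\(\s*(\S+)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
_REF_RE = re.compile(r"\b(MUST|MAY)\s+(?:'?([A-Za-z][\w-]*)'?|\(\s*([^)]*)\))")


def _oid(definition: str) -> str:
    """Return the leading OID; reject definitions with unbalanced parentheses."""
    m = _OID_RE.match(definition)
    if not m or definition.count("(") != definition.count(")"):
        raise ValueError("malformed schema definition: %r" % definition)
    return m.group(1)


def _names(definition: str) -> List[str]:
    """All NAME values of a definition (single name or a quoted list)."""
    m = _NAME_RE.search(definition)
    if not m:
        return []
    if m.group(1):
        return [m.group(1)]
    return re.findall(r"'([^']+)'", m.group(2))


def _refs(definition: str) -> Set[str]:
    """Attribute names an object class references via MUST or MAY."""
    refs = set()
    for _kw, single, group in _REF_RE.findall(definition):
        if single:
            refs.add(single)
        else:
            refs.update(p.strip().strip("'") for p in group.split("$") if p.strip())
    return refs


def render_schema(attrs: Dict[str, Iterable[bytes]], builtin_oids: Set[str] = frozenset()) -> str:
    """Render subschema values as slapd 'attributetype'/'objectclass' lines.

    Attribute types come first because object classes reference them by name.
    Duplicate OIDs and OIDs listed in builtin_oids (compiled into slapd) are skipped.
    """
    out, seen = [], set()
    for keyword, key in (("attributetype", "attributeTypes"), ("objectclass", "objectClasses")):
        for raw in attrs.get(key, []):
            definition = raw.decode("utf-8").strip()
            oid = _oid(definition)
            if oid in seen or oid in builtin_oids:
                continue
            seen.add(oid)
            out.append("%s %s" % (keyword, definition))
    return "\n".join(out) + "\n"


def unresolved_attributes(attrs: Dict[str, Iterable[bytes]]) -> Set[str]:
    """Names used in MUST/MAY of an object class that no attribute type defines."""
    known = set()
    for raw in attrs.get("attributeTypes", []):
        known.update(n.lower() for n in _names(raw.decode("utf-8")))
    missing = set()
    for raw in attrs.get("objectClasses", []):
        for ref in _refs(raw.decode("utf-8")):
            if ref.lower() not in known:
                missing.add(ref)
    return missing


if __name__ == "__main__":
    missing = unresolved_attributes(SAMPLE_SUBSCHEMA)
    if missing:
        raise SystemExit("schema fetch incomplete, undefined attributes: %s" % sorted(missing))
    with open(SCHEMA_OUT, "w") as fh:
        fh.write(render_schema(SAMPLE_SUBSCHEMA))
```

Run against the constructed sample the script stops before writing anything, because `missingAttr` is unresolved; in a join this is the point at which to fail instead of starting slapd on a schema that cannot load the Master's entries.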
Previously existing failed.ldif is not deleted
Bug #44925: Fetch LDAP attributes to index from Master
Applying a fake schema instead of fetching one from the DC Master causes Bug #41782.
7½. Currently UCRV `listener/cache/mdb/maxsize` is copied from the PDC to any BDC or RPC. In most cases this is insufficient because `replication.py` exists only on those 2 server roles, which replicates *any* entry and requires MUCH MORE space for the UDL cache than on the PDC. Joining large domains thus requires a `ucr set --force listener/cache/mdb/maxsize=…` to be done *before* the join.