Overview: A user that is listed as teacher and staff is added to a second school, but does not get access to the management server (Verwaltungsserver) of the second school.

Steps to Reproduce:
1) Install a master and two educational slave servers, one for each school.
2) Set the UCR variable ucsschool/import/generate/policy/dhcp/dns/set_per_ou to false. (I forgot to do it before joining the educational slaves. I'm not sure if that has any influence.)
3) Install and join the two management servers.
4) Create a "teacher and staff" user via the UMC.
5) Add the user to the second school.
6) Try to log in as the user from the domain of the management server of the second school.

Actual Results: The user is not able to log in at the management server of the second school.

Expected Results: The user is able to log in at the management server of the second school.

Build Date & Hardware: Tested on KVM machines with UCS 4.3-3, on 08.03.19.

Additional Builds and Platforms: The servers were UCS 4.3-3 and the clients Windows 10 Professional.

Additional Information: LDAP contains no entry for the user on the management server of the second school, but it does on all the others.
(In reply to Lukas Zumvorde from comment #0)
> 3) Install and join the two management server.
> 4) create a "teacher and staff" user over the UMC.
> 5) add the user to the second school.

How exactly did you add the user to the second school?

> Additional Information:
> LDAP contains no entry for the user on the management server of the second
> school, but on all the others.

Can you provide the output of "univention-ldapsearch uid=AFFECTEDUSER" called on the DC master?
Created attachment 9906 [details] output of univention-ldapsearch on master
Created attachment 9907 [details] output of univention-ldapsearch on management server
The user was added to the second school using the UMC:
1) In the UMC go to School Administration (Schul-Administration) -> Users [school] (Benutzer [Schulen])
2) Select the first school
3) Select the user
4) Advanced Settings (Erweiterte Einstellungen)
5) Under UCS@school you find the fields for the schools. Add the second school.

The attachment ldapsearch_output_master contains the search for uid=<username> made using univention-ldapsearch on the master server.
The attachment ldapsearch_output_managementserver contains the search for uid=<username> made using univention-ldapsearch on the management server.
The user must also be made part of certain groups (teachers-$OU, staff-$OU, Domain Users $OU).

Please attach the output of:
univention-ldapsearch -LLL 'uniqueMember=uid=dan<..rest of DN>' dn
I have done that but the problem still persists. The user was added to the groups using the UMC:
* School Administration -> Users (Schools)
* Advanced Settings for the specific user
* Groups
The primary group was left untouched.

The output of "univention-ldapsearch -LLL 'uniqueMember=uid=dan<..rest of DN>' dn" shows a successful addition to the groups.

I have edited the birthday of the user and saved, but the replication is apparently not triggered.
A WIP fix is available in feature branch: sschwardt/48924/43/multiou-staff-on-adm-slave
(In reply to Sönke Schwardt-Krummrich from comment #12)
> A WIP fix is available in feature branch:
> sschwardt/48924/43/multiou-staff-on-adm-slave
↑↑↑ for UCS 4.3
↓↓↓ for UCS 4.4
sschwardt/48924/44/multiou-staff-on-adm-slave

Please reopen for merge.
(In reply to Sönke Schwardt-Krummrich from comment #13)
> Please reopen for merge.

I will then create a second bug against 4.3.
[4.4] a8ff01e5d Bug #48924: merge branch 'sschwardt/48924/44/multiou-staff-on-adm-slave' into 4.4
[4.4] cd842d744 Bug #48924: give permission for administrative slaves/memberservers to read/replicate multi-OU staff users
[4.4] 725177550 Bug #48924: add/update LDAP ACL test script for edu/adm slave

Package: ucs-school-ldap-acls-master
Version: 17.0.1-1A~4.4.0.201905101706
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Testrun:
root@master140:~# cp /etc/ldap/slapd.conf{,.ALT}
root@master140:~# dpkg -i ucs-school-ldap-acls-master_17.0.1-1_all.deb
(Reading database ... 111178 files and directories currently installed.)
Preparing to unpack ucs-school-ldap-acls-master_17.0.1-1_all.deb ...
Unpacking ucs-school-ldap-acls-master (17.0.1-1) over (17.0.0-2A~4.4.0.201905081751) ...
Setting up ucs-school-ldap-acls-master (17.0.1-1) ...
Calling joinscript 70ucsschool-ldap-acls-master.inst ...
2019-03-06 22:39:32.819883476+01:00 (in joinscript_init)
Object exists: cn=ucsschool,cn=groups,dc=nstx,dc=local
Object exists: (group) : DC-Verwaltungsnetz
Object exists: (group) : Member-Verwaltungsnetz
Object exists: (group) : DC-Edukativnetz
Object exists: (group) : Member-Edukativnetz
Object exists: cn=ldapacl,cn=univention,dc=nstx,dc=local
INFO: No change of core data of object 61ucsschool_presettings.
Object modified: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local
Waiting for activation of the extension object 61ucsschool_presettings: OK
Object exists: cn=ldapacl,cn=univention,dc=nstx,dc=local
Object modified: cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local
Waiting for activation of the extension object 65ucsschool:.............OK
2019-03-06 22:40:30.809751175+01:00 (in joinscript_save_current_version)
Joinscript 70ucsschool-ldap-acls-master.inst finished with exitcode 0
Restarting slapd (via systemctl): slapd.service.
root@master140:~# root@master140:~# diff -u /etc/ldap/slapd.conf{.ALT,} --- /etc/ldap/slapd.conf.ALT 2019-03-06 22:36:32.293731835 +0100 +++ /etc/ldap/slapd.conf 2019-03-06 22:40:08.459957666 +0100 @@ -543,6 +532,7 @@ # DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen access to dn.regex="^uid=([^,]+),cn=(schueler|lehrer|lehrer und mitarbeiter|mitarbeiter|admins),cn=users,ou=([^,]+),dc=nstx,dc=local$$" attrs=entry,cn,objectClass,!univentionShare,!univentionShareNFS,!univentionShareSamba,!posixGroup by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local])/uniqueMember & user" write + by set="([cn=OU]+this/ucsschoolSchool+[-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local])/uniqueMember & user" write by * +0 break access to dn.regex="^uid=([^,]+),cn=examusers,ou=([^,]+),dc=nstx,dc=local$$" attrs=entry,cn,objectClass,!univentionShare,!univentionShareNFS,!univentionShareSamba,!posixGroup by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=nstx,dc=local])/uniqueMember & user" write
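Review bot: the added `by set="([cn=OU]+this/ucsschoolSchool+[-DC-Verwaltungsnetz,...])/uniqueMember & user" write` clause grants the management-network DCs `write` on every multi-OU user entry, the same level the educational DCs get, while commit cd842d744 describes the requirement as being able to "read/replicate" these users. The first matching `by` clause decides the outcome, so consider whether `read` is sufficient for the administrative slaves and memberservers; if `write` is really needed, say why in the comment above the rule ("DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen"), which currently does not distinguish the two DC groups. The examusers rule directly below keeps only the Edukativnetz clause; a one-line comment stating that exam users are not replicated to the administrative network would make that asymmetry read as intended rather than as an omission.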
Changelog: OK
Advisory: MISSING
Package installs: OK
Test packages: NOT BUILT

Changes work as intended. Tested by creating a multi-school environment (without actual hardware as discussed). Created multi-school users and tested LDAP access for the added schools' Verwaltungsserver.
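The reason the second school's Verwaltungsserver never received the user is visible in the two `by set=...` clauses of the slapd.conf diff above: the set is built from the target entry's `ucsschoolSchool` values, turned into `cn=OU<school>-DC-Edukativnetz,...` (and, after the fix, `...-DC-Verwaltungsnetz,...`) group DNs, dereferenced to their `uniqueMember` values and intersected with the bound DN. The following Python model of that evaluation is an added example, not code from the bug, UCS or the ucs-school-ldap-acls-master package. It keeps the base `dc=nstx,dc=local` from the diff but assumes the OU names `school1`/`school2`, the host names `edu1`/`edu2`/`adm1`/`adm2` and the DC container `cn=dc,cn=computers`; it models only this one `access to` rule, so `break` means "this rule grants nothing and slapd continues with the rest of slapd.conf" (in the reported setup the remaining rules evidently covered the user's home OU, since only the second school's management server lacked the entry).

```python
"""Model of the `by set=... write` clauses of the multi-OU user ACL.

Constructed directory (assumptions, not from the bug): two OUs, one
educational and one administrative DC per OU, and one multi-OU
"teacher and staff" user whose home OU is school1.
"""

BASE = "dc=nstx,dc=local"  # base DN as shown in the slapd.conf diff


def host_dn(name):
    # Assumed DC location; UCS keeps domain controllers under cn=dc,cn=computers.
    return f"cn={name},cn=dc,cn=computers,{BASE}"


def group_dn(ou, suffix):
    # String concatenation performed by the ACL set expression:
    #   [cn=OU] + this/ucsschoolSchool + [-<suffix>,cn=ucsschool,cn=groups,<base>]
    return f"cn=OU{ou}-{suffix},cn=ucsschool,cn=groups,{BASE}"


USER_DN = f"uid=dan,cn=lehrer und mitarbeiter,cn=users,ou=school1,{BASE}"

# DN -> attributes, restricted to what the ACL dereferences.
DIRECTORY = {
    group_dn("school1", "DC-Edukativnetz"): {"uniqueMember": [host_dn("edu1")]},
    group_dn("school2", "DC-Edukativnetz"): {"uniqueMember": [host_dn("edu2")]},
    group_dn("school1", "DC-Verwaltungsnetz"): {"uniqueMember": [host_dn("adm1")]},
    group_dn("school2", "DC-Verwaltungsnetz"): {"uniqueMember": [host_dn("adm2")]},
    USER_DN: {"ucsschoolSchool": ["school1", "school2"]},  # multi-OU user
}


def set_clause(target_dn, suffix):
    """Evaluate `([cn=OU]+this/ucsschoolSchool+[-<suffix>,...])/uniqueMember`.

    Returns every uniqueMember of every group derived from the target
    entry's ucsschoolSchool values.  DNs are lower-cased as a stand-in for
    slapd's normalised DN comparison.
    """
    this = DIRECTORY.get(target_dn, {})
    members = set()
    for ou in this.get("ucsschoolSchool", []):
        group = DIRECTORY.get(group_dn(ou, suffix), {})
        members |= {m.lower() for m in group.get("uniqueMember", [])}
    return members


def access(target_dn, bind_dn, suffixes):
    """Outcome of the rule for one bound DC.

    `& user` makes the set non-empty exactly when the bound DN is a member;
    the first matching `by set=... write` clause wins.  Otherwise the final
    `by * +0 break` grants nothing here and slapd continues with later rules.
    """
    for suffix in suffixes:
        if bind_dn.lower() in set_clause(target_dn, suffix):
            return "write"
    return "break"


BEFORE = ["DC-Edukativnetz"]                        # rule as in slapd.conf.ALT
AFTER = ["DC-Edukativnetz", "DC-Verwaltungsnetz"]   # rule after 17.0.1-1


def replication_matrix(suffixes, target_dn=USER_DN):
    """What each DC gets on the user entry from this rule alone."""
    return {h: access(target_dn, host_dn(h), suffixes)
            for h in ("edu1", "edu2", "adm1", "adm2")}


if __name__ == "__main__":
    for label, suffixes in (("before", BEFORE), ("after", AFTER)):
        print(label, replication_matrix(suffixes))
```

Before the fix the rule grants `write` to both educational DCs but falls through for both administrative DCs; after the fix all four DCs of the OUs listed in `ucsschoolSchool` match, which is what lets the second school's Verwaltungsserver replicate the entry. Because a DC of an OU that is not in the user's `ucsschoolSchool` list is never in the set, the fix does not widen access beyond the user's own schools.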
[4.4] 38c2f95db Bug #48924: add advisory

Package: ucs-test-ucsschool
Version: 6.0.0-54A~4.4.0.201905130922
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Advisory: OK
Tests pass: OK
UCS@school 4.4 v2 has been released. https://docs.software-univention.de/changelog-ucsschool-4.4v2-de.html If this error occurs again, please clone this bug.