Bug 50274 - Regression: replicate staff users to educational school DCs not possible anymore
Regression: replicate staff users to educational school DCs not possible anymore
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 4.4
Other Linux
: P5 normal (vote)
: UCS@school 4.4 v4
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
Depends on: 49734
  Show dependency treegraph
Reported: 2019-09-26 14:18 CEST by Christina Scheinig
Modified: 2019-11-06 20:11 CET (History)
8 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019092521000471
Bug group (optional): Regression
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Christina Scheinig univentionstaff 2019-09-26 14:18:24 CEST
With Bug 48068 we introduced a new ucr variable: ucsschool/ldap/replicate_staff_to_edu
which makes possible to replicate staff users to educativ slaves.
This is not entirely working anymore. The users are replicated to the slave, when the ucr variable was already set on the master and the backup servers, but the slave is not able to read them from his ldap.

univention-ldapsearch -D cn=update,$(ucr get ldap/base) -W uid=max.muster
shows the user,
→ with "-y /etc/ldap/rootpw.conf" is not possible so 'cat /etc/ldap/rootpw.conf' and put it via "-W"
but a univention-ldpasearch uid=max.muster does not.

To fix this I set the ucr variable on the slave. Which also shows, that no multifile is generated, and nothing changed in the /etc/ldap/slapd.conf.
A ucr commit /etc/ldap/slapd.conf does this finally and the restart of the slapd.service shows the user. The user is now able to login again.
Comment 1 Florian Best univentionstaff 2019-10-02 14:40:59 CEST
Regression caused by Bug #49734.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2019-10-29 13:58:11 CET
[4.4] 25d974862 Bug #50274: add regression test for staff users on edu slaves
[4.4] 8a7356032 Bug #50274: fix ACL regression caused by bug 49734 - LDAP ACLs on DC slaves are not required

ACLs are now skipped/removed by UCR template if server/role is unequal to "domaincontroller_master" or "domaincontroller_backup". The slapd.conf contains on DC slaves only a hint:
# start 61ucsschool_presettings

# no ACL required on domaincontroller_slave

# end 61ucsschool_presettings
# start 65ucsschool

# no ACL required on domaincontroller_slave

# end 65ucsschool

Additionally a regression test 75_ldap_acls_staff_on_edu_servers has been added to ucs-test-ucsschool that modifies the UCR variable on DC master, creates a staff user and checks with Administrator/teacher/machine credentials, if the user is replicated to the slave and readable.

Package: ucs-school-ldap-acls-master
Version: 17.0.3-1A~
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-test-ucsschool
Version: 6.0.72A~
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 3 Daniel Tröder univentionstaff 2019-10-30 14:57:13 CET
OK: code change
OK: manual test
OK: automatic test (75_ldap_acls_staff_on_edu_servers)
OK: advisory
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2019-11-06 20:11:51 CET
UCS@school 4.4 v3 has been released.


If this error occurs again, please clone this bug.