Univention Bugzilla – Bug 53162
ucschoolRole missing in multi-server env for DC slave and single_master tag added for master
Last modified: 2021-05-06 14:12:33 CEST
In a multi-master env with "m70" as hostname of the DC master:

root@m70:~# /usr/share/ucs-school-import/scripts/create_ou test01
root@m70:~# univention-ldapsearch -LLL cn=m70 ucsschoolRole
dn: cn=m70,cn=dc,cn=computers,dc=uni,dc=dtr
ucsschoolRole: dc_master:school:-
ucsschoolRole: single_master:school:test01

The "single_master:school:test01" shouldn't be there. Only this one is correct:

root@m70:~# univention-ldapsearch -LLL cn=dctest01 ucsschoolRole
dn: cn=dctest01,cn=dc,cn=server,cn=computers,ou=test01,dc=uni,dc=dtr
ucsschoolRole: dc_slave_edu:school:test01

----------------------------------------------------------------------------

When create_ou is run (from Python) on a DC slave with »create_ou(name_edudc=ucr["hostname"])«, the DC slave is used as the educational DC for the new OU. That is required, so that its data is replicated to the DC slave. But the ucsschoolRole is not set on the host:

base.create_without_hooks:535 Creating School(name='testou8846', dn='ou=testou8846,dc=uni,dc=dtr')
..
base.modify_without_hooks:600 Modifying SchoolDCSlave(name='edu21', school='Gym21', dn='cn=edu21,cn=dc,cn=server,cn=computers,ou=Gym21,dc=uni,dc=dtr')
..
school.add_domain_controllers:507 School.add_domain_controllers(): administrative=False dc_name=edu21 self.dc_name='edu21' server=<univention.admin.handlers.computers.domaincontroller_slave.object object at 0x7f69c6c155d0>
..
Exception occurred: <class 'univention.testing.utils.LDAPObjectValueMissing'> (DN: cn=edu21,cn=dc,cn=server,cn=computers,ou=Gym21,dc=uni,dc=dtr ucsschoolRole: None, missing : 'dc_slave_edu:school:testou8846'
The ucsschool.lib was modified to handle that ucsschoolRole for both DC slaves and DC masters.

[dtroeder/53162_fix_ucschoolRole b20c43d29] Bug #53162: fix ucschoolRole in multi-server env for DC slave and DC master
QA → Almost everything OK, but REOPEN for clarification/fix, see below

Code → looks good

before fix

on primary node:

→ in this version, the role was not appended:
UCS: 4.4-7 errata958
Installed: ucsschool=4.4 v9

/usr/share/ucs-school-import/scripts/create_ou test01
root@ucs-2791:~# univention-ldapsearch -LLL cn=ucs-2791 ucsschoolRole
dn: cn=ucs-2791,cn=dc,cn=computers,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_master:school:-

→ in this version, the error was introduced:
UCS: 4.4-8 errata962
Installed: ucsschool=4.4 v9

univention-ldapsearch -LLL cn=ucs-2791 ucsschoolRole
dn: cn=ucs-2791,cn=dc,cn=computers,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_master:school:-
ucsschoolRole: single_master:school:test02

on replication node

I created the school testou5220

univention-ldapsearch -LLL cn=ucs-2791 ucsschoolRole
dn: cn=ucs-2791,cn=dc,cn=computers,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_master:school:-
ucsschoolRole: single_master:school:testou5220

the ucsschool role `dc_slave_edu:school:testou5220` was missing:

root@ucs-2791:~# univention-ldapsearch -LLL cn=ucs-1689 ucsschoolRole
dn: cn=ucs-1689,cn=dc,cn=server,cn=computers,ou=DEMOSCHOOL2,dc=wenzel-univention,dc=intranet

`01_test_school_creation_ucsschool_role.py` fails on replication node.

after fix

when creating school `test03` on primary node:

univention-ldapsearch -LLL cn=ucs-2791 ucsschoolRole
dn: cn=ucs-2791,cn=dc,cn=computers,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_master:school:-

univention-ldapsearch -LLL cn=dctest03 ucsschoolRole
dn: cn=dctest03,cn=dc,cn=server,cn=computers,ou=test03,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_slave_edu:school:test03

when creating school `testou8705` on replication node:

univention-ldapsearch -LLL cn=ucs-2791 ucsschoolRole
dn: cn=ucs-2791,cn=dc,cn=computers,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_master:school:-

univention-ldapsearch -LLL cn=ucs-1689 ucsschoolRole
dn: cn=ucs-1689,cn=dc,cn=server,cn=computers,ou=DEMOSCHOOL2,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_slave_edu:school:testou8705

`01_test_school_creation_ucsschool_role.py` → passes on edu & admin

ucs-3522 is an admin-replication-node:

>>ou_name, ou_dn = schoolenv.create_ou(name_admindc=schoolenv.ucr["hostname"])

→ this is correct:
univention-ldapsearch -LLL cn=ucs-3522 ucsschoolRole
dn: cn=ucs-3522,cn=dc,cn=server,cn=computers,ou=psg,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_slave_admin:school:testou1686

→ I would have expected the dc_slave_admin role here, too. Is this intended?

univention-ldapsearch -LLL cn=dctestou1686 ucsschoolRole
dn: cn=dctestou1686,cn=dc,cn=server,cn=computers,ou=testou1686,dc=wenzel-univention,dc=intranet
ucsschoolRole: dc_slave_edu:school:testou1686
(In reply to Tobias Wenzel from comment #2)
> ucs-3522 is an admin-replication-node:
>
> >>ou_name, ou_dn = schoolenv.create_ou(name_admindc=schoolenv.ucr["hostname"])
>
> → this is correct:
> univention-ldapsearch -LLL cn=ucs-3522 ucsschoolRole
> dn: cn=ucs-3522,cn=dc,cn=server,cn=computers,ou=psg,dc=wenzel-univention,dc=intranet
> ucsschoolRole: dc_slave_admin:school:testou1686
>
> → I would have expected the dc_slave_admin role here, too. Is this intended?
>
> univention-ldapsearch -LLL cn=dctestou1686 ucsschoolRole
> dn: cn=dctestou1686,cn=dc,cn=server,cn=computers,ou=testou1686,dc=wenzel-univention,dc=intranet
> ucsschoolRole: dc_slave_edu:school:testou1686

Only the admin-DC-name was passed to create_ou(). So the edu-DC-name was automatically calculated as "dc<ou>" → "dctestou1686".
Thus cn=dctestou1686 is the edu-server and "ucsschoolRole=dc_slave_edu:school:testou1686" is correct.
"m20" is the DC master on which the following commands are executed:

When passed both edu and adm names, the following happened before:
---------------------------------------------------------------------------------
root@m20:~# /usr/share/ucs-school-import/scripts/create_ou ou123 edu123 adm123

root@m20:~# univention-ldapsearch -LLL cn=$(hostname) ucsschoolRole
dn: cn=m20,cn=dc,cn=computers,dc=uni,dc=dtr
ucsschoolRole: dc_master:school:-
ucsschoolRole: single_master:school:ou123  # <=== error

root@m20:~# univention-ldapsearch -LLL cn=adm123 ucsschoolRole
dn: cn=adm123,cn=dc,cn=server,cn=computers,ou=ou123,dc=uni,dc=dtr
ucsschoolRole: dc_slave_admin:school:ou123  # <=== OK

root@m20:~# univention-ldapsearch -LLL cn=edu123 ucsschoolRole
dn: cn=edu123,cn=dc,cn=server,cn=computers,ou=ou123,dc=uni,dc=dtr
ucsschoolRole: dc_slave_edu:school:ou123  # <=== OK
---------------------------------------------------------------------------------

And after applying the fix from this bug:
---------------------------------------------------------------------------------
root@m20:~# /usr/share/ucs-school-import/scripts/create_ou ou222 edu222 adm222

root@m20:~# univention-ldapsearch -LLL cn=$(hostname) ucsschoolRole
dn: cn=m20,cn=dc,cn=computers,dc=uni,dc=dtr
ucsschoolRole: dc_master:school:-  # <=== OK

root@m20:~# univention-ldapsearch -LLL cn=adm222 ucsschoolRole
dn: cn=adm222,cn=dc,cn=server,cn=computers,ou=ou222,dc=uni,dc=dtr
ucsschoolRole: dc_slave_admin:school:ou222  # <=== OK

root@m20:~# univention-ldapsearch -LLL cn=edu222 ucsschoolRole
dn: cn=edu222,cn=dc,cn=server,cn=computers,ou=ou222,dc=uni,dc=dtr
ucsschoolRole: dc_slave_edu:school:ou222  # <=== OK
---------------------------------------------------------------------------------

On an edu replication node (edu21.uni.dtr):

== BEFORE ==---------------------------------------------------------------------
root@edu21:~# ipython

import univention.admin.uldap
from ucsschool.lib.models.school import School
lo = univention.admin.uldap.access(host="m20.uni.dtr", base="dc=uni,dc=dtr", binddn="uid=Administrator,cn=users,dc=uni,dc=dtr", bindpw="univention")
school = School(name="test444", dc_name="edu444", dc_name_administrative="adm444")
school.create(lo)

lo.searchDn(base="ou=test444,dc=uni,dc=dtr")
['ou=test444,dc=uni,dc=dtr',
...
'cn=adm444,cn=dc,cn=server,cn=computers,ou=test444,dc=uni,dc=dtr',
'cn=edu444,cn=dc,cn=server,cn=computers,ou=test444,dc=uni,dc=dtr']

lo.get("cn=m20,cn=dc,cn=computers,dc=uni,dc=dtr", attr=["ucsschoolRole"])
{'ucsschoolRole': ['dc_master:school:-', 'single_master:school:test444']}  # <=== error

lo.get("cn=adm444,cn=dc,cn=server,cn=computers,ou=test333,dc=uni,dc=dtr", attr=["ucsschoolRole"])
{}  # <=== error

lo.get("cn=edu444,cn=dc,cn=server,cn=computers,ou=test333,dc=uni,dc=dtr", attr=["ucsschoolRole"])
{}  # <=== error
---------------------------------------------------------------------------------

== AFTER ==----------------------------------------------------------------------
root@edu21:~# ipython

import univention.admin.uldap
from ucsschool.lib.models.school import School
lo = univention.admin.uldap.access(host="m20.uni.dtr", base="dc=uni,dc=dtr", binddn="uid=Administrator,cn=users,dc=uni,dc=dtr", bindpw="univention")
school = School(name="test333", dc_name="edu333", dc_name_administrative="adm333")
school.create(lo)

lo.searchDn(base="ou=test333,dc=uni,dc=dtr")
['ou=test333,dc=uni,dc=dtr',
'cn=dhcp,ou=test333,dc=uni,dc=dtr',
...
'cn=adm333,cn=dc,cn=server,cn=computers,ou=test333,dc=uni,dc=dtr',
'cn=edu333,cn=dc,cn=server,cn=computers,ou=test333,dc=uni,dc=dtr']

lo.get("cn=m20,cn=dc,cn=computers,dc=uni,dc=dtr", attr=["ucsschoolRole"])
{'ucsschoolRole': ['dc_master:school:-']}  # <=== OK

lo.get("cn=adm333,cn=dc,cn=server,cn=computers,ou=test333,dc=uni,dc=dtr", attr=["ucsschoolRole"])
{'ucsschoolRole': ['dc_slave_admin:school:test333']}  # <=== OK

lo.get("cn=edu333,cn=dc,cn=server,cn=computers,ou=test333,dc=uni,dc=dtr", attr=["ucsschoolRole"])
{'ucsschoolRole': ['dc_slave_edu:school:test333']}  # <=== OK
---------------------------------------------------------------------------------
QA → set to REOPEN for merge & build

Thanks for the clarification, that helps a lot!
Merged and built.

[4.4] 95b1e5a29 Bug #53162: fix ucschoolRole in multi-server env for DC slave and DC master
[4.4] 4c3a9b415 Bug #53162: Merge branch 'dtroeder/53162_fix_ucschoolRole' into 4.4
[4.4] 9b3e6ba71 Bug #53162: changelog, advisory
[4.4] a7f45e888 Bug #53162: advisory update

ucs-school-lib (12.2.23A~4.4.0.202104280914)

----

I'm trying to find out, if there are customers with bad ucsschoolRole data on their servers, and if a fix-script will be needed.
If that's the case, I suggest to create a separate bug to address that.
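A way to look for the bad ucsschoolRole data described in the comments above, as an added example that is not part of the bug report or of UCS@school code. The function names parse_ldif and audit_roles and the two rules they apply are assumptions derived from the before/after output quoted in this bug; the sample LDIF is constructed from values in those comments.

```python
import re

# Constructed sample shaped like the `univention-ldapsearch -LLL` output in this bug.
SAMPLE_LDIF = """\
dn: cn=m20,cn=dc,cn=computers,dc=uni,dc=dtr
ucsschoolRole: dc_master:school:-
ucsschoolRole: single_master:school:ou123

dn: cn=edu123,cn=dc,cn=server,cn=computers,ou=ou123,dc=uni,dc=dtr
ucsschoolRole: dc_slave_edu:school:ou123

dn: cn=ucs-1689,cn=dc,cn=server,cn=computers,ou=DEMOSCHOOL2,
 dc=wenzel-univention,dc=intranet
"""

def parse_ldif(text):
    """Return {dn: [ucsschoolRole values]} from plain (non-base64) LDIF."""
    text = text.replace("\n ", "")  # unfold wrapped lines (RFC 2849)
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, roles = None, []
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value.strip()
            elif key.lower() == "ucsschoolrole":
                roles.append(value.strip())
        if dn:
            entries[dn] = roles
    return entries

def audit_roles(entries):
    """Assumed rules: (1) a DC under cn=dc,cn=server,cn=computers has no role;
    (2) single_master is set for a school that also has a dc_slave_edu."""
    findings, edu_schools, single_master = [], set(), []
    for dn, roles in entries.items():
        if not roles and ",cn=dc,cn=server,cn=computers," in dn.lower():
            findings.append(("missing_role", dn, None))
        for role in roles:
            parts = role.split(":", 2)  # three colon-separated fields, as above
            if len(parts) != 3 or parts[1] != "school":
                continue
            if parts[0] == "dc_slave_edu":
                edu_schools.add(parts[2])
            elif parts[0] == "single_master":
                single_master.append((dn, parts[2]))
    findings += [("single_master_conflict", dn, school)
                 for dn, school in single_master if school in edu_schools]
    return findings

if __name__ == "__main__":
    for finding in audit_roles(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Rule (2) deliberately leaves a single_master role alone when no dc_slave_edu exists for that school, since the bug only calls the role wrong in a multi-server environment.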
The test 90_ucsschool/01_test_school_creation_ucsschool_role now also runs on DC slave and currently fails there:
https://jenkins.knut.univention.de:8181/job/UCSschool-4.4/job/Install%20Multiserver/832/Config=s4,TestGroup=base1,UCSRelease=public/testReport/junit/90_ucsschool/01_test_school_creation_ucsschool_role/slave2032/

Tomorrow it should run successfully.
Sounds good!

merge → OK
changelog → OK
yaml → OK
Jenkins tests pass as expected → verify
Errata updates for UCS@school 4.4 v9 have been released.

https://docs.software-univention.de/changelog-ucsschool-4.4v9-de.html

If this error occurs again, please clone this bug.