Univention Bugzilla – Bug 54465
Slapd not running on unjoined Backup/Replica servers
Last modified: 2022-08-31 12:19:33 CEST
When installing a replica server in UCS 5.0 and then upgrading it without joining, the upgrade stops before 5.0-1 because slapd, univention-ldap-server etc. are not configured. The configuration of slapd fails because of a syntax error:

/etc/ldap/slapd.conf: line 65: <suffix> invalid DN 21 (Invalid syntax)

This syntax error happens because the schemas (especially core.schema) are not included and not fetched from the master, because the server is not joined (yet). The attribute "dc" is therefore unknown and every DN is invalid.

Including the schema from conffiles/etc/ldap/slapd.conf.d/10univention-ldap-server_schema makes slapd start again and the packages can be configured. The update can resume then. We could think about adjusting the 5.0-1 postinst to do this automatically.
Created attachment 10919: fake_initial_schema.sh

The attached script uses a function from the join script 01univention-ldap-server-init.inst to fix the missing schema in the slapd.conf. Running the following two commands fixed the configuration of the packages:

fake_initial_schema.sh
apt-get -f install

After that the upgrade to 5.0-1 should work. We could probably add this to the UCS 5.0-1 preup.sh.
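The mechanism in the description (suffix parsed before any schema include, so "dc" is unknown and the suffix DN is rejected) and the workaround in comment 1 suggest a quick check an administrator can run before attempting apt-get -f install. The following POSIX shell script is an added example; it is not the attached fake_initial_schema.sh and not Univention code. It assumes a slapd.conf with one directive per line and that the schema arrives through an include line naming core.schema; the sample configs and the temporary directory it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the attached fake_initial_schema.sh, not Univention code):
# detect the failure mode from the bug description, a slapd.conf in which the
# "suffix" directive is reached before any schema include, so the "dc"
# attribute type is unknown and the suffix DN is rejected ("invalid DN 21").
# Assumptions: one directive per line; the schema is pulled in via an
# "include ... core.schema" line (on UCS normally generated from
# slapd.conf.d/10univention-ldap-server_schema).

# Return 0 when core.schema is included before the first "suffix" line,
# 1 otherwise (suffix before any include, or either directive missing),
# 2 when the file cannot be read.
check_schema_include() {
    conf="$1"
    [ -r "$conf" ] || return 2
    awk '
        /^[ \t]*include[ \t]/ && /core\.schema/ { have_schema = 1; next }
        /^[ \t]*suffix[ \t]/ { seen_suffix = 1; exit }
        END { if (have_schema && seen_suffix) exit 0; exit 1 }
    ' "$conf"
}

# Human-readable verdict; on a real node: report /etc/ldap/slapd.conf
report() {
    check_schema_include "$1"
    case $? in
        0) echo "$1: core.schema is included before suffix; DNs should parse" ;;
        1) echo "$1: suffix is reached before core.schema; slapd rejects the suffix DN (the error in this bug)" ;;
        *) echo "$1: cannot read file" ;;
    esac
    # On a real host, confirm with a dry-run parse of the config (needs slapd tools):
    #   slaptest -u -f /etc/ldap/slapd.conf
}

# Constructed sample configs for a stand-alone run (not files from a real node).
write_samples() {
    dir="${TMPDIR:-/tmp}/slapd-schema-check.$$"
    mkdir -p "$dir"
    # Shape of the unjoined node: the schema include lines never arrived.
    cat > "$dir/broken.conf" <<'EOF'
# include lines normally come from slapd.conf.d/10univention-ldap-server_schema
database mdb
suffix "dc=example,dc=test"
rootdn "cn=admin,dc=example,dc=test"
EOF
    # Healthy shape: core.schema defines "dc" before the suffix is parsed.
    cat > "$dir/healthy.conf" <<'EOF'
include /etc/ldap/schema/core.schema
database mdb
suffix "dc=example,dc=test"
rootdn "cn=admin,dc=example,dc=test"
EOF
    printf '%s\n' "$dir"
}

# With a path argument, check that file; without one, run the demo on the samples.
if [ -n "${1:-}" ]; then
    report "$1"
else
    d=$(write_samples)
    report "$d/healthy.conf"
    report "$d/broken.conf"
    rm -rf "$d"
fi
```

The awk pass stops at the first suffix directive because that is exactly where slapd fails in the report: whatever comes after it never gets parsed, so only includes above that line matter. The check is a cheap pre-flight; the dry-run slaptest line in the comment is the authoritative validation on a host that has the slapd tools installed.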
also reproduced when installing with 5.0-1 ISO

same repro:
- install UCS
- choose "join into existing UCS domain" and either Backup or Replica
- choose not to join after installation
- choose to install available updates

once the system is installed, upgraded and started the slapd shows the same behavior as described in the initial bug description.
(In reply to Dirk Ahrnke from comment #2)
> also reproduced when installing with 5.0-1 ISO
>
> same repro:
> - install UCS
> - choose "join into existing UCS domain" and either Backup or Replica
> - choose not to join after installation
> - choose to install available updates
>
> once the system is installed, upgraded and started the slapd shows the same
> behavior as described in the initial bug description.

Did the slapd not running cause any problems for you? The slapd doesn't run on an unjoined system, whether it is updated or not. The slapd.conf is not made for that case.

I guess it's annoying that one can't update to a minor/patchlevel etc. release because the package status failure prevents that. That's why we opened the bug. The error you are seeing may be ugly, but your system should be functional and able to join.
We had problems joining the Replica Nodes into the domain with the state described in the initial bug description.

root@dn2:~# tail /var/log/univention/join.log
OK: UCS version on dn1.training.ucs is higher or equal (5.01) to the local version (5.00).
**************************************************************************
* Join failed!
*
* Contact your system administrator
*
**************************************************************************
* Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- The OpenLDAP extension memberOf is activated on the UCS Primary (UCR variable ldap/overlay/memberof is true). In order to join this system successfully the package "univention-ldap-overlay-memberof" has to be installed.
**************************************************************************

This behaviour appears not to be reproducible with the 5.0-1 scenario.
We also had this behaviour in Schulportal-SH! After upgrading to UCS5 everything worked fine, but after a re-join from 5.0-1, a backup node wasn't able to join due to LDAP errors.
This causes a lot of confusion for customers and inhibits upgrading an unjoined system without breaking the package statuses. I think we should just revert 20ef0e8bc98 and go back to the old state, where slapd used some default config before the join.
This is especially annoying because joining an old replica to a new primary fails with unknown attr "univentionRadiusPassword" (https://forge.univention.org/bugzilla/show_bug.cgi?id=54629). So, joining fails because we need an update, and updating fails because we need to be joined.
Just in addition, my comment from Bug 54548 seems to fit here much better.
2 occurrences during UCS training week 26. The workaround using fake_initial_schema.sh did not help; package state still broken.
Package: univention-ldap
Version: 16.0.7-20A~5.0.0.202208160905
Branch: ucs_5.0-0
Scope: errata5.0-2

af1dd6eaaca8 | Bug #54465: Update advisory
9e9631cac453 | fixup! Bug #54465: changelog and advisory for univention-ldap
5bb9a9f6e0f2 | Bug #54465: changelog and advisory for univention-ldap
4f4b22ee05a0 | Bug #54465: create fake initial schema for unjoined backup/replica too
OK: slapd running on unjoined Replica/Backup servers
OK: join
OK: yaml

Verified
<https://errata.software-univention.de/#/?erratum=5.0x400>