The initialization of UDL via replication.py with OpenLDAP 2.5 doesn't work anymore due to new builtin OIDs in slapd.

```
LISTENER ( ERROR ) : ldap_extension: slapd.conf validation failed: /var/lib/univention-ldap/schema.conf: line 4 attributetype: Duplicate attributeType: "1.3.6.1.4.1.4203.666.1.60"
slaptest: bad configuration file!
```
New LDAP attributes and objectClasses are added all the time. Currently we maintain 2 lists of OIDs exempted from replication:

1. management/univention-directory-replication/replication.py
2. patches/openldap/ucs_5.1-0/2.4.57+dfsg-3+deb11u1/30_postinst.patch

While 1. needs to be updated to exempt them during normal replication, 2. is required for situations where a domain gets updates: As the Primary is updated first, it may introduce additional attributes, which are then replicated by OLDER hosts and end up in their `/var/lib/univention-ldap/schema.conf`. As long as they run the old SLAPD this is not an issue as there the new attribute is not yet defined INTERNALLY. But as soon as these replicating hosts are also upgraded, the new SLAPD will find the attribute then defined twice and will abort. For that reason only we have to maintain 2.

Maintaining these lists is a pain, maintaining it twice is worse. Actually it is thrice as the OIDs are listed two times in 2.: once as comments and again as arguments to `egrep`.

Instead of searching ldap://$primary/cn=Subschema we could change `replication.py` to search ldap://$primary/cn=schema,cn=config instead:

- it returns the individual `*.schema` files as sub-entries as configured on the Primary
- we can easily filter out the base `cn=schema,cn=config` itself, which contains all the INTERNAL OpenLDAP definitions.

This would require an ACL change as accessing `cn=config` is currently restricted to local access via ldapi:/// only. Opening up access to `cn=config` would also allow us to replicate the "index configuration" (Bug #44925) and would allow us to trigger on online-index-update (Bug #50673).

(In reply to Florian Best from comment #0)
> Duplicate attributeType: "1.3.6.1.4.1.4203.666.1.60"

This is "pKCS8PrivateKey" from "git:OPENLDAP_REL_ENG_2_5_0ALPHA~68^2~21"

Also: 1.3.6.1.4.1.42.2.27.8.1.29 pwdLastSuccess from "git:OPENLDAP_REL_ENG_2_5_0ALPHA~63^2~9"
```
[5.0-4] 646b2edce2 feat(replication): Add missing OIDs from OpenLDAP 2.5
 doc/changelog/index.rst                                        |   9 +
 management/univention-directory-replication/README.md          |  27 ++
 management/univention-directory-replication/debian/changelog   |   6 +
 .../univention-directory-replication/debian/ucslint.overrides  |   1 +
 management/univention-directory-replication/oid_skip.py        | 101 ++++++++
 management/univention-directory-replication/oid_skip.txt       | 366 ++++++++++++++++++++++++++++
 6 files changed, 510 insertions(+)

[5.0-4] 7d81640d4a fix(replication): Add missing OIDs
 management/univention-directory-replication/oid_skip.txt | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

[5.0-4] b8b619d56c style(replication): Reorder OIDs
 management/univention-directory-replication/debian/rules    |   1 +
 .../debian/univention-directory-replication.dirs            |   1 +
 management/univention-directory-replication/oid_skip.txt    | 212 +++++++++++++++++
 management/univention-directory-replication/replication.py  | 351 +---------------------------
 4 files changed, 216 insertions(+), 349 deletions(-)

[5.0-4] 727360659d perf(replication): Switch OID form list() to set()
 management/univention-directory-replication/replication.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
```

Package: univention-directory-replication
Version: 13.0.4-1
Branch: ucs_5.0-0
Scope: ucs5.0-4
During the initial join of a Backup I found this in join.log:

```
Configure 03univention-directory-listener.inst Fri Jun 16 13:29:25 CEST 2023
2023-06-16 13:29:25.096826531+02:00 (in joinscript_init)
16.06.23 13:29:25.400 DEBUG_INIT
16.06.23 13:29:25.414 LDAP ( PROCESS ) : connecting to ldap://dc27.phahn.dev:7389
16.06.23 13:29:28.528 LISTENER ( WARN ) : handler: replication (not ready) (ignore)
Restarting slapd (via systemctl): …
16.06.23 13:29:29.941 LISTENER ( WARN ) : Set Schema ID to 6
16.06.23 13:29:29.941 LISTENER ( WARN ) : initializing module replication
File: /var/lib/univention-ldap/ldap/DB_CONFIG
slapd: Kein Prozess gefunden
File: /var/lib/univention-ldap/ldap/DB_CONFIG
Starting slapd (via systemctl): …
16.06.23 13:29:34.761 LISTENER ( ERROR ) : replication: Invalid syntax; dn="cn=default,cn=ppolicy,cn=univention,dc=phahn,dc=dev": Error
16.06.23 13:29:34.762 LISTENER ( ERROR ) : additional info: objectClass: value #2 invalid per syntax
16.06.23 13:29:35.511 LISTENER ( WARN ) : finished initializing module replication with rv=0
```

Join proceeded anyway, but "cn=default,cn=ppolicy" was not replicated at all:

@Primary:
```
# univention-ldapsearch -LLLo ldif-wrap=no -s base -b cn=default,cn=ppolicy,cn=univention,dc=phahn,dc=dev
dn: cn=default,cn=ppolicy,cn=univention,dc=phahn,dc=dev
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdAllowUserChange: TRUE

# ldapsearch -xLLLo ldif-wrap=no -s base -b cn=Subschema objectClasses -E mv='(objectClasses=pwdPolicy)'
dn: cn=Subschema
objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )

# grep -e ppolicy -e pwdPolicy /etc/ldap/slapd.conf /etc/ldap/schema/ppolicy.schema
/etc/ldap/slapd.conf:include /etc/ldap/schema/ppolicy.schema
/etc/ldap/schema/ppolicy.schema:# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.2.2.4 2007/01/02 21:44:09 kurt Exp $
/etc/ldap/schema/ppolicy.schema:        NAME 'pwdPolicyChecker'
/etc/ldap/schema/ppolicy.schema:        NAME 'pwdPolicy'
```

@Backup:
```
# univention-ldapsearch -LLLo ldif-wrap=no -s base -b cn=default,cn=ppolicy,cn=univention,dc=phahn,dc=dev
No such object (32)
Matched DN: cn=ppolicy,cn=univention,dc=phahn,dc=dev

# ldapsearch -xLLLo ldif-wrap=no -s base -b cn=Subschema objectClasses -E mv='(objectClasses=pwdPolicy)'
dn: cn=Subschema

# grep -F 1.3.6.1.4.1.42.2.27.8.2.1 /usr/share/univention-ldap/oid_skip
1.3.6.1.4.1.42.2.27.8.2.1
```
OpenLDAP 2.5 massively extended the built-in `ppolicy` schema. Running `./oid_skip.py |grep ppolicy` returns

- 11 ATs and 1 OC on UCS 5.0-4 with OpenLDAP 2.4.47
- 40 ATs and 2 OCs on UCS 5.2-0 with OpenLDAP 2.5

`/etc/ldap/schema/ppolicy.schema` defines

- 17 ATs and 2 OCs

```
# grep -Eoe ' \<1\.3\.6\.1\.4\.1\.(42|4754)(\.[0-9]+)+\>' /etc/ldap/schema/ppolicy.schema > ./oids
# grep -Fwf ./oids oid_skip.txt
1.3.6.1.4.1.42.2.27.8.1.1 # ppolicy: attributeType.pwdAttribute
1.3.6.1.4.1.42.2.27.8.1.2 # ppolicy: attributeType.pwdMinAge
1.3.6.1.4.1.42.2.27.8.1.3 # ppolicy: attributeType.pwdMaxAge
1.3.6.1.4.1.42.2.27.8.1.4 # ppolicy: attributeType.pwdInHistory
1.3.6.1.4.1.42.2.27.8.1.5 # ppolicy: attributeType.pwdCheckQuality
1.3.6.1.4.1.42.2.27.8.1.6 # ppolicy: attributeType.pwdMinLength
1.3.6.1.4.1.42.2.27.8.1.7 # ppolicy: attributeType.pwdExpireWarning
1.3.6.1.4.1.42.2.27.8.1.8 # ppolicy: attributeType.pwdGraceAuthNLimit
1.3.6.1.4.1.42.2.27.8.1.9 # ppolicy: attributeType.pwdLockout
1.3.6.1.4.1.42.2.27.8.1.10 # ppolicy: attributeType.pwdLockoutDuration
1.3.6.1.4.1.42.2.27.8.1.11 # ppolicy: attributeType.pwdMaxFailure
1.3.6.1.4.1.42.2.27.8.1.12 # ppolicy: attributeType.pwdFailureCountInterval
1.3.6.1.4.1.42.2.27.8.1.13 # ppolicy: attributeType.pwdMustChange
1.3.6.1.4.1.42.2.27.8.1.14 # ppolicy: attributeType.pwdAllowUserChange
1.3.6.1.4.1.42.2.27.8.1.15 # ppolicy: attributeType.pwdSafeModify
1.3.6.1.4.1.42.2.27.8.1.30 # ppolicy: attributeType.pwdGraceExpiry
1.3.6.1.4.1.42.2.27.8.2.1 # ppolicy: objectClass.pwdPolicy
1.3.6.1.4.1.4754.1.99.1 # ppolicy: attributeType.pwdCheckModule
1.3.6.1.4.1.4754.2.99.1 # ppolicy: objectClass.pwdPolicyChecker
```

This becomes problematic on updates to UCS 5.2:

- Primary is updated to 5.2
  > needs to disable `include ppolicy.schema` as otherwise the ATs and OCs are defined twice; afterwards all 28 ATs and 2 OCs are "exported"
- Backup / Replica are updated to 5.2
  > if those new OIDs were replicated, they are part of "/var/lib/univention-ldap/schema.conf" and `slapd` will refuse to start with "moduleload ppolicy.so".
  > We can add those (and others?) to https://git.knut.univention.de/univention/ucs-patches/-/blob/main/openldap/ucs_5.2-0/2.5.13%2Bdfsg-5/30_postinst.patch to get them removed during update to OpenLDAP 2.5
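The two failure modes discussed in this bug are mirror images of each other: an OID missing from the skip list ends up in `schema.conf` and makes `slaptest` fail with "Duplicate attributeType" once the local slapd defines it internally (comment #0), while an OID wrongly present in the skip list (the `pwdPolicy` objectClass above) is silently dropped and the replicated entry is rejected with "objectClass: value #2 invalid per syntax". The following is an added example, not Univention's `replication.py` or `oid_skip.py`: it parses the `OID # comment` format of `oid_skip.txt`, filters `cn=Subschema` definitions against it, and checks the lines that would be written to `schema.conf` against the set of OIDs the local slapd already has built in, so the collision is reported before slapd is restarted. The subschema LDIF, the skip lists and the `exampleSiteAttr` OID `1.3.6.1.4.1.99999.1.1` are constructed sample data; the built-in set uses the two OpenLDAP 2.5 OIDs named in this bug.

```python
"""Added example (not Univention's code): filter schema definitions by an
oid_skip-style list and detect OIDs the local slapd already defines."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# OID at the start of an RFC 4512 schema definition: "( 1.2.3.4 NAME ..."
_OID_RE = re.compile(r"^\(\s*([0-9]+(?:\.[0-9]+)+)\s")

# schema.conf directive for each cn=Subschema attribute
_DIRECTIVE = {"attributeTypes": "attributetype", "objectClasses": "objectclass"}

# Constructed sample: one builtin-in-2.5 attribute (pKCS8PrivateKey), one
# site-specific attribute, and the pwdPolicy objectClass from ppolicy.schema.
SUBSCHEMA_LDIF = """dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.4203.666.1.60 NAME 'pKCS8PrivateKey' DESC 'constructed sample' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleSiteAttr' DESC 'constructed sample' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute )
"""

# Constructed skip lists in oid_skip.txt format: the "old" one still exempts
# pwdPolicy (the bug above), the "fixed" one only exempts the 2.5 builtin.
OID_SKIP_OLD = """1.3.6.1.4.1.4203.666.1.60 # pKCS8PrivateKey
1.3.6.1.4.1.42.2.27.8.2.1 # ppolicy: objectClass.pwdPolicy
"""
OID_SKIP_FIXED = """1.3.6.1.4.1.4203.666.1.60 # pKCS8PrivateKey
"""

# OIDs an OpenLDAP 2.5 slapd defines internally (the two named in this bug).
OPENLDAP_25_BUILTIN = {
    "1.3.6.1.4.1.4203.666.1.60",  # pKCS8PrivateKey
    "1.3.6.1.4.1.42.2.27.8.1.29",  # pwdLastSuccess
}


def parse_oid_skip(text: str) -> Set[str]:
    """One OID per line; everything after '#' is a comment; blank lines allowed."""
    oids = set()
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            oids.add(body)
    return oids


def schema_oid(definition: str) -> str:
    """Extract the numeric OID from a schema definition string."""
    m = _OID_RE.match(definition.strip())
    if not m:
        raise ValueError(f"no OID in schema definition: {definition!r}")
    return m.group(1)


def parse_subschema(ldif: str) -> Dict[str, List[str]]:
    """Collect attributeTypes/objectClasses from a cn=Subschema dump
    (ldif-wrap=no assumed, i.e. one definition per line)."""
    out: Dict[str, List[str]] = {key: [] for key in _DIRECTIVE}
    for line in ldif.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key in out:
            out[key].append(value.strip())
    return out


def filter_schema(subschema: Dict[str, List[str]], skip: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (schema.conf lines to write, OIDs that were skipped)."""
    kept, skipped = [], []
    for key, definitions in subschema.items():
        for definition in definitions:
            oid = schema_oid(definition)
            if oid in skip:
                skipped.append(oid)
            else:
                kept.append(f"{_DIRECTIVE[key]} {definition}")
    return kept, skipped


def find_duplicates(schema_conf_lines: Iterable[str], builtin_oids: Set[str]) -> List[str]:
    """OIDs in generated schema.conf lines that the local slapd already defines;
    slaptest rejects these as 'Duplicate attributeType' / objectClass."""
    return [
        oid for oid in (schema_oid(line.partition(" ")[2]) for line in schema_conf_lines)
        if oid in builtin_oids
    ]


if __name__ == "__main__":
    sub = parse_subschema(SUBSCHEMA_LDIF)
    for label, text in (("old", OID_SKIP_OLD), ("fixed", OID_SKIP_FIXED)):
        kept, skipped = filter_schema(sub, parse_oid_skip(text))
        print(f"{label}: wrote {len(kept)} definitions, skipped {skipped}, "
              f"duplicates against 2.5 builtins: {find_duplicates(kept, OPENLDAP_25_BUILTIN)}")
```

With the old skip list the `pwdPolicy` objectClass is dropped, which is exactly why the Backup rejected `cn=default,cn=ppolicy`; with the fixed list it is written and `find_duplicates` still reports nothing, because the only OID the 2.5 slapd already knows is the one being skipped. Running `find_duplicates` over the output with an empty skip set shows the comment #0 failure ahead of `slaptest`.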
```
[5.0-4] 470c7368c7 fix(replication): Allow ppolicy OIDs
 management/univention-directory-replication/debian/changelog |  8 ++++++-
 management/univention-directory-replication/oid_skip.txt     | 38 ++++++++++++++++----------------
 2 files changed, 26 insertions(+), 20 deletions(-)

[5.0-4] 94936b8d6c fix(replication): Allow ppolicy OIDs 2
 management/univention-directory-replication/debian/changelog | 6 ++++++
 management/univention-directory-replication/debian/rules     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

[5.0-4] 73f41dccd3 fix(replication): Allow ppolicy OIDs 3
 management/univention-directory-replication/debian/changelog | 6 ++++++
 management/univention-directory-replication/debian/rules     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
```

Package: univention-directory-replication
Version: 13.0.5-1
Version: 13.0.6-1
Version: 13.0.7-1
Branch: ucs_5.0-0
Scope: ucs5.0-4

OK: `univention-ldapsearch -LLLo ldif-wrap=no -s base -b cn=default,cn=ppolicy,cn=univention,dc=phahn,dc=dev` was replicated
OK: No other error in join.log
OK: join succeeded
Verified:
* Change review
* Binary package contains new file /usr/share/univention-ldap/oid_skip
* Generated from source package file management/univention-directory-replication/oid_skip.txt
* Release changelog entry explaining the change
* CI tests look good
* Manual test ok

TODO for 5.2-0:
* add them to openldap/ucs_5.2-0/2.5.13+dfsg-5/30_postinst.patch
UCS 5.0-4 has been released: https://docs.software-univention.de/release-notes/5.0-4/en/

If this error occurs again, please use the 'Clone This Bug' option.