With UCS 5.2 before the upgrade to UCS 5.1 is possible we should require that domains migrated to the correct LDAP representation of st (state) and c (country). - [ ] We can simply check for the UCR variable in the preup.sh. - [ ] We should remove the UCR variable from the code and have only one mapping +++ This bug was initially created as a clone of Bug #50073 +++ Split off from Bug 50033 Comment 5: We also postponed the synchronizarion of UDM property "country", because there is a quirk in the definition of this UDM property: It ist mapped to LDAP attribute "st" instead of "c". To get out of this we would also need to create a UDM property to sync "c". And we probably should change the UDM poperty names to match the LDAP attributes. After that, we may add them to the S4-Connector mapping (st<->st and c<->c, instead of "st<->c").
OK: preup.sh checks require the migration OK: script and diagnostic module have been removed OK: changelog entry OK: Jenkins .cfg files are doing the migration
univention-updater (16.0.8) 0103c414d0c4 | ci(jenkins): check for LDAP country migration in pre upgrade univention-management-console-module-diagnostic (7.0.5) f2e6cffb68d4 | feat(udm): remove configurability of country/state property univention-directory-manager-modules (16.0.7) f2e6cffb68d4 | feat(udm): remove configurability of country/state property ucs-test (11.0.8) f2e6cffb68d4 | feat(udm): remove configurability of country/state property NONE 9df973ab6530 | ci(jenkins): add prepare_domain_for_ucs50_preup_checks to all upgrade Jenkins jobs
This pre-update check "user_country_mapping" currently hits if you try to join a UCS 5.0-9 replica into a (fresh) 5.2-0 primary, see logs below. While this is a unicorn corner case, there are two points that we may want to improve here: 1. Why is this necessary in this case? Is the migration step really needed in this case? 2. The check just fails and outputs some text telling the admin that they need to do something manually. (Why) can't the check simply do the required change? Maybe ask for credentials if run interactively? ======= # https://jenkins2022.knut.univention.de/view/Active/job/UCS-5.2/job/UCS-5.2-0/job/Keycloak%20Product%20Tests/mode=no-keycloak/ws/test/replicanokeycloak50/ **** Starting univention-updater 5.0-9 with parameter=['/usr/share/univention-updater/univention-updater', 'net', '--updateto', '5.1-0', '--silent', '--ignoressh', '--ignoreterm'] --->DBG:update_available(mode=net) Checking network repository Update to = 5.1-0 **** Downloading scripts at Fri Nov 8 06:03:58 2024 **** Starting actual update at Fri Nov 8 06:03:58 2024 Starting /tmp/tmpb419x01p/http:__updates-test.knut.univention.de_dists_ucs510_preup.sh (Fri 08 Nov 2024 06:03:58 AM CET): HINT: Please check the release notes carefully BEFORE updating to UCS 5.1-0: English version: https://docs.software-univention.de/release-notes/5.1-0/en/ German version: https://docs.software-univention.de/release-notes/5.1-0/de/ Please also consider documents of following release updates and 3rd party components. Update will wait here for 60 seconds... Press CTRL-c to abort or press ENTER to continue Checking disk_space ... OK Checking failed_ldif ... OK Checking hold_packages ... OK Checking kernel ... OK Checking keycloak_migration ... OK Checking ldap_connection ... OK Checking ldap_schema ... OK Checking legacy_objects ... OK Checking master_version ... OK Checking minimum_ucs_version_of_all_systems_in_domain ... OK Checking openldap_bdb ... OK Checking overwritten_umc_templates ... OK Checking package_status ... OK Checking role_package_removed ... OK Checking slapd_on_member ... OK Checking ssh ... OK Checking system_date_too_old ... OK Checking term ... OK Checking user_country_mapping ... FAIL Checking valid_machine_credentials ... OK The system can not be updated to UCS 5.1 due to the following reasons: user_country_mapping: Users in LDAP need to be migrated so their "country" property is stored in the correct LDAP attribute "c" instead of in the state ("st"). UCS 5.0 supported both configurations. With UCS 5.1 only the correct mapping is supported. A migration is necessary before upgrading. The migration can be performed using the command /usr/share/univention-directory-manager-tools/udm-remap-country-from-st-to-c or using the UMC module "System diagnostic". Error: Update aborted by pre-update script of release 5.1-0 exitcode of univention-updater: 1 ERROR: update failed. Please check /var/log/univention/updater.log =======
What is the point of asking the customer if this is required for the update, why not just do it on the primary in the preup?
we will improve this by: - update_check_user_country_mapping only on primary - run /usr/share/univention-directory-manager-tools/udm-remap-country-from-st-to-c on primary by default, don't ask (can be disabled by ucr)