More or less similar issue, but with another root cause, which we should also prevent. This is not as critical as the original bug, but nevertheless with impact.

Custom preupdate script /var/lib/local-preup.sh not found
Checking disk_space ... OK
Checking failed_ldif ... OK
Checking hold_packages ... OK
Checking kernel ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... 67d3453f UNKNOWN attributeDescription "XMPPENABLED" inserted.
67d3453f UNKNOWN attributeDescription "XMPPDOMAIN" inserted.
67d3453f UNKNOWN attributeDescription "XMPPDOMAINS" inserted.
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=cc1,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=support,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=regi,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=michi,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=alex,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPHost'
dn: cn=ucs-dc1,cn=dc,cn=computers,dc=schein,dc=local
OK
Checking master_version ... OK
Checking minimum_ucs_version_of_all_systems_in_domain ... OK
Checking overwritten_umc_templates ... OK
Checking package_status ... OK
Checking role_package_removed ... OK
Checking slapd_on_member ... OK
Checking ssh ... OK
Checking system_date_too_old ... OK
Checking term ... OK
Checking valid_machine_credentials ... OK
Paketlisten werden gelesen...

when the update then starts. I am not surprised that the LDAP is broken afterwards:

Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.schema wird installiert ...
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832... done.
Moving old database directories to /var/backups:
- directory cn=translog... done.
- directory dc=schein,dc=local... done.
Loading from /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832:
- directory cn=translog... done.
- chowning database directory (openldap:openldap)... done
- directory dc=schein,dc=local... failed.
Loading the database from the LDIF dump failed with the following error while running slapadd:
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.5) or chardet (5.1.0) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
<= str2entry: str2ad(XMPPENABLED): attribute type undefined
slapadd: could not parse entry (line=376)
Stopping slapd (via systemctl): slapd.serviceESC[0;1;38;5;185mWarning: The unit file, source configuration file or drop-ins of slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.ESC[0m .
Removing obsolete conffile /etc/ldap/schema/ppolicy.schema ...

The primary dc has still this objectClass

univention-ldapsearch -LLL cn=ucs-dc1 objectClass
dn: cn=ucs-dc1,cn=dc,cn=computers,dc=schein,dc=local
objectClass: krb5KDCEntry
objectClass: univentionPolicyReference
objectClass: person
objectClass: univentionXMPPHost

And the preup check on the primary has no issue about that:

Custom preupdate script /var/lib/local-preup.sh not found
Checking disk_space ... OK
Checking failed_ldif ... OK
Checking hold_packages ... OK
Checking kernel ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
Checking master_version ... OK
Checking minimum_ucs_version_of_all_systems_in_domain ... OK
Checking overwritten_umc_templates ... OK
Checking package_status ... OK
Checking role_package_removed ... OK
Checking slapd_on_member ... OK
Checking ssh ... OK
Checking system_date_too_old ... OK
Checking term ... OK
Checking valid_machine_credentials ... OK
Paketlisten werden gelesen...

-------------------------------------------------------------------------------------------------------------

+++ This bug was initially created as a clone of Bug #58045 +++

When upgrading from UCS 5.1 to 5.2, a slapadd from backup.ldif fails with the following traceback.

slapd (2.5.13+dfsg-5A~5.2.0.202501141029) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/README wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/collective.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/corba.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/core.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/core.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/cosine.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/cosine.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/duaconf.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/dyngroup.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/dyngroup.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/inetorgperson.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/java.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/misc.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/misc.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/nis.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/nis.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/openldap.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/openldap.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.schema wird installiert ...
Multifile: /etc/ldap/slapd.conf
File: /etc/init.d/slapd
Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832... done.
Moving old database directories to /var/backups:
- directory cn=internal... done.
- directory cn=translog... done.
- directory dc=dde001826,dc=com... done.
Loading from /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832:
- directory cn=internal... done.
- chowning database directory (openldap:openldap)... done
- directory cn=translog... failed.
Loading the database from the LDIF dump failed with the following error while running slapadd:
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.5) or chardet (5.1.0) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
<= str2entry NULL (smr_normalize reqDN 21)
slapadd: could not parse entry (line=14068)
Stopping slapd (via systemctl): slapd.serviceESC[0;1;38;5;185mWarning: The unit file, source configuration file or drop-ins of slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.ESC[0m .
Removing obsolete conffile /etc/ldap/schema/ppolicy.schema ...
Removing obsolete conffile /etc/ldap/schema/ppolicy.ldif ...
Multifile: /etc/ldap/slapd.conf
File: /etc/init.d/slapd

As a result, the LDAP cannot be accessed during the upgrade and the respective join scripts cannot be executed due to invalid credentials. The system is thus completely destroyed and the upgrade cannot be continued. I would therefore classify the bug as critical.
So rejoin helps, but there are entries (like in this case the primary account) missing

univention-ldapsearch -LLL cn=ucs-dc1 1.1
dn: cn=ucs-dc1,cn=schein.local,cn=dhcp,dc=schein,dc=local
I think the pre-update-check function "ldap_schema" failed here to recognize that some schema containing objectClasses "univentionXMPPAccount" and "univentionXMPPHost" has been installed (and then uninstalled?). Maybe we can inspect the environment to better understand how situations like these can be prevented.

The error message

> str2entry: str2ad(XMPPENABLED): attribute type undefined

looks very different from Bug #58045. Also it affects the domain partition instead of cn=translog.
yeah, very strange, the pre-up check should abort the update if there is a problem with the schema

--
/usr/sbin/slapschema -f /etc/ldap/slapd.conf 1>&2 && return 0
echo "› There is a problem with the LDAP schema on this system."
echo "› Please check $UPDATER_LOG or run 'slapschema' manually."
return 1
--

in this case he found problems, but says OK?
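The check quoted above trusts only the exit status of slapschema, while the log in this report shows violations printed and the check still reporting OK. As an added example (not part of the thread and not Univention's code), a gate that fails on either a non-zero exit status or violation lines in the output; the function names and the `fake_*` stand-ins are constructed so it runs offline.

```sh
#!/bin/sh
# Added example, not the UCS preup.sh. On a real system the call would be:
#   check_ldap_schema /usr/sbin/slapschema -f /etc/ldap/slapd.conf

# Patterns copied from the tool output quoted in this report.
VIOLATION_RE='Object class violation|UNKNOWN attributeDescription|attribute type undefined'

# Read slapschema-style output on stdin and print the DN that follows each
# "# (NN) ..." violation comment (line layout assumed from the quoted log).
list_violating_dns() {
    awk '/^# \([0-9]+\) / { want = 1; next }
         want && /^dn: /  { print substr($0, 5); want = 0 }'
}

# check_ldap_schema CMD [ARGS...]
# Succeeds only if CMD exits 0 AND its output contains no violation line.
check_ldap_schema() {
    out=$("$@" 2>&1) && rc=0 || rc=$?
    n=$(printf '%s\n' "$out" | grep -E -c -- "$VIOLATION_RE" || true)
    if [ "$rc" -ne 0 ] || [ "$n" -gt 0 ]; then
        echo "ldap_schema: FAIL (exit=$rc, violation lines=$n)" >&2
        printf '%s\n' "$out" | list_violating_dns | sed 's/^/  affected: /' >&2
        return 1
    fi
    echo "ldap_schema: OK"
}

# Constructed stand-ins for slapschema so the gate can be exercised offline.
fake_clean()  { return 0; }
fake_error()  { echo "constructed failure"; return 1; }
# Mimics the case in this report: violations are printed, exit status is 0.
fake_masked() {
    echo "# (65) Object class violation: unrecognized objectClass 'univentionXMPPHost'"
    echo "dn: cn=ucs-dc1,cn=dc,cn=computers,dc=schein,dc=local"
    return 0
}

check_ldap_schema fake_masked || echo "update aborted before any package is touched"
```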
Somehow after the update to UCS 5.2 there was still an objectClass on the primary computer object that was no longer defined in the schema. Unfortunately, the search of the S4 Connector join script on the backup did not return any results and the S4 Connector was activated on the backup. As a result, the S4 Connector was active on the primary and on the backup.
ucs-patches:97b0f06a5 | Fix for ITS#7901

> build-package-architecture-ng -r 5.0-0-0 -s errata5.0-10 --version "2.4.47+dfsg-3+deb10u7A~5.0.10.202503251748" -p openldap
Package: openldap
Version: 2.4.47+dfsg-3+deb10u7A~5.0.10.202503251748
Branch: 5.0-0
Scope: errata5.0-10

ucs:749b58e17ed | Advisory

As noted on the issue, after release via errata5.0-10 we need to update MIN_VERSION_SYSTEM in
* https://updates.software-univention.de/dists/ucs510/ preup.sh
* https://updates.software-univention.de/download/univention-update-checks/ pre-update-checks-5.2-0
OK - slapschema returns != 0 in case any object is invalid
OK - openldap 2.4.47+dfsg-3+deb10u7A~5.0.10.202503251748
OK - 99_ITS-7901-slapschema-continuemode-and-preserve-rc.quilt
OK - yaml
<https://errata.software-univention.de/#/?erratum=5.0x1230>