Happened again!

Starting /tmp/tmpk_izuu7m/https:__updates.software-univention.de_dists_ucs510_preup.sh (Do 3. Apr 21:10:13 CEST 2025):

HINT:
Please check the release notes carefully BEFORE updating to UCS 5.1-0:
UCS 5.1-0 is an intermediate release and must not be used in production.
After the update to UCS 5.1-0 make sure to immediately update to UCS 5.2-0,
the updater will ask you to do so.
All the necessary information is therefore in the release notes for UCS 5.2-0.
 English version: https://docs.software-univention.de/release-notes/5.2-0/en/
 German version: https://docs.software-univention.de/release-notes/5.2-0/de/

Please also consider documents of following release updates and
3rd party components.

Do you want to continue [Y/n]?
Custom preupdate script /var/lib/local-preup.sh not found

Checking auth_faillog ... OK
Checking blocking_apps ... Starting univention-upgrade. Current UCS version is 5.0-10 errata1240
Unable to cache apps
Unable to cache apps
OK
Checking disk_space ... OK
Checking docker_storage_driver ... OK
Checking failed_ldif ... OK
Checking for_postgresql96 ... OK
Checking hold_packages ... OK
Checking kernel ... OK
Checking keycloak_migration ... OK
Checking ldap_connection ... OK
Checking ldap_schema ...
67eedd25 UNKNOWN attributeDescription "CLIENTSECRET" inserted.
67eedd25 UNKNOWN attributeDescription "CLIENTID" inserted.
67eedd25 UNKNOWN attributeDescription "APPLICATIONTYPE" inserted.
67eedd25 UNKNOWN attributeDescription "REDIRECTURI" inserted.
67eedd25 UNKNOWN attributeDescription "TRUSTED" inserted.
OK
Checking legacy_objects ... OK
Checking master_version ... OK
Checking min_version ... OK
Checking minimum_ucs_version_of_all_systems_in_domain ... OK
Checking openldap_bdb ... OK
Checking overwritten_umc_templates ... OK
Checking package_status ... OK
Checking role_package_removed ... OK
Checking selinux_deactivated ... OK
Checking slapd_on_member ... OK
Checking ssh ... OK
Checking system_date_too_old ... OK
Checking term ... OK
Checking user_country_mapping ... OK
Checking valid_machine_credentials ... OK
Checking verify_translog_schema ... OK

> Several LDAP objects are no longer supported with UCS 5.2 and are removed automatically.
> An LDIF file of removed objects is available: /var/univention-backup/update-to-5.1-0/removed_with_ucs5_2025-04-03-43.ldif
> Removing objects with obsolete objectClasses
>> (structuralObjectClass=univentionPortalEntry)
Deleting object(s) with dn:
cn=m23,cn=portal,cn=univention,dc=schein,dc=de
cn=OWA,cn=portal,cn=univention,dc=schein,dc=de
cn=OTRS,cn=portal,cn=univention,dc=schein,dc=de
cn=Slack,cn=portal,cn=univention,dc=schein,dc=de

[...]

Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.schema wird installiert ...
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
  Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832... done.
  Moving old database directories to /var/backups:
  - directory cn=internal... done.
  - directory cn=translog... done.
  - directory dc=becon,dc=de... done.
  Loading from /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832:
  - directory cn=internal... done.
  - chowning database directory (openldap:openldap)... done
  - directory cn=translog... done.
  - chowning database directory (openldap:openldap)... done
  - directory dc=becon,dc=de... failed.

Loading the database from the LDIF dump failed with the following error while running slapadd:
    <= str2entry: str2ad(UNIVENTIONCERTIFICATEDAYS): attribute type undefined
    slapadd: could not parse entry (line=15467)
    Error, entries missing!
      entry 195: ou=disabled,dc=becon,dc=de
      entry 196: ou=user,ou=disabled,dc=becon,dc=de
Stopping slapd (via systemctl): slapd.service
Warning: The unit file, source configuration file or drop-ins of slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Removing obsolete conffile /etc/ldap/schema/ppolicy.schema ...
Removing obsolete conffile /etc/ldap/schema/ppolicy.ldif ...

=============================================================================

+++ This bug was initially created as a clone of Bug #58072 +++

More or less similar issue, but with another root cause, which we should also prevent. This is not as critical as the original bug, but nevertheless with impact.

Custom preupdate script /var/lib/local-preup.sh not found

Checking disk_space ... OK
Checking failed_ldif ... OK
Checking hold_packages ... OK
Checking kernel ... OK
Checking ldap_connection ... OK
Checking ldap_schema ...
67d3453f UNKNOWN attributeDescription "XMPPENABLED" inserted.
67d3453f UNKNOWN attributeDescription "XMPPDOMAIN" inserted.
67d3453f UNKNOWN attributeDescription "XMPPDOMAINS" inserted.
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=cc1,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=support,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=regi,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=michi,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPAccount'
dn: uid=alex,cn=users,dc=schein,dc=local
# (65) Object class violation: unrecognized objectClass 'univentionXMPPHost'
dn: cn=ucs-dc1,cn=dc,cn=computers,dc=schein,dc=local
OK
Checking master_version ... OK
Checking minimum_ucs_version_of_all_systems_in_domain ... OK
Checking overwritten_umc_templates ... OK
Checking package_status ... OK
Checking role_package_removed ... OK
Checking slapd_on_member ... OK
Checking ssh ... OK
Checking system_date_too_old ... OK
Checking term ... OK
Checking valid_machine_credentials ... OK
Paketlisten werden gelesen...

when the update then starts. It does not surprise me that the LDAP is broken afterwards:

Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.schema wird installiert ...
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
  Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832... done.
  Moving old database directories to /var/backups:
  - directory cn=translog... done.
  - directory dc=schein,dc=local... done.
  Loading from /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832:
  - directory cn=translog... done.
  - chowning database directory (openldap:openldap)... done
  - directory dc=schein,dc=local... failed.

Loading the database from the LDIF dump failed with the following error while running slapadd:
    /usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.5) or chardet (5.1.0) doesn't match a supported version!
      warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
    <= str2entry: str2ad(XMPPENABLED): attribute type undefined
    slapadd: could not parse entry (line=376)
Stopping slapd (via systemctl): slapd.service
Warning: The unit file, source configuration file or drop-ins of slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Removing obsolete conffile /etc/ldap/schema/ppolicy.schema ...

The primary DC still has this objectClass:

univention-ldapsearch -LLL cn=ucs-dc1 objectClass
dn: cn=ucs-dc1,cn=dc,cn=computers,dc=schein,dc=local
objectClass: krb5KDCEntry
objectClass: univentionPolicyReference
objectClass: person
objectClass: univentionXMPPHost

And the preup check on the primary has no issue about that:

Custom preupdate script /var/lib/local-preup.sh not found

Checking disk_space ... OK
Checking failed_ldif ... OK
Checking hold_packages ... OK
Checking kernel ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
Checking master_version ... OK
Checking minimum_ucs_version_of_all_systems_in_domain ... OK
Checking overwritten_umc_templates ... OK
Checking package_status ... OK
Checking role_package_removed ... OK
Checking slapd_on_member ... OK
Checking ssh ... OK
Checking system_date_too_old ... OK
Checking term ... OK
Checking valid_machine_credentials ... OK
Paketlisten werden gelesen...

-----------------------------------------------------------------------------

+++ This bug was initially created as a clone of Bug #58045 +++

When upgrading from UCS 5.1 to 5.2, a slapadd from backup.ldif fails with the following traceback.

slapd (2.5.13+dfsg-5A~5.2.0.202501141029) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/README wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/collective.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/corba.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/core.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/core.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/cosine.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/cosine.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/duaconf.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/dyngroup.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/dyngroup.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/inetorgperson.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/java.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/misc.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/misc.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/nis.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/nis.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/openldap.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/openldap.schema wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.ldif wird installiert ...
Neue Version der Konfigurationsdatei /etc/ldap/schema/pmi.schema wird installiert ...
Multifile: /etc/ldap/slapd.conf
File: /etc/init.d/slapd
  Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832... done.
  Moving old database directories to /var/backups:
  - directory cn=internal... done.
  - directory cn=translog... done.
  - directory dc=dde001826,dc=com... done.
  Loading from /var/backups/slapd-2.4.57+dfsg-3+deb11u1A~5.1.0.202501151832:
  - directory cn=internal... done.
  - chowning database directory (openldap:openldap)... done
  - directory cn=translog... failed.

Loading the database from the LDIF dump failed with the following error while running slapadd:
    /usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.5) or chardet (5.1.0) doesn't match a supported version!
      warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
    <= str2entry NULL (smr_normalize reqDN 21)
    slapadd: could not parse entry (line=14068)
Stopping slapd (via systemctl): slapd.service
Warning: The unit file, source configuration file or drop-ins of slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Removing obsolete conffile /etc/ldap/schema/ppolicy.schema ...
Removing obsolete conffile /etc/ldap/schema/ppolicy.ldif ...
Multifile: /etc/ldap/slapd.conf
File: /etc/init.d/slapd

As a result, the LDAP cannot be accessed during the upgrade and the respective join scripts cannot be executed due to invalid credentials. The system is thus completely destroyed and the upgrade cannot be continued. I would therefore classify the bug as critical.
Do we have access to the environment? UCS/errata version (ucr search --brief version)?
updater.log?

Loading the database from the LDIF dump failed with the following error while running slapadd:
    <= str2entry: str2ad(UNIVENTIONCERTIFICATEDAYS): attribute type undefined
    slapadd: could not parse entry (line=15467)
    Error, entries missing!
      entry 195: ou=disabled,dc=becon,dc=de

Not sure, but UNIVENTIONCERTIFICATEDAYS seems to be part of the cool solution univention-usercert; maybe this has been removed during the upgrade.
ldap version (dpkg -l slapd)?
master.schule.schein / 13.73 / 10:45:11 / ✓ root@master:~ # univention-app info
UCS: 5.0-10 errata1240
Installed: bildungslogin-lizenzmanager=1.2.77 keycloak=25.0.6-ucs4 samba4=4.16 self-service=5.0 self-service-backend=5.0 ucsschool=5.0 v7 ucsschool-apis=1.1.0 ucsschool-kelvin-rest-api=1.10.3
Upgradable:

master.schule.schein / 4.72 / 10:44:04 / ✓ root@master:~ # slapschema
67ef9c0a The first database does not allow slapschema; using the first available one (2)
67ef9c0a UNKNOWN attributeDescription "CLIENTSECRET" inserted.
67ef9c0a UNKNOWN attributeDescription "CLIENTID" inserted.
67ef9c0a UNKNOWN attributeDescription "APPLICATIONTYPE" inserted.
67ef9c0a UNKNOWN attributeDescription "REDIRECTURI" inserted.
67ef9c0a UNKNOWN attributeDescription "TRUSTED" inserted.
67ef9c0a UNKNOWN attributeDescription "INSECURE" inserted.

Download pre-up from https://docs.software-univention.de/release-notes/latest/de/index.html is not failing!

master.schule.schein / 4.59 / 11:21:01 / ✓ root@master:~/univention-support # curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.2-1{.gpg,}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   801  100   801    0     0   8257      0 --:--:-- --:--:-- --:--:--  8257
100 20609  100 20609    0     0   359k      0 --:--:-- --:--:-- --:--:--  359k

master.schule.schein / 4.87 / 11:21:04 / ✓ root@master:~/univention-support # apt-key verify pre-update-checks-5.2-1{.gpg,} && bash pre-update-checks-5.2-1
gpgv: Signatur vom Di 11 Mär 2025 12:13:13 CET
gpgv: mittels RSA-Schlüssel C882B6F1F7229D9A
gpgv: Korrekte Signatur von "Univention Corporate Server 5.2 <packages@univention.de>"

Starting pre-update-checks-5.2-1 (Fr 4. Apr 11:21:12 CEST 2025):

Checking disk_space ... OK
Checking failed_ldif ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
Checking master_version ... OK
Checking minimum_ucs_version_of_all_systems_in_domain ... OK
Checking overwritten_umc_templates ... OK
Checking package_status ... OK
Checking role_package_removed ... OK
Checking slapd_on_member ... OK
Checking system_date_too_old ... OK
Checking valid_machine_credentials ... OK
Let's ignore this here for now:

Checking ldap_schema ...
67eedd25 UNKNOWN attributeDescription "CLIENTSECRET" inserted.
67eedd25 UNKNOWN attributeDescription "CLIENTID" inserted.
67eedd25 UNKNOWN attributeDescription "APPLICATIONTYPE" inserted.
67eedd25 UNKNOWN attributeDescription "REDIRECTURI" inserted.
67eedd25 UNKNOWN attributeDescription "TRUSTED" inserted.
OK

But need to check if there is another problem with slapschema!

The actual problem here is:

Loading the database from the LDIF dump failed with the following error while running slapadd:
    <= str2entry: str2ad(UNIVENTIONCERTIFICATEDAYS): attribute type undefined
    slapadd: could not parse entry (line=15467)
    Error, entries missing!
      entry 195: ou=disabled,dc=becon,dc=de
      entry 196: ou=user,ou=disabled,dc=becon,dc=de

So "UNIVENTIONCERTIFICATEDAYS" is unknown. This comes from the package "univention-usercert". And this package is removed during the upgrade (see updater.log):

Die folgenden Pakete werden ENTFERNT:
  ... univention-usercert

The schema check in the updater can't find this problem, because at the time the check is executed the schema for usercert is still installed. Then the update starts, removes univention-usercert and with it the usercert.schema, and the import fails.

This is a problem of how the package "univention-usercert" adds the schema. It does not register the schema so that the schema is available even after you remove the package.
Questions:
* Is "univention-usercert" even available for 5.2?
* I guess this comes from the component "cool-solutions"; is this component available for 5.2?
* How do we block updates if the component "cool-solutions" is available, but just some package is missing (like univention-usercert)?

Options:
* block update if "univention-usercert" is installed
* Workaround: UNTESTED maybe copy the schema file from univention-usercert to "/var/lib/univention-ldap/local-schema", so that we have the schema even if the package is removed
  $ cp /usr/share/univention-ldap/schema/univention-manage-certificates.schema /var/lib/univention-ldap/local-schema
* provide a "5.2" compatible version of "univention-usercert"
* add schema registration to "univention-usercert"

See https://github.com/univention/cool-solutions/tree/ucs-5.0/master/univention-usercert
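
The ordering problem described in this comment, as an added example that is not part of the original thread or of Univention's preup checks: a check that compares the attributes used in an LDIF dump against only those schema files that will still exist after the packages scheduled for removal are gone. The package names used as keys, the placeholder OIDs, the example DNs and the function names are all constructed for illustration.

```python
import re

# Constructed sample: schema text keyed by the package that ships the file.
# OIDs are placeholders, not the real Univention assignments.
SCHEMAS = {
    "base-schema": """
attributetype ( 1.1.2.1 NAME ( 'cn' 'commonName' ) SUP name )
attributetype ( 1.1.2.2 NAME 'ou' SUP name )
attributetype ( 1.1.2.3 NAME 'objectClass' EQUALITY objectIdentifierMatch )
""",
    "univention-usercert": """
attributetype ( 1.1.2.99 NAME 'univentionCertificateDays'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
""",
}

# Constructed LDIF dump, standing in for the backup that slapadd re-imports.
LDIF = """\
dn: ou=disabled,dc=example,dc=test
objectClass: organizationalUnit
ou: disabled

dn: uid=alice,ou=disabled,dc=example,dc=test
objectClass: person
cn: alice
univentionCertificateDays: 365
"""

NAME_RE = re.compile(r"attributetype\s*\(\s*\S+\s+NAME\s+(\([^)]*\)|'[^']+')", re.I)

def defined_attributes(schemas, removed=()):
    """Lower-cased attribute names from schema files that survive the removals."""
    names = set()
    for package, text in schemas.items():
        if package not in removed:
            for match in NAME_RE.finditer(text):
                names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(1)))
    return names

def ldif_attributes(ldif):
    """Map lower-cased attribute name -> (line, dn) of its first use in the dump."""
    used, dn = {}, None
    for lineno, line in enumerate(ldif.splitlines(), 1):
        if not line.strip():
            dn = None                      # blank line ends the entry
        elif line[0] not in " #":          # skip continuation lines and comments
            name, _, value = line.partition(":")
            name = name.split(";")[0].strip().lower()   # drop options like ;binary
            if name == "dn":
                dn = value.lstrip(": ").strip()
            elif dn is not None:
                used.setdefault(name, (lineno, dn))
    return used

def undefined_after_removal(schemas, ldif, removed):
    """Attributes the dump uses that no remaining schema file defines."""
    known = defined_attributes(schemas, removed)
    return {a: w for a, w in ldif_attributes(ldif).items() if a not in known}
```

With nothing removed the result is empty, which is the state the pre-update check sees; passing the package that the upgrade removes reproduces the undefined attribute together with the line and DN where slapadd would stop.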
### Workaround (this disables the cool-solution univention-usercert!)

# Copy schema from /usr/share... to /var/lib...
cp /usr/share/univention-ldap/schema/univention-manage-certificates.schema /var/lib/univention-ldap/local-schema/

# Update slapd configuration
ucr commit /etc/ldap/slapd.conf

# Check if the schema is included. It should still come from /usr/share...
grep univention-manage-certificates /etc/ldap/slapd.conf

# Restart LDAP
systemctl restart slapd

# Check if LDAP is working
univention-ldapsearch uid=Administrator | grep dn:

# Uninstall packages
univention-remove univention-usercert univention-ldap-usercert

# Update slapd configuration
ucr commit /etc/ldap/slapd.conf

# Check if the schema is included. It should now come from /var/lib...
grep univention-manage-certificates /etc/ldap/slapd.conf

# Restart LDAP
systemctl restart slapd

# Check if LDAP is working
univention-ldapsearch uid=Administrator | grep dn:

# Upgrade to UCS 5.2, e.g.:
univention-upgrade --ignoressh --ignoreterm --noninteractive --enable-app-updates
Functional test: OK
code review: OK
updater log: OK
Mirror updated: OK