Bug 9970 - Detect move of machine account, adjust ldap/hostdn automatically
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 5.0
Hardware: All Linux
Importance: P3 enhancement
Target Milestone: UCS 5.0-0-errata
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2007-11-27 16:57 CET by Ingo Steuwer
Modified: 2021-04-28 10:06 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2012101921004587
Bug group (optional): Usability
Max CVSS v3 score:
hahn: Patch_Available+

Description Ingo Steuwer univentionstaff 2007-11-27 16:57:55 CET
If a machine account is moved in the Admin, that machine can no longer replicate until the new host DN has also been adopted locally in Config Registry.

This should be checked when the LDAP bind of the listener fails; perhaps the runsv script could first call a small Python script.
Comment 1 Kevin Dominik Korte univentionstaff 2013-02-04 08:51:46 CET
The problem still exists and was requested by the customer in the context of UCC.

Ticket#: 2012101921004587
Comment 2 Stefan Gohmann univentionstaff 2017-06-16 20:37:22 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 3 Florian Best univentionstaff 2017-06-28 14:52:04 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 4 Ingo Steuwer univentionstaff 2020-07-03 20:53:52 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 5 Philipp Hahn univentionstaff 2020-07-04 13:38:44 CEST
At each technical training I have to explain this to the participants.

TT 2020-07-01/02
TT 2020-06-25/26
TT 2020-05-21/22
TT …


Writing a UDL module looks trivial, but the problem here is that UDL needs to open a new LDAP connection, for which UDL uses the OLD location of the machine account, which is then no longer valid. It would only work if the connection from the previous transaction is still open, that is, if the move transaction happens within the 15-second postrun window.

Maybe switch UDL to use GSSAPI instead, so we no longer need to explicitly use UCRV `ldap/hostdn` here:
  kinit $HOSTNAME$ </etc/machine.secret
  ldapsearch -QY GSSAPI cn=$HOSTNAME 1.1
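One way to do the check the thread asks for, as an added example that is not part of this bug report or of UCS itself: a small POSIX shell script that looks the machine account up by its cn over GSSAPI (the kinit/ldapsearch pair from the comment above), extracts the DN from the LDIF result, and realigns the UCR variable when it no longer matches. It assumes `/etc/machine.secret`, `ucr get`/`ucr set` and a GSSAPI-capable LDAP server; the two parsing and comparison functions take their input as arguments so they can be exercised without a directory.

```shell
#!/bin/sh
# Added example (hypothetical; not UCS code): detect a moved machine account
# and realign UCRV ldap/hostdn from a DN-free lookup of the account.

# Extract the DN from LDIF on stdin. LDIF folds long lines by continuing
# them with a leading space, so continuation lines are joined back.
# Assumes the plain "dn: " form (no base64 "dn:: " variant).
ldif_dn() {
    awk '/^ /    { dn = dn substr($0, 2); next }   # folded continuation
         /^dn: / { dn = substr($0, 5); found = 1; next }
         found   { exit }                           # first line after the dn
         END     { if (found) print dn }'
}

# Compare the current UCR value with the DN found in the directory.
# Prints "ok", "moved" or "missing"; returns 1 only when nothing was found.
hostdn_status() {
    current="$1"   # value of UCRV ldap/hostdn
    actual="$2"    # DN returned by the GSSAPI search
    if [ -z "$actual" ]; then
        echo missing
        return 1
    fi
    if [ "$current" = "$actual" ]; then echo ok; else echo moved; fi
}

# Live run: authenticate as the host principal (hostname followed by "$"),
# search by cn so no DN is involved, then fix the UCR variable if it moved.
sync_hostdn() {
    host=$(hostname)
    kinit "${host}\$" </etc/machine.secret || return 1
    actual=$(ldapsearch -LLL -QY GSSAPI "(cn=$host)" 1.1 | ldif_dn)
    case $(hostdn_status "$(ucr get ldap/hostdn)" "$actual") in
        moved)   ucr set "ldap/hostdn=$actual" ;;
        missing) return 1 ;;
    esac
}
```

Calling `sync_hostdn` before the listener's bind attempt (for instance from the runsv script) keeps the check in one place; the functions are only defined here, not run.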
Comment 7 Ingo Steuwer univentionstaff 2020-07-07 11:03:39 CEST
I also prefer to avoid the DN as part of the authentication.

Maybe we can include the patch in UCS 5.0?