Univention Bugzilla – Bug 9970
Detect move of machine account, adjust ldap/hostdn automatically
Last modified: 2021-04-28 10:06:42 CEST
If you move a computer account in the admin interface, it can no longer replicate until the new host DN has also been adopted locally in the Config Registry. This should be checked when the listener's LDAP bind fails; possibly the runsv script could first call a small Python script.
The problem still exists and was requested by the customer in the context of UCC. Ticket#: 2012101921004587
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
There is a Customer ID set so I set the flag "Enterprise Customer affected".
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
In each technical training I have to explain this to the participants. TT 2020-07-01/02, TT 2020-06-25/26, TT 2020-05-21/22, TT … Writing a UDL module looks trivial, but the problem here is that UDL needs to open a new LDAP connection, for which UDL uses the OLD location of the machine account, which then is no longer valid. It would only work if the connection from the previous transaction is still open, that is, the move transaction happens within the 15 seconds postrun window. Maybe switch UDL to use GSSAPI instead, so we no longer need to explicitly use UCRV `ldap/hostdn` here:
`kinit $HOSTNAME$ </etc/machine.secret`
`ldapsearch -QY GSSAPI cn=$HOSTNAME 1.1`
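An added example, not from this bug or from Univention's code, of the "small Python script" idea from the first comment: it takes LDIF output from an `ldapsearch` for the host's own object, extracts the entry DN (handling folded lines and base64 `dn::`), and reports whether it differs from the configured `ldap/hostdn`, building the `ucr set` call that would fix it. The hostname, DNs and LDIF text are constructed placeholders, and the DN comparison is a simplified one.

```python
import base64
import shlex


def parse_ldif_dns(ldif_text):
    """Return the DNs of all entries in LDIF text (ldapsearch -LLL style)."""
    # Unfold: a line starting with a space continues the previous line.
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    dns = []
    for line in unfolded:
        if line.startswith("dn::"):  # base64-encoded DN (non-ASCII or leading space)
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def normalize_dn(dn):
    """Simplified DN normalisation (assumption: not full RFC 4514 matching)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def detect_hostdn_change(configured_hostdn, ldif_text):
    """Return the current DN if it differs from ldap/hostdn, else None.
    Raises ValueError unless exactly one entry was found for the account."""
    dns = parse_ldif_dns(ldif_text)
    if len(dns) != 1:
        raise ValueError("expected exactly one machine account entry, got %d" % len(dns))
    current = dns[0]
    return None if normalize_dn(current) == normalize_dn(configured_hostdn) else current


def ucr_set_command(new_dn):
    """argv for the `ucr set` call that updates ldap/hostdn to new_dn."""
    return ["ucr", "set", "ldap/hostdn=%s" % new_dn]


# Constructed sample: account moved from cn=computers into a subcontainer.
CONFIGURED_HOSTDN = "cn=member01,cn=computers,dc=example,dc=com"
SAMPLE_LDIF = "dn: cn=member01,cn=memberserver,cn=computers,\n dc=example,dc=com\ncn: member01\n"

if __name__ == "__main__":
    moved_to = detect_hostdn_change(CONFIGURED_HOSTDN, SAMPLE_LDIF)
    if moved_to:
        print("machine account moved, would run:", shlex.join(ucr_set_command(moved_to)))
```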
I also prefer to avoid the DN as part of the authentication. Maybe we can include the patch in UCS 5.0?