Bug 48091

Summary: Joining new UCS systems with higher erratalevel than DC master may fail
Product: UCS
Reporter: Erik Damrose <damrose>
Component: General
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Erik Damrose <damrose>
Severity: normal
Priority: P5
CC: botner, requate
Version: UCS 4.3
Target Milestone: UCS 4.3-2-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 47943

Description Erik Damrose univentionstaff 2018-11-02 11:49:45 CET
To reproduce: Join a current UCS DVD or appliance as DC Backup into a UCS DC Master with a lower erratalevel - e.g. DC Master erratalevel 229 (i.e. 4.3-2 release state).

The join fails because the DC backup has in this case a definition of ACLs for the LDAP objectclass univentionPortalCategory. But the LDAP Master does not have that attribute yet due to low erratalevel, so the schema definition for that objectclass/attribute is not replicated to the DC Backup. The slapd does not start if the ACL definition is installed by the u-ldap-server package.

The check if a UCS system can join the domain currently only checks the patchlevel number, not the erratalevel.
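
The failure mode in the description above, an ACL that names an objectclass the replicated schema lacks, can be detected before slapd is restarted. The following is an added example, not part of the bug report and not Univention's code: the function names are hypothetical, the schema and ACL text are constructed samples with placeholder OIDs, and it assumes slapd.conf-style `objectclass ( ... )` and `access to ... attrs=` text.

```python
import re

# Constructed sample: schema known to a DC Master at a lower erratalevel.
# OIDs and definitions are placeholders, not the real UCS schema.
SCHEMA = """
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'univentionPortal'
    SUP top STRUCTURAL MUST cn )
objectclass ( 1.3.6.1.4.1.99999.2.2 NAME ( 'univentionPortalEntry' 'portalEntry' )
    SUP top STRUCTURAL MUST cn )
"""

# Constructed sample: ACL fragment shipped by a newer package on the joining system.
ACL = """
access to filter="(objectClass=univentionPortal)" attrs=entry,@univentionPortal,@univentionPortalCategory
    by dn.base="cn=admin,dc=example,dc=com" write
    by * +0 break
"""

OC_DEF = re.compile(r"objectclass\s*\(\s*[\w.]+\s+NAME\s+(\([^)]*\)|'[^']*')", re.I)

def schema_objectclasses(schema_text):
    """Lower-cased names (including aliases) of all objectclasses defined."""
    names = set()
    for m in OC_DEF.finditer(schema_text):
        names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(1)))
    return names

def acl_objectclass_refs(acl_text):
    """(line_no, name) for each @objectClass / !objectClass item in attrs= lists."""
    refs = []
    for no, line in enumerate(acl_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        for m in re.finditer(r"\battrs=(\S+)", line):
            for item in m.group(1).split(","):
                if item.startswith(("@", "!")) and len(item) > 1:
                    refs.append((no, item[1:]))
    return refs

def missing_objectclasses(acl_text, schema_text):
    """ACL references to objectclasses the schema does not define."""
    known = schema_objectclasses(schema_text)
    return [(no, n) for no, n in acl_objectclass_refs(acl_text) if n.lower() not in known]

if __name__ == "__main__":
    for no, name in missing_objectclasses(ACL, SCHEMA):
        print(f"ACL line {no}: objectclass {name!r} is not in the schema")
```

A non-empty result means the ACL and the schema are out of step, which is the condition the description gives for slapd failing to start.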

Comment 1 Arvid Requate univentionstaff 2018-11-20 15:31:17 CET
As discussed, the schema and ACL registration should be done via registerLDAPExtension, probably in the 33univention-portal.inst join script.

Comment 2 Felix Botner univentionstaff 2018-11-22 17:10:35 CET
6505cd581a4eb8d895a30432acb3af79ee2e69cc - univention-ldap

Removed the @univentionPortalCategory from the portal ACLs. These ACLs are necessary for the UCR<->Portal registration. This mechanism doesn't know anything about settings/portal_category, so we can safely remove this objectclass from the ACL.

Comment 3 Erik Damrose univentionstaff 2018-12-03 16:53:13 CET
OK: change of LDAP ACL. No slapd error when joining.
OK: YAML
Verified

Another issue appeared during QA, which we cannot fix in the scope of the bug.
But at least the join can be started, and the slapd does not fail. I created Bug 48260

Comment 4 Arvid Requate univentionstaff 2018-12-05 14:39:25 CET
<http://errata.software-univention.de/ucs/4.3/356.html>