Univention Bugzilla – Full Text Bug Listing

| Summary: | In some cases LDAP ACLs are not active on DC backup and DC slave | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
| Component: | LDAP | Assignee: | Sönke Schwardt-Krummrich <schwardt> |
| Status: | CLOSED FIXED | QA Contact: | Jürn Brodersen <brodersen> |
| Severity: | major | | |
| Priority: | P5 | CC: | best, damrose, grandjean, heidelberger, requate, voelker |
| Version: | UCS 4.3 | | |
| Target Milestone: | UCS 4.3-3-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 7: Crash: Bug causes crash or data loss |
| Who will be affected by this bug?: | 4: Will affect most installed domains | How will those affected feel about the bug?: | 4: A User would return the product |
| User Pain: | 0.640 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Security |
| Max CVSS v3 score: | | | |
Description
Sönke Schwardt-Krummrich
2019-01-24 17:40:27 CET
DC backup/slave systems that have correct ACLs and are about to rejoin are not affected, because the ACL files created by the listener module are *not* removed during resync/initialisation of the listener module. In this case this behaviour is very good and prevents more harm, but in some other corner cases it will produce other problems (DC backup is offline, ACLs get removed in LDAP, DC backup is rejoined → old ACLs are still active but should not be). → Bug 48533

The defective query in the listener module ldap_extension was corrected. LDAP ACL objects that were newly created from the listener module's point of view and are already active are now handled and no longer ignored. To avoid missing LDAP ACLs on DC backup systems, the update to version 14.0.2-35 of univention-ldap-server triggers a resync of the listener module ldap_extension. A jitter of 15 seconds is used to prevent all LDAP servers from failing at the same time if the update is started simultaneously on the systems (e.g. via cron). The resync is not executed on DC master and member server systems, because there the ACLs are either already active or not used at all. In univention-ldap-server, the versioned dependency on python-univention-lib was updated; the latter package contains the adapted code of the listener module.

```
c8a47ddc38 Bug #48530: update advisories
7cd0a1cb5f Bug #48530: Merge branch 'sschwardt/48530/4.3/ldap_acl_registration' into 4.3-3
d15258ccf0 Bug #48530: add/update advisories
a399e31822 Bug #48530: add changelog entry
b222cb63f2 Bug #48530: resync listener module ldap_extension only during update
e35dc8ad9b Bug #48530: add dependency to fixed version of python-univention-lib
1373608548 Bug #48530: add changelog entry
d5c09115dd Bug #48530: only skip object if univentionLDAPACLActive is not "TRUE"

Package: univention-ldap
Version: 14.0.2-35A~4.3.0.201901251325
Branch: ucs_4.3-0
Scope: errata4.3-3

Package: univention-lib
Version: 7.0.0-21A~4.3.0.201901251325
Branch: ucs_4.3-0
Scope: errata4.3-3
```

merged to UCS 4.4:

```
Package: univention-ldap
Version: 15.0.0-5A~4.4.0.201901251351
Branch: ucs_4.4-0
Scope:

Package: univention-lib
Version: 8.0.0-3A~4.4.0.201901251351
Branch: ucs_4.4-0
Scope:

da972f95cd Bug #48530: add/update advisories
a92dcd9b9c Bug #48530: add changelog entry
515c43817d Bug #48530: resync listener module ldap_extension only during update
b113a3d110 Bug #48530: add dependency to fixed version of python-univention-lib
167de04450 Bug #48530: add changelog entry
8eaae40806 Bug #48530: only skip object if univentionLDAPACLActive is not "TRUE"
```

Jenkins tests for UCS 4.3-3 look good.

Tested update/rejoin on DC backup and DC slave:

```
25.01.19 09:55:31.937 LISTENER ( WARN ) : initializing module ldap_extension
25.01.19 09:55:32.908 LISTENER ( PROCESS ) : ldap_extension: cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.411 LISTENER ( PROCESS ) : ldap_extension: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:34.898 LISTENER ( PROCESS ) : ldap_extension: cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local active? ['TRUE']
25.01.19 09:55:35.406 LISTENER ( WARN ) : finished initializing module ldap_extension with rv=0
```

→ RESOLVED

What I tested:

- Updated package on master -> OK
- Updated package on backup -> Installed acl on master -> OK
- Installed acl on master -> Join Backup -> Updated package on backup -> OK
- Install acl on master -> Updated package on UNJOINED backup -> join -> OK
- Schoolslave -> OK (ACLs are installed after a read STOP acl, which is intended)
- Rejoin schoolslave -> OK
- YAML -> OK
- Merge to 4.4 -> OK
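The failure mode described in the bug (active ACL objects ignored on a freshly joined DC backup/slave) and the role-gated, jittered resync of the package update, as an added example. This is not code from the UCS project or from this bug report: it models the listener decision on a DC backup/slave, where an ACL file is written only once the DC master has set `univentionLDAPACLActive` to `TRUE`. The defective condition itself is not quoted on the page, so `skip_before_fix()` is a reconstruction consistent with the description and with the commit message "only skip object if univentionLDAPACLActive is not TRUE"; the LDAP entries are constructed from the DNs in the listener log above, and the `server/role` values are the standard UCR ones.

```python
# Added example, not code from the UCS project or from bug #48530.
# Models the decision the ldap_extension listener module takes for
# cn=...,cn=ldapacl,... objects on a DC backup or DC slave.  The defective
# condition is not quoted in the bug; skip_before_fix() is a reconstruction
# consistent with the description and the commit message
# "only skip object if univentionLDAPACLActive is not TRUE".
import random

ACTIVE_ATTR = "univentionLDAPACLActive"

# Constructed entries using the DNs from the listener log in the bug.
# Values are lists of byte strings, as python-ldap hands them to a listener.
ACL_OBJECTS = {
    "cn=65ucsschool,cn=ldapacl,cn=univention,dc=nstx,dc=local": {
        "cn": [b"65ucsschool"], ACTIVE_ATTR: [b"TRUE"]},
    "cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=nstx,dc=local": {
        "cn": [b"61ucsschool_presettings"], ACTIVE_ATTR: [b"TRUE"]},
    "cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=nstx,dc=local": {
        "cn": [b"66univention-appcenter_app"], ACTIVE_ATTR: [b"TRUE"]},
}


def is_active(entry):
    """True once the DC master has flagged the ACL as installed and active."""
    return entry.get(ACTIVE_ATTR) == [b"TRUE"]


def skip_before_fix(new, old):
    """Reconstructed defective check (assumption, see header comment).

    An object that is new from this listener's point of view (old is empty)
    and is already active is treated as 'already processed'.  During the
    initialisation of a freshly joined backup/slave every object arrives
    exactly that way, so every active ACL is ignored and no file is written.
    """
    if not is_active(new):
        return True   # master has not activated it yet: correct to skip
    if not old:
        return True   # new *and* active: wrongly assumed to be done (the bug)
    return False


def skip_after_fix(new, old):
    """Fixed check: skip only objects the master has not activated yet."""
    return not is_active(new)


def handle_events(events, skip):
    """Replay (dn, new, old) listener calls with a skip rule and return the
    DNs whose ACL file would be written on this host."""
    return [dn for dn, new, old in events if not skip(new, old)]


def resync_events(objects):
    """Listener initialisation/resync: each object is delivered as new,
    with an empty 'old' dict."""
    return [(dn, attrs, {}) for dn, attrs in objects.items()]


def activation_events(dn, attrs):
    """Normal operation: the master creates the object inactive and flips
    the flag to TRUE after installing the ACL on itself."""
    inactive = dict(attrs, **{ACTIVE_ATTR: [b"FALSE"]})
    return [(dn, inactive, {}), (dn, attrs, inactive)]


def resync_delay(server_role, max_jitter=15, rng=None):
    """Seconds the package update waits before triggering the ldap_extension
    resync, or None on roles where no resync is run (DC master: ACLs already
    active; member server: ACLs not used).  server_role is the UCR
    server/role value."""
    if server_role not in ("domaincontroller_backup", "domaincontroller_slave"):
        return None
    rng = rng if rng is not None else random.Random()
    return rng.uniform(0, max_jitter)


if __name__ == "__main__":
    first_dn, first_attrs = next(iter(ACL_OBJECTS.items()))
    for label, rule in (("before fix", skip_before_fix), ("after fix", skip_after_fix)):
        print(label, "| resync on fresh backup writes:",
              handle_events(resync_events(ACL_OBJECTS), rule))
        print(label, "| normal activation writes:",
              handle_events(activation_events(first_dn, first_attrs), rule))
    print("resync delay on backup:", resync_delay("domaincontroller_backup"))
```

The normal create-then-activate sequence is handled by both rules, which is why running systems looked fine and the missing ACLs only showed up after a join or resync. The errata update therefore has to replay the `resync_events()` case explicitly, and `resync_delay()` shows the gating the bug describes: no resync on the master or member server, and a random delay of up to 15 seconds on backups and slaves so that a cron-driven update does not restart every LDAP server at once.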