Univention Bugzilla – Bug 38091
Improve fail-safe domain setup
Last modified: 2016-02-04 14:08:04 CET
We should check if we can implement a better default setup out-of-the-box.

+++ This bug was initially created as a clone of Bug #38090 +++

We already have different hints in the documentation about the domain setup and how to configure multiple LDAP servers, for example:
http://docs.univention.de/manual-4.0.html#computers:configureldapserver

Nevertheless, we should add a single SDB entry which describes what to do to get a fail-safe setup, for example:
- DNS setup (UCR variable nameserver*)
- LDAP server (LDAP Server Policy)
- Kerberos KDC (DNS query)
- Samba DCs (installation of multiple DCs)

The manual should link to the article.
When a domain controller (DC) master or DC backup is created, two policies are now created or modified:
* an LDAP server policy to be used by member servers and
* a UCR policy to be used by DC slaves.
The policies configure them to use the LDAP servers of all available DC backups, in case the DC master is down. The policies are referenced by cn=computers,$ldap_base.
Slaves currently do not support LDAP server policies, so a UCR policy for "ldap/server/addition" is created and used instead.
The version of the join script is not raised, to not modify existing installations.

Commits: 65992 + 65993
YAML: univention-ldap.yaml: 65993 + 65994
Commits 65995 + 65996: Do not activate UCR policy by default - slaves can survive a master-down on their own.
Created attachment 7382: diff

Unfortunately appending a value to a UCR variable policy is not implemented yet, so this breaks when running it on the second DC Backup:

+ univention-directory-manager policies/registry modify --dn=cn=default-ldap-servers,cn=config-registry,cn=policies,dc=ar41i1,dc=qa --append 'registry="ldap/server/addition" "backup2.ar41i1.qa"'
E: Invalid Syntax: Duplicated variables not allowed: 'ldap/server/addition'

See patch proposal. Please note a line continuation was missing too.
Thanks, patch applied: r66540 + r66541.
If you join a new backup into an existing domain, the policy is created and it only includes the new backup. I think we should create the correct policy in the postinst on the master. Can you add test scripts which check the creation of the policies?
The list of servers for the LDAP and the UCR policies is now rebuilt each time the join script runs. This also makes it possible to remove an entry in case a DC is deleted. A test was added.

Code change: 67081, 67092, 67097, 67106
Advisory: 67094, 67098, 67107
Test: 67107
(In reply to Daniel Tröder from comment #6)
> The list of servers for the LDAP and the UCR policies is now rebuilt each
> time the join script runs. This makes it also possible to remove an entry in
> case a DC is deleted. A test was added.
>
> Code change: 67081, 67092, 67097, 67106
> Advisory: 67094, 67098, 67107
> Test: 67107

I've split the test case bug into Bug #40556. That makes it easier to release this erratum.

Code review: OK
One note, you connect the policy every time. That is a problem if one won't use it:
  univention-directory-manager container/cn modify "$@" \
    --dn "cn=computers,$ldap_base" \
    --policy-reference "cn=default-settings,cn=ldap,cn=policies,$ldap_base"
It is a policy, so it can be overwritten. Let's wait if it will be a real problem.

Tests: Fail
1. I've added a simple DC Backup which doesn't have an fqdn:
  root@master411:~# udm computers/domaincontroller_backup create --set name=testdc1
  [...]
  root@master411:~# udm computers/domaincontroller_backup list | grep fqdn
  fqdn: backup412.deadlock41.intranet
  fqdn: None
  root@master411:~# univention-ldapsearch objectClass=univentionPolicyLDAPServer | grep univentionLDAPServer
  univentionLDAPServer: master411.deadlock41.intranet
  univentionLDAPServer: backup412.deadlock41.intranet
  univentionLDAPServer: None
  root@master411:~#

2. The master is not set in the UCR policy. That's part of the code, but I guess it is wrong. Any particular reason?
  root@backup412:~# univention-directory-manager policies/ldapserver list "$@" --filter name=default-settings | grep ldapServer
  ldapServer: master411.deadlock41.intranet
  ldapServer: backup412.deadlock41.intranet
  root@backup412:~# udm policies/registry list
  DN: cn=default-ldap-servers,cn=config-registry,cn=policies,dc=deadlock41,dc=intranet
  ARG: None
  ldapFilter: (univentionServerRole=slave)
  name: default-ldap-servers
  requiredObjectClasses: univentionDomainController
  registry: ldap/server/addition backup412.deadlock41.intranet
  root@backup412:~#

YAML: OK
Commits: 67116, 67117, 67118
* DCs without FQDN are now ignored.
* DC master is added to ldap/server/addition (no idea why I didn't want this previously).
* The ldap server policy is created and attached only once.
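An added worked example of the selection logic the comments above describe (rebuild the server list on every join script run, skip DC backups without an FQDN, list the DC master first). This is illustration code written for this page, not the univention-ldap join script and not part of the bug's comments. The udm listing it parses is constructed; the property name ldapServer, the policy DN and the assumption that repeated --set replaces the whole multi-valued property are taken from the comments above or assumed, and the udm commands are only printed, never executed.

```shell
#!/bin/bash
# Added example, not code from the univention-ldap join script. It shows the
# selection logic the bug comments describe: rebuild the LDAP server list from
# the current set of DC backups on every run, skip backups without an FQDN
# ("fqdn: None"), and put the DC master first. The udm listing below is
# constructed; udm property names and the "--set replaces the whole
# multi-valued property" semantics are assumptions, so commands are printed
# rather than executed.

# Constructed sample of `udm computers/domaincontroller_backup list` output
# (not captured from a real domain), with one backup created without an FQDN.
SAMPLE_UDM_LISTING='DN: cn=backup412,cn=dc,cn=computers,dc=deadlock41,dc=intranet
  name: backup412
  fqdn: backup412.deadlock41.intranet

DN: cn=testdc1,cn=dc,cn=computers,dc=deadlock41,dc=intranet
  name: testdc1
  fqdn: None

DN: cn=backup413,cn=dc,cn=computers,dc=deadlock41,dc=intranet
  name: backup413
  fqdn: backup413.deadlock41.intranet
'

# build_ldap_server_list MASTER_FQDN < udm-listing
# Prints the master followed by every backup FQDN, one per line. "None"
# (UDM's rendering of an unset fqdn) and empty values are dropped and
# duplicates removed, so a backup deleted from LDAP simply disappears from
# the next run's list instead of lingering in the policy.
build_ldap_server_list() {
    local master="$1"
    {
        printf '%s\n' "$master"
        sed -n 's/^[[:space:]]*fqdn:[[:space:]]*//p' | grep -v -e '^None$' -e '^$'
    } | awk '!seen[$0]++'
}

# emit_policy_command LDAP_BASE SERVER...
# Prints the udm call that rewrites the LDAP server policy for member servers.
# Every server is passed with --set, which (assumption) replaces the whole
# multi-valued ldapServer property; --append would keep stale entries from
# earlier runs, which is exactly what rebuilding the list is meant to avoid.
emit_policy_command() {
    local ldap_base="$1"; shift
    local cmd="univention-directory-manager policies/ldapserver modify"
    cmd="$cmd --dn \"cn=default-settings,cn=ldap,cn=policies,$ldap_base\""
    local s
    for s in "$@"; do
        cmd="$cmd --set ldapServer=\"$s\""
    done
    printf '%s\n' "$cmd"
}

# build_ldap_server_addition SERVER...
# Joins the list into the space-separated value that the comments put into
# the UCR policy variable ldap/server/addition for DC slaves.
build_ldap_server_addition() {
    local IFS=' '
    printf '%s\n' "$*"
}

# Dry run on the constructed listing: print what a join script would do.
servers="$(printf '%s' "$SAMPLE_UDM_LISTING" | build_ldap_server_list master411.deadlock41.intranet)"
# Word splitting on the newline-separated list is intended here.
emit_policy_command dc=deadlock41,dc=intranet $servers
echo "ldap/server/addition=$(build_ldap_server_addition $servers)"
```

Run with the constructed listing, the DC backup testdc1 (fqdn: None) is dropped, the master comes first, and backup412 and backup413 follow; swapping the sample for the real `udm ... list` output is the only change needed to dry-run this against a domain.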
Code review: OK
Tests: OK
YAML: OK
<http://errata.software-univention.de/ucs/4.1/84.html>