Univention Bugzilla – Bug 48224
Make joinscript 92univention-management-console-web-server.inst configurable
Last modified: 2019-03-27 13:29:26 CET
In a customer environment ucs-sso is not configured and is not required on every server. This causes the 92univention-management-console-web-server.inst to fail every time with this error.

Object exists: SAMLServiceProviderIdentifier=https://master-prod.schein.de/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=olb,dc=de
No modification: SAMLServiceProviderIdentifier=https://master-prod.schein.de/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=olb,dc=de
Not updating ucs/server/sso/fqdn
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
[...]
Try to download idp metadata (60/60)
Could not download IDP metadata for https://ucs-sso.schein.de/simplesamlphp/saml2/idp/metadata.php
'NoneType' object has no attribute 'find'
Unsetting umc/saml/idp-server
Module: setup_saml_sp

Is there a possibility to make it configurable if ucs-sso is not desired?
If the problem occurs it blocks further progress. Marking the joinscript as "already executed" is not a practicable workaround.
If the SDB article "Configure SAML Single Sign-On as single server solution" is configured and the IdP is thus reachable at a different FQDN than ucs-sso.domainname, one can set the following UCR variable before the join to make the joinscript download the metadata from that FQDN.

ucr set ucs/server/sso/fqdn="master.ucs.demo"

The configuration is skipped now if umc/web/sso/enabled=false.

univention-management-console.yaml
6beb9cbf7f9e | YAML Bug #48224

univention-management-console (11.0.4-3)
9dc7099e212d | Bug #48224: do not configure the SAML IDP in the UMC WebServer if umc/web/sso/enabled=false.

OK: encapsulate UMC SSO configuration by checking UCR umc/web/sso/enabled

Reopen: Check for UCRv does not work. There is no univention-lib function ucr_is_false. It is called is_ucr_false. join.log =>
98: /usr/lib/univention-install/92univention-management-console-web-server.inst: ucr_is_false: not found

Please test your code before committing it! Also, why is the check "if ! ucr_is_false ...", one could check if the UCRv is true.

(In reply to Erik Damrose from comment #4)
> OK: encapsulate UMC SSO configuration by checking UCR umc/web/sso/enabled
>
> Reopen: Check for UCRv does not work. There is no univention-lib function
> ucr_is_false. It is called is_ucr_false. join.log =>
> 98:
> /usr/lib/univention-install/92univention-management-console-web-server.inst:
> ucr_is_false: not found
>
> Please test your code before committing it! Also, why is the check "if !
> ucr_is_false ...", one could check if the UCRv is true.

Sorry. ucr_is_false is the better default handling, because unset means true.
Fixed the typo.
09b8b32 fixed typo in yaml

Verified
<http://errata.software-univention.de/ucs/4.4/25.html>
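
The two guard styles discussed in the review comments above, and what a negated guard does when the helper name is undefined, as an added example that is not part of the original thread or of univention-lib. `UCR_STORE`, `ucr_get`, the simplified `is_ucr_false`/`is_ucr_true` stand-ins, their accepted value spellings and the `guard_*` functions are all assumptions of this example.

```shell
#!/bin/sh
# Added example. UCR_STORE and ucr_get are constructed stand-ins for the UCR
# database; is_ucr_false below is a simplified stand-in, not univention-lib code.
UCR_STORE=""

ucr_get() {  # print the value stored for key $1, nothing when unset
    printf '%s\n' "$UCR_STORE" | sed -n "s|^$1=||p" | head -n 1
}

is_ucr_false() {  # succeed only for an explicit "false" spelling (assumed set)
    case "$(ucr_get "$1" | tr '[:upper:]' '[:lower:]')" in
        0|no|false|off|disabled|disable) return 0 ;;
        *) return 1 ;;
    esac
}

is_ucr_true() {  # succeed only for an explicit "true" spelling (assumed set)
    case "$(ucr_get "$1" | tr '[:upper:]' '[:lower:]')" in
        1|yes|true|on|enabled|enable) return 0 ;;
        *) return 1 ;;
    esac
}

guard_not_false() {  # default on: an unset variable behaves like true
    if ! is_ucr_false umc/web/sso/enabled; then echo configure; else echo skip; fi
}

guard_is_true() {  # default off: an unset variable behaves like false
    if is_ucr_true umc/web/sso/enabled; then echo configure; else echo skip; fi
}

guard_misspelled() {  # undefined helper exits 127, which "!" turns into success
    if ! ucr_is_false umc/web/sso/enabled 2>/dev/null; then echo configure; else echo skip; fi
}

guard_checked() {  # refuse to decide when the helper is not defined
    command -v is_ucr_false >/dev/null 2>&1 || { echo error; return 1; }
    guard_not_false
}

# Constructed states: unset, explicitly true, explicitly false.
for state in "" "umc/web/sso/enabled=true" "umc/web/sso/enabled=false"; do
    UCR_STORE=$state
    echo "[${state:-unset}] not_false=$(guard_not_false) is_true=$(guard_is_true)" \
         "misspelled=$(guard_misspelled)"
done
```

With the variable set to false, `guard_misspelled` still reports `configure`: a negated guard around a helper that does not exist fails open, so the opt-out has no effect until the name is corrected.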