Univention Bugzilla – Bug 48970
translog erratum resets LDAP indices to default
Last modified: 2019-03-13 14:41:18 CET
The last update of univention-ldap introduced an ugly problem:
The UCR variables for LDAP indices are reset to defaults. All custom indices for UCS@school, customer packages etc. are removed.

univention-ldap-server.postinst contains the following code:
---[cut]---
if [ "$server_role" = "domaincontroller_master" ] || [ "$server_role" = "domaincontroller_backup" ]; then
	JOIN_FORCE="$([ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 14.0.2-37 && echo 1)" \
		/usr/lib/univention-install/01univention-ldap-server-init.inst || true
	/usr/lib/univention-install/10univention-ldap-server.inst || true
	[ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 11.0.12-5 && upgrade_license || :
fi
---[cut]---

And 01univention-ldap-server-init.inst contains the command
"/usr/share/univention-ldap/ldap_setup_index --force-defaults"

So, if a domaincontroller is updated from a version without translog to a version with translog, the joinscript is forced to be executed again via JOIN_FORCE="1". The joinscript then calls "ldap_setup_index --force-defaults" and thereby resets the UCR variables back to defaults.

First idea for recovery:
parse config-registry.replog{,*.gz} and set the old values
[4.3-3] c3e70c3330 Bug #48970 ldap: Fix regression in translog setup
 management/univention-ldap/debian/changelog | 6 ++++++
 management/univention-ldap/debian/univention-ldap-server.postinst | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-ldap
Version: 14.0.2-46A~4.3.0.201903121509
Branch: ucs_4.3-0
Scope: errata4.3-3

(In reply to Sönke Schwardt-Krummrich from comment #0)
> First idea for recovery:
> parse config-registry.replog{,*.gz} and set the old values

Yes, use the values from:

find /var/log/univention/config-registry.replog.* -type f \( -name \*.gz -exec zcat {} \; -o -not -name \*.gz -exec cat {} \; \) | grep ldap/index/ | sort -n | grep --color old:
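The recovery idea discussed above, as an added example that is not part of the original comments or of univention-ldap: it reads the same replog stream and reports, per ldap/index/* variable, which attributes were in the old value but are gone from the new one. The record layout `DATE TIME: set KEY=NEW old:OLD`, the function names and the sample records are assumptions constructed for illustration; only the `ldap/index/` prefix and the `old:` marker come from the thread.

```shell
#!/bin/sh
# Constructed sample records (not taken from a real system).
sample_replog() {
    cat <<'EOF'
2019-03-05 09:12:44: set ldap/index/eq=objectClass,uid,cn old:objectClass,uid,cn,univentionAppID,univentionUDMPropertyCopyable
2019-03-05 09:12:44: set ldap/index/sub=uid,cn,name old:uid,cn,name
2019-03-05 09:12:45: set ldap/index/pres=objectClass,uid,name old:[Previously undefined]
2019-03-05 09:13:01: set dns/backend=ldap old:samba4
EOF
}

# lost_indices (hypothetical helper): read replog records on stdin and print
#   "<date> <time> <variable> lost: <attr,attr,...>"
# for every "set" of an ldap/index/* variable that dropped attributes.
# ASSUMED record layout: "YYYY-MM-DD HH:MM:SS: set KEY=NEW old:OLD"
lost_indices() {
    awk '
    $3 == "set" && $4 ~ /^ldap\/index\/[^=]+=/ {
        key = $4; sub(/=.*/, "", key)          # variable name
        new = $4; sub(/^[^=]*=/, "", new)      # value after the update
        old = ""
        for (i = 5; i <= NF; i++)
            if ($i ~ /^old:/) old = substr($i, 5)
        gsub(/"/, "", new); gsub(/"/, "", old) # tolerate quoted values

        split("", have)                        # reset the lookup table
        n = split(new, a, ",")
        for (i = 1; i <= n; i++) have[a[i]] = 1

        lost = ""
        m = split(old, b, ",")
        for (i = 1; i <= m; i++)
            # only tokens shaped like LDAP attribute names count as indices,
            # so placeholders for a previously unset variable are ignored
            if (b[i] ~ /^[A-Za-z][A-Za-z0-9-]*$/ && !(b[i] in have))
                lost = lost (lost == "" ? "" : ",") b[i]

        if (lost != "") print $1, substr($2, 1, 8), key, "lost:", lost
    }'
}

sample_replog | lost_indices
```

On a real system the input would be the output of the `find ... -exec zcat/cat` part of the pipeline above, sorted by timestamp, in place of `sample_replog`.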
The suggested "find" command does not seem to be perfect. At least on a test system it does not print any changes, but syslog shows a couple of warnings regarding indexing:
==================================================
Feb 13 16:19:22 master slapd[1405]: <= mdb_equality_candidates: (univentionComputerPortal) not indexed
Feb 14 10:29:56 master slapd[1524]: <= mdb_equality_candidates: (univentionNagiosParent) not indexed
Feb 14 12:04:22 master slapd[1524]: <= mdb_equality_candidates: (name) not indexed
Feb 14 14:06:43 master slapd[630]: <= mdb_equality_candidates: (univentionShareHost) not indexed
==================================================
While the find command (and my manual search as well) did not show any changes in replog.
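An added example (not part of the original comment or of any Univention tool) that turns slapd warnings like the ones quoted above into a per-attribute summary and checks them against a configured index list. The syslog lines are the four from this comment; the function names are hypothetical, and mapping the slapd filter kinds to the UCR variables ldap/index/eq, sub, pres and approx is an assumption of this sketch.

```shell
#!/bin/sh
# The four warnings quoted in the comment above.
sample_syslog() {
    cat <<'EOF'
Feb 13 16:19:22 master slapd[1405]: <= mdb_equality_candidates: (univentionComputerPortal) not indexed
Feb 14 10:29:56 master slapd[1524]: <= mdb_equality_candidates: (univentionNagiosParent) not indexed
Feb 14 12:04:22 master slapd[1524]: <= mdb_equality_candidates: (name) not indexed
Feb 14 14:06:43 master slapd[630]: <= mdb_equality_candidates: (univentionShareHost) not indexed
EOF
}

# unindexed_attrs: read syslog on stdin, print "<count> <ucr-variable> <attribute>"
# for every slapd "not indexed" warning, most frequent first.
unindexed_attrs() {
    awk '
    BEGIN {
        # ASSUMED mapping of slapd filter kind to UCR index variable
        var["equality"]  = "ldap/index/eq"
        var["substring"] = "ldap/index/sub"
        var["presence"]  = "ldap/index/pres"
        var["approx"]    = "ldap/index/approx"
    }
    match($0, /mdb_[a-z]+_candidates: \([^)]+\) not indexed/) {
        msg = substr($0, RSTART, RLENGTH)
        kind = msg; sub(/^mdb_/, "", kind); sub(/_candidates.*/, "", kind)
        attr = msg; sub(/^[^(]*\(/, "", attr); sub(/\).*/, "", attr)
        if (kind in var) count[var[kind] " " attr]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,3
}

# still_missing VAR CURRENT_CSV: from unindexed_attrs output on stdin, print the
# attributes warned about for VAR that are absent from the comma-separated list.
still_missing() {
    awk -v var="$1" -v cur="$2" '
    BEGIN { n = split(cur, a, ","); for (i = 1; i <= n; i++) have[a[i]] = 1 }
    $2 == var && !($3 in have) { print $3 }'
}

# CURRENT_CSV here is a constructed value; on a host it would be the
# configured value of the variable.
sample_syslog | unindexed_attrs | still_missing ldap/index/eq "objectClass,uid,name"
```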
[4.3-3] 3b98b0e622 Bug #48970: Recover U@s LDAP attributes to index
 management/univention-ldap/debian/changelog | 6 ++++++
 .../debian/univention-ldap-server.postinst | 25 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

Package: univention-ldap
Version: 14.0.2-47A~4.3.0.201903121624
Branch: ucs_4.3-0
Scope: errata4.3-3

[4.3-3] 29a7bb6407 Bug #48970: univention-ldap 14.0.2-47A~4.3.0.201903121624
 doc/errata/staging/univention-ldap.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
Small fix for the version detection:
[4.3-3 d878c62426] Bug #48970: fix U@s version detection
The version was otherwise an empty string on singlemaster systems
Regarding Comment 2:
A quick search through our code didn't show up any locations where we dynamically add an index for univentionComputerPortal, univentionNagiosParent, name or univentionShareHost. The "ldap_setup_index" script only has "name" in the RECOMMENDED_LDAP_INDEX for 'pres' and 'sub'. Maybe we could extend the list; let's discuss the specific scenario via email (can't access the ticket right now due to <reasons>).

But grepping for "ldap_setup_index" shows two attributes that we index, that might have been lost:
univentionAppID
univentionUDMPropertyCopyable
If you are fine with these changes just set it to resolved again:
[4.3-3 d878c62426] Bug #48970: fix U@s version detection
[4.3-3 ef4b08ddf9] Bug #48970: yaml
I tried to make it a bit more clear that systems that never updated to e426 are not affected and that this only affected the indices.

Otherwise it looks good.

What I tested:
Singleschool indices are repaired -> OK
Multischool indices are repaired -> OK
Non school systems don't get school indices added -> OK
Indices are not reset to the default any more if update e426 was not installed prior to upgrade -> OK
(In reply to Jürn Brodersen from comment #6)
> If you are fine with these changes just set it to resolved again:
> [4.3-3 d878c62426] Bug #48970: fix U@s version detection

Thanks.
The change to the list of U@S packages I can not comment.

> [4.3-3 ef4b08ddf9] Bug #48970: yaml
> I tried to make it a bit more clear that systems that never updated to e426
> are not affected and that this only affected the indices.

Thanks.
(In reply to Philipp Hahn from comment #7)
> (In reply to Jürn Brodersen from comment #6)
> > If you are fine with these changes just set it to resolved again:
> > [4.3-3 d878c62426] Bug #48970: fix U@s version detection
>
> Thanks.
> The change to the list of U@S packages I can not comment.

That didn't break anything, but the slave packages should never be installed on master or backups anyway.

-> Verified
<http://errata.software-univention.de/ucs/4.3/456.html>
*** Bug 48835 has been marked as a duplicate of this bug. ***