Cannot join DC slave to a UCS domain

bhagert · September 11, 2017, 5:49pm

I have installed a new server as DC slave, however the Univention-join command fails.

From /var/log/univention/join.log

Starting slapd (via systemctl): slapd.service.

echo -e ‘\033[60Gdone’
echo -n 'Search LDAP binddn ’
++ sed -ne ‘s|^DN: ||p’
++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local /u$
binddn=
‘[’ -z ‘’ ‘]’
++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local ld$
++ ldapsearch-wrapper
++ ldapsearch-decode64
++ sed -ne ‘s|^dn: ||p;s|^DN: ||p’
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
binddn=
‘[’ -z ‘’ ‘]’
++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local ld$
++ ldapsearch-wrapper
++ ldapsearch-decode64
++ sed -ne ‘s|^dn: ||p;s|^DN: ||p’
Insufficient access (50)
binddn=
‘[’ -z ‘’ ‘]’
failed_message 'binddn for user Administrator not found. ’
echo ‘’
echo ‘’
echo '************************************************************************$
echo '* Join failed! $
echo '* Contact your system administrator $
echo '************************************************************************$
echo '* Message: binddn for user Administrator not found. ’
echo '************************************************************************$
exit 1

Gohmann · September 15, 2017, 7:20pm

Is Administrator member of DC Backup Hosts and is /etc/ldap.secret readable for the group DC Backup Hosts?

root@master421:~# udm groups/group list --filter cn=“DC Backup Hosts” | grep -i Administrator
users: uid=Administrator,cn=users,dc=deadlock42,dc=intranet
root@master421:~# ls -la /etc/ldap.secret
-rw-r----- 1 root DC Backup Hosts 20 Mai 26 13:22 /etc/ldap.secret
root@master421:~#

bhagert · October 5, 2017, 2:44pm

root@ucspdc:~# udm groups/group list --filter cn="DC Backup Hosts" | grep -i Administrator
  users: uid=Administrator,cn=users,dc=sunhut,dc=local
root@ucspdc:~#
root@ucspdc:~# ls -la /etc/ldap.secret
-rw-r--r-- 1 root DC Backup Hosts 20 nov 14  2015 /etc/ldap.secret
root@ucspdc:~#

bhagert · October 6, 2017, 10:54am

I am able to login to the dcmaster using following command:

univention-ssh passwordfile Administrator@sunhut.local

bhagert · October 6, 2017, 11:23am

Running following command on DC master generates this error

root@ucspdc:~# /usr/sbin/udm users/user list --filter uid=Administrator

Traceback (most recent call last):
File “/usr/share/univention-directory-manager-tools/univention-cli-server”, line 218, in doit
output = univention.admincli.admin.doit(arglist)
File “/usr/lib/pymodules/python2.7/univention/admincli/admin.py”, line 398, in doit
out = _doit(arglist)
File “/usr/lib/pymodules/python2.7/univention/admincli/admin.py”, line 991, in _doit
object.open()
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py”, line 1496, in open
univention.admin.handlers.simpleLdap.open(self)
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/init.py”, line 700, in open
self.call_udm_property_hook(‘hook_open’, self)
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/init.py”, line 692, in call_udm_property_hook
func(module)
File “/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py”, line 83, in hook_open
for k, v in self.ox_defaults(module.lo, module.position).items():
File “/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py”, line 67, in ox_defaults
cls._ox_defaults[attr] = attr_m[0].info[‘default’]
KeyError: ‘default’

troeder · October 17, 2017, 2:15pm

Hello,

please run:
univention-ldapsearch -LLL -b "cn=open-xchange,cn=custom attributes,cn=univention,$(ucr get ldap/base)" '(|(cn=oxAccess)(cn=oxDisplayName)(cn=oxLanguage)(cn=oxTimeZone))' univentionUDMPropertyDefault

The result should be four LDAP objects with an univentionUDMPropertyDefault property each:

dn: cn=oxAccess,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: premium

dn: cn=oxLanguage,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: de_DE

dn: cn=oxTimeZone,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: Europe/Berlin

dn: cn=oxDisplayName,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault:: PGZpcnN0bmFtZT4gPGxhc3RuYW1lPg==

If one is missing or empty, please rerun the OX join script:
univention-run-join-scripts --run-scripts --force 65univention-ox.inst
Then check again (univention-ldapsearch -LLL ...).

Greetings
Daniel Tröder

bhagert · October 18, 2017, 12:12pm

My OX installation got corrupted while moving the VM so possibly I should remove all OX instances in the LDAP directory.

However this is the result of your suggestion:

dn: cn=oxAccess,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut,d
c=local
univentionUDMPropertyDefault: premium

dn: cn=oxLanguage,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut
,dc=local

dn: cn=oxTimeZone,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut
,dc=local
univentionUDMPropertyDefault: Europe/Stockholm

dn: cn=oxDisplayName,cn=open-xchange,cn=custom attributes,cn=univention,dc=sun
hut,dc=local
univentionUDMPropertyDefault:: PGZpcnN0bmFtZT4gPGxhc3RuYW1lPg==

troeder · October 18, 2017, 1:13pm

oxLanguage is missing.
Have you run the join script?

bhagert · October 18, 2017, 4:45pm

My OX installation is corrupt so I cannot run the OX join script. I plan to reinstall OX to the machine I want to join to the domain.

bhagert · October 23, 2017, 5:17pm

I removed all references to OX in LDAP and that resolved the “binddn for user Administrator not found” error.
I am now stuck on “FAILED: failed.ldif exists” error.

I set up a new UCS master domainserver in a new domain and still the message appears.

I am lost

troeder · October 24, 2017, 8:03am

I’m not sure I understand correctly:

You installed a new UCS DC master from DVD?
With no connection or data from the old one?
At some point you got FAILED: failed.ldif exists? When/Doing what?

bhagert · October 24, 2017, 9:44am

I have a new UCS KVM server that I want to connect to a UCS domain.
My first attempt to join the server to the UCS domain resulted in the “binddn for user Administrator not found” error. I subsequently removed all references to OX from LDAP (old OX installation appeared to be the culprit). This resolved the original error but I now got the “FAILED: failed.ldif exists” error.
Now I set up a brand new UCS master domain server using the VM image to test but but still got the “FAILED: failed.ldif exists” error when joining the UCS KVM server.There is no connection to the old domain.
I did remove the failed.ldif file but the error persists.

Both servers are now fresh installs, one from the ISO image and the other from the VM image. None of the servers have been customized or altered.

takang · November 8, 2017, 3:28pm

Good afternoon bhagert,

we need more log files info from the client i.e DC slave machine.

/var/log/univention/join.log
and
/var/lib/univention-directory-replication/failed.ldif

Regards

Anna

bhagert · November 8, 2017, 6:29pm

Hi,
Problem resolved. I did a reinstall of the KVM server