Cannot join DC slave to a UCS domain

join

#1

I have installed a new server as DC slave, however the Univention-join command fails.

From /var/log/univention/join.log

Starting slapd (via systemctl): slapd.service.

  • echo -e ‘\033[60Gdone’
  • echo -n 'Search LDAP binddn ’
    ++ sed -ne ‘s|^DN: ||p’
    ++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local /u$
  • binddn=
  • ‘[’ -z ‘’ ‘]’
    ++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local ld$
    ++ ldapsearch-wrapper
    ++ ldapsearch-decode64
    ++ sed -ne ‘s|^dn: ||p;s|^DN: ||p’
    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
  • binddn=
  • ‘[’ -z ‘’ ‘]’
    ++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local ld$
    ++ ldapsearch-wrapper
    ++ ldapsearch-decode64
    ++ sed -ne ‘s|^dn: ||p;s|^DN: ||p’
    Insufficient access (50)
  • binddn=
  • ‘[’ -z ‘’ ‘]’
  • failed_message 'binddn for user Administrator not found. ’
  • echo ‘’
  • echo ‘’
  • echo '************************************************************************$
  • echo '* Join failed! $
  • echo '* Contact your system administrator $
  • echo '************************************************************************$
  • echo '* Message: binddn for user Administrator not found. ’
  • echo '************************************************************************$
  • exit 1

#2

Is Administrator member of DC Backup Hosts and is /etc/ldap.secret readable for the group DC Backup Hosts?

root@master421:~# udm groups/group list --filter cn=“DC Backup Hosts” | grep -i Administrator
users: uid=Administrator,cn=users,dc=deadlock42,dc=intranet
root@master421:~# ls -la /etc/ldap.secret
-rw-r----- 1 root DC Backup Hosts 20 Mai 26 13:22 /etc/ldap.secret
root@master421:~#


#3
root@ucspdc:~# udm groups/group list --filter cn="DC Backup Hosts" | grep -i Administrator
  users: uid=Administrator,cn=users,dc=sunhut,dc=local
root@ucspdc:~#
root@ucspdc:~# ls -la /etc/ldap.secret
-rw-r--r-- 1 root DC Backup Hosts 20 nov 14  2015 /etc/ldap.secret
root@ucspdc:~#

#4

I am able to login to the dcmaster using following command:

univention-ssh passwordfile Administrator@sunhut.local


#5

Running following command on DC master generates this error

root@ucspdc:~# /usr/sbin/udm users/user list --filter uid=Administrator

Traceback (most recent call last):
File “/usr/share/univention-directory-manager-tools/univention-cli-server”, line 218, in doit
output = univention.admincli.admin.doit(arglist)
File “/usr/lib/pymodules/python2.7/univention/admincli/admin.py”, line 398, in doit
out = _doit(arglist)
File “/usr/lib/pymodules/python2.7/univention/admincli/admin.py”, line 991, in _doit
object.open()
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py”, line 1496, in open
univention.admin.handlers.simpleLdap.open(self)
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/init.py”, line 700, in open
self.call_udm_property_hook(‘hook_open’, self)
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/init.py”, line 692, in call_udm_property_hook
func(module)
File “/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py”, line 83, in hook_open
for k, v in self.ox_defaults(module.lo, module.position).items():
File “/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py”, line 67, in ox_defaults
cls._ox_defaults[attr] = attr_m[0].info[‘default’]
KeyError: ‘default’


#6

Hello,

please run:
univention-ldapsearch -LLL -b "cn=open-xchange,cn=custom attributes,cn=univention,$(ucr get ldap/base)" '(|(cn=oxAccess)(cn=oxDisplayName)(cn=oxLanguage)(cn=oxTimeZone))' univentionUDMPropertyDefault

The result should be four LDAP objects with an univentionUDMPropertyDefault property each:

dn: cn=oxAccess,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: premium

dn: cn=oxLanguage,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: de_DE

dn: cn=oxTimeZone,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: Europe/Berlin

dn: cn=oxDisplayName,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault:: PGZpcnN0bmFtZT4gPGxhc3RuYW1lPg==

If one is missing or empty, please rerun the OX join script:
univention-run-join-scripts --run-scripts --force 65univention-ox.inst
Then check again (univention-ldapsearch -LLL ...).

Greetings
Daniel Tröder


#7

My OX installation got corrupted while moving the VM so possibly I should remove all OX instances in the LDAP directory.

However this is the result of your suggestion:

dn: cn=oxAccess,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut,d
c=local
univentionUDMPropertyDefault: premium

dn: cn=oxLanguage,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut
,dc=local

dn: cn=oxTimeZone,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut
,dc=local
univentionUDMPropertyDefault: Europe/Stockholm

dn: cn=oxDisplayName,cn=open-xchange,cn=custom attributes,cn=univention,dc=sun
hut,dc=local
univentionUDMPropertyDefault:: PGZpcnN0bmFtZT4gPGxhc3RuYW1lPg==


#8

oxLanguage is missing.
Have you run the join script?


#9

My OX installation is corrupt so I cannot run the OX join script. I plan to reinstall OX to the machine I want to join to the domain.


#10

I removed all references to OX in LDAP and that resolved the “binddn for user Administrator not found” error.
I am now stuck on “FAILED: failed.ldif exists” error.

I set up a new UCS master domainserver in a new domain and still the message appears.

I am lost


#11

I’m not sure I understand correctly:

  • You installed a new UCS DC master from DVD?
  • With no connection or data from the old one?
  • At some point you got FAILED: failed.ldif exists? When/Doing what?

#12

I have a new UCS KVM server that I want to connect to a UCS domain.
My first attempt to join the server to the UCS domain resulted in the “binddn for user Administrator not found” error. I subsequently removed all references to OX from LDAP (old OX installation appeared to be the culprit). This resolved the original error but I now got the “FAILED: failed.ldif exists” error.
Now I set up a brand new UCS master domain server using the VM image to test but but still got the “FAILED: failed.ldif exists” error when joining the UCS KVM server.There is no connection to the old domain.
I did remove the failed.ldif file but the error persists.

Both servers are now fresh installs, one from the ISO image and the other from the VM image. None of the servers have been customized or altered.


#13

Good afternoon bhagert,

we need more log files info from the client i.e DC slave machine.

/var/log/univention/join.log
and
/var/lib/univention-directory-replication/failed.ldif

Regards

Anna


#14

Hi,
Problem resolved. I did a reinstall of the KVM server