ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"} - univention-adsearch missing

samba-ad
ad-connection
update
ucs-4-3

#1

Hello,

after the successful (?) update to UCS 4.3-2 from 4.2 by disabling and re-enabling the Kopano repos and after thoroughly (at least I thought so) testing the UCS server (updater.log, apt-get autoremove --purge check, Windows client connection, Kopano Webapp & Z-Push, joinscripts, UCS system-diagnosis etc.) I’ve deleted the VM-snapshot, activated fetchmail again and didn’t expect further problems.

Seems like I’ve been wrong. After some time I’ve got this message for root:

Traceback (most recent call last):
  File "/usr/share/univention-updater/updater-statistics", line 113, in <module>
    main()
  File "/usr/share/univention-updater/updater-statistics", line 108, in main
    'updater/statistics': encode_additional_info(users=get_users(), role=get_role()),
  File "/usr/share/univention-updater/updater-statistics", line 100, in get_users
    lo, _ = getReadonlyAdminConnection()
  File "/usr/share/univention-updater/updater-statistics", line 88, in getReadonlyAdminConnection
    lo, position = univention.admin.uldap.getAdminConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 155, in getAdminConnection
    lo = univention.uldap.getAdminConnection(start_tls, decode_ignorelist=decode_ignorelist)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 74, in getAdminConnection
    return access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn='cn=admin,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 166, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 216, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 954, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 935, in _apply_method_s
    self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 911, in reconnect
    raise e
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}

To check what’s gone wrong I wanted to execute univention-ldapsearch (works without errors) and univention-adsearch (command is missing!!!). :fearful:

This seems to me like some components of the Samba/S4 connector system are missing. But I don’t know which one.
Could someone please help me find and reinstall the missing components? There are no unresolved dependencies.

I can still log in from my Windows clients and Kopano works, but of course I have a strange feeling in the stomach!

BR,
TP


#2

Hi!

univention-adsearch is an optional tool that comes with univention-ad-connector (see https://www.univention.com/products/univention-app-center/app-catalog/adconnector/). It is not part of the Samba AD / S4-Connector feature, but meant to search in a remote (Microsoft) Active Directory. So if you didn’t install the App “Active Directory Connection”, it’s perfectly fine if univention-adsearch is not present on your system.

You might be looking for univention-s4search? This searches in the local Samba AD directory.

Can you show us the output of univention-app info to verify this?

Anyway, the traceback you got uses a python module called uldap.py and afaik this always uses OpenLDAP as backend. This might as well be a one-time hiccup? Does the traceback occur if you run /usr/share/univention-updater/updater-statistics manually now?

Best regards,
Michael Grandjean


#3

Hello @Grandjean,

many thanks for the quick answer!

> univention-adsearch is an optional tool that comes with univention-ad-connector (see https://www.univention.com/products/univention-app-center/app-catalog/adconnector/). It is not part of the Samba AD / S4-Connector feature, but meant to search in a remote (Microsoft) Active Directory. So if you didn’t install the App “Active Directory Connection”, it’s perfectly fine if univention-adsearch is not present on your system.

Yes, you’re right! I was following THIS guide and completely forgot about the difference between AD-Connector and S4-Connector. I actually confused it with the often used univention-s4search, which still works without problems. What a relief!

Sure, here it is:

root@ucs:~# univention-app info
UCS: 4.3-2 errata229
Installed: adtakeover=5.0 dhcp-server=12.0 fetchmail=6.3.26 kde=5.8 kopano-core=8.6.2.1 kopano-webapp=3.4.2.1108 nagios=4.3 samba4=4.7 z-push-kopano=2.3.8
Upgradable: kopano-webapp z-push-kopano

True, I’ve tried running /usr/share/univention-updater/updater-statistics; the output is:

root@ucs:~# /usr/share/univention-updater/updater-statistics
Module: kopano-cfg
File: /etc/apt/apt.conf.d/55user_agent

and the root messages remain clean. It has happened twice during the upgrade and one e-mail message had been delayed for some time, that’s what made me think this is a permanent error, logged every 30 minutes or so.

Currently only one error message for root remains, every day at 3:00 AM.

tdb_mutex_open_ok[./private/netlogon_creds_cli.tdb]: Can use mutexes only with MUTEX_LOCKING or NOLOCK
Failed to open ./private/netlogon_creds_cli.tdb
Error while backing up ./private/netlogon_creds_cli.tdb with tdbbackup - status 1

Many thanks for the clarification!

BR,
TP


#4

See here and here.
You can safely ignore them.


#5

Many thanks, @Christian_Voelker - I’ve tried the workaround.
So everything seems to be solved now.

Glad it went so smoothly after waiting for some time… :wink:

BR,
TP