Problem: Configured ldap connections were not used during server outage

Problem:

The preferred ldap server was down, but the others were available and also configured for ldap connections. In auth.log you can see that the last connection via smbd went to the server that was down, and no other server appears to have been tried.

Investigation:

  • ldap/server/addition was set on the memberserver
  • /etc/libnss-ldap.conf contains uri ldap://master.five.new:7389 ldap://backup.five.new:7389
  • important: at least one of the configured nameservers must be reachable
  • check /var/log/univention/config-registry.replog

2024-05-09 00:06:32: unset --ldap-policy 'ldap/server/addition' old:master.five.new backup.five.new
2024-05-09 02:09:27: set --ldap-policy ldap/server/addition='master.five.new backup.five.new' old:[Previously undefined]
2024-05-09 03:09:32: unset --ldap-policy 'ldap/server/addition' old:master.five.new backup.five.new
2024-05-09 03:09:36: set --ldap-policy ldap/server/addition='master.five.new backup.five.new' old:[Previously undefined]
2024-05-09 04:08:38: unset --ldap-policy 'ldap/server/addition' old:master.five.new backup.five.new

That is not good: there was no ldap/server/addition at all between 2024-05-09 00:06:32 and 2024-05-09 02:09:27. Why?
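Reading these windows off the replog by eye is error-prone, so here is a small added helper (not part of the original post or of UCS) that lists every interval in which a given UCR key was unset by --ldap-policy; the replog lines below are constructed to mirror the ones above, and the "now" end marker means the key is still unset at the end of the log.

```shell
#!/bin/sh
# Print "start<TAB>end" for every window in which a UCR key was unset via
# --ldap-policy (as seen in /var/log/univention/config-registry.replog).
# Usage: replog_unset_windows ldap/server/addition < config-registry.replog
replog_unset_windows() {
    awk -v key="$1" '
        # "unset --ldap-policy '"'"'<key>'"'"'" opens a window (\047 is the single quote)
        index($0, "unset --ldap-policy \047" key "\047") {
            if (start == "") start = substr($0, 1, 19)
            next
        }
        # "set --ldap-policy <key>=..." closes the open window, if any
        index($0, "set --ldap-policy " key "=") {
            if (start != "") { print start "\t" substr($0, 1, 19); start = "" }
        }
        # a window still open at end of log means the key is unset right now
        END { if (start != "") print start "\tnow" }
    '
}

# Constructed sample replog, modelled on the excerpt in the post
SAMPLE_REPLOG='2024-05-09 00:06:32: unset --ldap-policy '"'"'ldap/server/addition'"'"' old:master.five.new backup.five.new
2024-05-09 00:06:32: unset --ldap-policy '"'"'ldap/server/name'"'"' old:backup2.five.new
2024-05-09 02:09:27: set --ldap-policy ldap/server/addition='"'"'master.five.new backup.five.new'"'"' old:[Previously undefined]
2024-05-09 02:09:27: set --ldap-policy ldap/server/name=backup2.five.new old:[Previously undefined]
2024-05-09 03:09:32: unset --ldap-policy '"'"'ldap/server/addition'"'"' old:master.five.new backup.five.new
2024-05-09 03:09:36: set --ldap-policy ldap/server/addition='"'"'master.five.new backup.five.new'"'"' old:[Previously undefined]
2024-05-09 04:08:38: unset --ldap-policy '"'"'ldap/server/addition'"'"' old:master.five.new backup.five.new'

# Windows without any fallback server list:
printf '%s\n' "$SAMPLE_REPLOG" | replog_unset_windows ldap/server/addition
```

On a real system replace the sample with `replog_unset_windows ldap/server/addition < /var/log/univention/config-registry.replog`; a trailing "now" line is exactly the broken state described below, where only ldap/server/name is left.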

2024-05-09 00:06:32: unset --ldap-policy 'ldap/server/name' old:backup2.five.new
2024-05-09 02:09:27: set --ldap-policy ldap/server/name=backup2.five.new old:[Previously undefined]

and

more /etc/univention/base.conf| grep ldap\/server\/name
cron/fixwinbind/description: set ldap/server/name to a running ldap server and restart winbind
ldap/server/name: backup.five.new

So during the downtime of backup.five.new the configuration was ldap/server/name=backup.five.new with no ldap/server/addition at all. Nice, that cannot work.

/usr/lib/univention-directory-policy/univention-policy-update-config-registry -s
Simulating update...
Setting ldap/acl/user/password/change=yes 
Unsetting ldap/server/addition
Unsetting ldap/server/name

Bug 57287

Solution / Workaround:

Create a config-registry policy that sets ldap/server/addition, so that univention-policy-update-config-registry no longer removes this setting:

DN: cn=member,cn=config-registry,cn=policies,dc=five,dc=new
  ldapFilter: (univentionObjectType=computers/memberserver)
  name: member
  registry: ldap/server/addition backup.five.new
  registry: ldap/server/name master.five.new

Addition:

The existing ucr policy does not apply to the memberserver:

DN: cn=default-ldap-servers,cn=config-registry,cn=policies,dc=five,dc=new
  ldapFilter: (univentionServerRole=slave)
  name: default-ldap-servers
  registry: ldap/server/addition master.five.new backup.five.new backup2.five.new
  requiredObjectClasses: univentionDomainController

You can use this policy as a workaround, but you would have to remove the ldapFilter so that it also applies to the memberserver. With such a ucr policy in place, univention-policy-update-config-registry would no longer remove the settings.
