Problem: Memberserver - univention.admin.uexceptions.permissionDenied

Problem:

You can't install an app from the Appcenter on your memberserver/Managed Node, and you find this traceback in /var/log/univention/appcenter.log:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/install.py", line 84, in main
    return self.do_it(args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/install_base.py", line 119, in do_it
    self._do_it(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/docker_install.py", line 63, in _do_it
    ret = super(Install, self)._do_it(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/install.py", line 104, in _do_it
    self._register_app(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 432, in _register_app
    ldap_object.add_localhost()
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/udm.py", line 245, in add_localhost
    self._udm_obj.modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 642, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1312, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 891, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

Solution:

Note the permissionDenied at the end of the traceback.
It shows that the memberserver/Managed Node does not have the permission to register or install the app settings on the DC Master/Primary Node.

Check the position of this object in the LDAP directory. It has to be under one of:

cn=memberserver,cn=computers,$ldap_base or
cn=dc,cn=computers,$ldap_base

You can look up the current DN with:

univention-ldapsearch cn=<memberservername> dn

See also:
http://forge.univention.org/bugzilla/show_bug.cgi?id=48984

Solution for Microsoft AD

If the Managed Node is located in a Microsoft AD (memberserver / Samba member server), it probably cannot be changed in the LDAP directory because the AD system is the leading system.

Another reason why the object cannot be managed via LDAP is that the following attribute is set on the member server:

univention-ldapsearch cn=ucs5managed '+' '*' | grep univentionObject
univentionObjectFlag: synced

Get the DN of the object:

univention-ldapsearch cn=ucs5managed | grep dn
dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org

To remove the attribute so that the Managed Node can be moved, create an LDIF file like this (remove.ldif):

dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org
changetype: modify
delete: univentionObjectFlag
univentionObjectFlag: synced

And use this command to modify the object:

ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f remove.ldif
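As an added example (not part of the original post or of Univention's own tooling), this POSIX shell pre-flight check parses univention-ldapsearch output for the Managed Node, reports whether the object already sits under an allowed container and whether the synced flag would block a move, and prints the remove.ldif shown above. The sample output and the function names extract_dn, is_allowed_position, has_synced_flag, diagnose and make_remove_ldif are constructed for this example; it only reads data and never modifies LDAP.

```shell
#!/bin/sh
# Pre-flight check for the permissionDenied case: parse ldapsearch output,
# decide whether the object must be moved and whether the synced flag is set.

# Constructed sample, as univention-ldapsearch cn=ucs5managed '+' '*' would
# print it for a Managed Node that was created on the AD side (assumption).
SAMPLE_LDIF='dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org
cn: ucs5managed
univentionObjectType: computers/memberserver
univentionObjectFlag: synced
objectClass: univentionHost'

# extract_dn LDIF -> prints the DN of the first entry
extract_dn() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p' | head -n 1
}

# is_allowed_position DN LDAP_BASE -> succeeds if the object sits directly
# under cn=memberserver,cn=computers,<base> or cn=dc,cn=computers,<base>
is_allowed_position() {
    parent=${1#*,}   # drop the RDN, keep the parent container
    [ "$parent" = "cn=memberserver,cn=computers,$2" ] ||
    [ "$parent" = "cn=dc,cn=computers,$2" ]
}

# has_synced_flag LDIF -> succeeds if univentionObjectFlag: synced is present
has_synced_flag() {
    printf '%s\n' "$1" | grep -qx 'univentionObjectFlag: synced'
}

# diagnose LDIF LDAP_BASE -> prints ok, wrong-position or wrong-position-synced
diagnose() {
    dn=$(extract_dn "$1")
    if is_allowed_position "$dn" "$2"; then
        echo ok                       # nothing to do
    elif has_synced_flag "$1"; then
        echo wrong-position-synced    # delete the flag first, then udm move
    else
        echo wrong-position           # udm move is enough
    fi
}

# make_remove_ldif DN -> prints the LDIF that deletes the synced flag
make_remove_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: univentionObjectFlag\nuniventionObjectFlag: synced\n' "$1"
}

diagnose "$SAMPLE_LDIF" "dc=example-ad,dc=org"
make_remove_ldif "$(extract_dn "$SAMPLE_LDIF")"
```

On a real system, replace SAMPLE_LDIF with the output of univention-ldapsearch for your Managed Node and pass $(ucr get ldap/base) as the base.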

Now you can move the Managed Node to the correct position in the UMC / LDAP directory:

cn=memberserver,cn=computers,$ldap_base

udm computers/memberserver move --dn cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org --position cn=memberserver,cn=computers,dc=example-ad,dc=org

Hint

The default / correct position for these systems in the Microsoft Active Directory will be:
cn=computers,$(ucr get ldap/base)

After moving the object to a new position in the LDAP directory, the join status will be unsuccessful and the system has to be joined again with:
univention-join

Now you will be able to install and remove apps from the Appcenter.

If you want the default setting back, you can attach the attribute to the object again with an add.ldif:

dn: cn=ucs5managed,cn=memberserver,cn=computers,dc=example-ad,dc=org
changetype: modify
add: univentionObjectFlag
univentionObjectFlag: synced

Again, modify the object with:

ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f add.ldif