Problem:
You can't install an app from the App Center on your member server/Managed Node, and you find this traceback in /var/log/univention/appcenter.log:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/install.py", line 84, in main
    return self.do_it(args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/install_base.py", line 119, in do_it
    self._do_it(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/docker_install.py", line 63, in _do_it
    ret = super(Install, self)._do_it(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/install.py", line 104, in _do_it
    self._register_app(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 432, in _register_app
    ldap_object.add_localhost()
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/udm.py", line 245, in add_localhost
    self._udm_obj.modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 642, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1312, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 891, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
Solution:
Note the permissionDenied at the end of the traceback.
It shows that the member server/Managed Node does not have permission to register or install the app settings on the DC Master/Primary Node.
Check the location of the computer object. It has to be in:
cn=memberserver,cn=computers,$ldap_base or
cn=dc,cn=computers,$ldap_base
univention-ldapsearch cn=<memberservername> dn
See also:
http://forge.univention.org/bugzilla/show_bug.cgi?id=48984
Solution for Microsoft AD
If the Managed Node system is located in a Microsoft AD (Memberserver - samba-memberserver), it probably cannot be changed in the LDAP directory because the AD system is the leading system.
The other reason why the object cannot be managed via LDAP is that the following attribute is set on the member server.
univention-ldapsearch cn=ucs5managed '+' '*' | grep univentionObject
univentionObjectFlag: synced
Get the DN of the object:
univention-ldapsearch cn=ucs5managed | grep dn
dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org
To remove the attribute so that the managed node can be moved, you can create an LDIF file like:
remove.ldif
dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org
changetype: modify
delete: univentionObjectFlag
univentionObjectFlag: synced
And use this command to modify the object:
ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f remove.ldif
Now you can move the Managed Node to the correct position in the UMC / LDAP directory:
cn=memberserver,cn=computers,$ldap_base
udm computers/memberserver move --dn cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org --position cn=memberserver,cn=computers,dc=example-ad,dc=org
Hint
The default / correct position in the Microsoft Active Directory for the systems will be:
cn=computers, $get/ldap_base
After the object has been moved in the LDAP directory, the join status will be unsuccessful and the system has to be joined again with:
univention-join
Now you will be able to install and remove apps from the App Center.
If you want the default setting back, you can attach the attribute to the object again, using an add.ldif for that:
dn: cn=ucs5managed,cn=memberserver,cn=computers,dc=example-ad,dc=org
changetype: modify
add: univentionObjectFlag
univentionObjectFlag: synced
Then modify the object again:
ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f add.ldif
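The two checks from this article (position of the computer object, and whether univentionObjectFlag: synced blocks a move) can be combined into one diagnostic. This is an added example, not Univention code; the function names are hypothetical, and it assumes that any DN below one of the two containers is in a valid position.

```shell
#!/bin/sh
# Added example (not Univention code). Feed it the LDIF printed by
#   univention-ldapsearch cn=<memberservername> '+' '*'
# and pass the LDAP base (ucr get ldap/base) as the first argument.

# RFC 2849: a line starting with one space continues the previous line.
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }'
}

# DNs compare case-insensitively; also drop spaces around the commas.
norm_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'
}

# Exit status: 0 = position OK, 1 = object must be moved, 2 = no entry.
# Assumption: any DN below one of the two containers counts as OK.
# Base64-encoded DNs ("dn:: ...") are not handled.
check_managed_node() {
    base=$(norm_dn "$1")
    ldif=$(unfold_ldif)
    dn=$(printf '%s\n' "$ldif" | sed -n 's/^dn: //p' | head -n 1)
    [ -n "$dn" ] || { echo "no entry found"; return 2; }
    case $(norm_dn "$dn") in
        *",cn=memberserver,cn=computers,$base" | *",cn=dc,cn=computers,$base")
            echo "OK: $dn"
            return 0 ;;
    esac
    if printf '%s\n' "$ldif" | grep -qi '^univentionObjectFlag: synced$'; then
        echo "MOVE (remove univentionObjectFlag: synced first): $dn"
    else
        echo "MOVE: $dn"
    fi
    return 1
}

# Constructed sample input, using the example DN from this article.
check_managed_node 'dc=example-ad,dc=org' <<'EOF' || true
dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org
univentionObjectFlag: synced
EOF
```

On a real system, pipe the univention-ldapsearch output into check_managed_node "$(ucr get ldap/base)" instead of the constructed sample.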