[Solved] Upgrade 5.0.9 to 5.2.1 (check.sh: Cannot get LDAP credentials from '/etc/ldap.secret')

Hi - the upgrade worked for my primary and backup DC. Just on the primary I had to follow the following article to get the upgrade started → Remove legacy UDM / LDAP objects with upgrade to UCS-5.2.
In a nutshell - I just downloaded the “check.sh” file and:

  • sudo bash check.sh update_check_legacy_objects
  • sudo bash check.sh delete_legacy_objects

On the backup it was not needed to follow this step.

Now on the replica server, I got asked to delete as well the same “objects”:

legacy_objects:
	The following objects are no longer supported with UCS 5.2:
		dn: cn=24x7,cn=nagios,dc=privat-net,dc=intranet
		dn: cn=WorkHours,cn=nagios,dc=privat-net,dc=intranet
		dn: cn=NonWorkHours,cn=nagios,dc=privat-net,dc=intranet
	They must be removed before the update can be done.

On the replica server the script “sudo bash check.sh delete_legacy_objects” is forcing an error → check.sh: Cannot get LDAP credentials from ‘/etc/ldap.secret’

I have just a basic understanding of Linux - so no idea what is needed to get that fixed.

If you know the right commands - you will be my hero for one day :wink:

Thank you in advance

Quick update - facing also the same issues on the second replica server.

I did a system status check as well and noticed the following message:

I followed the activity to re-join → univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server

But the result stays the same. Primary and backup are showing no errors.

FYI: I did the upgrade to 5.2.1 for the primary 2 weeks ago - and the backup last week.

You can remove the legacy nagios objects via (execute it on the primary):

univention-ldapsearch -LLL 'objectClass=univentionNagiosTimeperiodClass' 1.1 | sed -rne 's#^dn: ##p' | while read -r dn; do udm nagios/timeperiod remove --dn "$dn"; done

Hi @Best : The primary is already on 5.2.1 and I checked again with the check.sh script if there is anything left with “sudo bash check.sh update_check_legacy_objects” - and it is not.
Then I checked your “script” as well on the primary → univention-ldapsearch -LLL 'objectClass=univentionNagiosTimeperiodClass' 1.1 | sed -rne 's#^dn: ##p' | while read -r dn; do udm nagios/timeperiod remove --dn "$dn"; done

Result is → unknown module nagios/timeperiod (more details below):

unknown module nagios/timeperiod.

Available Modules are:
  appcenter/app
  blocklists/all
  blocklists/entry
  blocklists/list
  computers/computer
  computers/domaincontroller_backup
  computers/domaincontroller_master
  computers/domaincontroller_slave
  computers/ipmanagedclient
  computers/linux
  computers/macos
  computers/memberserver
  computers/trustaccount
  computers/ubuntu
  computers/windows
  computers/windows_domaincontroller
  container/cn
  container/dc
  container/msgpo
  container/ou
  dhcp/dhcp
  dhcp/host
  dhcp/pool
  dhcp/server
  dhcp/service
  dhcp/shared
  dhcp/sharedsubnet
  dhcp/subnet
  dns/alias
  dns/dns
  dns/forward_zone
  dns/host_record
  dns/ns_record
  dns/ptr_record
  dns/reverse_zone
  dns/srv_record
  dns/txt_record
  groups/group
  kerberos/kdcentry
  mail/domain
  mail/folder
  mail/lists
  mail/mail
  monitoring/alert
  ms/domainpolicy
  ms/gpipsec-filter
  ms/gpipsec-isakmp-policy
  ms/gpipsec-negotiation-policy
  ms/gpipsec-nfa
  ms/gpipsec-policy
  ms/gpsi-category-registration
  ms/gpsi-class-store
  ms/gpsi-package-registration
  ms/gpwl-wired
  ms/gpwl-wireless
  ms/gpwl-wireless-blob
  nagios/nagios
  nagios/service
  networks/network
  policies/admin_container
  policies/desktop
  policies/dhcp_boot
  policies/dhcp_dns
  policies/dhcp_dnsupdate
  policies/dhcp_leasetime
  policies/dhcp_netbios
  policies/dhcp_routing
  policies/dhcp_scope
  policies/dhcp_statements
  policies/ldapserver
  policies/maintenance
  policies/masterpackages
  policies/memberpackages
  policies/nfsmounts
  policies/policy
  policies/printserver
  policies/pwhistory
  policies/registry
  policies/release
  policies/repositoryserver
  policies/repositorysync
  policies/share_userquota
  policies/slavepackages
  policies/umc
  portals/all
  portals/announcement
  portals/category
  portals/entry
  portals/folder
  portals/portal
  saml/idpconfig
  saml/serviceprovider
  settings/cn
  settings/data
  settings/default
  settings/directory
  settings/extended_attribute
  settings/extended_options
  settings/ldapacl
  settings/ldapschema
  settings/license
  settings/lock
  settings/msprintconnectionpolicy
  settings/mswmifilter
  settings/packages
  settings/printermodel
  settings/printeruri
  settings/prohibited_username
  settings/sambaconfig
  settings/sambadomain
  settings/service
  settings/settings
  settings/syntax
  settings/udm_hook
  settings/udm_module
  settings/udm_syntax
  settings/umc_operationset
  settings/usertemplate
  shares/print
  shares/printer
  shares/printergroup
  shares/share
  users/contact
  users/ldap
  users/passwd
  users/self
  users/user

Should I run it on the replica server maybe?

I tried it as root (univention-ldapsearch -LLL 'objectClass=univentionNagiosTimeperiodClass' 1.1 | sed -rne 's#^dn: ##p' | while read -r dn; do udm nagios/timeperiod remove --dn "$dn"; done) as well on the replica server - but I got the following message:

# sudo univention-ldapsearch -LLL 'objectClass=univentionNagiosTimeperiodClass' 1.1 | sed -rne 's#^dn: ##p' | while read -r dn; do udm nagios/timeperiod remove --dn "$dn"; done
Permission denied.
Permission denied.
Permission denied.

Hi, I’m facing a similar issue. In my case, the udm command cannot be found. Does this mean I should delete the keys via the LDAP interface?

Hi @jasc : You are facing the issue on a primary, backup or replica server?

Primary. I haven’t touched the replica or backup nodes yet because the update to the primary failed.

If the primary is already on UCS 5.2 you can instead run the following on the primary (to be able to upgrade the replica):
univention-ldapsearch -LLL 'objectClass=univentionNagiosTimeperiodClass' 1.1 | sed -rne 's#^dn: ##p' | while read -r dn; do ldapdelete -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret "$dn"; done
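
A guarded form of that one-liner, added here as an example and not part of the thread: it extracts the DNs from the LDIF output, keeps only entries below cn=nagios, and prints what it would delete unless explicitly told to delete. It assumes it is run as root on the primary, where /etc/ldap.secret (the cn=admin password) exists; the ldap/base and LDIF sample used for the offline demonstration are constructed.

```shell
# Added example (not from the thread): a dry-run-first version of the
# ldapdelete one-liner. Run as root on the primary, where /etc/ldap.secret
# holds the cn=admin password. Nothing is deleted unless "0" is passed.

FILTER='objectClass=univentionNagiosTimeperiodClass'

# Pull DNs out of LDIF on stdin and keep only entries below cn=nagios,
# so that an unexpected search hit can never be deleted by accident.
legacy_dns() {
    sed -E -n 's#^dn: ##p' | grep -E ',cn=nagios,' || true
}

# DNs-only search ("1.1" requests no attributes), as in the thread.
find_legacy_dns() {
    univention-ldapsearch -LLL "$FILTER" 1.1 | legacy_dns
}

# Read DNs from stdin; report them (dry run, the default) or delete them
# with the cn=admin credential from /etc/ldap.secret.
remove_legacy_dns() {
    dry_run="${1:-1}"
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        if [ "$dry_run" = 1 ]; then
            printf 'would delete: %s\n' "$dn"
        else
            ldapdelete -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret "$dn"
        fi
    done
}

# Constructed LDIF resembling what univention-ldapsearch returns for the
# three objects check.sh reported, plus one unrelated entry (ldap/base is
# a made-up dc=example,dc=test).
SAMPLE_LDIF='dn: cn=24x7,cn=nagios,dc=example,dc=test

dn: cn=WorkHours,cn=nagios,dc=example,dc=test

dn: cn=NonWorkHours,cn=nagios,dc=example,dc=test

dn: cn=unrelated,cn=users,dc=example,dc=test
'

# Offline demonstration of the pipeline on the constructed LDIF.
demo_dry_run() {
    printf '%s' "$SAMPLE_LDIF" | legacy_dns | remove_legacy_dns 1
}

# Live use on the primary: review the list first, then delete.
#   find_legacy_dns | remove_legacy_dns 1
#   find_legacy_dns | remove_legacy_dns 0
```

Afterwards re-run "bash check.sh update_check_legacy_objects" on the replica; the objects are removed on the primary and reach the replica through LDAP replication.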

THX - looks like the blocking point is gone.
I executed "univention-ldapsearch -LLL 'objectClass=univentionNagiosTimeperiodClass' 1.1 | sed -rne 's#^dn: ##p' | while read -r dn; do ldapdelete -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret "$dn"; done" on the primary.

I checked on the replica “sudo bash check.sh update_check_legacy_objects”.

I started the upgrade - and now I’m waiting :wink:

Upgrade is done - I had to re-join some services:

reboot - and finally the system diagnostic check on master/backup/replica → all fine (incl the SAML-cert).

Will do now the second replica the same way - fingers crossed :wink:

@jasc are you logged in as “root”? Administrator is not enough.

Yes, always as root on UCS systems - but based on my very basic skills with Linux I’m using sudo every time :wink:

FYI: Also the second one is currently upgrading. It looks like, with your code (univention-ldapsearch -LLL 'objectClass=univentionNagiosTimeperiodClass' 1.1 | sed -rne 's#^dn: ##p' | while read -r dn; do ldapdelete -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret "$dn"), the blocking bits have also been removed on the second replica. Nothing came up by using “sudo bash check.sh update_check_legacy_objects”.

I have to re-join now and I believe that also the final diagnostic check on all systems will be OK.

If so - I will close this post here - and as mentioned above - you @Best are my hero for one day :wink:

FYI: The re-join via web-interface failed - I had to do it via root on the command line.