Upgrade 5.0 fails due to office365 remnants

UCS - Univention Corporate Server
#1

Hi there! I’m excited about the UCS-5.0 availability. Unfortunately, my update attempts from v.4.8 stop at what I understand is what’s left from installing and later removing the office365 connector:

Checking minimum_ucs_version_of_all_systems_in_domain … FAIL

minimum_ucs_version_of_all_systems_in_domain:
The following extensions are incompatible with UCS 5.0:
cn=office365,cn=udm_syntax,cn=univention,dc=corp,dc=xxxxxx,dc=com: [unspecified…unspecified)
cn=office365/profile,cn=udm_module,cn=univention,dc=corp,dc=xxxxxx,dc=com: [unspecified…unspecified)
cn=office365/ad-connection,cn=udm_module,cn=univention,dc=corp,dc=xxxxxx,dc=com: [unspecified…unspecified)

I tried to purge few packages, but it did not help and reports the same issue.

apt purge univention-office365 univention-management-console-module-office365

If I can successfully hunt down anything manually, I’ll report here.

Thanks!

#2

No luck so far… Reinstalled the MS 365 connector and re-uninstalled it to see what else was listed among involved packages to make sure to purge them all by hand thereafter. Looked around more, restarted the server a few times… Clean installation works. Upgrade is not cooperating. If anyone knows what I’m missing, I’m all ears.

Cheers!

#3

OK. I managed to clean up the pesky office365 remnants and upgrade four of mine UCS virtual servers. The following command helped identify the associated files.

univention-ldapsearch | grep office365

office365/profile, udm_module, univention
dn: cn=office365/profile,cn=udm_module,cn=univention,dc=corp,dc=xxxxxx,dc=com
cn: office365/profile
univentionUDMModuleFilename: office365/profile.py
univentionOwnedByPackage: univention-office365

office365/ad-connection, udm_module, univention
dn: cn=office365/ad-connection,cn=udm_module,cn=univention,dc=corp,dc=xxxxxx,dc=com
cn: office365/ad-connection
univentionUDMModuleFilename: office365/ad-connection.py
univentionOwnedByPackage: univention-office365

office365, udm_syntax, univention
dn: cn=office365,cn=udm_syntax,cn=univention,dc=corp,dc=xxxxxx,dc=com
univentionUDMSyntaxFilename: office365.py
cn: office365
univentionOwnedByPackage: univention-office365

These files ended up among python2.7 dist-packages.

updatedb && locate office365

/usr/lib/python2.7/dist-packages/univention/admin/handlers/office365/ad-connection.py
/usr/lib/python2.7/dist-packages/univention/admin/handlers/office365/profile.py
/usr/lib/python2.7/dist-packages/univention/admin/syntax.d/office365.py

Moving these files out of there alone did not resolve the issue. LDAP had to be modified as well.

ldapdelete -x -D “cn=admin,$(ucr get ldap/base)” -y /etc/ldap.secret “cn=office365,cn=udm_syntax,cn=univention,dc=corp,dc=xxxxxx,dc=com”

ldapdelete -x -D “cn=admin,$(ucr get ldap/base)” -y /etc/ldap.secret “cn=office365/profile,cn=udm_module,cn=univention,dc=corp,dc=xxxxxx,dc=com”

ldapdelete -x -D “cn=admin,$(ucr get ldap/base)” -y /etc/ldap.secret “cn=office365/ad-connection,cn=udm_module,cn=univention,dc=corp,dc=xxxxxx,dc=com”

Do not forget to backup/image your servers prior to messing with them!

Good luck!

#4

Hi.
I’ve followed your tutorial and deleted ad-connector too.

I’ve got an error on each reboot since 0365 plugin uninstallation :

Traceback (most recent call last):
  File "/usr/share/univention-updater/updater-statistics", line 114, in <module>
    main()
  File "/usr/share/univention-updater/updater-statistics", line 108, in main
    'updater/statistics': encode_additional_info(users=get_users(), role=get_role()),
  File "/usr/share/univention-updater/updater-statistics", line 100, in get_users
    lo, _ = getReadonlyAdminConnection()
  File "/usr/share/univention-updater/updater-statistics", line 88, in getReadonlyAdminConnection
    lo, position = univention.admin.uldap.getAdminConnection()
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 166, in getAdminConnection
    lo = univention.uldap.getAdminConnection(start_tls, decode_ignorelist=decode_ignorelist)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 121, in getAdminConnection
    return access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn='cn=admin,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 283, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 367, in __open
    self.__starttls()
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 207, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 381, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 954, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 935, in _apply_method_s
    self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 911, in reconnect
    raise e
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}

The Ldap sever runs good since I can connect with Apache directory Studio.
Any hints ?

There are many other ldap entries relative to 0365 :

-saml-serviceprovider > univention-office365
-univention > default-saml-idp : univentionOffice365Enabled, univentionOffice365userPrincipalName
-univention > apps > office365
-univention > ldapschema > office365
-univention > portal > office365
-univention > templates > Microsoft 365 Account
-univention > udm_hook > office365_user_ADConnections_hook
-univention > udm_module > office365/profile,office365/ad-connection
-univention > udm_syntax > office365

Are they safe to delete ?
Regards

#5

Hey there. You rig seems a little bit more cluttered than mine, but should be manageable too. This upgrade is no longer fresh in my head unfortunately. I installed four more UCS servers from scratch at that time to start new projects in clean environment and have a couple of upgraded machines still running fine to this day. If you are able to backup the server you certainly can go ahead and “kill” old components. Try to do one at a time initially to make sure you are moving in the right direction. I actually created a folder and was moving such files there while noting their original paths in case I would want to put them right back. Figuring out ldap-delete took some time as I recall. I’m sorry for not being specific enough. Good luck!

Mastodon