Difference between revisions of "Cool Solution - Move UCC Objects in UDM"

From Univention Wiki

Revision as of 17:32, 2 September 2013

UCC Version 1.0

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also regard the legal notes at Terms of Service.


Introduction

When moving a joined UCC Thin or Fat Client to a new container in UDM, the client is no longer able to authenticate against the management system. As a consequence, changes made in the central management are not applied and users are unable to log in until the client is re-joined. The reason is that the current location of the client computer in the directory (its DN, or Distinguished Name) is needed during authentication; this location is stored in the UCR variable ldap/hostdn when the client joins the domain. If the client is moved out of its original container, the old value no longer matches the credentials the server expects.

For environments with a large number of clients, an automatic script can be set up to update the DN, so that a computer does not need to be rejoined each time it changes its LDAP container.

One way to manage this is to have each client ask the LDAP master (from a cron job run at startup) whether its location has changed and update the local variable accordingly. Anonymous read access to LDAP must be enabled on all UCS DCs for this.

On the Master

Enable anonymous bind

With UCS 3.0, anonymous LDAP search has to be allowed; otherwise the lookup cannot find the DN of the computer. To enable anonymous LDAP search in the UMC, search for *anonymous* in the UCR module and set the variable ldap/acl/read/anonymous to yes. To enable it from the command shell, run the following command:

ucr set ldap/acl/read/anonymous=yes

Restart LDAP service

service slapd restart

On the client

Old DN

ucr get ldap/hostdn
cn=thinclient01,cn=computers,dc=example,dc=com

A cron to update ldap location

Create a new cron task that updates ldap/hostdn. The OpenLDAP port is 389 on a plain UCS system and 7389 if Samba 4 is installed; the command below uses 7389, so adjust it if necessary. The value is single-quoted so that the command substitutions are evaluated when the job runs, not when the variable is set, and it is kept on one line because a cron entry cannot span several lines:

# "sleep 120" gives the network time to come up after boot before the master is queried
ucr set cron/hostdnupdate/command='sleep 120; ucr set ldap/hostdn=$(ldapsearch -x -H ldap://$(ucr get ldap/master):7389 -LLL "(&(objectClass=univentionHost)(cn=$(hostname)))" dn | grep ^dn | sed -e "s/dn: //")'

Run that job every time the system starts

ucr set cron/hostdnupdate/time='@reboot'

The new cronjob should appear in

cat /etc/cron.d/univention-ucr-cronjobs

Check new DN

ucr get ldap/hostdn
cn=thinclient01,cn=thinclients,ou=MyOU,dc=example,dc=com
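The one-line cron command above writes whatever ldapsearch prints into ldap/hostdn, so if the master is unreachable at boot the variable ends up empty and the client is locked out just as if it had been moved. The following script is an added example (not part of this wiki article or of UCC) that performs the same lookup but only changes ldap/hostdn when the answer is exactly one DN naming this host below the domain's base DN. It assumes the UCR variables ldap/master, ldap/base and ldap/hostdn are set on the client, as on a joined system, and uses port 7389 like the command above.

```shell
#!/bin/sh
# Added example, not from the wiki article: a checked variant of the cron
# command above. It updates ldap/hostdn only when the LDAP master returns
# exactly one plausible DN, so a failed lookup never empties the variable.
# Assumes the UCR variables ldap/master, ldap/base and ldap/hostdn are set.

# Read "ldapsearch -LLL" output (LDIF) from stdin and print the single DN that
# names host $1 below base DN $2; print nothing and return 1 otherwise.
extract_hostdn() {
    eh_host="$1"; eh_base="$2"
    # Unfold LDIF continuation lines (leading space) and keep "dn:" values only.
    # Base64-encoded DNs ("dn:: ...") are deliberately not accepted.
    eh_dns=$(awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf ~ /^dn: /) print substr(buf, 5); buf = $0 }
        END   { if (buf ~ /^dn: /) print substr(buf, 5) }')
    eh_count=$(printf '%s\n' "$eh_dns" | grep -c . || true)
    # No match (or no answer at all) and several matches are both unsafe.
    [ "$eh_count" -eq 1 ] || return 1
    case "$eh_dns" in
        "cn=$eh_host,"*"$eh_base") printf '%s\n' "$eh_dns" ;;
        *) return 1 ;;
    esac
}

# Query the master as the wiki command does (port 7389; use 389 without
# Samba 4) and change ldap/hostdn only if the answer passed the checks.
update_hostdn() {
    uh_master=$(ucr get ldap/master); uh_base=$(ucr get ldap/base)
    uh_host=$(hostname); uh_old=$(ucr get ldap/hostdn)
    if ! uh_new=$(ldapsearch -x -H "ldap://$uh_master:7389" -LLL \
            "(&(objectClass=univentionHost)(cn=$uh_host))" dn 2>/dev/null |
            extract_hostdn "$uh_host" "$uh_base"); then
        logger -t hostdnupdate "lookup failed, keeping ldap/hostdn=$uh_old"
        return 1
    fi
    [ "$uh_new" = "$uh_old" ] && return 0   # unchanged: nothing to do
    ucr set "ldap/hostdn=$uh_new" &&
        logger -t hostdnupdate "ldap/hostdn changed: $uh_old -> $uh_new"
}

# Entry point for the @reboot cron job: wait for the network first, like the
# "sleep 120" in the wiki command. Nothing runs when the file is only sourced.
if [ "${1:-}" = "--cron" ]; then
    sleep 120
    update_hostdn
fi
```

Install it for example as /usr/local/sbin/hostdnupdate and point cron/hostdnupdate/command at "/usr/local/sbin/hostdnupdate --cron" instead of the one-liner; a failed or ambiguous lookup is reported via logger and leaves the old value untouched.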
