Difference between revisions of "Cool Solution - Move UCC Objects in UDM"

From Univention Wiki

 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Version|UCC=1.0}}  
+
{{Version|UCC=1.0}}
{{Cool Solutions Disclaimer}}
+
{{Cool Solutions Disclaimer|Repository=no}}
 +
{{Out of Maintenance}}
  
= Introduction =
+
== Archive ==
  
When moving a joined UCC Thin or Fat Client to a new container in UDM, the Client is unable to authenticate against the management system. Consequences are that changes in the central management are not applied and users are unable to login until re-join.
+
There is a version of this article for [http://wiki.univention.com/index.php?title=Cool_Solution_-_Move_UCC_Objects_in_UDM&oldid=12466 UCC 1.0].
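Review bot: the new "== Archive ==" heading and its pointer to the UCC 1.0 revision are inserted directly under "= Introduction =" and in front of the original introduction paragraph ("When moving a joined UCC Thin or Fat Client ..."), so the archived-version note now reads as the first subsection of the introduction while the introduction text itself ends up without a heading of its own. Consider placing the Archive block above "= Introduction =", next to the {{Out of Maintenance}} template it belongs with, or at the end of the page.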
The reason is that the client's current location in the directory (its DN, or Distinguished Name) is needed during user authentication. This location is stored in the UCR variable '''ldap/hostdn''' when the client joins the domain; if the client is moved out of its original container, the stored value no longer matches the credentials the server expects.

For environments with a large number of clients, an automatic script can update the DN so that a computer does not need to rejoin each time it changes its LDAP container.

One way to manage this is to have the clients ask the LDAP master (from a cron job run at startup) whether their location has changed and update the local variable accordingly. Anonymous read access to LDAP must be enabled on the chosen UCS DC for this; in the example it is enabled on the UCS DC Master.

= On the UCS LDAP server =

The following steps are needed on all LDAP servers the UCC clients might use.

== Enable anonymous bind ==

With UCS 3.0, anonymous LDAP search has to be allowed, otherwise the client cannot look up its own DN. To enable anonymous LDAP search in the UMC, search for *anonymous* in the UCR module and set the variable ldap/acl/read/anonymous to yes. To enable it in the command shell, run:

 ucr set ldap/acl/read/anonymous=yes

== Restart LDAP service ==

 service slapd restart

= On the client =

Old DN:

 ucr get ldap/hostdn
 ''cn=thinclient01,cn=computers,dc=example,dc=com''

== Define Cron-job to update ldap location ==

Create a new cron task that updates ldap/hostdn, either on the terminal or in the Univention-Management-Console.

(The OpenLDAP port is 389 on a server without Samba 4 and 7389 if Samba 4 is installed.)

=== On the Terminal run ===

 # The $ signs and backslashes are escaped so that they are stored literally in the
 # UCR variable and only expanded when cron runs the job.
 ucr set cron/hostdnupdate/command="sleep 120; \
   ldapsearch -x -H ldap://\$(ucr get ldap/master):7389 cn=\$(hostname) | grep numEntries > /dev/null && \
   ucr set ldap/hostdn=\$(ldapsearch -x -H ldap://\$(ucr get ldap/master):7389 -LLL \
   \"(&(objectClass=univentionHost)(cn=\$(hostname)))\" dn | ldapsearch-wrapper | sed -e 's/dn: \\(.*\\)/\\1/')"

Run that job every time the system starts

Run that job every time the system starts:

 ucr set cron/hostdnupdate/time='@reboot'

The new cron job should appear in:

 cat /etc/cron.d/univention-ucr-cronjobs

Check the new DN:

 ucr get ldap/hostdn
 ''cn=thinclient01,cn=thinclients,ou=MyOU,dc=example,dc=com''

=== In the Univention-Management-Console ===

Create a Univention Configuration Registry Policy with the following values (Note: paste the values without line breaks!):

{| class="wikitable"
! Variable !! Value
|-
| cron/hostdnupdate/command || <nowiki>sleep 120; ldapsearch -x -H ldap://$(ucr get ldap/master):7389 cn=$(hostname) | grep numEntries > /dev/null && ucr set ldap/hostdn=$(ldapsearch -x -H ldap://$(ucr get ldap/master):7389 -LLL "(&(objectClass=univentionHost)(cn=$(hostname)))" dn | ldapsearch-wrapper | sed -e 's/dn: \(.*\)/\1/')</nowiki>
|-
| cron/hostdnupdate/time || @reboot
|}

== Define Cron-Job for all clients ==

The UCR variables defined above can be applied to all UCC objects by using a [http://docs.univention.de/manual-3.1-1.html#ucr::templates::policy UCR policy in UDM]. It is strongly recommended not to apply this setting to UCS server objects.

= Troubleshooting =

* If the UCR policy is used, a UCC host needs to reboot to apply it. Moving the object in UDM will only be noticed afterwards.
* The cron job in the example will generate a mail each time it runs, whether it succeeds or not, which is stored locally by default. Change the script and/or the cron settings according to your needs.
* The cron job waits 120 seconds before it tries to reach the LDAP server, to give the network some time to connect; this might need adjustment too.
* If the client can't communicate with the UCS Master when the cron job is run, the hostdn variable will get an empty string. In that case, restart the client once the connection to the UCS Master has been restored.

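The following script is an added example; it is not part of the original article and not Univention's own code. It serves both the "Define Cron-job to update ldap location" section and the Troubleshooting list above: it runs the same LDAP search as the one-line cron command, but only writes ldap/hostdn when the master actually returned a DN (so an unreachable master no longer leaves an empty value), skips the write when nothing changed, and appends to a log file instead of sending a mail on every run. The script path, the log file path and the port value are assumptions; the LDAP filter and the ucr calls are the ones the article uses.

```shell
#!/bin/sh
# Added example, not part of the original article or of Univention's code:
# a cron script that updates ldap/hostdn only when the LDAP master returned a
# usable DN, so an unreachable master never leaves the variable empty.
# Assumptions: ucr and ldapsearch exist on the client (as on a joined UCC
# system); the port and the log path below are placeholders to adapt.

LDAP_PORT=7389                        # 389 on a master without Samba 4
LOGFILE=/var/log/hostdnupdate.log     # assumed log path, adjust as needed

# unfold_ldif: join LDIF continuation lines (a line starting with one space
# continues the previous line); this is what ldapsearch-wrapper does on UCS.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# extract_dn: print the first DN found in the LDIF read from stdin, decoding a
# base64 "dn::" value (ldapsearch uses that form for non-ASCII DNs). Prints
# nothing when the input contains no DN, e.g. on an empty search result.
extract_dn() {
    dnline=$(unfold_ldif | sed -n '/^dn::\{0,1\} /p' | head -n 1)
    case "$dnline" in
        "dn:: "*) printf '%s' "${dnline#dn:: }" | base64 -d; printf '\n' ;;
        "dn: "*)  printf '%s\n' "${dnline#dn: }" ;;
    esac
}

# lookup_hostdn: the same anonymous search the article's one-liner runs against
# the UCS master; prints the DN, or nothing if the server does not answer.
lookup_hostdn() {
    ldapsearch -x -H "ldap://$(ucr get ldap/master):$LDAP_PORT" -LLL \
        "(&(objectClass=univentionHost)(cn=$(hostname)))" dn 2>/dev/null | extract_dn
}

# needs_update OLD NEW: true only when NEW is non-empty and differs from OLD.
needs_update() {
    [ -n "$2" ] && [ "$2" != "$1" ]
}

# update_hostdn: the cron entry point; logs to $LOGFILE instead of mailing.
update_hostdn() {
    old=$(ucr get ldap/hostdn)
    new=$(lookup_hostdn)
    if [ -z "$new" ]; then
        echo "$(date -Is) LDAP master unreachable or host not found, keeping '$old'" >>"$LOGFILE"
        return 1
    fi
    if needs_update "$old" "$new"; then
        ucr set "ldap/hostdn=$new"      # quoted, so a DN containing spaces survives
        echo "$(date -Is) ldap/hostdn changed: '$old' -> '$new'" >>"$LOGFILE"
    fi
}

# Constructed sample: what ldapsearch -LLL prints for a moved client, with the
# DN folded onto two lines as LDIF does for long values.
SAMPLE_LDIF='dn: cn=thinclient01,cn=thinclients,ou=MyOU,dc=example,
 dc=com
objectClass: univentionHost
'

case "${1:-}" in
    cron) update_hostdn ;;
    *)    printf 'parsed DN: %s\n' "$(printf '%s' "$SAMPLE_LDIF" | extract_dn)" ;;
esac
```

Install it under an assumed path such as /usr/local/sbin/hostdnupdate.sh and point the cron variable at it with ucr set cron/hostdnupdate/command='/usr/local/sbin/hostdnupdate.sh cron' (keeping cron/hostdnupdate/time='@reboot'). Without the cron argument the script only parses the constructed sample offline, which is useful for checking the DN extraction on a client before enabling the job. Because the new DN is assigned through a quoted ucr set, a container name containing spaces is written as one value, where the unquoted $(...) in the one-liner would have split it into several words.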
= Read More =

* [http://wiki.univention.de/index.php?title=UCS_3.0_LDAP Anonymous LDAP binding in UCS 3]
* [http://docs.univention.de/manual-3.1-1.html#computers:Executing_recurring_actions_with_Cron Cron jobs in UCS]


Latest revision as of 11:22, 8 September 2017


Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.