Cool Solution - Move UCC Objects in UDM
From Univention Wiki
When a joined UCC Thin or Fat Client is moved to a new container in UDM, the client can no longer authenticate against the management system. As a consequence, changes made in the central management are not applied and users are unable to log in until the client is re-joined. The reason is that the client's current location in the directory (its DN, Distinguished Name) is needed during authentication; this location is stored in the UCR variable ldap/hostdn when the client joins the domain. If the client is moved out of its original container, the old value no longer matches the credentials the server expects.
For environments with a large number of clients, a script can update the DN automatically, so that a computer does not have to be re-joined each time its LDAP container changes.
One way to manage this is to have the clients ask the LDAP master (in a cron job run at startup) whether their location has changed, and update the local variable accordingly. Anonymous read access to LDAP must be enabled on the chosen UCS DC for this; in the example it is enabled on the UCS DC Master.
On the UCS LDAP server
The following steps are needed on all LDAP servers the UCC clients might use.
Enable anonymous bind
With UCS 3.0, anonymous LDAP searches must be allowed, otherwise LDAP cannot find the DN of the computer. To enable anonymous LDAP searches in the UMC, search for *anonymous* in the UCR module and set the variable ldap/acl/read/anonymous to yes. To enable them from the command shell, run:
ucr set ldap/acl/read/anonymous=yes
Restart the LDAP service
service slapd restart
On the client
ucr get ldap/hostdn
cn=thinclient01,cn=computers,dc=example,dc=com
Define Cron-job to update ldap location
Create a new cron task to update ldap/hostdn (the OpenLDAP port is 389 on a system with only OpenLDAP and 7389 if Samba 4 is installed).
On the terminal, run the following command. The value contains $! (a sed address, not a shell expansion), so run it from a script or disable history expansion first with set +H in an interactive bash session; everything else that must be evaluated at cron run time is escaped so that it is stored literally in the UCR variable:
ucr set cron/hostdnupdate/command="sleep 120; \
ldapsearch -x -H ldap://\$(ucr get ldap/master):7389 cn=\$(hostname) | grep numEntries > /dev/null && \
ucr set ldap/hostdn=\$(ldapsearch -x -H ldap://\$(ucr get ldap/master):7389 -LLL \
\"(&(objectClass=univentionHost)(cn=\$(hostname)))\" dn | sed -e ':a;N;\$!ba;s/\\n //g' -e 's/dn: \\(.*\\)/\\1/')"
Run the job every time the system starts:
ucr set cron/hostdnupdate/time='@reboot'
The new cronjob should appear in
Check new DN
ucr get ldap/hostdn
cn=thinclient01,cn=thinclients,ou=MyOU,dc=example,dc=com
In the Univention Management Console
Create a Univention Configuration Registry Policy with the following values:

Variable | Value
cron/hostdnupdate/command | sleep 120; ldapsearch -x -H ldap://$(ucr get ldap/master):7389 cn=$(hostname) | grep numEntries > /dev/null && ucr set ldap/hostdn=$(ldapsearch -x -H ldap://$(ucr get ldap/master):7389 -LLL "(&(objectClass=univentionHost)(cn=$(hostname)))" dn | sed -e ':a;N;$!ba;s/\n //g' -e 's/dn: \(.*\)/\1/')
cron/hostdnupdate/time | @reboot
Define Cron-Job for all clients
The UCR variables defined above can be applied to all UCC objects by using a UCR policy in UDM. It is strongly recommended not to apply this setting to UCS server objects.
- If the UCR policy is used, a UCC host needs to reboot to apply it. Moving the object in UDM will only be noticed afterwards.
- The cron job in the example generates a mail each time it runs, whether it succeeds or not, which is stored locally by default. Change the script and/or the cron settings according to your needs.
- The cron job waits 120 seconds before it tries to reach the LDAP server, to give the network some time to connect; this might need adjustment too.
- If the client cannot communicate with the UCS Master when the cron job is run, the ldap/hostdn variable will be set to an empty string. In that case, restart the client once the connection to the UCS Master has been restored.
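The following script is an added example for this article; it is not part of the Univention wiki page or of UCC itself. It performs the same ldap/hostdn refresh as the cron job defined above, but addresses the last two notes: it never overwrites a working ldap/hostdn with an empty string when the lookup fails, and it reports the outcome to syslog via logger so the result is visible without cron mail. The install path /usr/local/sbin/hostdnupdate, the environment variables LDAP_PORT and HOSTDN_WAIT, and the hostdn_action / extract_dn function names are assumptions made for this example; the LDAP port, wait time and search filter are the ones from the article.

```shell
#!/bin/sh
# Added example, not from the Univention wiki page: refresh ldap/hostdn on a UCC
# client after the object was moved in UDM, keeping the old value on failure.
# Assumptions (not from the page): installed as /usr/local/sbin/hostdnupdate and
# run as root; LDAP port 7389 and the 120 s wait match the article and can be
# overridden with the LDAP_PORT / HOSTDN_WAIT environment variables.

# Join LDIF continuation lines (a wrapped line starts with one space) and print
# the value of the dn: attribute. Reads LDIF on stdin, so it can be exercised
# with constructed input without contacting an LDAP server.
extract_dn() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation: append to previous line
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | sed -n 's/^dn: //p'
}

# Decide what to do with a freshly looked-up DN. Prints exactly one word:
#   keep-old  - lookup returned nothing (server unreachable, no match, anonymous
#               read disabled): do not overwrite a working value
#   unchanged - the object was not moved
#   update    - the object was moved, ldap/hostdn must be rewritten
hostdn_action() {
    old_dn="$1"
    new_dn="$2"
    if [ -z "$new_dn" ]; then
        echo keep-old
    elif [ "$new_dn" = "$old_dn" ]; then
        echo unchanged
    else
        echo update
    fi
}

# Ask the LDAP master for this host's object (anonymous bind, as the article
# requires) and print its DN, or nothing on any failure.
lookup_hostdn() {
    server="$1"; port="$2"; name="$3"
    ldapsearch -x -H "ldap://$server:$port" -LLL \
        "(&(objectClass=univentionHost)(cn=$name))" dn 2>/dev/null | extract_dn
}

main() {
    sleep "${HOSTDN_WAIT:-120}"            # give the network time to come up, as in the article
    master=$(ucr get ldap/master)
    old_dn=$(ucr get ldap/hostdn)
    new_dn=$(lookup_hostdn "$master" "${LDAP_PORT:-7389}" "$(hostname)")
    case $(hostdn_action "$old_dn" "$new_dn") in
        update)
            ucr set "ldap/hostdn=$new_dn"      # quoted: a DN may contain spaces
            logger -t hostdnupdate "ldap/hostdn changed from '$old_dn' to '$new_dn'"
            ;;
        unchanged)
            logger -t hostdnupdate "ldap/hostdn unchanged ($old_dn)"
            ;;
        keep-old)
            logger -t hostdnupdate "could not resolve host DN on $master, keeping '$old_dn'"
            exit 1
            ;;
    esac
}

# Only run the refresh when called with --run, so the functions above can be
# sourced and tested without sleeping or contacting an LDAP server.
if [ "$1" = "--run" ]; then
    main
fi
```

With this script in place, the cron variable from the article becomes cron/hostdnupdate/command=/usr/local/sbin/hostdnupdate --run (path assumed), and cron/hostdnupdate/time stays @reboot. In the keep-old case the client keeps its previous ldap/hostdn, so the advice above to restart it once the UCS Master is reachable still applies, but the failure is now recorded in syslog (tag hostdnupdate) rather than leaving an empty variable behind.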