Cool Solution - Move UCC Objects in UDM

From Univention Wiki

Revision as of 09:47, 5 October 2016 by Hpeter
Produktlogo UCC Version 1.0

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. If you have questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Please also note the legal notes in the Terms of Service.

When a joined UCC Thin or Fat Client is moved to a new container in UDM, the client can no longer authenticate against the management system. As a consequence, changes made in the central management are not applied and users are unable to log in until the client is re-joined. The reason is that the current location of the client computer in the directory (its DN, or Distinguished Name) is needed during user authentication. This location is stored in the UCR variable ldap/hostdn when the client joins the domain. If a client is moved out of its original container, the stored value no longer matches the expected credentials.

For environments with a large number of clients, a script can be set up to update the DN automatically, so that a computer does not have to be re-joined each time it changes its LDAP container.

One way to manage this is to have the clients ask the LDAP master (in a cron job run at startup) whether their location has changed and update the local variable. Anonymous read access to LDAP must be enabled on the chosen UCS DC for this; in the example it is enabled on the UCS DC Master.

On the UCS LDAP server

The following steps are needed on all LDAP servers the UCC clients might use.

Enable anonymous bind

With UCS 3.0, anonymous LDAP search has to be allowed; otherwise LDAP cannot find the DN of the computer. To enable anonymous LDAP search in the UMC, search for *anonymous* in the UCR module and set the variable ldap/acl/read/anonymous to yes. To enable anonymous LDAP search on the command line, run the following command:

ucr set ldap/acl/read/anonymous=yes

Restart LDAP service

service slapd restart

On the client

Old DN

ucr get ldap/hostdn

Define Cron-job to update ldap location

Create a new cron task to update ldap/hostdn, either on the terminal or in the Univention Management Console. (The OpenLDAP port is 389 if OpenLDAP runs alone and 7389 if Samba 4 is installed.)

On the Terminal run

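# Enter this as one line. The outer single quotes keep $(...) unexpanded until cron runs the job;
# the sed expression uses double quotes so that it does not end the outer single-quoted string.
ucr set cron/hostdnupdate/command='sleep 120; ldapsearch -x -H ldap://$(ucr get ldap/master):7389 cn=$(hostname) | grep numEntries > /dev/null && ucr set ldap/hostdn=$(ldapsearch -x -H ldap://$(ucr get ldap/master):7389 -LLL "(&(objectClass=univentionHost)(cn=$(hostname)))" dn | ldapsearch-wrapper | sed -e "s/dn: \(.*\)/\1/")'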

Run that job every time the system starts

ucr set cron/hostdnupdate/time='@reboot'

The new cronjob should appear in

cat /etc/cron.d/univention-ucr-cronjobs

Check new DN

ucr get ldap/hostdn

In the Univention-Management-Console

Create a Univention Configuration Registry Policy with the following values (Note: Paste the values without line breaks!):

Variable: cron/hostdnupdate/command
Value: sleep 120; ldapsearch -x -H ldap://$(ucr get ldap/master):7389 cn=$(hostname) | grep numEntries > /dev/null && ucr set ldap/hostdn=$(ldapsearch -x -H ldap://$(ucr get ldap/master):7389 -LLL "(&(objectClass=univentionHost)(cn=$(hostname)))" dn | ldapsearch-wrapper | sed -e 's/dn: \(.*\)/\1/')

Variable: cron/hostdnupdate/time
Value: @reboot

Define Cron-Job for all clients

The UCR variables defined above can be applied to all UCC objects by using a UCR policy in UDM. It is strongly recommended not to apply this setting to UCS Server objects.


  • If the UCR Policy is used, a UCC host needs to reboot to apply it. Moving the object in UDM will only be noticed afterwards.
  • The cron job in the example will generate a mail each time it runs, whether it is successful or not; the mail is stored locally by default. Change the script and/or the cron settings according to your needs.
  • The cron job waits 120 seconds before it tries to reach the LDAP server, to give the network some time to connect; this might need adjustment too.
  • If the client can't communicate with the UCS Master when the cron job is run, the hostdn variable will get an empty string. In that case, restart the client once a connection to the UCS Master has been restored.
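
The last point above can be avoided by checking the search result before writing it. The following script is an added example, not part of the original article and not Univention code: it changes ldap/hostdn only when the anonymous search returns exactly one entry whose DN starts with cn=<hostname>, and otherwise leaves the variable untouched. The function names, the --update/--demo switches and the sample LDIF are assumptions made for this example; port 7389 and ldapsearch-wrapper are taken from the commands above.

```shell
#!/bin/sh
# Added example: guarded update of ldap/hostdn (not from the original article).

# Read unfolded LDIF on stdin. Print the DN and succeed only if exactly one
# entry was returned and its first RDN is cn=<host>. Empty results, multiple
# entries and base64-encoded DNs ("dn:: ...") are rejected.
extract_host_dn() {
    awk -v want="cn=$1," '
        /^dn: / { n++; dn = substr($0, 5) }
        END {
            if (n == 1 && index(tolower(dn), tolower(want)) == 1) print dn
            else exit 1
        }'
}

# $1 = host name, $2 = current ldap/hostdn, stdin = unfolded LDIF.
# Print the new DN and return 0 only if it is valid and differs from the
# current value; return 1 to signal "keep what is stored".
new_hostdn_or_keep() {
    new=$(extract_host_dn "$1") || return 1
    [ -n "$new" ] && [ "$new" != "$2" ] || return 1
    printf '%s\n' "$new"
}

# Query the master anonymously and update the UCR variable if needed.
# If the master is unreachable the LDIF is empty and nothing is written.
update_hostdn() {
    host=$(hostname)
    uri="ldap://$(ucr get ldap/master):7389"
    ldif=$(ldapsearch -x -H "$uri" -LLL \
        "(&(objectClass=univentionHost)(cn=$host))" dn | ldapsearch-wrapper)
    if new=$(printf '%s\n' "$ldif" |
             new_hostdn_or_keep "$host" "$(ucr get ldap/hostdn)"); then
        ucr set ldap/hostdn="$new"   # quoted: DNs may contain spaces
    fi
}

# Constructed sample input for an offline run of the parser.
SAMPLE_LDIF='dn: cn=client01,cn=thinclients,ou=Branch Office,dc=example,dc=com'

case "${1:-}" in
    --update) update_hostdn ;;
    --demo)   printf '%s\n' "$SAMPLE_LDIF" | new_hostdn_or_keep client01 '' ;;
esac
```

Saved under a path of your choice (for example /usr/local/sbin/update-hostdn, a hypothetical location), the script can replace the one-liner by setting cron/hostdnupdate/command to 'sleep 120; /usr/local/sbin/update-hostdn --update'.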
