NS7 join fails if user domain directory.nh exists #7222

Closed
nrauso opened this issue Dec 17, 2024 · 18 comments
Assignees
Labels
verified All test cases were verified successfully

Comments

@nrauso

nrauso commented Dec 17, 2024

Even though the renaming of the NS7 internal LDAP user base is already handled during migration to NS8, it is not possible to join an NS7 to an NS8 cluster if a user domain named directory.nh already exists on the NS8 system.

Steps to reproduce

  • Install a fresh NS8 node;
  • Create a new user domain on NS8 and name it directory.nh;
  • Attempt to join an NS7 with an internal LDAP user account provider to the NS8 cluster.

Expected behavior

You should be able to join the NS7 to the NS8 cluster, renaming the internal LDAP user domain on NS8 to avoid conflicts.

Actual behavior

The NS8 UI displays an error, and the join operation fails:
[screenshot: NS8 UI error message]

Components

  • nethserver-ns8-migration-1.1.0-1.ns7.x86_64
@DavidePrincipi DavidePrincipi added this to the NethServer 8.3 milestone Dec 17, 2024
@DavidePrincipi DavidePrincipi moved this from ToDo to In Progress in NethServer Dec 17, 2024
@DavidePrincipi DavidePrincipi self-assigned this Dec 17, 2024
@DavidePrincipi DavidePrincipi changed the title Cannot join NS7 with an internal LDAP to an NS8 cluster if a user domain named directory.nh already exists NS7 join fails if user domain directory.nh exists Dec 17, 2024
DavidePrincipi added a commit to NethServer/nethserver-ns8-migration that referenced this issue Dec 19, 2024
Account provider validation is now performed by the connection API.

Refs NethServer/dev#7222
@DavidePrincipi DavidePrincipi removed their assignment Dec 19, 2024
@DavidePrincipi
Member

Test case

  • Check the bug is not reproducible with the migration tool RPM from testing repo.
  • Check the 4 account provider use cases, with/without domain name conflict on the NS8 side (8 scenarios).

@DavidePrincipi DavidePrincipi added the testing Packages are available from testing repositories label Dec 19, 2024
@nethbot nethbot moved this from In Progress to Testing in NethServer Dec 19, 2024
@stephdl

stephdl commented Dec 19, 2024

be aware of this change also

@stephdl stephdl self-assigned this Dec 20, 2024
@stephdl

stephdl commented Dec 20, 2024

  • test 1 local AD provider
    migration OK to a NS8 node

  • test 2 case external AD provider
    migration ok to a ns8 node of an application

  • test 3 local openldap provider
    migration OK to a NS8 node

  • test 4 case external openldap provider
    migration ok to a ns8 node of an application

  • test 5 case no account provider
    migration OK of mattermost

test of failure

  • case 6 external openldap provider
    no tests if the ldap exists on the NS8 (normal scenario)

@stephdl

stephdl commented Dec 20, 2024

@DavidePrincipi could you state the 8 cases to verify? I do not understand what the 3 other cases could be.

@DavidePrincipi
Member

Test 1-4 are verified, ok 👍

I'm happy the test 5 you did has no regressions.

We have to check scenarios where:

A) We have a local account provider and a domain name conflict exists, and an error message is expected and must be displayed (OpenLDAP + Samba).
B) We have a remote account provider, and a domain name with the same name is wanted (OpenLDAP + Samba) as the manual says.

The code change has removed the old error message logic completely, and I expect the remaining code is already doing the job.

@stephdl stephdl assigned stephdl and unassigned stephdl Jan 7, 2025
@stephdl

stephdl commented Jan 8, 2025

test A :
A) We have a local account provider and a domain name conflict exists, and an error message is expected and must be displayed (OpenLDAP + Samba).
ns7 openldap -> NS8 openldap OK, we have an error message
NS7 samba AD -> NS8 samba AD with the same DN: OK, we have an error message

test B
B) We have a remote account provider, and a domain name with the same name is wanted (OpenLDAP + Samba) as the manual says.

  • NS7 samba AD remote ad.domain.com on server IP 1.1.1.1 (not the remote NS8 domain one) -> NS8 samba AD local ad.domain.com with IP 2.2.2.2 => no error message displayed we can login to the cluster

  • NS7 openldap remote directory.nh on server IP 1.1.1.1 (not the remote NS8 domain one) -> NS8 openldap local directory.nh with IP 2.2.2.2 => no error message displayed we can login to the cluster

  • Connect a remote openldap to a NS7, connect the same remote openldap to a ns8, connect to the cluster to migrate -> no issue nor error we can login to the cluster

  • Connect a remote samba ad to a NS7, connect the same remote samba ad to a ns8, connect to the cluster to migrate -> no issue nor error we can login to the cluster

@stephdl

stephdl commented Jan 8, 2025

Case A verified

Case B I am not sure, could you state @DavidePrincipi

@nethbot
Member

nethbot commented Jan 9, 2025

in 7.9.2009/testing:

  • nethserver-ns8-migration-1.1.0-1.28.g92ade93.ns7.x86_64.rpm x86_64

@nrauso nrauso self-assigned this Jan 10, 2025
@DavidePrincipi
Member

DavidePrincipi commented Jan 10, 2025

Case B I am not sure

For external domains, the only condition is that on NS8 a domain with the same BaseDN exists. We cannot distinguish them by address because they can differ even if the LDAP DB is the same (e.g. different DNS records, LDAP replica, multi-homed servers...)

https://docs.nethserver.org/projects/ns8/en/main/migration.html#account-provider

I think the verification is ok so far, but we must check what happens if the remote domain is not configured in NS8.

@NethServer NethServer deleted a comment from nethbot Jan 10, 2025
@NethServer NethServer deleted a comment from nethbot Jan 10, 2025
@NethServer NethServer deleted a comment from nethbot Jan 10, 2025
@NethServer NethServer deleted a comment from nethbot Jan 10, 2025
@NethServer NethServer deleted a comment from nethbot Jan 10, 2025
@stephdl stephdl removed their assignment Jan 13, 2025
@stephdl

stephdl commented Jan 15, 2025

set not verified

we must check what happens if the remote domain is not configured in NS8.

Capture.video.du.2025-01-15.11-34-12.mp4

create a remote LDAP in NS7; this remote LDAP is not set in NS8
We must fail to join or to migrate if the remote LDAP is not set in NS8; this was the previous behaviour.

@stephdl stephdl assigned stephdl and DavidePrincipi and unassigned nrauso Jan 15, 2025
@DavidePrincipi DavidePrincipi removed the testing Packages are available from testing repositories label Jan 15, 2025
@nethbot nethbot moved this from Testing to In Progress in NethServer Jan 15, 2025
@DavidePrincipi
Member

DavidePrincipi commented Jan 16, 2025

List of cases/abbreviations:

  • NAP: No Account Provider configured on NS7.
  • LAD: Local NS7 Active Directory account provider.
  • LOP: Local OpenLDAP account provider.
  • RAD: Remote NS7 Active Directory account provider.
  • RLP: Remote (generic) LDAP provider.
  • EX: existing domain on the NS8 side. Existence is checked against the domain name for AD and, again, for local LDAP, whilst for remote LDAP the check is performed on the BaseDN/entryUUID attribute.
  • NX: non-existing domain on the NS8.

Test cases

Check NS7 join.

  1. NAP. Both EX and NX succeed.
  2. LAD. EX fails.
  3. LAD. NX succeeds (at least one cluster node has no DC on it).
  4. LAD. NX fails (all nodes already have a DC).
  5. LOP. EX fails for same domain name.
  6. LOP. NX succeeds.
  7. RAD. NX fails.
  8. RAD. EX succeeds.
  9. RLP. NX fails.
  10. RLP. EX succeeds.
  11. RLP. EX fails if multiple remote user domains match the NS7 BaseDN.

If the join succeeds, verify that the correct domain name and local/remote setting has been recorded in this file:

/var/lib/nethserver/nethserver-ns8-migration/environment
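The validation rules implied by the case list above, written out as a small decision function. This is an added illustration, not code from nethserver-ns8-migration: the dataclass fields, the `validate_join` signature, the DN normalisation rule and the `nodes_without_dc` argument are assumptions; only the pass/fail outcome per case follows the issue.

```python
from dataclasses import dataclass

@dataclass
class Ns8Domain:
    name: str             # user domain name as shown on NS8, e.g. "directory.nh"
    provider: str         # "samba" (Active Directory) or "openldap"
    external: bool        # True for a remote (external) domain bound to NS8
    base_dn: str = ""     # BaseDN, meaningful for external LDAP domains
    entry_uuid: str = ""  # entryUUID of the base entry, "" if not known

@dataclass
class Ns7Provider:
    kind: str             # NAP, LAD, LOP, RAD or RLP (abbreviations from the issue)
    domain: str = ""      # domain name (AD and local OpenLDAP cases)
    base_dn: str = ""     # BaseDN (remote LDAP case)
    entry_uuid: str = ""  # entryUUID (remote LDAP case), "" if not retrieved

def _dn_eq(a: str, b: str) -> bool:
    """Compare two DNs ignoring case and blanks around RDN separators (assumed rule)."""
    norm = lambda s: ",".join(part.strip().lower() for part in s.split(","))
    return norm(a) == norm(b)

def validate_join(p: Ns7Provider, ns8: list, nodes_without_dc: int):
    """Return (ok, message, record); record is (domain_name, "local"|"remote"),
    the two values the issue says must be written to the environment file."""
    names = {d.name.lower() for d in ns8}
    if p.kind == "NAP":                       # case 1: nothing to migrate
        return True, "no account provider configured on NS7", ("", "")
    if p.kind in ("LAD", "LOP"):              # cases 2-6: local providers
        if p.domain.lower() in names:         # EX: same domain name already on NS8
            return False, f"user domain {p.domain} already exists on NS8", None
        if p.kind == "LAD" and nodes_without_dc < 1:  # case 4: no node free for a DC
            return False, "every cluster node already hosts a DC", None
        return True, "local provider will be migrated", (p.domain, "local")
    if p.kind == "RAD":                       # cases 7-8: remote AD matched by name
        if p.domain.lower() not in names:
            return False, f"remote AD domain {p.domain} is not configured on NS8", None
        return True, "remote AD domain found on NS8", (p.domain, "remote")
    if p.kind == "RLP":                       # cases 9-11: remote LDAP matched by BaseDN
        cand = [d for d in ns8 if d.external and d.provider != "samba"
                and _dn_eq(d.base_dn, p.base_dn)]
        if p.entry_uuid:                      # entryUUID narrows the match when both sides have it
            cand = [d for d in cand if not d.entry_uuid or d.entry_uuid == p.entry_uuid]
        if not cand:
            return False, "no remote LDAP domain on NS8 matches the NS7 BaseDN", None
        if len(cand) > 1:                     # case 11: ambiguous, refuse to guess
            return False, "multiple remote LDAP domains on NS8 match the NS7 BaseDN", None
        return True, "remote LDAP domain found on NS8", (cand[0].name, "remote")
    raise ValueError(f"unknown account provider kind: {p.kind}")
```

Refusing the ambiguous RLP match (case 11) rather than picking the first candidate is the safe choice: binding the migrated users to the wrong directory would silently change who can log in.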

DavidePrincipi added a commit to NethServer/nethserver-ns8-migration that referenced this issue Jan 17, 2025
Fix external LDAP user domain validation

Refs NethServer/dev#7222
@nethbot
Member

nethbot commented Jan 17, 2025

in 7.9.2009/testing:

  • nethserver-ns8-migration-1.1.0-1.35.g97bb9ed.ns7.x86_64.rpm x86_64

@DavidePrincipi DavidePrincipi added the testing Packages are available from testing repositories label Jan 17, 2025
@DavidePrincipi DavidePrincipi removed their assignment Jan 17, 2025
@nethbot nethbot moved this from In Progress to Testing in NethServer Jan 17, 2025
@nrauso nrauso self-assigned this Jan 17, 2025
@nrauso
Author

nrauso commented Jan 19, 2025

All test cases verified but 7 and 8.
In both those cases NS7 join fails with this message:

~]# tail -f /var/log/ns8-migration.log
Error: 'int' object is not subscriptable

[screenshot: NS7 join error]

@DavidePrincipi
Member

This is a regression introduced by #7226 that I overlooked during QA. Fixed in NethServer/nethserver-ns8-migration@21b37b5

@nethbot
Member

nethbot commented Jan 20, 2025

in 7.9.2009/testing:

  • nethserver-ns8-migration-1.1.0-1.36.g21b37b5.ns7.x86_64.rpm x86_64

@nrauso
Author

nrauso commented Jan 21, 2025

all test cases: VERIFIED

@nrauso nrauso added the verified All test cases were verified successfully label Jan 21, 2025
@github-actions github-actions bot removed the testing Packages are available from testing repositories label Jan 21, 2025
@nethbot nethbot moved this from Testing to Verified in NethServer Jan 21, 2025
@nethbot
Member

nethbot commented Jan 22, 2025

in 7.9.2009/updates:

  • nethserver-ns8-migration-1.2.0-1.ns7.x86_64.rpm x86_64

@DavidePrincipi
Member

Released as 1.2.0

@github-project-automation github-project-automation bot moved this from Verified to Done in NethServer Jan 22, 2025