
Migration tool blindly removes external user domain #7199

Closed
DavidePrincipi opened this issue Dec 6, 2024 · 13 comments
Assignees
Labels
verified All test cases were verified successfully

Comments

@DavidePrincipi
Member

DavidePrincipi commented Dec 6, 2024

⚠ I found a failure scenario:

  • Start migration of NS7-A to ldap domain ns7.test
  • Start migration of NS7-B to ldap domain ns7.test

In NS8 the external domain created by NS7-A is replaced.

  • I'd expect an error message if the external domain is already bound to a working NS7 node, or to an external LDAP service. Before removing any existing domain, we must check if the domain is in use or not.
  • As an alternative, if an automatic check is too difficult, abort the join step completely and ask the user to manually remove the domain on NS8.


NOTE: I ran the test with an old RPM, nethserver-ns8-migration-1.0.18-1.9.pr94.g965a884.ns7.x86_64

Originally posted by @DavidePrincipi in #7103

Discussion: https://mattermost.nethesis.it/nethesis/pl/84unkibbo3rg7cbcrs454f5ksc
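The ownership check requested above, as an added example in Python. This is not code from nethserver-ns8-migration or NS8: the domain registry, the `probe` callback, the node ids and the LDAP endpoints are all assumptions made for illustration.

```python
"""Added example, not NethServer code: an ownership check run before a
migration replaces an external user domain on the cluster.

Assumptions (hypothetical, not the real ns8-join / remove-external-domain
interface): the cluster keeps a registry mapping each external domain name
to the node that bound it and to the LDAP endpoint it points at, and
`probe(endpoint)` returns True when that LDAP service still answers.
"""
from dataclasses import dataclass
from typing import Callable, Dict


class DomainInUseError(Exception):
    """Refuse to replace a domain still served by another node."""


@dataclass
class ExternalDomain:
    name: str           # e.g. "ns7.test"
    bound_by: str       # cluster node that created the binding, e.g. "node/2"
    ldap_endpoint: str  # host:port of the LDAP backend behind the domain


class DomainRegistry:
    def __init__(self, probe: Callable[[str], bool]):
        self._domains: Dict[str, ExternalDomain] = {}
        self._probe = probe

    def bind(self, name: str, node_id: str, ldap_endpoint: str) -> str:
        """Bind `name` to `node_id`. Returns an outcome label; raises
        DomainInUseError instead of silently replacing a live binding."""
        existing = self._domains.get(name)
        if existing is None:
            outcome = "created"
        elif existing.bound_by == node_id:
            outcome = "refreshed"          # same node re-running its join
        elif self._probe(existing.ldap_endpoint):
            raise DomainInUseError(
                f"domain {name!r} is bound to {existing.bound_by} and its "
                f"backend {existing.ldap_endpoint} still answers; remove the "
                "domain on the cluster manually before joining"
            )
        else:
            outcome = "replaced-stale"     # other node's backend is gone
        self._domains[name] = ExternalDomain(name, node_id, ldap_endpoint)
        return outcome

    def bound_by(self, name: str) -> str:
        """Node currently owning `name`."""
        return self._domains[name].bound_by


def try_join(registry: DomainRegistry, name: str, node_id: str,
             ldap_endpoint: str) -> str:
    """Join step as a UI would drive it: never replace a live domain,
    report 'refused' so the operator gets an error instead of data loss."""
    try:
        return registry.bind(name, node_id, ldap_endpoint)
    except DomainInUseError:
        return "refused"


if __name__ == "__main__":
    # Constructed scenario mirroring the report: NS7-A (node/2) binds
    # ns7.test, then NS7-B (node/3) tries to join with the same domain.
    live = {"192.168.122.50:636"}   # constructed: only NS7-A's LDAP answers
    reg = DomainRegistry(probe=lambda ep: ep in live)
    print(try_join(reg, "ns7.test", "node/2", "192.168.122.50:636"))  # created
    print(try_join(reg, "ns7.test", "node/3", "192.168.122.60:636"))  # refused
    print(reg.bound_by("ns7.test"))                                   # node/2
```

The only path that replaces another node's binding is the one where the probe reports the old backend unreachable; when the probe cannot be trusted, dropping that branch and always refusing is the "abort and ask the user" alternative from the report.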

@DavidePrincipi DavidePrincipi added this to the NethServer 8.3 milestone Dec 6, 2024
@stephdl stephdl self-assigned this Dec 6, 2024
@stephdl stephdl moved this from ToDo to In Progress in NethServer Dec 6, 2024
stephdl added a commit to NethServer/nethserver-ns8-migration that referenced this issue Dec 9, 2024
Fix redundant call to remove-external-domain in ns8-join script NethServer/dev#7199
@nethbot
Member

nethbot commented Dec 9, 2024

in 7.9.2009/testing:

  • nethserver-ns8-migration-1.0.18-1.29.gfafd227.ns7.x86_64.rpm x86_64

@stephdl

stephdl commented Dec 9, 2024

QA
For this test you need two NS7 (NS7-1 and NS7-2) and one NS8

The migration rpm to test:

yum install http://packages.nethserver.org/nethserver/7.9.2009/testing/x86_64/Packages/nethserver-ns8-migration-1.0.18-1.32.g5c37353.ns7.x86_64.rpm

case 1 openldap

  • Install NS7-1 with an account provider (openldap)
  • Install nethserver-ns8-migration from testing
  • Join the NS8 node with ldap.domain.com
  • Now the test continues with another NS7-2
  • Install NS7-2 with an account provider (openldap)
  • Install nethserver-ns8-migration from testing
  • join the NS8 node with ldap.domain.com

The validator must prevent joining the node with NS7-2 and the domain ldap.domain.com

case 2 SAMBA AD

  • Install NS7-1 with an account provider (samba ad), set ad.domain.com as the DN of the LDAP
  • Install nethserver-ns8-migration from testing
  • Join the NS8 node
  • Now the test continues with another NS7-2
  • Install NS7-2 with an account provider (samba ad), set ad.domain.com as the DN of the LDAP
  • Install nethserver-ns8-migration from testing
  • join the NS8 node

The validator must prevent joining the node with NS7-2 and the domain ad.domain.com

@stephdl stephdl added the testing Packages are available from testing repositories label Dec 9, 2024
@nethbot nethbot moved this from In Progress to Testing in NethServer Dec 9, 2024
@nrauso nrauso self-assigned this Dec 9, 2024
@nrauso

nrauso commented Dec 9, 2024

test case 1: VERIFIED
test case 2: NOT VERIFIED

@nrauso nrauso added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Dec 9, 2024
@nethbot nethbot moved this from Testing to Verified in NethServer Dec 9, 2024
@nethbot nethbot moved this from Verified to In Progress in NethServer Dec 9, 2024
@nrauso nrauso added testing Packages are available from testing repositories and removed verified All test cases were verified successfully labels Dec 9, 2024
@nethbot nethbot moved this from In Progress to Testing in NethServer Dec 9, 2024
@nethbot nethbot moved this from Testing to In Progress in NethServer Dec 9, 2024
@nrauso

nrauso commented Dec 9, 2024

Wait, I noticed something strange in test case 2 (with AD).
When I try to join the second NS7, the NS8 UI returns an error.
However, after refreshing the browser page, I see that the second NS7 is joined successfully.
Here's a video that demonstrates the issue:
https://github.com/user-attachments/assets/6dd8f99b-3033-4962-b98a-9afb65171088

I put the issue back to testing.

@stephdl

stephdl commented Dec 9, 2024

ok, I saw it, I am on it

@stephdl stephdl self-assigned this Dec 9, 2024
stephdl added a commit to NethServer/nethserver-ns8-migration that referenced this issue Dec 9, 2024
Fix external AD domain connection failure handling and improve domain extraction logic NethServer/dev#7199
@nethbot
Member

nethbot commented Dec 9, 2024

in 7.9.2009/testing:

  • nethserver-ns8-migration-1.0.18-1.32.g5c37353.ns7.x86_64.rpm x86_64

@stephdl

stephdl commented Dec 9, 2024

@nrauso could you verify point 2 with the rpm above?

@stephdl stephdl removed their assignment Dec 9, 2024
@DavidePrincipi DavidePrincipi moved this from In Progress to Testing in NethServer Dec 10, 2024
@nrauso

nrauso commented Dec 10, 2024

Ok, the attempt to join the second NS7 with the same AD configuration is now correctly handled.
However, I noticed an issue: even though the join was prevented, the wireguard peer created for the second NS7 remains in the NS8 configuration.

Here’s the output:

~]# redis-cli keys \*vpn\*
1) "node/2/vpn"                                     <== both correct
2) "node/1/vpn"

~]# wg
interface: wg0
  public key: 6Hb4GgAPjhYhQHLECadYmVoh7b22BEvaqx1cTIMC5BQ=
  private key: (hidden)
  listening port: 55820

peer: tafPEfUGkikAwR1MjdIBQfzZY+6TU/hMpKajKrrmZhE=
  endpoint: 192.168.122.10:46331
  allowed ips: 192.168.122.50/32, 10.5.4.2/32
  latest handshake: 7 seconds ago
  transfer: 9.44 KiB received, 8.02 KiB sent
  persistent keepalive: every 25 seconds

peer: m5OCRdDhksM4qsIEucNN4/5CqbmMyAof3RMmyUY0Cls=                      <== this one should not exist
  endpoint: 192.168.122.20:33762
  allowed ips: 192.168.122.60/32
  latest handshake: 3 minutes, 10 seconds ago
  transfer: 8.22 KiB received, 10.92 KiB sent
  persistent keepalive: every 25 seconds

Is this behavior expected?

@stephdl

stephdl commented Dec 11, 2024

@DavidePrincipi what do you think?

@stephdl stephdl self-assigned this Dec 11, 2024
@stephdl

stephdl commented Dec 11, 2024

well, I tried again; I cannot reproduce it, on either OpenLDAP or Samba AD

What I tried

  • perform a bad login: we trigger the error message, ns8-leave cleans the ns8 esmith property, and triggering wg on NS7 and NS8 does not show me what you saw
  • perform the join with a DN already existing on the NS8: we trigger the error message, ns8-leave cleans the ns8 esmith property, and triggering wg on NS7 and NS8 does not show me what you saw
  • succeed to login: we succeed in migrating the account provider, ns8-leave cleans the ns8 esmith property, and triggering wg on NS7 and NS8 does not show me what you saw

can you explain how you found this? Could you try to reproduce, @nrauso?

@nrauso nrauso added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Dec 11, 2024
@nethbot nethbot moved this from Testing to In Progress in NethServer Dec 11, 2024
@nethbot nethbot moved this from In Progress to Verified in NethServer Dec 11, 2024
@nrauso

nrauso commented Dec 11, 2024

@stephdl, in simple words: the second NS7 didn't join the NS8 cluster, there is no active wireguard configuration on the second NS7, but inside the wg.conf on the NS8 side I found an additional peer related to the not-joined NS7.
Here is a part of the wg.conf file from NS8:

  endpoint: 192.168.122.20:33762
  allowed ips: 192.168.122.60/32
  latest handshake: 3 minutes, 10 seconds ago
  transfer: 8.22 KiB received, 10.92 KiB sent
  persistent keepalive: every 25 seconds

endpoint here is the IP of the NS7 bridge;
allowed ips contains the IP given to the DC container on the NS7 side.

Anyway, it seems this behavior could not lead to any regression and it is not directly connected to the issue's aim, so I'll mark the issue verified.
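A check for the leftover peer discussed in the two comments above, as an added example in Python (not NethServer code): it parses the `wg` output posted earlier and flags any peer whose public key is not registered to a known cluster node. The `node/<id>/vpn` key names come from the page; the `public_key` field name, and which key belongs to which node, are assumptions made for the example.

```python
"""Added example, not NethServer code: parse the output of `wg` on an NS8
node and flag peers that no known cluster node accounts for, i.e. a
leftover peer like the one reported in this issue.

Assumptions: joined nodes are listed as node/<id>/vpn records carrying a
`public_key` field (hypothetical field name; the page only shows the key
names). WG_OUTPUT is copied from the output posted in the thread;
KNOWN_NODES is constructed, and the key-to-node assignment is a guess.
"""
from typing import Dict, List

WG_OUTPUT = """\
interface: wg0
  public key: 6Hb4GgAPjhYhQHLECadYmVoh7b22BEvaqx1cTIMC5BQ=
  private key: (hidden)
  listening port: 55820

peer: tafPEfUGkikAwR1MjdIBQfzZY+6TU/hMpKajKrrmZhE=
  endpoint: 192.168.122.10:46331
  allowed ips: 192.168.122.50/32, 10.5.4.2/32
  latest handshake: 7 seconds ago
  transfer: 9.44 KiB received, 8.02 KiB sent
  persistent keepalive: every 25 seconds

peer: m5OCRdDhksM4qsIEucNN4/5CqbmMyAof3RMmyUY0Cls=
  endpoint: 192.168.122.20:33762
  allowed ips: 192.168.122.60/32
  latest handshake: 3 minutes, 10 seconds ago
  transfer: 8.22 KiB received, 10.92 KiB sent
  persistent keepalive: every 25 seconds
"""

# Constructed stand-in for the node/N/vpn records (the page shows only the
# two key names); the assignment of keys to nodes is an assumption.
KNOWN_NODES: Dict[str, Dict[str, str]] = {
    "node/1/vpn": {"public_key": "6Hb4GgAPjhYhQHLECadYmVoh7b22BEvaqx1cTIMC5BQ="},
    "node/2/vpn": {"public_key": "tafPEfUGkikAwR1MjdIBQfzZY+6TU/hMpKajKrrmZhE="},
}


def parse_wg(text: str) -> List[Dict[str, object]]:
    """Return one dict per `peer:` stanza with its indented fields.

    The `interface:` stanza is skipped; `allowed ips` becomes a list,
    every other field is kept as its raw string under a snake_case key."""
    peers: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = {}              # blank line ends the stanza
            continue
        if raw.startswith("peer: "):
            current = {"public_key": line[len("peer: "):]}
            peers.append(current)
        elif raw.startswith("  ") and current:
            key, _, value = line.partition(": ")
            if key == "allowed ips":
                current["allowed_ips"] = [v.strip() for v in value.split(",")]
            else:
                current[key.replace(" ", "_")] = value
    return peers


def find_orphan_peers(peers: List[Dict[str, object]],
                      known_nodes: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Peers whose public key is not registered to any cluster node."""
    registered = {rec["public_key"] for rec in known_nodes.values()}
    return [p for p in peers if p["public_key"] not in registered]


def report(text: str, known_nodes: Dict[str, Dict[str, str]]) -> List[str]:
    """One human-readable line per orphan peer, for an operator to review."""
    lines = []
    for p in find_orphan_peers(parse_wg(text), known_nodes):
        lines.append(
            f"orphan peer {p['public_key']} endpoint={p.get('endpoint')} "
            f"allowed_ips={','.join(p.get('allowed_ips', []))}"
        )
    return lines


if __name__ == "__main__":
    for line in report(WG_OUTPUT, KNOWN_NODES):
        print(line)
```

On a live node the two inputs would come from `wg` and from the node records; a peer that no record accounts for still carries allowed-ips routes into the cluster VPN, so the report is a prompt to remove it rather than leave it behind.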

@nethbot
Member

nethbot commented Dec 12, 2024

in 7.9.2009/updates:

  • nethserver-ns8-migration-1.1.0-1.ns7.x86_64.rpm x86_64

@stephdl

stephdl commented Dec 12, 2024

released as nethserver-ns8-migration-1.1.0-1.ns7.x86_64.rpm

4 participants