> On Thu, Dec 01, 2011 at 09:00:18AM -0500, Jiri Kuncar wrote:
> > I've added an attribute "idnsAllowSyncPTR" to "idnsZone" to enable
> > or disable synchronization of PTR records. However the
> > bind-dyndb-ldap plugin option "sync_ptr" has to be included in
> > /etc/named.conf to run synchronization feature.
> 
> Hello,
> 
> This doesn't seem very user-friendly to me. In my opinion it would be
> better to allow PTR synchronization when sync_ptr is "no" and
> idnsAllowSyncPTR is set to "TRUE". That way the admin can either set
> sync_ptr to allow updates for all zones, or set the per-zone
> idnsAllowSyncPTR attribute.

I agree. Please check my corrections and comments inside the patch.

Regards, 
Jiri
From d52e4c9db6e9f6f75264295044d184ca3a768a2a Mon Sep 17 00:00:00 2001
From: Jiri Kuncar <jkun...@redhat.com>
Date: Thu, 1 Dec 2011 08:32:34 -0500
Subject: [PATCH] Enable/disable PTR synchronization per zone. Class
 idnsRecord has new attribute idnsAllowSyncPTR (BOOLEAN).
 Changed sync_ptr option behavior as follows: - "yes" always
 sync PTR records; - "no" first check "idnsAllowSyncPTR"
 attribute in a zone.

Signed-off-by: Jiri Kuncar <jkun...@redhat.com>
---
 README             |    9 ++++++---
 src/ldap_convert.c |    4 ++++
 src/ldap_helper.c  |   51 ++++++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/README b/README
index b28fd32..3ee0b40 100644
--- a/README
+++ b/README
@@ -192,9 +192,12 @@ ldap_hostname (default "")
 	/bin/hostname output.
 
 sync_ptr (default no)
-	Keeps PTR record synchronized with coresponding A/AAAA record.
-	When an A/AAAA record is deleted the PTR record must point 
-	to the same hostname.
+	Set this option to "yes" if you would like to keep PTR record 
+	synchronized with coresponding A/AAAA record for all zones.
+	If this option is set to "no", the LDAP driver will check
+	the idnsAllowSyncPTR attribute which specifies the synchronization
+	policy for PTR records in a zone. When an A/AAAA record is deleted 
+	the PTR record must point to the same hostname. 
 
 5.2 Sample configuration
 ------------------------
diff --git a/src/ldap_convert.c b/src/ldap_convert.c
index 85b572e..b5cf4cf 100644
--- a/src/ldap_convert.c
+++ b/src/ldap_convert.c
@@ -227,6 +227,10 @@ dnsname_to_dn(zone_register_t *zr, dns_name_t *name, ld_string_t *target)
 
 		CHECK(str_cat_char(target, "idnsName="));
 		CHECK(str_cat_isc_buffer(target, &buffer));
+		/* 
+		 * Modification of following line can affect modify_ldap_common().
+		 * See line with: char *zone_dn = strstr(str_buf(owner_dn),", ") + 1;  
+		 */
 		CHECK(str_cat_char(target, ", "));
 	}
 	CHECK(str_cat_char(target, zone_dn));
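Review bot: The new comment in dnsname_to_dn hard-codes a cross-reference to a specific line in modify_ldap_common, including its `+ 1`, which will go stale on the next edit to either file and documents the coupling instead of removing it. The RDN separator should be a shared constant used by both the DN builder and the `strstr` lookup, e.g. `#define LDAP_DN_RDN_SEP ", "` in a common header, with the comment reduced to `/* Separator is parsed back by modify_ldap_common(); keep in sync via the shared constant. */`. dnsname_to_dn's body starts outside the hunk.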
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index b60cf11..8a10068 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1,6 +1,7 @@
 /*
  * Authors: Martin Nagy <mn...@redhat.com>
  *          Adam Tkac <at...@redhat.com>
+ *          Jiri Kuncar <jkun...@redhat.com>
  *
  * Copyright (C) 2008, 2009  Red Hat
  * see file 'COPYING' for use and warranty information
@@ -1798,19 +1799,58 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst,
 	CHECK(ldap_modify_do(ldap_conn, str_buf(owner_dn), change, delete_node));
 
 	/* Keep the PTR of corresponding A/AAAA record synchronized. */
-	if (ldap_inst->sync_ptr == ISC_TRUE && 
-	    (rdlist->type == dns_rdatatype_a || rdlist->type == dns_rdatatype_aaaa)) {
+	if (rdlist->type == dns_rdatatype_a || rdlist->type == dns_rdatatype_aaaa) {
 		
+		/* Look for zone "idnsAllowSyncPTR" attribute when plugin 
+		 * option "sync_ptr" is set to "no" otherwise the synchronization
+		 * is always enabled for all zones. */
+		if (ldap_inst->sync_ptr == ISC_FALSE) {
+			/* 
+			 * Find parent zone entry.
+			 * @todo Try the cache first and improve split.
+			 */
+			char *zone_dn = strstr(str_buf(owner_dn),", ") + 1;
+			ldap_entry_t *entry;
+			ldap_valuelist_t values;
+			char *attrs[] = {"idnsAllowSyncPTR", NULL};
+			
+			CHECK(ldap_query(ldap_inst, ldap_conn, zone_dn,
+							 LDAP_SCOPE_BASE, attrs, 0,
+							 "(&(objectClass=idnsZone)(idnsZoneActive=TRUE))"));
+			
+			/* Search for zone entry with 'idnsAllowSyncPTR == "TRUE"'. */
+			for (entry = HEAD(ldap_conn->ldap_entries);
+				 entry != NULL;
+				 entry = NEXT(entry, link)) {
+				result = ldap_entry_getvalues(entry, "idnsAllowSyncPTR", &values);
+				if (result != ISC_R_SUCCESS) 
+					continue;
+
+				if (strcmp(HEAD(values)->value, "TRUE") != 0) {
+					entry = NULL;
+				}
+				break;
+			}
+			/* Any valid zone was found. */
+			if (entry == NULL) {
+				log_debug(3, "Sync PTR is not allowed in zone %s", zone_dn);
+				goto cleanup;
+			}
+			log_debug(3, "Sync PTR is allowed for zone %s", zone_dn);
+		}
+
 		/* Get string with IP address from change request
 		 * and convert it to in_addr structure. */
 		in_addr_t ip;
 		if ((ip = inet_addr(change[0]->mod_values[0])) == 0) {
-			log_bug("Could not convert IP address from string '%s'.", change[0]->mod_values[0]);
+			log_bug("Could not convert IP address from string '%s'.",
+			        change[0]->mod_values[0]);
 		}
 		
 		/* Use internal net address representation. */
 		isc_netaddr_t isc_ip;
-		isc_netaddr_fromin(&isc_ip,(struct in_addr *) &ip); /* Only copy data to isc_ip stucture. */
+		/* Only copy data to isc_ip stucture. */
+		isc_netaddr_fromin(&isc_ip,(struct in_addr *) &ip);
 		
 		/*
 		 * Convert IP address to PTR record.
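Review bot: `strstr(str_buf(owner_dn),", ") + 1` in the new sync_ptr branch is never checked for NULL, so an owner DN without the ", " separator becomes pointer arithmetic on NULL and a bogus base DN handed to ldap_query; `+ 1` also leaves a leading space on the DN where `+ 2` would skip the separator dnsname_to_dn emits. The lookup loop stores the status of ldap_entry_getvalues in `result`, so when the zone entry simply lacks idnsAllowSyncPTR the `goto cleanup` in the "not allowed" branch returns that lookup error even though ldap_modify_do already succeeded — assuming cleanup returns `result`, which lies outside the hunk, as do the start and end of modify_ldap_common. The comment `/* Any valid zone was found. */` guards the no-zone case and should read `/* No zone allowing PTR sync was found. */`. The rewritten lines below add the NULL check and restore a success status on that early exit.
```c
		if (ldap_inst->sync_ptr == ISC_FALSE) {
			/* Parent zone entry: owner_dn is "idnsName=<name>, <zone dn>"
			 * as built by dnsname_to_dn(). */
			char *zone_dn = strstr(str_buf(owner_dn), ", ");
			if (zone_dn == NULL) {
				log_bug("Owner DN '%s' has no zone component.",
				        str_buf(owner_dn));
				result = ISC_R_FAILURE;
				goto cleanup;
			}
			zone_dn += 2; /* skip the ", " separator */
			/* … unchanged: ldap_query for idnsAllowSyncPTR and the value loop … */
			/* No zone allowing PTR sync was found; the modify itself succeeded. */
			if (entry == NULL) {
				log_debug(3, "Sync PTR is not allowed in zone %s", zone_dn);
				result = ISC_R_SUCCESS;
				goto cleanup;
			}
```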
@@ -1832,7 +1872,8 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst,
 	
 		/* Check the value of PTR entry. */	
 		if (mod_op == LDAP_MOD_DELETE && result == ISC_R_SUCCESS) {
-			result = ldapdb_rdatalist_findrdatatype(&rdlist_search, dns_rdatatype_ptr, &rdlist_ptr);
+			result = ldapdb_rdatalist_findrdatatype(&rdlist_search, 
+			                                        dns_rdatatype_ptr, &rdlist_ptr);
 		}
 
 		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
-- 
1.7.7.1
