On Thu, 2012-02-23 at 14:32 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-02-20 at 12:46 -0500, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Tue, 2012-02-14 at 09:10 -0500, Rob Crittenden wrote:
> >>>> Simo Sorce wrote:
> >>>>> On Tue, 2012-02-14 at 12:09 +0100, Martin Kosek wrote:
> >>>>>> A new version of bind-dyndb-ldap has been released, sending fixed
> >>>>>> patches with the following major changes:
> >>>>>> - Since bind-dyndb-ldap supports only the idnsForwarders global option at
> >>>>>> this time, all other global options were removed from the API. They were
> >>>>>> left in the schema though so that the schema is consistent with the
> >>>>>> bind-dyndb-ldap supported schema and the support of these options in the
> >>>>>> future can be added more seamlessly
> >>>>>> - idnsAllowQuery and idnsAllowTransfer format has changed to follow BIND
> >>>>>> format (ACI elements separated with semicolon). An example of such
> >>>>>> element:
> >>>>>>
> >>>>>> ipa dnszone-mod example.com --allow-query="10.0.0.1;!10.0.0.0/8;any;"
> >>>>>>
> >>>>>> This ACI would forbid machines with any IP from the 10.0.0.0/8 network
> >>>>>> besides 10.0.0.1 to query the name server. All other machines are
> >>>>>> allowed to issue queries.
> >>>>>
> >>>>> Any good reason why this is not a multi-value attribute?
> >>>>> Do these ACIs need to be ordered? (that would be probably a good
> >>>>> reason).
> >>>>
> >>>> That's exactly it!
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> Yup. Previous release of bind-dyndb-ldap followed the multi-valued LDAP
> >>> attribute format, but we found out that we cannot do it this way as the
> >>> ACI list needs to be ordered.
> >>>
> >>> When bind evaluates if it should allow/reject a query/transfer request it
> >>> simply traverses the ACI list, one by one, and accepts the result of the
> >>> first match, i.e. the order is crucial there.
> >>>
> >>> Martin
> >>>
> >>
> >> There is no help for dnsconfig.
> >
> > dnsconfig is defined in the dns.py module and thus its help is defined in the
> > scope of the dns module:
> >
> > $ ipa help dns
> > ...
> > Show global DNS configuration:
> > ipa dnsconfig-show
> >
> > Modify global DNS configuration and set a list of global forwarders:
> > ipa dnsconfig-mod --forwarder=10.0.0.1
> >
> > Topic commands:
> > ...
> >
> >> If you set global forwarders then named will fail to restart if
> >> forwarders is defined in named.conf. We should warn users when setting
> >> this (and/or in the help).
> >
> > Yes, this is the problem that Petr Spacek mentioned. Adding him on the
> > CC list. IIUC, he and Adam Tkac already have a patch that should fix
> > this bug.
> >
> > There is not much we can do on the IPA side in this case. named just must
> > not crash when forwarders definitions (LDAP and named.conf) are both
> > set.
> >
> >> I can't get forwarded domains to work. I think I followed the test
> >> instructions in the ticket but my bogus domain always resolves to the root.
> >
> > As investigated on IRC, the problem was a too restrictive firewall
> > on the side of the second DNS server.
> >
> > Martin
> >
>
> Things are working for me today, ACK x4.
>
> rob
Thanks for the review Rob. I just hope you meant ACK x 5.

I rebased the patches for current ipa-2-2 and master branches and pushed
them to master, ipa-2-2. I fixed one merging left-over in our spec file
in the ipa-2-2 branch in the process.

I created a ticket to add the rest of supported global options:
https://fedorahosted.org/freeipa/ticket/2439

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
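Added example, not part of this thread or of the bind-dyndb-ldap/FreeIPA patches: a small evaluator for the semicolon-separated idnsAllowQuery/idnsAllowTransfer value discussed above, using the first-match rule Martin describes, so the effect of element order can be checked before running dnszone-mod. It assumes BIND's behaviour of denying an address that no element matches, and handles only IP/CIDR elements plus the "any" and "none" keywords (localhost, localnets and named ACLs are left out).

```python
import ipaddress

# Two of BIND's address-match-list keywords; localhost, localnets and
# named ACLs are not handled by this example.
_KEYWORDS = ("any", "none")


def parse_acl(acl):
    """Split a value such as "10.0.0.1;!10.0.0.0/8;any;" into an ordered
    list of (negated, target) pairs. Order is preserved on purpose."""
    elements = []
    for raw in acl.split(";"):
        item = raw.strip()
        if not item:  # the trailing ';' leaves an empty element
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in _KEYWORDS:
            elements.append((negated, item))
        else:
            # strict=False keeps host bits, so "10.0.0.1" becomes 10.0.0.1/32
            elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements


def _matches(target, address):
    if target == "any":
        return True
    if target == "none":
        return False
    return address.version == target.version and address in target


def explain(acl, client):
    """Return (allowed, index_of_deciding_element). The first element that
    matches decides: a negated match denies, a plain match allows, and no
    match at all denies (assumed BIND default)."""
    address = ipaddress.ip_address(client)
    for index, (negated, target) in enumerate(parse_acl(acl)):
        if _matches(target, address):
            return (not negated), index
    return False, None


def allowed(acl, client):
    return explain(acl, client)[0]


if __name__ == "__main__":
    acl = "10.0.0.1;!10.0.0.0/8;any;"      # the thread's example
    swapped = "!10.0.0.0/8;10.0.0.1;any;"  # same elements, different order
    for client in ("10.0.0.1", "10.5.6.7", "192.0.2.10"):  # constructed clients
        print(client, allowed(acl, client), allowed(swapped, client))
```

With the swapped ordering 10.0.0.1 is denied, because the "!10.0.0.0/8" element is reached first and its match is final.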