bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.

This patch updates limits both for existing service principal
on updated machine and for new service principals added
as a part of DNS installation.

https://fedorahosted.org/freeipa/ticket/2531

>From acfaccabd08338cf16dd8df768c1855622d42b0a Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 10 May 2012 09:28:02 +0200
Subject: [PATCH] Remove LDAP limits from DNS service

bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.

This patch updates the limits both for the existing service principal
on an updated machine and for new service principals added
as part of DNS installation.

https://fedorahosted.org/freeipa/ticket/2531
---
 ipaserver/install/bindinstance.py |   25 ++++++++++++++++--
 ipaserver/install/plugins/dns.py  |   49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index fa3864a22b3a28a00da4d0ef8d6ea37bbb77aa36..caac8b4f25368203e2a5f6c0d19cc9d7d02087df 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -475,7 +475,12 @@ class BindInstance(service.Service):
         # We do not let the system start IPA components on its own,
         # Instead we reply on the IPA init script to start only enabled
         # components as found in our LDAP configuration tree
-        self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+        try:
+            self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+        except errors.DuplicateEntry:
+            # service already exists (forced DNS reinstall)
+            # don't crash, just report error
+            root_logger.error("DNS service already exists")
 
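Review bot: The new `except errors.DuplicateEntry` branch logs and carries on, but neither the comment nor the message says what state the pre-existing DNS service entry is left in, which is the thing an admin doing a forced reinstall needs to know; the comment should make that explicit, e.g. `# service entry already exists (forced DNS reinstall); it is left untouched, so it presumably keeps whatever enabled flag it already had`. If a forced reinstall is an expected path, `root_logger.warning("DNS service already exists")` matches the comment's "just report" intent better than error level, which reads as a failure in upgrade logs. The enclosing method starts before this hunk, so whether anything later depends on the entry being freshly enabled cannot be checked here.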
     def __setup_sub_dict(self):
         if self.forwarders:
@@ -586,8 +591,22 @@ class BindInstance(service.Service):
         except ldap.TYPE_OR_VALUE_EXISTS:
             pass
         except Exception, e:
-            root_logger.critical("Could not modify principal's %s entry" % dns_principal)
-            raise e
+            root_logger.critical("Could not modify principal's %s entry: %s" \
+                    % (dns_principal, str(e)))
+            raise
+
+        # bind-dyndb-ldap persistent search feature requires both size and time
+        # limit-free connection
+        mod = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
+               (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
+               (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
+               (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
+        try:
+            self.admin_conn.modify_s(dns_principal, mod)
+        except Exception, e:
+            root_logger.critical("Could not set principal's %s LDAP limits: %s" \
+                    % (dns_principal, str(e)))
+            raise
 
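Review bot: Writing `-1` into nsTimeLimit, nsSizeLimit, nsIdleTimeout and nsLookThroughLimit removes the server-side search resource caps for this principal, so a leaked DNS keytab can then drive unbounded searches within whatever its ACIs allow; the two-line comment above the mod list only states the functional need and should carry that consequence too. Suggested wording: `# -1 disables the server's search resource limits for this principal; required by the bind-dyndb-ldap persistent search, but it also means a leaked DNS keytab can run unbounded searches — keep this principal's ACIs as narrow as the installer grants`. Raising the limits after the earlier modify, including its TYPE_OR_VALUE_EXISTS pass-through, is the right order since that branch means the entry already carried the attribute. The enclosing method begins outside the hunk.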
     def __setup_named_conf(self):
         self.fstore.backup_file('/etc/named.conf')
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 886f7f051e91147969034350c69d956f3b43345a..6f0c3b3279d3cbabf1bdaee0e62d2de943a82581 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -23,6 +23,7 @@ from ipaserver.install.plugins import baseupdate
 from ipalib import api, errors, util
 from ipalib.dn import DN
 from ipalib.plugins.dns import dns_container_exists
+from ipapython.ipa_log_manager import *
 
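Review bot: The wildcard `from ipapython.ipa_log_manager import *` pulls every public name of that module into dns.py only to obtain `root_logger`, hiding where the name comes from and risking a silent shadow of any same-named local; import it explicitly, `from ipapython.ipa_log_manager import root_logger`. The neighbouring imports in this hunk are all explicit, so the wildcard is also inconsistent with the file's own style.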
 class update_dnszones(PostUpdate):
     """
@@ -142,3 +143,51 @@ class update_dns_permissions(PostUpdate):
         return (False, True, [dnsupdates])
 
 api.register(update_dns_permissions)
+
+class update_dns_limits(PostUpdate):
+    """
+    bind-dyndb-ldap persistent search queries LDAP for all DNS records.
+    The LDAP connection must have no size or time limits to work
+    properly. This plugin updates limits of the existing DNS service
+    principal to match there requirements.
+    """
+    limit_attributes = ['nsTimeLimit', 'nsSizeLimit', 'nsIdleTimeout', 'nsLookThroughLimit']
+    limit_value = '-1'
+
+    def execute(self, **options):
+        ldap = self.obj.backend
+
+        if not dns_container_exists(ldap):
+            return (False, False, [])
+
+        dns_principal = 'DNS/%s@%s' % (self.env.host, self.env.realm)
+        dns_service_dn = str(DN(('krbprincipalname', dns_principal),
+                                self.env.container_service,
+                                self.env.basedn))
+
+        try:
+            (dn, entry) = ldap.get_entry(dns_service_dn, self.limit_attributes)
+        except errors.NotFound:
+            # this host may not have DNS service set
+            root_logger.debug("DNS: service %s not found, no need to update limits" % dns_service_dn)
+            return (False, False, [])
+
+        if all(entry.get(limit.lower(), [None])[0] == self.limit_value for limit in self.limit_attributes):
+            root_logger.debug("DNS: limits for service %s already set" % dns_service_dn)
+            # service is already updated
+            return (False, False, [])
+
+        limit_updates = []
+
+        for limit in self.limit_attributes:
+            limit_updates.append('only:%s:%s' % (limit, self.limit_value))
+
+        dnsupdates = {}
+        dnsupdates[dns_service_dn] = {'dn' : dns_service_dn,
+                                      'updates' : limit_updates}
+        root_logger.debug("DNS: limits for service %s will be updated" % dns_service_dn)
+
+
+        return (False, True, [dnsupdates])
+
+api.register(update_dns_limits)
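Review bot: The idempotency check `all(entry.get(limit.lower(), [None])[0] == self.limit_value ...)` indexes `[0]` on whatever `get_entry` hands back, so an attribute that is present with an empty value list raises IndexError instead of scheduling the update; `(entry.get(limit.lower()) or [None])[0]` is the safer form. The check also assumes `get_entry` returns lowercased attribute keys — if it does not, the comparison never matches and the plugin silently reapplies the `only:` updates on every upgrade, which is harmless but hides the broken check. The class docstring's "to match there requirements" should read "to match these requirements", and it should state why `-1` is used: it disables the server-side search resource limits for the DNS principal, which the persistent search needs but which also lets a leaked DNS keytab run unbounded searches.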
-- 
1.7.7.6
