On 03/12/2013 03:38 PM, Petr Spacek wrote:
> On 12.3.2013 10:40, Martin Kosek wrote:
>> On 03/11/2013 04:58 PM, Petr Spacek wrote:
>>> Hello list!
>>>
>>> My first patch for FreeIPA is attached :-)
>>>
>>> I managed to add a new 389 DS plugin to the build system, but the LDAP magic in
>>> the installer and updater is too much for my brain.
>>>
>>> Could somebody show me how the installer and updater should add a new object to
>>> cn=config? Plugin configuration is static (an example is in the comments in
>>> ipa_dns.c).
>>>
>>> This patch implements the minimal necessary support for idnsSOASerial
>>> replication.
>>> I am investigating more advanced techniques, but I still see problems with
>>> locking and so on.
>>>
>>> Anyway, this patch should be sufficient for now.
>>>
>>> Commit message:
>>>
>>> Add 389 DS plugin for special idnsSOASerial attribute handling
>>>
>>> Default value "1" is added to replicated idnsZone objects
>>> if idnsSOASerial attribute is missing.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3347
>>>
>>
>> I did not review the actual plugin yet, I just added code to configure this
>> plugin during new install and upgrade. Patch attached.
>>
>> Just in daemons/ipa-slapi-plugins/ipa-dns/Makefile.am I noticed some
>> copy&paste errors:
>>
>> +libipa_uuid_la_LIBADD = \        <<< libipa_uuid??
>> +	$(LDAP_LIBS) \
>> +	$(UUID_LIBS) \
>> +	$(NULL)
>> +
>>
>> +EXTRA_DIST = \
>> +	$(app_DATA) \                <<< not defined, not needed (I will add it in my patch)
>> +	$(NULL)
>> +
>
> Fixed version is attached.
>
Sending a rebased version of my installer/updater patch.

Martin
From 2e11e91bbe04db93b96cfbc6078926e923cec06c Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Wed, 13 Mar 2013 15:15:41 +0100 Subject: [PATCH] Configure ipa_dns DS plugin on install and upgrade The plugin is configured unconditionally (i.e. does not check if IPA was configured with DNS) as the plugin is needed on all replicas to prevent objectclass violations due to missing SOA serial in idnsZone objectclass. The violation could happen if just one replica configured DNS and added a new zone. https://fedorahosted.org/freeipa/ticket/3347 --- daemons/ipa-slapi-plugins/ipa-dns/Makefile.am | 6 ++++++ daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif | 15 +++++++++++++++ install/updates/40-dns.update | 16 ++++++++++++++++ ipaserver/install/dsinstance.py | 6 ++++++ 4 files changed, 43 insertions(+) create mode 100644 daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am index 319c6676e9df1434feee468fa3861910a28f86dc..1b9f649b2151d380fc4fb188df1f1138167bc4b1 100644 --- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am @@ -32,7 +32,13 @@ libipa_dns_la_LIBADD = \ $(LDAP_LIBS) \ $(NULL) +appdir = $(IPA_DATA_DIR) +app_DATA = \ + ipa-dns-conf.ldif \ + $(NULL) + EXTRA_DIST = \ + $(app_DATA) \ $(NULL) MAINTAINERCLEANFILES = \ diff --git a/daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif b/daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif new file mode 100644 index 0000000000000000000000000000000000000000..808cc966db301e0b2b465e1a99ec37f2e33cd768 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif 
@@ -0,0 +1,15 @@ +dn: cn=IPA DNS,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsslapdPlugin +objectclass: extensibleObject +cn: IPA DNS +nsslapd-plugindescription: IPA DNS support plugin +nsslapd-pluginenabled: on +nsslapd-pluginid: ipa_dns +nsslapd-plugininitfunc: ipadns_init +nsslapd-pluginpath: libipa_dns.so +nsslapd-plugintype: preoperation +nsslapd-pluginvendor: Red Hat, Inc. +nsslapd-pluginversion: 1.0 +nsslapd-plugin-depends-on-type: database diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update index 3478a03ca27fc38c3c08d556fcd7af851aea8b9b..7ad366e6099aed5cfd240fa2068d9e41bc2af9aa 100644 --- a/install/updates/40-dns.update +++ b/install/updates/40-dns.update @@ -41,3 +41,19 @@ replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dn # replace DNS tree deny rule with managedBy enhanced allow rule dn: cn=dns, $SUFFIX replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)' + +# add DNS plugin +dn: cn=IPA DNS,cn=plugins,cn=config +default: objectclass: top +default: objectclass: nsslapdPlugin +default: objectclass: extensibleObject +default: cn: IPA DNS +default: nsslapd-plugindescription: IPA DNS support plugin +default: nsslapd-pluginenabled: on +default: nsslapd-pluginid: ipa_dns +default: nsslapd-plugininitfunc: ipadns_init +default: nsslapd-pluginpath: libipa_dns.so +default: nsslapd-plugintype: preoperation +default: nsslapd-pluginvendor: Red Hat, Inc. +default: nsslapd-pluginversion: 1.0 +default: nsslapd-plugin-depends-on-type: database 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 23843d75920044ba97a5df10d451140529dbfd7b..d02ef90e697e74f0aa2e63ebf697f5221cfff9aa 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -202,6 +202,7 @@ class DsInstance(service.Service): self.step("configuring uniqueness plugin", self.__set_unique_attrs) self.step("configuring uuid plugin", self.__config_uuid_module) self.step("configuring modrdn plugin", self.__config_modrdn_module) + self.step("configuring DNS plugin", self.__config_dns_module) self.step("enabling entryUSN plugin", self.__enable_entryusn) self.step("configuring lockout plugin", self.__config_lockout_module) self.step("creating indices", self.__create_indices) @@ -502,6 +503,11 @@ class DsInstance(service.Service): self._ldap_mod("modrdn-conf.ldif") self._ldap_mod("modrdn-krbprinc.ldif", self.sub_dict) + def __config_dns_module(self): + # Configure DNS plugin unconditionally as we would otherwise have + # troubles if other replica just configured DNS with ipa-dns-install + self._ldap_mod("ipa-dns-conf.ldif") + def __config_lockout_module(self): self._ldap_mod("lockout-conf.ldif") -- 1.8.1.4
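Review bot: in the new ipa-dns-conf.ldif, `nsslapd-plugininitfunc: ipadns_init` and `nsslapd-pluginpath: libipa_dns.so` must match the symbol exported by the plugin and the library name its Makefile.am produces; the plugin source (ipa_dns.c, from the earlier patch in this thread) is not part of this diff, so please confirm the init function name against it, because a mismatch only shows up as a plugin load failure when the directory server starts. Since the entry ships with `nsslapd-pluginenabled: on` and runs as a preoperation plugin on every replica, a `#` comment in the LDIF stating why it is enabled unconditionally (the objectclass-violation rationale currently lives only in the commit message) would help whoever next touches this file.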
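Review bot: the `default:` block added to install/updates/40-dns.update duplicates ipa-dns-conf.ldif attribute for attribute, so the two copies have to be kept in sync by hand; a note in one of them pointing at the other would reduce the chance of them drifting. Note also that `default:` only sets an attribute the entry does not already have, so a later change to, say, `nsslapd-pluginversion: 1.0` or `nsslapd-plugin-depends-on-type: database` in this file will not be applied on servers that already carry the entry; if such values are expected to change, `replace:` or `only:` directives will be needed at that point.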
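Review bot: in the first dsinstance.py hunk, the new step runs on every server, as the commit message intends, but its label `configuring DNS plugin` will also be printed on servers installed without DNS and may read as if DNS itself were being set up; naming the plugin in the label (e.g. `configuring ipa_dns plugin`, matching the `uuid`/`modrdn` steps around it) would avoid that confusion.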
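Review bot: the comment in `__config_dns_module` (second dsinstance.py hunk) has grammar problems ("have troubles if other replica just configured DNS") and leaves out the actual failure mode; since the rationale is only in the commit message, suggest carrying it to the code site, e.g. `# Configure the DNS plugin unconditionally: a replica without it would hit an objectclass violation when another replica configured DNS (ipa-dns-install) and added a zone whose idnsSOASerial is missing. See https://fedorahosted.org/freeipa/ticket/3347`. Calling `self._ldap_mod("ipa-dns-conf.ldif")` without `self.sub_dict` is fine here as the LDIF contains no substitution variables, but that is worth a word in the same comment given that the neighbouring `modrdn-krbprinc.ldif` call does pass it.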
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel