Hello, this patch disallows all dynamic updates if update policy configuration failed.
Without this patch the old update policy stays in effect when re-configuration fails. -- Petr^2 Spacek
From b21eb8a84e2c02e7dd090d24d68f1e385b0604c3 Mon Sep 17 00:00:00 2001
From: Petr Spacek <[email protected]>
Date: Mon, 15 Apr 2013 14:27:03 +0200
Subject: [PATCH] Disallow all dynamic updates if update policy configuration failed.

Without this patch the old update policy stays in effect when re-configuration failed.

Signed-off-by: Petr Spacek <[email protected]>
---
 src/ldap_helper.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index b59fd8e90cd225f7e45ce49a379d77dbc277a6c9..70833b2e25ef15f89a9e5ffc4ec776ebbade1d86 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -766,6 +766,9 @@ cleanup:
 static isc_result_t
 configure_zone_ssutable(dns_zone_t *zone, const char *update_str)
 {
+ isc_result_t result;
+ isc_result_t result2;
+
 REQUIRE(zone != NULL);
 
 /*
@@ -784,7 +787,23 @@ configure_zone_ssutable(dns_zone_t *zone, const char *update_str)
 #endif
 
 /* Set simple update table. */
- return acl_configure_zone_ssutable(update_str, zone);
+ result = acl_configure_zone_ssutable(update_str, zone);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_ERROR,
+ "disabling all updates because of error in "
+ "update policy configuration: %s",
+ isc_result_totext(result));
+ result2 = acl_configure_zone_ssutable("", zone);
+ if (result2 != ISC_R_SUCCESS) {
+ dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_CRITICAL,
+ "cannot disable all updates: %s",
+ isc_result_totext(result2));
+ FATAL_ERROR(__FILE__, __LINE__,
+ "insecure state detected");
+ }
+ }
+
+ return result;
 }
 
 static isc_result_t
-- 
1.7.11.7
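Review bot: The fail-closed fallback in the second hunk, `result2 = acl_configure_zone_ssutable("", zone);`, silently depends on an empty policy string making the helper install an empty (deny-all) SSU table rather than treating it as "nothing to configure" and leaving the previous table in place; nothing in the hunk states that contract, and if the helper does the latter the ISC_LOG_ERROR message would claim updates are disabled while the old policy stays active, which is the very state this patch is meant to remove. A comment above that line pinning the requirement, e.g. `/* Fail closed: "" must install an empty SSU table; never keep the previous one. */`, plus a test that feeds a malformed policy and then verifies an update is refused, would make the guarantee checkable instead of assumed. The `/* Set simple update table. */` comment kept above the new block no longer describes it and could mention the fallback. The body of configure_zone_ssutable between the two hunks is outside the view, so whether anything earlier in the function already mutates zone state before the failing call cannot be judged here.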
