Hello,

Disallow all dynamic updates if update policy configuration failed.

Without this patch the old update policy stays in effect
when re-configuration failed.

--
Petr^2 Spacek
From b21eb8a84e2c02e7dd090d24d68f1e385b0604c3 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Mon, 15 Apr 2013 14:27:03 +0200
Subject: [PATCH] Disallow all dynamic updates if update policy configuration
 failed.

Without this patch the old update policy stays in effect
when re-configuration fails.

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index b59fd8e90cd225f7e45ce49a379d77dbc277a6c9..70833b2e25ef15f89a9e5ffc4ec776ebbade1d86 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -766,6 +766,9 @@ cleanup:
 static isc_result_t
 configure_zone_ssutable(dns_zone_t *zone, const char *update_str)
 {
+	isc_result_t result;
+	isc_result_t result2;
+
 	REQUIRE(zone != NULL);
 
 	/*
@@ -784,7 +787,23 @@ configure_zone_ssutable(dns_zone_t *zone, const char *update_str)
 #endif
 
 	/* Set simple update table. */
-	return acl_configure_zone_ssutable(update_str, zone);
+	result = acl_configure_zone_ssutable(update_str, zone);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_ERROR,
+			      "disabling all updates because of error in "
+			      "update policy configuration: %s",
+			      isc_result_totext(result));
+		result2 = acl_configure_zone_ssutable("", zone);
+		if (result2 != ISC_R_SUCCESS) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_CRITICAL,
+				      "cannot disable all updates: %s",
+				      isc_result_totext(result2));
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "insecure state detected");
+		}
+	}
+
+	return result;
 }
 
 static isc_result_t
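Review bot: The fail-closed branch at the `acl_configure_zone_ssutable("", zone)` call depends on an empty policy string producing an empty (deny-all) update table, but nothing in the hunk states that, and a later change to how an empty string is parsed would silently turn this into fail-open; add a comment above that call such as `/* Fail closed: an empty policy installs an empty SSU table, so no dynamic update is permitted until a valid policy is configured. */`. The fallback also reuses the function that has just failed, so a transient cause (for example an allocation failure) is likely to fail a second time and escalate to FATAL_ERROR, taking the whole server down rather than only this zone; that is a defensible fail-safe choice, but it deserves a sentence in the commit message or a comment at the FATAL_ERROR call, e.g. `/* Deliberate: running with an unknown update policy is worse than stopping. */`. The enclosing configure_zone_ssutable starts in the preceding hunk, and the `#endif` on the first context line suggests a conditional block before this point whose effect on `result` is not visible here.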
-- 
1.7.11.7

