Hello, this patch improves error logging for zones with idnsAllowDynUpdate == FALSE.
Zones with dynamic updates disabled are re-configured with empty update policy string, so the update is refused by BIND and an error is logged. -- Petr Spacek
From 88a472349aec5216467aa1e30a35b8689b1cd439 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 16 Apr 2013 10:49:11 +0200
Subject: [PATCH] Improve error logging for zones with idnsAllowDynUpdate == FALSE.

Zones with dynamic updates disabled are re-configured with empty update policy string, so the update is refused by BIND and an error is logged.

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 48 ++++++++++++++++++++++++++----------------------
 src/settings.c | 7 +++++++
 2 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 70833b2e25ef15f89a9e5ffc4ec776ebbade1d86..d6061f247db625326ce09e75b1c7ca5c1f259ba5 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1242,6 +1242,7 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst)
 isc_boolean_t unlock = ISC_FALSE;
 isc_boolean_t publish = ISC_FALSE;
 isc_boolean_t published = ISC_FALSE;
+ isc_boolean_t ssu_changed;
 isc_task_t *task = inst->task;
 isc_uint32_t ldap_serial;
 isc_uint32_t zr_serial; /* SOA serial value from in-memory zone register */
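Review bot: `ssu_changed` is added uninitialised at the end of this hunk while every neighbouring flag (`unlock`, `publish`, `published`) is initialised to ISC_FALSE; it is first assigned only after the idnsAllowDynUpdate lookup in the following hunk, so any future early read or `goto cleanup` path placed before that assignment would observe an indeterminate value. Declare it as `isc_boolean_t ssu_changed = ISC_FALSE;` to match the surrounding style and make the "nothing changed" default explicit. ldap_parse_master_zoneentry() starts and continues outside this hunk.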
@@ -1311,25 +1312,35 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst)
 "idnsAllowDynUpdate", entry, inst->task);
 if (result != ISC_R_SUCCESS && result != ISC_R_IGNORE)
 goto cleanup;
+ ssu_changed = (result == ISC_R_SUCCESS);
 result = setting_update_from_ldap_entry("sync_ptr", zone_settings,
 "idnsAllowSyncPTR", entry, inst->task);
 if (result != ISC_R_SUCCESS && result != ISC_R_IGNORE)
 goto cleanup;
- log_debug(2, "Setting SSU table for %p: %s", zone, dn);
- /* Get the update policy and update the zone with it. */
- result = ldap_entry_getvalues(entry, "idnsUpdatePolicy", &values);
- if (result == ISC_R_SUCCESS)
- CHECK(configure_zone_ssutable(zone, HEAD(values)->value));
- else
- /* We need to declare zone as 'dynamic'
- * for dns_zone_isdynamic() to prevent unwanted
- * zone_postload() calls and warnings about serial and so on.
- *
- * Created SSU table contains no rules =>
- * dns_ssutable_checkrules() will return deny. */
- CHECK(configure_zone_ssutable(zone, ""));
+ result = setting_update_from_ldap_entry("update_policy", zone_settings,
+ "idnsUpdatePolicy", entry, inst->task);
+ if (result != ISC_R_SUCCESS && result != ISC_R_IGNORE)
+ goto cleanup;
+
+ if (result == ISC_R_SUCCESS || ssu_changed) {
+ isc_boolean_t ssu_enabled;
+ const char *ssu_policy = NULL;
+
+ log_debug(2, "Setting SSU table for %p: %s", zone, dn);
+ CHECK(setting_get_bool("dyn_update", zone_settings, &ssu_enabled));
+ if (ssu_enabled) {
+ /* Get the update policy and update the zone with it. */
+ CHECK(setting_get_str("update_policy", zone_settings,
+ &ssu_policy));
+ CHECK(configure_zone_ssutable(zone, ssu_policy));
+ } else {
+ /* Empty policy will prevent the update from reaching
+ * LDAP driver and error will be logged. */
+ CHECK(configure_zone_ssutable(zone, ""));
+ }
+ }
 /* Fetch allow-query and allow-transfer ACLs */
 log_debug(2, "Setting allow-query for %p: %s", zone, dn);
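Review bot: Installing the SSU table only under `if (result == ISC_R_SUCCESS || ssu_changed)` drops the unconditional `configure_zone_ssutable()` call the removed lines made on every parse, so the zone's access policy now depends on what `setting_update_from_ldap_entry()` (not visible here) reports for an absent attribute. If ISC_R_IGNORE means "attribute not present" without resetting the setting to its default, a zone whose idnsUpdatePolicy attribute is later deleted from LDAP keeps its previously installed, possibly permissive, rule table, and a zone that never carried either attribute never receives the empty table that the settings.c comment relies on for dns_zone_isdynamic(). Either confirm that the helper restores the default and returns ISC_R_SUCCESS in that case, or drop the condition so the block always runs, with a comment such as `/* Always reinstall the SSU table: a stale rule set must not outlive the LDAP attribute that created it. */` — reinstalling an identical policy is cheap compared to serving updates under the wrong one. ldap_parse_master_zoneentry() begins and ends outside this hunk.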
@@ -2869,13 +2880,6 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst,
 CLEANUP_WITH(DNS_R_NOTAUTH);
 }
- CHECK(setting_get_bool("dyn_update", zone_settings, &zone_dyn_update));
- if (!zone_dyn_update) {
- log_debug(3, "dynamic update is not allowed in zone '%s'",
- zone_dn);
- CLEANUP_WITH(DNS_R_REFUSED);
- }
-
 if (rdlist->type == dns_rdatatype_soa && mod_op == LDAP_MOD_DELETE)
 CLEANUP_WITH(ISC_R_SUCCESS);
@@ -2991,8 +2995,8 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst,
 CHECK(setting_get_bool("dyn_update", zone_settings, &zone_dyn_update));
 if (!zone_dyn_update) {
- log_debug(3, "dynamic update is not allowed in zone "
- "'%s'", zone_dn);
+ log_error("dynamic update is not allowed in zone "
+ "'%s'", zone_dn);
 CLEANUP_WITH(ISC_R_NOPERM);
 }
diff --git a/src/settings.c b/src/settings.c
index 8ced5fe9bff4beb70e8a6f5e8880aa34eae7c045..1f718d82788ed307dd0ecdb43570d7ce32395941 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -67,6 +67,13 @@ static const setting_t settings_default[] = {
 { "ldap_hostname", default_string("") },
 { "sync_ptr", default_boolean(ISC_FALSE) },
 { "dyn_update", default_boolean(ISC_FALSE) },
+ /* Empty string as default update_policy declares zone as 'dynamic'
+ * for dns_zone_isdynamic() to prevent unwanted
+ * zone_postload() calls and warnings about serial and so on.
+ *
+ * SSU table defined by empty string contains no rules =>
+ * dns_ssutable_checkrules() will return deny. */
+ { "update_policy", default_string("") },
 { "serial_autoincrement", default_boolean(ISC_FALSE) },
 { "verbose_checks", default_boolean(ISC_FALSE) },
 end_of_settings
--
1.7.11.7
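Review bot: Deleting the early `dyn_update` guard here leaves BIND's SSU table as the only thing keeping updates for an idnsAllowDynUpdate == FALSE zone out of the driver, and the remaining check is the one at line ~2995 in the second hunk, roughly 120 lines later, so everything in between (outside this hunk and not visible) now executes before such an update is rejected. One visible consequence is that a SOA delete on such a zone now hits `if (rdlist->type == dns_rdatatype_soa && mod_op == LDAP_MOD_DELETE) CLEANUP_WITH(ISC_R_SUCCESS);` and reports success instead of DNS_R_REFUSED. Unless that intermediate stretch is known to be side-effect free, a one-line defence-in-depth guard next to the preserved `CLEANUP_WITH(DNS_R_NOTAUTH);` is cheap: `if (!zone_dyn_update) CLEANUP_WITH(DNS_R_REFUSED); /* SSU should have refused already */`, which keeps the error-level log in the later path for the cases that do reach it. modify_ldap_common() starts and ends outside this hunk.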
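Review bot: The comment added above the `update_policy` entry says the empty default "declares zone as 'dynamic'", but a settings-table default does nothing on its own; the effect only materialises when ldap_helper.c passes the value to configure_zone_ssutable(), which this commit makes conditional. Reword it to describe the value rather than the side effect, e.g. `/* Policy installed when idnsUpdatePolicy is absent: an empty string still creates an SSU table (so dns_zone_isdynamic() holds and zone_postload() warnings are avoided) but one with no rules, so dns_ssutable_checkrules() denies every update. */`, so a reader of settings.c is not misled into thinking the default alone protects the zone. settings_default[] starts before this hunk.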