On 6.10.2015 10:10, Martin Basti wrote: > On 10/06/2015 09:46 AM, Petr Spacek wrote: >> Hello, >> >> Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding >> LDAP limits. >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1268027 >> > NACK > > ************* Module ipa-dnskeysync-replica > daemons/dnssec/ipa-dnskeysync-replica:156: [E0602(undefined-variable), ] > Undefined variable 'api') > ************* Module ipa-ods-exporter > daemons/dnssec/ipa-ods-exporter:505: [E0602(undefined-variable), ] Undefined > variable 'api')
Sorry, I'm idiot. Fixed patch is attached. -- Petr^2 Spacek
From e3eef31e37ee67555b7a913342c79f30a35d5ea5 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 6 Oct 2015 09:43:43 +0200 Subject: [PATCH] Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits ldap2 internally does LDAP search to find out what LDAP search limits should be used (!). The problem is that this internal search has hardcoded limits and throws LimitExceeded exception when DS is too slow. DNSSEC daemons do not need any abstractions from ldap2 so we are going to use ipaldap directly. This will avoid the unnecessary search and associated risks. https://bugzilla.redhat.com/show_bug.cgi?id=1268027 --- daemons/dnssec/ipa-dnskeysync-replica | 6 ++---- daemons/dnssec/ipa-ods-exporter | 6 ++---- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index 77b962414e8754779f8655064031da454856ae14..b6f4be5ec449e2167be8ec3ef12ad24977985f43 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -28,7 +28,6 @@ from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipapython import ipaldap from ipapython import ipautil -from ipaserver.plugins.ldap2 import ldap2 from ipaplatform.paths import paths from ipapython.dnssec.abshsm import sync_pkcs11_metadata, ldap2p11helper_api_params, wrappingmech_name2id @@ -154,10 +153,9 @@ os.environ['KRB5CCNAME'] = ccache_filename log.debug('Got TGT') # LDAP initialization -ldap = ipalib.api.Backend[ldap2] -# fixme +ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri) log.debug('Connecting to LDAP') -ldap.connect(ccache=ccache_filename) +ldap.gssapi_bind() log.debug('Connected') diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index c8d7dbeee2879548793677652c208b7979c88197..b90157c4e271098ae42fb3e02a01fa910ec373fc 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -38,7 +38,6 @@ from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipapython import ipaldap from ipapython import ipautil -from ipaserver.plugins.ldap2 import ldap2 from ipaplatform.paths import paths from ipapython.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id @@ -503,10 +502,9 @@ log.debug('Got TGT') # LDAP initialization dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn) -ldap = ipalib.api.Backend[ldap2] -# fixme +ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri) log.debug('Connecting to LDAP') -ldap.connect(ccache=ccache_name) +ldap.gssapi_bind() log.debug('Connected') -- 2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code