On 6.10.2015 10:10, Martin Basti wrote:
> On 10/06/2015 09:46 AM, Petr Spacek wrote:
>> Hello,
>>
>> Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding
>> LDAP limits.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1268027
>>
> NACK
> 
> ************* Module ipa-dnskeysync-replica
> daemons/dnssec/ipa-dnskeysync-replica:156: [E0602(undefined-variable), ]
> Undefined variable 'api')
> ************* Module ipa-ods-exporter
> daemons/dnssec/ipa-ods-exporter:505: [E0602(undefined-variable), ] Undefined
> variable 'api')

Sorry, I'm an idiot. Fixed patch is attached.

-- 
Petr^2 Spacek
From e3eef31e37ee67555b7a913342c79f30a35d5ea5 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 6 Oct 2015 09:43:43 +0200
Subject: [PATCH] Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes
 caused by exceeding LDAP limits

ldap2 internally does an LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws a LimitExceeded exception when DS is too slow.

DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.

https://bugzilla.redhat.com/show_bug.cgi?id=1268027
---
 daemons/dnssec/ipa-dnskeysync-replica | 6 ++----
 daemons/dnssec/ipa-ods-exporter       | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 77b962414e8754779f8655064031da454856ae14..b6f4be5ec449e2167be8ec3ef12ad24977985f43 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -28,7 +28,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform.paths import paths
 
 from ipapython.dnssec.abshsm import sync_pkcs11_metadata, ldap2p11helper_api_params, wrappingmech_name2id
@@ -154,10 +153,9 @@ os.environ['KRB5CCNAME'] = ccache_filename
 log.debug('Got TGT')
 
 # LDAP initialization
-ldap = ipalib.api.Backend[ldap2]
-# fixme
+ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
 log.debug('Connecting to LDAP')
-ldap.connect(ccache=ccache_filename)
+ldap.gssapi_bind()
 log.debug('Connected')
 
 
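Review bot: ldap.gssapi_bind() no longer receives the ccache that ldap.connect(ccache=ccache_filename) was given, so the bind now depends on the os.environ['KRB5CCNAME'] = ccache_filename assignment shown in the hunk header staying ahead of this block. A short comment above the LDAPClient line stating that dependency, and why ldap2 is bypassed here (the removed "# fixme" is replaced by nothing), would keep a later cleanup from reordering the code or switching back to the ldap2 backend.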
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index c8d7dbeee2879548793677652c208b7979c88197..b90157c4e271098ae42fb3e02a01fa910ec373fc 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -38,7 +38,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform.paths import paths
 
 from ipapython.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
@@ -503,10 +502,9 @@ log.debug('Got TGT')
 
 # LDAP initialization
 dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn)
-ldap = ipalib.api.Backend[ldap2]
-# fixme
+ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
 log.debug('Connecting to LDAP')
-ldap.connect(ccache=ccache_name)
+ldap.gssapi_bind()
 log.debug('Connected')
 
 
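Review bot: ccache_name is dropped from the bind call here, and unlike the ipa-dnskeysync-replica hunk no KRB5CCNAME assignment is visible in the context, which shows only log.debug('Got TGT'). Please confirm the environment variable is set to ccache_name before ldap.gssapi_bind() runs, otherwise the daemon would bind with whatever default credential cache the process has. The same three-line connect sequence now appears in both daemons, so a shared helper would keep the two from drifting apart.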
-- 
2.4.3
