Package: bind9-dyndb-ldap
Version: 6.0-4
Severity: important

Dear Maintainer,
I have bind in a FreeIPA setup with 389 Directory Server as backend. Everything 
worked fine until yesterday's restart of the whole server, after which bind can't 
see the LDAP zones' contents any more. The configuration hasn't changed, so I suspect 
some of the updates that came in after the last restart (must have happened before 
11-1). The bind log contains these entries:
named[18922]: LDAP instance 'ipa' is being synchronized, please ignore message 
'all zones loaded'
reloading configuration succeeded
any newly configured zones are now loaded
LDAP error: Server is unwilling to perform: Too many active synchronization 
sessions: unable to start SyncRepl session
ldap_syncrepl will reconnect in 60 seconds
received control channel command 'reconfig'
ldap_sync_prepare() failed, retrying in 1 second: shutting down
...

The LDAP server error log is empty, but the access log shows there is some problem 
with the search operation:
conn=39352 fd=110 slot=110 connection from local to /var/run/slapd-REALM.socket
conn=39352 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=39352 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=39352 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=39352 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=39352 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=39352 op=2 RESULT err=0 tag=97 nentries=0 etime=0 
dn="krbprincipalname=dns/hostname@domain,cn=services,cn=accounts,dc=domain,dc=xx"
conn=39351 op=3 SRCH base="cn=dns,dc=domain,dc=xx" scope=2 
filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))"
 attrs=AL
conn=39351 op=4 UNBIND
conn=39351 op=4 fd=108 closed - U1
conn=39351 op=3 RESULT err=53 tag=101 nentries=0 etime=0

If I try to use ldapsearch with the same parameters (kinit -k -t 
/etc/bind/named.keytab DNS/hostname and then ldapsearch -Y GSSAPI) I get the 
correct result and the LDAP log contains:
conn=39404 op=3 RESULT err=0 tag=101 nentries=85 etime=0

So it seems bind sets some connection or search parameters that cause the 
problem when querying LDAP. I've tried to increase bind log verbosity, but it 
didn't help, as it seems it doesn't affect this plugin.
Bind config is set as:
dynamic-db "ipa" {
        library "ldap.so";
        // LDAPI socket of the FreeIPA-managed 389-ds instance (path is URL-encoded)
        arg "uri ldapi://%2fvar%2frun%2fslapd-REALM.socket";
        arg "base cn=dns, dc=domain,dc=xx";
        arg "fake_mname hostname.";
        // authenticate as the DNS service principal from /etc/bind/named.keytab
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/hostname";
        arg "serial_autoincrement yes";
};

If there is a way I could help debug the problem, I can add more 
information here.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (650, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9-dyndb-ldap depends on:
ii  bind9          1:9.9.5.dfsg-12+b1
ii  libc6          2.19-22
ii  libdns100      1:9.9.5.dfsg-12+b1
ii  libkrb5-3      1.13.2+dfsg-4
ii  libldap-2.4-2  2.4.42+dfsg-2

bind9-dyndb-ldap recommends no packages.

bind9-dyndb-ldap suggests no packages.

-- no debconf information
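Triaging the 389-ds access log excerpt above by hand is error-prone, because a GSSAPI bind legitimately produces several err=14 (saslBindInProgress) RESULT lines before the final err=0, and the RESULT of an operation can be logged after later operations on the same connection (here the SRCH's err=53 RESULT comes after the UNBIND). The following is an added example, not code from the bug report or from bind9-dyndb-ldap: a small Python parser that pairs each "conn=N op=M" request line with its RESULT line, skips the in-progress SASL rounds, and reports only the operations that actually failed, plus the principal each connection ended up bound as. The sample log is constructed from the excerpt in the report, with the wrapped SRCH line re-joined onto one line; the result-code and tag names come from RFC 4511.

```python
"""Triage helper for 389 Directory Server access-log excerpts (added example)."""
import re
from collections import OrderedDict

# LDAP resultCode values (RFC 4511) for the codes that appear in the report.
RESULT_NAMES = {0: "success", 14: "saslBindInProgress", 53: "unwillingToPerform"}
# BER application tags of the response PDUs that 389-ds prints as "tag=".
TAG_NAMES = {97: "BindResponse", 101: "SearchResultDone"}

OP_RE = re.compile(r"^conn=(\d+) op=(\d+) (.*)$")
RESULT_RE = re.compile(r"^RESULT err=(\d+) tag=(\d+) nentries=(\d+)")
DN_RE = re.compile(r'dn="([^"]*)"')

# Constructed sample: the access-log lines quoted in the report, one per line.
SAMPLE_LOG = """\
conn=39352 fd=110 slot=110 connection from local to /var/run/slapd-REALM.socket
conn=39352 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=39352 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=39352 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=39352 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=39352 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=39352 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/hostname@domain,cn=services,cn=accounts,dc=domain,dc=xx"
conn=39351 op=3 SRCH base="cn=dns,dc=domain,dc=xx" scope=2 filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs=ALL
conn=39351 op=4 UNBIND
conn=39351 op=4 fd=108 closed - U1
conn=39351 op=3 RESULT err=53 tag=101 nentries=0 etime=0
""".splitlines()


def parse_access_log(lines):
    """Map (conn, op) -> dict(request, err, tag, nentries, bound_dn), in first-seen order."""
    ops = OrderedDict()
    for line in lines:
        m = OP_RE.match(line.strip())
        if not m:
            continue  # "connection from ..." lines carry no op number
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3)
        entry = ops.setdefault(
            key, {"request": None, "err": None, "tag": None, "nentries": None, "bound_dn": None})
        r = RESULT_RE.match(body)
        if r:
            entry["err"], entry["tag"], entry["nentries"] = (int(x) for x in r.groups())
            # a successful BindResponse carries the authenticated DN on the RESULT line
            if entry["err"] == 0 and entry["tag"] == 97:
                d = DN_RE.search(body)
                entry["bound_dn"] = d.group(1) if d else None
        elif body.startswith(("BIND", "SRCH", "UNBIND")):
            entry["request"] = body
        # "fd=... closed" lines reuse the UNBIND op number and are ignored
    return ops


def failed_ops(lines):
    """Return (conn, op, request, result_name) for operations whose RESULT is a real failure.

    err=14 is only skipped on a SASL BIND, where it means "send the next mechanism round".
    """
    failures = []
    for (conn, op), e in parse_access_log(lines).items():
        if e["err"] is None or e["err"] == 0:
            continue
        req = e["request"] or ""
        if e["err"] == 14 and req.startswith("BIND") and "method=sasl" in req:
            continue
        name = RESULT_NAMES.get(e["err"], "resultCode %d" % e["err"])
        failures.append((conn, op, req, name))
    return failures


def bound_as(lines, conn):
    """DN the given connection successfully bound as, or None if no such BIND is in the excerpt."""
    for (c, _op), e in parse_access_log(lines).items():
        if c == conn and e["bound_dn"]:
            return e["bound_dn"]
    return None


if __name__ == "__main__":
    for conn, op, req, name in failed_ops(SAMPLE_LOG):
        print("conn=%d op=%d %s -> %s" % (conn, op, req.split(" ")[0], name))
        print("  bound as:", bound_as(SAMPLE_LOG, conn))
```

Run against the excerpt, the only real failure it reports is conn=39351 op=3, the SRCH under cn=dns that came back unwillingToPerform with no entries; the three err=14 lines on conn=39352 are filtered out as normal GSSAPI rounds. It also makes visible that the excerpt's successful BIND is on a different connection (39352) than the failing search (39351), so the bind of the connection that actually failed is not in the quoted lines.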
