[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450698

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450699

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450679

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Caught this in a run of the dyndb-ldap DEP8 test:

  280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
  280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
  280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
  280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

  Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
  and not just read from it. Looking at the code, that can happen for
  some SOA attributes, and perhaps other cases too. The documentation
  isn't immediately clear.

  A re-run of this test cleared the error, but we all dislike flaky
  tests, so it's probably best to adjust the ACL and allow the bind9
  user to write to the DNS tree. Production deployments will definitely
  want to fine tune this ACL and list explicit attributes and entry
  types that can be modified, but for a DEP8 test, this is enough.

  
  ```diff
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -135,7 +135,7 @@ EOF
   dn: olcDatabase={1}mdb,cn=config
   changetype: modify
   add: olcAccess
  -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" read by * none
  +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" write by * none
   
   EOF
   }
  ```
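
Review bot: The replacement `olcAccess` line grants `write` on the whole `ou=dns` subtree, while the failure quoted above is a single replace of `idnsSOAserial` on the zone entry. The description already says production ACLs should list explicit attributes, so add a comment next to this rule in `debian/tests/dyndb-ldap` stating that the grant is deliberately broad for the test, so the line is not copied into a deployment as-is.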

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions




[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450665

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions




[Freeipa] [Bug 2034251] Re: Incorrect rdn in the bind9 dn entry in the DEP8 test

2023-09-05 Thread Andreas Hasenack
Oops, this was fixed in bind9 already.

** No longer affects: bind9 (Ubuntu)

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034251

Title:
  Incorrect rdn in the bind9 dn entry in the DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress

Bug description:
  There is a small mistake in the bind9 DN entry, it should have an
  attribute matching the dn, but instead it mentions a "replicator"
  entity that doesn't exist.

  It doesn't fail the test, but it's an incorrect LDAP entry and should
  be fixed:

  diff --git a/debian/tests/dyndb-ldap b/debian/tests/dyndb-ldap
  index 5482bc0..019bf24 100644
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -8,6 +8,7 @@ myhostname="dep8"
   ldap_admin_dn="cn=admin,${ldap_suffix}"
   ldap_admin_pw="secret"
   ldap_bind9_dn="uid=bind9,${ldap_suffix}"
  +ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn
   ldap_bind9_pw="secretagain"

   cleanup() {
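
Review bot: The added `ldap_bind9_rdn="uid: bind9"` repeats the `uid=bind9` already written in `ldap_bind9_dn`, and only the trailing comment keeps the two in step. Consider a single variable for the value (for example `ldap_bind9_uid="bind9"`) and building both the DN and the attribute line from it, so the entry cannot drift from its DN again.
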
  @@ -122,7 +123,7 @@ EOF
   create_bind9_uid() {
   ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" 

[Freeipa] [Bug 2034251] Re: Incorrect rdn in the bind9 dn entry in the DEP8 test

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450665

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034251


[Freeipa] [Bug 2034251] [NEW] Incorrect rdn in the bind9 dn entry in the DEP8 test

2023-09-05 Thread Andreas Hasenack
Public bug reported:

There is a small mistake in the bind9 DN entry, it should have an
attribute matching the dn, but instead it mentions a "replicator"
entity that doesn't exist.

It doesn't fail the test, but it's an incorrect LDAP entry and should be
fixed:

diff --git a/debian/tests/dyndb-ldap b/debian/tests/dyndb-ldap
index 5482bc0..019bf24 100644
--- a/debian/tests/dyndb-ldap
+++ b/debian/tests/dyndb-ldap
@@ -8,6 +8,7 @@ myhostname="dep8"
 ldap_admin_dn="cn=admin,${ldap_suffix}"
 ldap_admin_pw="secret"
 ldap_bind9_dn="uid=bind9,${ldap_suffix}"
+ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn
 ldap_bind9_pw="secretagain"

 cleanup() {
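
Review bot: `ldap_bind9_rdn` holds an LDIF attribute line (`uid: bind9`), not an RDN, which would be written `uid=bind9` as in `ldap_bind9_dn` one line up. A name that says it is an LDIF line, or a short comment on where it is expanded, would make the second hunk easier to follow.
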
@@ -122,7 +123,7 @@ EOF
 create_bind9_uid() {
 ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}"  In Progress

** Changed in: bind-dyndb-ldap (Ubuntu)
   Importance: Undecided => Low

** Changed in: bind-dyndb-ldap (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Summary changed:

- Incorrect rdn in the bind9 dn entry
+ Incorrect rdn in the bind9 dn entry in the DEP8 test

** Description changed:

  There is a small mistake in the bind9 DN entry, it should have an
  attribute matching the dn, but instead it  mentions a "replicator"
  entity that doesn't exist.
  
- It doesn't fail the test, but it's an incorrect LDAP entry:
+ It doesn't fail the test, but it's an incorrect LDAP entry and should be
+ fixed:
+ 
  diff --git a/debian/tests/dyndb-ldap b/debian/tests/dyndb-ldap
  index 5482bc0..019bf24 100644
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -8,6 +8,7 @@ myhostname="dep8"
-  ldap_admin_dn="cn=admin,${ldap_suffix}"
-  ldap_admin_pw="secret"
-  ldap_bind9_dn="uid=bind9,${ldap_suffix}"
+  ldap_admin_dn="cn=admin,${ldap_suffix}"
+  ldap_admin_pw="secret"
+  ldap_bind9_dn="uid=bind9,${ldap_suffix}"
  +ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn
-  ldap_bind9_pw="secretagain"
-  
-  cleanup() {
+  ldap_bind9_pw="secretagain"
+ 
+  cleanup() {
  @@ -122,7 +123,7 @@ EOF
-  create_bind9_uid() {
-  ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" 

[Freeipa] [Bug 2034250] [NEW] Insufficient access in dyndb DEP8 test

2023-09-05 Thread Andreas Hasenack
Public bug reported:

Caught this in a run of the dyndb-ldap DEP8 test:

280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
and not just read from it. Looking at the code, that can happen for some
SOA attributes, and perhaps other cases too. The documentation isn't
immediately clear.

A re-run of this test cleared the error, but we all dislike flaky tests,
so it's probably best to adjust the ACL and allow the bind9 user to
write to the DNS tree. Production deployments will definitely want to
fine tune this ACL and list explicit attributes and entry types that can
be modified, but for a DEP8 test, this is enough.


```diff
--- a/debian/tests/dyndb-ldap
+++ b/debian/tests/dyndb-ldap
@@ -135,7 +135,7 @@ EOF
 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" read by * none
+olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" write by * none
 
 EOF
 }
```
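
Review bot: The hunk changes the grant on the `olcAccess` line but adds no check for the error it fixes. The report says a re-run cleared the failure, so the write path is not exercised on every run; consider searching the `named` log for `Insufficient access` at the end of the test so a later regression of this rule is reported by name.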

** Affects: bind-dyndb-ldap (Ubuntu)
 Importance: Undecided
 Assignee: Andreas Hasenack (ahasenack)
 Status: In Progress

** Affects: bind9 (Ubuntu)
 Importance: Undecided
 Assignee: Andreas Hasenack (ahasenack)
 Status: In Progress

** Also affects: bind9 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: bind9 (Ubuntu)
   Status: New => In Progress

** Changed in: bind9 (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions
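
The report above notes that production deployments will want an ACL listing explicit attributes. As an added example (not part of the original report or of the bind-dyndb-ldap packaging), the following correlates slapd's `MOD` and `RESULT` lines by `conn`/`op` to list which attributes were refused with `err=50`. The function name and the `conn=1011` log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines follow the slapd lines quoted in
# the bug report; the conn=1011 operation is invented to show a permitted write.
SAMPLE_LOG = """\
280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
281s 2023-09-05T00:59:06.000001+00:00 autopkgtest slapd[1491]: conn=1011 op=2 MOD dn="cn=scratch,dc=example,dc=internal"
281s 2023-09-05T00:59:06.000002+00:00 autopkgtest slapd[1491]: conn=1011 op=2 MOD attr=description
281s 2023-09-05T00:59:06.000003+00:00 autopkgtest slapd[1491]: conn=1011 op=2 RESULT tag=103 err=0 qtime=0.000010 etime=0.000100 text=
"""

OP = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (MOD|RESULT) (.*)$")
INSUFFICIENT_ACCESS = 50   # LDAP result code insufficientAccessRights
MODIFY_RESPONSE = 103      # tag= value slapd logs for a modify result


def denied_modifications(log_text):
    """Map each DN to the sorted attributes whose MOD ended with err=50."""
    pending = {}                      # (conn, op) -> {"dn": ..., "attrs": set()}
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue                  # named[...] and other daemons are skipped
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind == "MOD" and rest.startswith('dn="'):
            pending[key] = {"dn": rest[4:].rstrip('"'), "attrs": set()}
        elif kind == "MOD" and rest.startswith("attr=") and key in pending:
            # slapd lists several attributes space-separated on one line
            pending[key]["attrs"].update(rest[5:].split())
        elif kind == "RESULT" and key in pending:
            op = pending.pop(key)
            fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
            if (int(fields.get("tag", -1)) == MODIFY_RESPONSE
                    and int(fields.get("err", 0)) == INSUFFICIENT_ACCESS):
                denied[op["dn"]] |= op["attrs"]
    return {dn: sorted(attrs) for dn, attrs in denied.items()}


if __name__ == "__main__":
    for dn, attrs in denied_modifications(SAMPLE_LOG).items():
        print(f"{dn}: write denied on {', '.join(attrs)}")
```

Run over a full test log, the resulting DN-to-attribute map shows what the bind9 identity actually tried to modify, which is the input needed to narrow the `write` grant.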

