Use LDAP instead of flat file for zone storage

2025-02-25 18:55:28 -06:00 · 2009-05-12 15:20:24 +02:00 · 2009-05-12 15:20:24 +02:00 · 1bc786e379
commit 1bc786e379
parent 1893a802c7
8 changed files with 121 additions and 33 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@ -13,6 +13,7 @@ app_DATA =				\
 	caJarSigningCert.cfg.template	\
 	default-aci.ldif		\
 	default-keytypes.ldif		\
 	dns.ldif			\
 	kerberos.ldif			\
 	indices.ldif			\
 	bind.named.conf.template	\
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@ -1,10 +1,4 @@
 options {
 	/* make named use port 53 for the source of all queries, to allow
 	 * firewalls to block all ports except 53:
 	 */
 	query-source    port 53;
 	query-source-v6 port 53;
 	// Put files that named is allowed to write in the data/ directory:
 	directory "/var/named"; // the default
 	dump-file               "data/cache_dump.db";
@ -34,8 +28,9 @@ zone "." IN {
 include "/etc/named.rfc1912.zones";
-zone "$DOMAIN" {
+dynamic-db "ipa" {
-	type master;
+	library "ldap.so";
-	file "$DOMAIN.zone.db";
+	arg "uri ldap://$FQDN";
 	arg "base cn=dns, $SUFFIX";
 	arg "auth_method none";
 };
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@ -0,0 +1,93 @@
 dn: cn=dns,$SUFFIX
 changetype: add
 objectClass: nsContainer
 objectClass: top
 cn: dns
 dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: idnsZone
 objectClass: idnsRecord
 idnsName: $DOMAIN
 idnsZoneActive: True
 idnsAllowDynUpdate: True
 idnsUpdatePolicy: grant $REALM krb5-self * A;
 idnsSOAmName: $HOST.$DOMAIN.
 idnsSOArName: root.$HOST.$DOMAIN.
 idnsSOAserial: 1
 idnsSOArefresh: 10800
 idnsSOAretry: 900
 idnsSOAexpire: 604800
 idnsSOAminimum: 86400
 NSRecord: $HOST
 dn: idnsName=$HOST,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: $HOST
 ARecord: $IP
 dn: idnsName=_ldap._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _ldap._tcp
 SRVRecord: 0 100 389 $HOST
 dn: idnsName=_kerberos,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _kerberos
 TXTRecord: $REALM
 dn: idnsName=_kerberos._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _kerberos._tcp
 SRVRecord: 0 100 88 $HOST
 dn: idnsName=_kerberos._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _kerberos._udp
 SRVRecord: 0 100 88 $HOST
 dn: idnsName=_kerberos-master._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _kerberos-master._tcp
 SRVRecord: 0 100 88 $HOST
 dn: idnsName=_kerberos-master._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _kerberos-master._udp
 SRVRecord: 0 100 88 $HOST
 dn: idnsName=_kpasswd._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _kpasswd._tcp
 SRVRecord: 0 100 464 $HOST
 dn: idnsName=_kpasswd._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _kpasswd._udp
 SRVRecord: 0 100 464 $HOST
 dn: idnsName=_ntp._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add
 objectClass: idnsRecord
 objectClass: top
 idnsName: _ntp._udp
 SRVRecord: 0 100 123 $HOST
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -236,7 +236,7 @@ def read_realm_name(domain_name, unattended):
    print "The kerberos protocol requires a Realm name to be defined."
    print "This is typically the domain name converted to uppercase."
    print ""
-    
+
    if unattended:
        return domain_name.upper()
    realm_name = user_input("Please provide a realm name", domain_name.upper())
@ -392,8 +392,9 @@ def main():
    # check bind packages are installed
    if options.setup_bind:
        if not bindinstance.check_inst():
-            print "--setup-bind was specified but bind is not installed on the system"
+            print "--setup-bind was specified but bind or the BIND LDAP plug-in"
-            print "Please install bind and restart the setup program"
+            print "is not installed on the system"
            print "Please install bind and the LDAP plug-in and restart the setup program"
            return 1
    # check the hostname is correctly configured, it must be as the kldap
@ -575,7 +576,8 @@ def main():
        fd.write("enable_ra=True\n")
    fd.close()
-    bind = bindinstance.BindInstance(fstore)
+    # Create a BIND instance
    bind = bindinstance.BindInstance(fstore, dm_password)
    bind.setup(host_name, ip_address, realm_name, domain_name)
    if options.setup_bind:
        bind.create_instance()
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@ -27,20 +27,26 @@ import logging
 import service
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipalib import util
 def check_inst():
    # So far this file is always present in both RHEL5 and Fedora if all the necessary
    # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver)
    if not os.path.exists('/etc/named.rfc1912.zones'):
-         return False
+        return False
    # Also check for the LDAP BIND plug-in
    if not os.path.exists('/usr/lib/bind/ldap.so') and \
       not os.path.exists('/usr/lib64/bind/ldap.so'):
        return False
    return True
 class BindInstance(service.Service):
-    def __init__(self, fstore=None):
+    def __init__(self, fstore=None, dm_password=None):
-        service.Service.__init__(self, "named")
+        service.Service.__init__(self, "named", dm_password=dm_password)
        self.fqdn = None
-	self.domain = None
+        self.domain = None
        self.host = None
        self.ip_address = None
        self.realm = None
@ -57,6 +63,7 @@ class BindInstance(service.Service):
        self.realm = realm_name
        self.domain = domain_name
        self.host = fqdn.split(".")[0]
        self.suffix = util.realm_to_suffix(self.realm)
        self.__setup_sub_dict()
@ -99,15 +106,12 @@ class BindInstance(service.Service):
                             IP=self.ip_address,
                             DOMAIN=self.domain,
                             HOST=self.host,
-                             REALM=self.realm)
+                             REALM=self.realm,
                             SUFFIX=self.suffix)
    def __setup_zone(self):
        self.backup_state("domain", self.domain)
-        zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+        self._ldap_mod("dns.ldif", self.sub_dict)
        self.fstore.backup_file('/var/named/'+self.domain+'.zone.db')
        zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w')
        zone_fd.write(zone_txt)
        zone_fd.close()
    def __setup_named_conf(self):
        self.fstore.backup_file('/etc/named.conf')
@ -135,13 +139,6 @@ class BindInstance(service.Service):
        if not running is None:
            self.stop()
 	if not domain is None:
            try:
                self.fstore.restore_file(os.path.join ("/var/named/", domain + ".zone.db"))
            except ValueError, error:
                logging.debug(error)
                pass
        for f in ["/etc/named.conf", "/etc/resolv.conf"]:
            try:
                self.fstore.restore_file(f)
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -26,7 +26,6 @@ import sys
 import os
 import re
 import time
 import tempfile
 import stat
 from ipapython import ipautil
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -19,7 +19,6 @@
 import subprocess
 import string
 import tempfile
 import shutil
 import logging
 import fileinput
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -18,6 +18,8 @@
 #
 import logging, sys
 import os
 import tempfile
 from ipapython import sysrestore
 from ipapython import ipautil