Remove LDAP limits from DNS service

bind-dyndb-ldap persistent search queries LDAP for all DNS records. The LDAP connection must have no size or time limits to work properly. This patch updates limits both for existing service principal on updated machine and for new service principals added as a part of DNS installation. https://fedorahosted.org/freeipa/ticket/2531
2025-01-27 16:46:42 -06:00 · 2012-05-10 09:28:02 +02:00 · 2012-05-10 09:28:02 +02:00 · 9a5c2090eb
commit 9a5c2090eb
parent aa9ea477af
2 changed files with 71 additions and 3 deletions
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@ -475,7 +475,12 @@ class BindInstance(service.Service):
        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
-        self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+        try:
+            self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+        except errors.DuplicateEntry:
+            # service already exists (forced DNS reinstall)
+            # don't crash, just report error
+            root_logger.error("DNS service already exists")

    def __setup_sub_dict(self):
        if self.forwarders:
@ -586,8 +591,22 @@ class BindInstance(service.Service):
        except ldap.TYPE_OR_VALUE_EXISTS:
            pass
        except Exception, e:
-            root_logger.critical("Could not modify principal's %s entry" % dns_principal)
-            raise e
+            root_logger.critical("Could not modify principal's %s entry: %s" \
+                    % (dns_principal, str(e)))
+            raise
+
+        # bind-dyndb-ldap persistent search feature requires both size and time
+        # limit-free connection
+        mod = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
+               (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
+               (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
+               (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
+        try:
+            self.admin_conn.modify_s(dns_principal, mod)
+        except Exception, e:
+            root_logger.critical("Could not set principal's %s LDAP limits: %s" \
+                    % (dns_principal, str(e)))
+            raise

    def __setup_named_conf(self):
        self.fstore.backup_file('/etc/named.conf')
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@ -23,6 +23,7 @@ from ipaserver.install.plugins import baseupdate
 from ipalib import api, errors, util
 from ipalib.dn import DN
 from ipalib.plugins.dns import dns_container_exists
+from ipapython.ipa_log_manager import *

 class update_dnszones(PostUpdate):
    """
@ -142,3 +143,51 @@ class update_dns_permissions(PostUpdate):
        return (False, True, [dnsupdates])

 api.register(update_dns_permissions)
+
+class update_dns_limits(PostUpdate):
+    """
+    bind-dyndb-ldap persistent search queries LDAP for all DNS records.
+    The LDAP connection must have no size or time limits to work
+    properly. This plugin updates limits of the existing DNS service
+    principal to match there requirements.
+    """
+    limit_attributes = ['nsTimeLimit', 'nsSizeLimit', 'nsIdleTimeout', 'nsLookThroughLimit']
+    limit_value = '-1'
+
+    def execute(self, **options):
+        ldap = self.obj.backend
+
+        if not dns_container_exists(ldap):
+            return (False, False, [])
+
+        dns_principal = 'DNS/%s@%s' % (self.env.host, self.env.realm)
+        dns_service_dn = str(DN(('krbprincipalname', dns_principal),
+                                self.env.container_service,
+                                self.env.basedn))
+
+        try:
+            (dn, entry) = ldap.get_entry(dns_service_dn, self.limit_attributes)
+        except errors.NotFound:
+            # this host may not have DNS service set
+            root_logger.debug("DNS: service %s not found, no need to update limits" % dns_service_dn)
+            return (False, False, [])
+
+        if all(entry.get(limit.lower(), [None])[0] == self.limit_value for limit in self.limit_attributes):
+            root_logger.debug("DNS: limits for service %s already set" % dns_service_dn)
+            # service is already updated
+            return (False, False, [])
+
+        limit_updates = []
+
+        for limit in self.limit_attributes:
+            limit_updates.append('only:%s:%s' % (limit, self.limit_value))
+
+        dnsupdates = {}
+        dnsupdates[dns_service_dn] = {'dn': dns_service_dn,
+                                      'updates': limit_updates}
+        root_logger.debug("DNS: limits for service %s will be updated" % dns_service_dn)
+
+
+        return (False, True, [dnsupdates])
+
+api.register(update_dns_limits)