author | Martin Nagy <mnagy@redhat.com> | 2009-05-12 15:20:24 +0200 |
---|---|---|
committer | Martin Nagy <mnagy@redhat.com> | 2009-06-02 12:32:01 +0200 |
commit | 1bc786e379ed5575cf4dffaa23bf7d66f42e44d7 (patch) | |
tree | 88e2027f90907587f7138704776db8264441f966 | |
parent | 1893a802c78399c27c99523edcac4de0ab2a0ef0 (diff) | |
Use LDAP instead of flat file for zone storage
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/bind.named.conf.template | 15 | ||||
-rw-r--r-- | install/share/dns.ldif | 93 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 10 | ||||
-rw-r--r-- | ipaserver/install/bindinstance.py | 31 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 1 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 1 | ||||
-rw-r--r-- | ipaserver/install/service.py | 2 |
8 files changed, 121 insertions, 33 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 754da8ee2..511f8f3ab 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -13,6 +13,7 @@ app_DATA = \
 caJarSigningCert.cfg.template \
 default-aci.ldif \
 default-keytypes.ldif \
+ dns.ldif \
 kerberos.ldif \
 indices.ldif \
 bind.named.conf.template \
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index c1d2817e0..a04fc1813 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -1,10 +1,4 @@
 options {
- /* make named use port 53 for the source of all queries, to allow
- * firewalls to block all ports except 53:
- */
- query-source port 53;
- query-source-v6 port 53;
-
 // Put files that named is allowed to write in the data/ directory:
 directory "/var/named"; // the default
 dump-file "data/cache_dump.db";
@@ -34,8 +28,9 @@ zone "." IN {
 include "/etc/named.rfc1912.zones";
-zone "$DOMAIN" {
- type master;
- file "$DOMAIN.zone.db";
+dynamic-db "ipa" {
+ library "ldap.so";
+ arg "uri ldap://$FQDN";
+ arg "base cn=dns, $SUFFIX";
+ arg "auth_method none";
 };
-
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
new file mode 100644
index 000000000..939f80dd2
--- /dev/null
+++ b/install/share/dns.ldif
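Review bot: The new `dynamic-db "ipa"` block in the second bind.named.conf.template hunk connects to `ldap://$FQDN` with `arg "auth_method none"`, so named reads everything under `cn=dns, $SUFFIX` anonymously over a plain LDAP connection, and nothing in this commit shows the directory ACI that permits (and bounds) that anonymous read. The URI points at the server's own FQDN rather than loopback, so the assumption that this traffic stays host-local is also implicit. A comment above the block such as `// named reads cn=dns anonymously over plain LDAP: the DS ACI on cn=dns,$SUFFIX must allow anonymous read of this subtree and nothing more` would record both dependencies for the next maintainer. Removing the fixed `query-source port 53` in the first hunk is a good change on its own (named regains source-port randomisation) but is unrelated to the LDAP move and deserves a line in the commit message.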
@@ -0,0 +1,93 @@
+dn: cn=dns,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: dns
+
+dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: idnsZone
+objectClass: idnsRecord
+idnsName: $DOMAIN
+idnsZoneActive: True
+idnsAllowDynUpdate: True
+idnsUpdatePolicy: grant $REALM krb5-self * A;
+idnsSOAmName: $HOST.$DOMAIN.
+idnsSOArName: root.$HOST.$DOMAIN.
+idnsSOAserial: 1
+idnsSOArefresh: 10800
+idnsSOAretry: 900
+idnsSOAexpire: 604800
+idnsSOAminimum: 86400
+NSRecord: $HOST
+
+dn: idnsName=$HOST,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: $HOST
+ARecord: $IP
+
+dn: idnsName=_ldap._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _ldap._tcp
+SRVRecord: 0 100 389 $HOST
+
+dn: idnsName=_kerberos,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos
+TXTRecord: $REALM
+
+dn: idnsName=_kerberos._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos._tcp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos._udp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos-master._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos-master._tcp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos-master._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos-master._udp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kpasswd._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kpasswd._tcp
+SRVRecord: 0 100 464 $HOST
+
+dn: idnsName=_kpasswd._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kpasswd._udp
+SRVRecord: 0 100 464 $HOST
+
+dn: idnsName=_ntp._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _ntp._udp
+SRVRecord: 0 100 123 $HOST
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6cdb5bdca..a19d8f44c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -236,7 +236,7 @@ def read_realm_name(domain_name, unattended):
 print "The kerberos protocol requires a Realm name to be defined."
 print "This is typically the domain name converted to uppercase."
 print ""
-
+
 if unattended:
 return domain_name.upper()
 realm_name = user_input("Please provide a realm name", domain_name.upper())
@@ -392,8 +392,9 @@ def main():
 # check bind packages are installed
 if options.setup_bind:
 if not bindinstance.check_inst():
- print "--setup-bind was specified but bind is not installed on the system"
- print "Please install bind and restart the setup program"
+ print "--setup-bind was specified but bind or the BIND LDAP plug-in"
+ print "is not installed on the system"
+ print "Please install bind and the LDAP plug-in and restart the setup program"
 return 1
 # check the hostname is correctly configured, it must be as the kldap
@@ -575,7 +576,8 @@ def main():
 fd.write("enable_ra=True\n")
 fd.close()
- bind = bindinstance.BindInstance(fstore)
+ # Create a BIND instance
+ bind = bindinstance.BindInstance(fstore, dm_password)
 bind.setup(host_name, ip_address, realm_name, domain_name)
 if options.setup_bind:
 bind.create_instance()
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 08b781d25..72d1102b6 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
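Review bot: The zone entry in dns.ldif enables `idnsAllowDynUpdate: True` with `idnsUpdatePolicy: grant $REALM krb5-self * A;`, but the file adds no `aci` attribute anywhere under `cn=dns,$SUFFIX`, so who may write these entries directly through LDAP is left to whatever ACIs already exist on `$SUFFIX` (outside this diff); the update policy only governs DNS UPDATE messages that reach named, not directory writes. A header comment such as `# Write access to cn=dns is governed by the directory ACIs, not by idnsUpdatePolicy; the policy below only limits dynamic DNS updates` would make that trust boundary explicit. The `_ntp._udp` SRV record is also added unconditionally; if the installer can be run without configuring NTP on this host (the option set is not visible here), clients would be directed to a service that is not running.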
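Review bot: The comment `# Create a BIND instance` added in the third ipa-server-install hunk restates the line below it; what a reader needs is why the Directory Manager password is now handed to the BIND installer. Something like `# dm_password is needed because the zone is now loaded into LDAP (dns.ldif) instead of being written as a flat file` documents the actual change. Note also that the instance is still constructed and `bind.setup(...)` still runs when `options.setup_bind` is off, which is pre-existing behaviour but now places the DM password on an object that is otherwise unused in that path; `main()` continues outside the hunk.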
@@ -27,20 +27,26 @@ import logging
 import service
 from ipapython import sysrestore
 from ipapython import ipautil
+from ipalib import util
 def check_inst():
 # So far this file is always present in both RHEL5 and Fedora if all the necessary
 # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver)
 if not os.path.exists('/etc/named.rfc1912.zones'):
- return False
+ return False
+
+ # Also check for the LDAP BIND plug-in
+ if not os.path.exists('/usr/lib/bind/ldap.so') and \
+ not os.path.exists('/usr/lib64/bind/ldap.so'):
+ return False
 return True
 class BindInstance(service.Service):
- def __init__(self, fstore=None):
- service.Service.__init__(self, "named")
+ def __init__(self, fstore=None, dm_password=None):
+ service.Service.__init__(self, "named", dm_password=dm_password)
 self.fqdn = None
- self.domain = None
+ self.domain = None
 self.host = None
 self.ip_address = None
 self.realm = None
@@ -57,6 +63,7 @@ class BindInstance(service.Service):
 self.realm = realm_name
 self.domain = domain_name
 self.host = fqdn.split(".")[0]
+ self.suffix = util.realm_to_suffix(self.realm)
 self.__setup_sub_dict()
@@ -99,15 +106,12 @@ class BindInstance(service.Service):
 IP=self.ip_address,
 DOMAIN=self.domain,
 HOST=self.host,
- REALM=self.realm)
+ REALM=self.realm,
+ SUFFIX=self.suffix)
 def __setup_zone(self):
 self.backup_state("domain", self.domain)
- zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
- self.fstore.backup_file('/var/named/'+self.domain+'.zone.db')
- zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w')
- zone_fd.write(zone_txt)
- zone_fd.close()
+ self._ldap_mod("dns.ldif", self.sub_dict)
 def __setup_named_conf(self):
 self.fstore.backup_file('/etc/named.conf')
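Review bot: `self.suffix` is assigned in `setup()` (second bindinstance.py hunk) and read by `__setup_sub_dict()` (third hunk), but the `__init__` hunk initialises `fqdn`, `domain`, `host`, `ip_address` and `realm` to `None` and not `suffix`, so an instance that has not gone through `setup()` raises `AttributeError` where the other fields yield `None`; add `self.suffix = None` next to `self.realm = None` unless it is set further down in `__init__`, outside the hunk. In `check_inst()` the plug-in is probed at two hard-coded paths while bind.named.conf.template loads it as a bare `library "ldap.so"`; a comment such as `# named resolves "ldap.so" against its own plug-in directory; these are the known locations on RHEL5 and Fedora` would record why both paths are checked and why they may drift from what named actually loads. With the flat-file code gone from `__setup_zone()`, this file no longer references `bind.zone.db.template`, so it can be dropped from install/share and Makefile.am in a follow-up.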
@@ -135,13 +139,6 @@ class BindInstance(service.Service):
 if not running is None:
 self.stop()
- if not domain is None:
- try:
- self.fstore.restore_file(os.path.join ("/var/named/", domain + ".zone.db"))
- except ValueError, error:
- logging.debug(error)
- pass
-
 for f in ["/etc/named.conf", "/etc/resolv.conf"]:
 try:
 self.fstore.restore_file(f)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 7bd9aa69e..b9b74e685 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -26,7 +26,6 @@ import sys
 import os
 import re
 import time
-import tempfile
 import stat
 from ipapython import ipautil
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 66ee63f81..1c3489725 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -19,7 +19,6 @@ import subprocess
 import string
-import tempfile
 import shutil
 import logging
 import fileinput
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 41e77a73e..a07a382ab 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -18,6 +18,8 @@
 #
 import logging, sys
+import os
+import tempfile
 from ipapython import sysrestore
 from ipapython import ipautil |
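Review bot: The uninstall hunk removes the restore of the flat zone file but nothing takes its place: `__setup_zone()` now adds the zone and its records under `cn=dns,$SUFFIX` through `_ldap_mod`, and this method (which starts outside the hunk) leaves those entries in the directory, while `backup_state("domain", ...)` is still recorded and, as far as this hunk shows, the `domain` value it restores is no longer used. Either delete the `cn=dns` subtree here (the DM password is now available through `__init__`) or record the asymmetry with `# DNS entries under cn=dns are not removed here; they go away only if the directory suffix itself is removed` if that is the intent — whether dsinstance's uninstall removes the suffix is not visible from this diff.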