authorMartin Kosek <mkosek@redhat.com>2012-05-10 09:28:02 +0200
committerMartin Kosek <mkosek@redhat.com>2012-05-22 12:28:21 +0200
commit9a5c2090eb996f131a6d96e997b0db8e762716ba (patch)
tree8d45eb45fbab6932c77da5ac6ba304cc133189f2 /ipaserver/install/plugins/dns.py
parentaa9ea477af7be67d59f204af4e0da67fd8cfd862 (diff)
Remove LDAP limits from DNS service
bind-dyndb-ldap persistent search queries LDAP for all DNS records. The LDAP connection must have no size or time limits to work properly. This patch updates the limits both for the existing service principal on an updated machine and for new service principals added as part of DNS installation. https://fedorahosted.org/freeipa/ticket/2531
Diffstat (limited to 'ipaserver/install/plugins/dns.py')
-rw-r--r--ipaserver/install/plugins/dns.py49
1 files changed, 49 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 886f7f051..928ecc06e 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -23,6 +23,7 @@ from ipaserver.install.plugins import baseupdate
from ipalib import api, errors, util
from ipalib.dn import DN
from ipalib.plugins.dns import dns_container_exists
+from ipapython.ipa_log_manager import *
class update_dnszones(PostUpdate):
"""
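Review bot: The added `from ipapython.ipa_log_manager import *` is a wildcard import, which hides where names come from and can silently shadow names this module already imports. The only name the new code visibly takes from it is `root_logger`, so `from ipapython.ipa_log_manager import root_logger` would keep the namespace explicit. The `update_dnszones` class that follows continues outside this hunk.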
@@ -142,3 +143,51 @@ class update_dns_permissions(PostUpdate):
return (False, True, [dnsupdates])
api.register(update_dns_permissions)
+
+class update_dns_limits(PostUpdate):
+ """
+ bind-dyndb-ldap persistent search queries LDAP for all DNS records.
+ The LDAP connection must have no size or time limits to work
+ properly. This plugin updates limits of the existing DNS service
+ principal to match there requirements.
+ """
+ limit_attributes = ['nsTimeLimit', 'nsSizeLimit', 'nsIdleTimeout', 'nsLookThroughLimit']
+ limit_value = '-1'
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ if not dns_container_exists(ldap):
+ return (False, False, [])
+
+ dns_principal = 'DNS/%s@%s' % (self.env.host, self.env.realm)
+ dns_service_dn = str(DN(('krbprincipalname', dns_principal),
+ self.env.container_service,
+ self.env.basedn))
+
+ try:
+ (dn, entry) = ldap.get_entry(dns_service_dn, self.limit_attributes)
+ except errors.NotFound:
+ # this host may not have DNS service set
+ root_logger.debug("DNS: service %s not found, no need to update limits" % dns_service_dn)
+ return (False, False, [])
+
+ if all(entry.get(limit.lower(), [None])[0] == self.limit_value for limit in self.limit_attributes):
+ root_logger.debug("DNS: limits for service %s already set" % dns_service_dn)
+ # service is already updated
+ return (False, False, [])
+
+ limit_updates = []
+
+ for limit in self.limit_attributes:
+ limit_updates.append('only:%s:%s' % (limit, self.limit_value))
+
+ dnsupdates = {}
+ dnsupdates[dns_service_dn] = {'dn': dns_service_dn,
+ 'updates': limit_updates}
+ root_logger.debug("DNS: limits for service %s will be updated" % dns_service_dn)
+
+
+ return (False, True, [dnsupdates])
+
+api.register(update_dns_limits)
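Review bot: The `update_dns_limits` docstring explains why the limits are removed but not what that costs. Writing `-1` to `nsTimeLimit`, `nsSizeLimit`, `nsIdleTimeout` and `nsLookThroughLimit` exempts the `DNS/<host>` service principal from the directory server's per-user resource limits, so any bind made with that principal's credentials can run unbounded searches. I would add a docstring sentence such as `The DNS service principal is therefore not bounded by server resource limits; protect its keytab and keep its access rights scoped to the DNS tree.` and correct `there requirements` to `these requirements`. The `'only:%s:%s'` updates also appear to replace any value an administrator set deliberately on that entry, which deserves a one-line comment above the `limit_updates` loop.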