Enable SOA serial autoincrement

SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".

From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.

Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.

https://fedorahosted.org/freeipa/ticket/2554

3 files changed, 45 insertions, 39 deletions

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 3ff593298..9faf17698 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -467,7 +467,7 @@ class BindInstance(service.Service):
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
               reverse_zone, named_user="named", zonemgr=None,
-              zone_refresh=0, persistent_search=True):
+              zone_refresh=0, persistent_search=True, serial_autoincrement=True):
         self.named_user = named_user
         self.fqdn = fqdn
         self.ip_address = ip_address
@@ -480,6 +480,7 @@ class BindInstance(service.Service):
         self.reverse_zone = reverse_zone
         self.zone_refresh = zone_refresh
         self.persistent_search = persistent_search
+        self.serial_autoincrement = True
 
         if not zonemgr:
             self.zonemgr = 'hostmaster.%s' % self.domain
@@ -576,7 +577,10 @@ class BindInstance(service.Service):
             optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host_in_rr
         else:
             optional_ntp = ""
-        persistent_search = "yes" if self.persistent_search else "no"
+
+        boolean_var = {}
+        for var in ('persistent_search', 'serial_autoincrement'):
+            boolean_var[var] = "yes" if getattr(self, var, False) else "no"
 
         self.sub_dict = dict(FQDN=self.fqdn,
                              IP=self.ip_address,
@@ -589,7 +593,8 @@ class BindInstance(service.Service):
                              OPTIONAL_NTP=optional_ntp,
                              ZONEMGR=self.zonemgr,
                              ZONE_REFRESH=self.zone_refresh,
-                             PERSISTENT_SEARCH=persistent_search)
+                             PERSISTENT_SEARCH=boolean_var['persistent_search'],
+                             SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
 
     def __setup_dns_container(self):
         self._ldap_mod("dns.ldif", self.sub_dict)
diff --git a/ipaserver/install/plugins/fix_replica_memberof.py b/ipaserver/install/plugins/fix_replica_memberof.py
index 04152d360..23bde0c9f 100644
--- a/ipaserver/install/plugins/fix_replica_memberof.py
+++ b/ipaserver/install/plugins/fix_replica_memberof.py
@@ -25,28 +25,24 @@ from ipaserver import ipaldap
 from ipaserver.install import replication
 from ipalib import api
 
-class update_replica_memberof(PreUpdate):
+class update_replica_exclude_attribute_list(PreUpdate):
     """
-    Run through all replication agreements and ensure that memberOf is
-    included in the EXCLUDE list so we don't cause replication storms.
+    Run through all replication agreements and ensure that EXCLUDE list
+    has all the required attributes so that we don't cause replication
+    storms.
     """
     order=MIDDLE
 
     def execute(self, **options):
-        totalexcludes = ('entryusn',
-                         'krblastsuccessfulauth',
-                         'krblastfailedauth',
-                         'krbloginfailedcount')
-        excludes = ('memberof', ) + totalexcludes
-
         # We need an IPAdmin connection to the backend
+        self.log.debug("Start replication agreement exclude list update task")
         conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm)
         conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
 
         repl = replication.ReplicationManager(api.env.realm, api.env.host,
                                               None, conn=conn)
         entries = repl.find_replication_agreements()
-        self.log.debug("Found %d agreement(s)" % len(entries))
+        self.log.debug("Found %d agreement(s)", len(entries))
         for replica in entries:
             self.log.debug(replica.description)
             attrlist = replica.getValue('nsDS5ReplicatedAttributeList')
@@ -55,28 +51,33 @@ class update_replica_memberof(PreUpdate):
                 current = replica.toDict()
                 # Need to add it altogether
                 replica.setValues('nsDS5ReplicatedAttributeList',
-                    '(objectclass=*) $ EXCLUDE %s' % " ".join(excludes))
+                    '(objectclass=*) $ EXCLUDE %s' % " ".join(replication.EXCLUDES))
                 replica.setValues('nsDS5ReplicatedAttributeListTotal',
-                    '(objectclass=*) $ EXCLUDE %s' % " ".join(totalexcludes))
+                    '(objectclass=*) $ EXCLUDE %s' % " ".join(replication.TOTAL_EXCLUDES))
                 try:
                     repl.conn.updateEntry(replica.dn, current, replica.toDict())
                     self.log.debug("Updated")
                 except Exception, e:
-                    self.log.error("Error caught updating replica: %s" % str(e))
-            elif 'memberof' not in attrlist.lower():
-                self.log.debug("Attribute list needs updating")
-                current = replica.toDict()
-                replica.setValue('nsDS5ReplicatedAttributeList',
-                    replica.nsDS5ReplicatedAttributeList + ' memberof')
-                try:
-                    repl.conn.updateEntry(replica.dn, current, replica.toDict())
-                    self.log.debug("Updated")
-                except Exception, e:
-                    self.log.error("Error caught updating replica: %s" % str(e))
+                    self.log.error("Error caught updating replica: %s", str(e))
             else:
-                self.log.debug("No update necessary")
+                attrlist_normalized = attrlist.lower()
+                missing = [attr for attr in replication.EXCLUDES
+                                if attr not in attrlist_normalized]
+
+                if missing:
+                    self.log.debug("Attribute list needs updating")
+                    current = replica.toDict()
+                    replica.setValue('nsDS5ReplicatedAttributeList',
+                        replica.nsDS5ReplicatedAttributeList + ' %s' % ' '.join(missing))
+                    try:
+                        repl.conn.updateEntry(replica.dn, current, replica.toDict())
+                        self.log.debug("Updated")
+                    except Exception, e:
+                        self.log.error("Error caught updating replica: %s", str(e))
+                else:
+                    self.log.debug("No update necessary")
         self.log.debug("Done updating agreements")
 
         return (False, False, []) # No restart, no apply now, no updates
 
-api.register(update_replica_memberof)
+api.register(update_replica_exclude_attribute_list)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 417b7a0c5..38abfe210 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -43,6 +43,15 @@ REPL_MAN_DN = "cn=replication manager,cn=config"
 IPA_REPLICA = 1
 WINSYNC = 2
 
+# List of attributes that need to be excluded from replication initialization.
+TOTAL_EXCLUDES = ('entryusn',
+                 'krblastsuccessfulauth',
+                 'krblastfailedauth',
+                 'krbloginfailedcount')
+
+# List of attributes that need to be excluded from normal replication.
+EXCLUDES = ('memberof', 'idnssoaserial') + TOTAL_EXCLUDES
+
 def replica_conn_check(master_host, host_name, realm, check_ca,
                        admin_password=None):
     """
@@ -467,15 +476,6 @@ class ReplicationManager(object):
         except errors.NotFound:
             pass
 
-        # List of attributes that need to be excluded from replication initialization.
-        totalexcludes = ('entryusn',
-                         'krblastsuccessfulauth',
-                         'krblastfailedauth',
-                         'krbloginfailedcount')
-
-        # List of attributes that need to be excluded from normal replication.
-        excludes = ('memberof', ) + totalexcludes
-
         entry = ipaldap.Entry(dn)
         entry.setValues('objectclass', "nsds5replicationagreement")
         entry.setValues('cn', cn)
@@ -485,7 +485,7 @@ class ReplicationManager(object):
         entry.setValues('nsds5replicaroot', self.suffix)
         if master is None:
             entry.setValues('nsDS5ReplicatedAttributeList',
-                            '(objectclass=*) $ EXCLUDE %s' % " ".join(excludes))
+                            '(objectclass=*) $ EXCLUDE %s' % " ".join(EXCLUDES))
         entry.setValues('description', "me to %s" % b_hostname)
         if isgssapi:
             entry.setValues('nsds5replicatransportinfo', 'LDAP')
@@ -503,7 +503,7 @@ class ReplicationManager(object):
 
         try:
             mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal',
-                   '(objectclass=*) $ EXCLUDE %s' % " ".join(totalexcludes))]
+                   '(objectclass=*) $ EXCLUDE %s' % " ".join(TOTAL_EXCLUDES))]
             a_conn.modify_s(dn, mod)
         except ldap.LDAPError, e:
             # Apparently there are problems set the total list