-rw-r--r--ipaserver/install/bindinstance.py25
-rw-r--r--ipaserver/install/plugins/dns.py49
2 files changed, 71 insertions, 3 deletions
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index fa3864a22..caac8b4f2 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -475,7 +475,12 @@ class BindInstance(service.Service):
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
- self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+ try:
+ self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+ except errors.DuplicateEntry:
+ # service already exists (forced DNS reinstall)
+ # don't crash, just report error
+ root_logger.error("DNS service already exists")
def __setup_sub_dict(self):
if self.forwarders:
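Review bot: The DuplicateEntry handler in the new try block logs "DNS service already exists" at error level and carries on, but the message names neither host nor DN and reads like a failure even though the comment calls this the expected forced-reinstall case; `root_logger.error("DNS service already exists for %s, continuing" % self.fqdn)` (or warning level) would make the log line match the intent. If ldap_enable does more than create the entry (for example recording the enabled state), a pre-existing entry keeps whatever state it held before the reinstall, which is worth confirming so a forced reinstall still ends with the service enabled. The enclosing method starts before the hunk.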
@@ -586,8 +591,22 @@ class BindInstance(service.Service):
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception, e:
- root_logger.critical("Could not modify principal's %s entry" % dns_principal)
- raise e
+ root_logger.critical("Could not modify principal's %s entry: %s" \
+ % (dns_principal, str(e)))
+ raise
+
+ # bind-dyndb-ldap persistent search feature requires both size and time
+ # limit-free connection
+ mod = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
+ (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
+ (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
+ (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
+ try:
+ self.admin_conn.modify_s(dns_principal, mod)
+ except Exception, e:
+ root_logger.critical("Could not set principal's %s LDAP limits: %s" \
+ % (dns_principal, str(e)))
+ raise
def __setup_named_conf(self):
self.fstore.backup_file('/etc/named.conf')
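Review bot: The new modify_s call sets nsTimeLimit, nsSizeLimit, nsIdleTimeout and nsLookThroughLimit to -1 on the DNS service principal, which removes every per-bind resource limit for that account; the comment explains why bind-dyndb-ldap needs it but not the consequence, namely that whoever holds the DNS keytab can now run unbounded searches and hold idle connections, so the keytab's file permissions matter more than before. Suggest extending the comment: `# NOTE: -1 disables these limits for this principal only (other binds keep the global limits); protect the DNS keytab accordingly.` The same limits are applied by the new update_dns_limits plugin in ipaserver/install/plugins/dns.py in this commit, so the same note belongs there. The backslash continuations before `% (dns_principal, str(e))` are unnecessary inside the parentheses and can be dropped. The enclosing method starts before the hunk.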
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 886f7f051..928ecc06e 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -23,6 +23,7 @@ from ipaserver.install.plugins import baseupdate
from ipalib import api, errors, util
from ipalib.dn import DN
from ipalib.plugins.dns import dns_container_exists
+from ipapython.ipa_log_manager import *
class update_dnszones(PostUpdate):
"""
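Review bot: The added `from ipapython.ipa_log_manager import *` pulls every public name of that module into dns.py, while the new plugin code in this file only uses root_logger; `from ipapython.ipa_log_manager import root_logger` keeps the module namespace explicit and cannot shadow the names imported on the surrounding lines (api, errors, util, DN). This assumes root_logger is what ipa_log_manager provides, which the later hunk's usage suggests. The hunk ends inside the update_dnszones docstring.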
@@ -142,3 +143,51 @@ class update_dns_permissions(PostUpdate):
return (False, True, [dnsupdates])
api.register(update_dns_permissions)
+
+class update_dns_limits(PostUpdate):
+ """
+ bind-dyndb-ldap persistent search queries LDAP for all DNS records.
+ The LDAP connection must have no size or time limits to work
+ properly. This plugin updates limits of the existing DNS service
+ principal to match there requirements.
+ """
+ limit_attributes = ['nsTimeLimit', 'nsSizeLimit', 'nsIdleTimeout', 'nsLookThroughLimit']
+ limit_value = '-1'
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ if not dns_container_exists(ldap):
+ return (False, False, [])
+
+ dns_principal = 'DNS/%s@%s' % (self.env.host, self.env.realm)
+ dns_service_dn = str(DN(('krbprincipalname', dns_principal),
+ self.env.container_service,
+ self.env.basedn))
+
+ try:
+ (dn, entry) = ldap.get_entry(dns_service_dn, self.limit_attributes)
+ except errors.NotFound:
+ # this host may not have DNS service set
+ root_logger.debug("DNS: service %s not found, no need to update limits" % dns_service_dn)
+ return (False, False, [])
+
+ if all(entry.get(limit.lower(), [None])[0] == self.limit_value for limit in self.limit_attributes):
+ root_logger.debug("DNS: limits for service %s already set" % dns_service_dn)
+ # service is already updated
+ return (False, False, [])
+
+ limit_updates = []
+
+ for limit in self.limit_attributes:
+ limit_updates.append('only:%s:%s' % (limit, self.limit_value))
+
+ dnsupdates = {}
+ dnsupdates[dns_service_dn] = {'dn': dns_service_dn,
+ 'updates': limit_updates}
+ root_logger.debug("DNS: limits for service %s will be updated" % dns_service_dn)
+
+
+ return (False, True, [dnsupdates])
+
+api.register(update_dns_limits)
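Review bot: The already-set check `entry.get(limit.lower(), [None])[0] == self.limit_value` assumes each attribute comes back lower-cased and as a non-empty list; if the backend can return an attribute with an empty value list, indexing [0] raises IndexError instead of scheduling the update, so `entry.get(limit.lower(), [None])[:1] == [self.limit_value]` is the safer comparison (verify what the ldap2 backend returns). The update list is built with a plain append loop and the `dn` returned by get_entry is unused: `limit_updates = ['only:%s:%s' % (limit, self.limit_value) for limit in self.limit_attributes]` and `(_dn, entry) = ldap.get_entry(...)` would read more directly. The class docstring says "to match there requirements"; it should read "to match these requirements". The class is complete within the hunk.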