diff options
author | Martin Nagy <mnagy@redhat.com> | 2009-05-12 15:20:24 +0200 |
---|---|---|
committer | Martin Nagy <mnagy@redhat.com> | 2009-06-02 12:32:01 +0200 |
commit | 1bc786e379ed5575cf4dffaa23bf7d66f42e44d7 (patch) | |
tree | 88e2027f90907587f7138704776db8264441f966 | |
parent | 1893a802c78399c27c99523edcac4de0ab2a0ef0 (diff) | |
download | freeipa-1bc786e379ed5575cf4dffaa23bf7d66f42e44d7.tar.gz freeipa-1bc786e379ed5575cf4dffaa23bf7d66f42e44d7.tar.xz freeipa-1bc786e379ed5575cf4dffaa23bf7d66f42e44d7.zip |
Use LDAP instead of flat file for zone storage
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/bind.named.conf.template | 15 | ||||
-rw-r--r-- | install/share/dns.ldif | 93 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 10 | ||||
-rw-r--r-- | ipaserver/install/bindinstance.py | 31 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 1 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 1 | ||||
-rw-r--r-- | ipaserver/install/service.py | 2 |
8 files changed, 121 insertions, 33 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 754da8ee..511f8f3a 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -13,6 +13,7 @@ app_DATA = \ caJarSigningCert.cfg.template \ default-aci.ldif \ default-keytypes.ldif \ + dns.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index c1d2817e..a04fc181 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -1,10 +1,4 @@ options { - /* make named use port 53 for the source of all queries, to allow - * firewalls to block all ports except 53: - */ - query-source port 53; - query-source-v6 port 53; - // Put files that named is allowed to write in the data/ directory: directory "/var/named"; // the default dump-file "data/cache_dump.db"; @@ -34,8 +28,9 @@ zone "." IN { include "/etc/named.rfc1912.zones"; -zone "$DOMAIN" { - type master; - file "$DOMAIN.zone.db"; +dynamic-db "ipa" { + library "ldap.so"; + arg "uri ldap://$FQDN"; + arg "base cn=dns, $SUFFIX"; + arg "auth_method none"; }; - diff --git a/install/share/dns.ldif b/install/share/dns.ldif new file mode 100644 index 00000000..939f80dd --- /dev/null +++ b/install/share/dns.ldif @@ -0,0 +1,93 @@ +dn: cn=dns,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: dns + +dn: idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: top +objectClass: idnsZone +objectClass: idnsRecord +idnsName: $DOMAIN +idnsZoneActive: True +idnsAllowDynUpdate: True +idnsUpdatePolicy: grant $REALM krb5-self * A; +idnsSOAmName: $HOST.$DOMAIN. +idnsSOArName: root.$HOST.$DOMAIN. +idnsSOAserial: 1 +idnsSOArefresh: 10800 +idnsSOAretry: 900 +idnsSOAexpire: 604800 +idnsSOAminimum: 86400 +NSRecord: $HOST + +dn: idnsName=$HOST,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: $HOST +ARecord: $IP + +dn: idnsName=_ldap._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _ldap._tcp +SRVRecord: 0 100 389 $HOST + +dn: idnsName=_kerberos,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _kerberos +TXTRecord: $REALM + +dn: idnsName=_kerberos._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _kerberos._tcp +SRVRecord: 0 100 88 $HOST + +dn: idnsName=_kerberos._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _kerberos._udp +SRVRecord: 0 100 88 $HOST + +dn: idnsName=_kerberos-master._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _kerberos-master._tcp +SRVRecord: 0 100 88 $HOST + +dn: idnsName=_kerberos-master._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _kerberos-master._udp +SRVRecord: 0 100 88 $HOST + +dn: idnsName=_kpasswd._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _kpasswd._tcp +SRVRecord: 0 100 464 $HOST + +dn: idnsName=_kpasswd._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _kpasswd._udp +SRVRecord: 0 100 464 $HOST + +dn: idnsName=_ntp._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX +changetype: add +objectClass: idnsRecord +objectClass: top +idnsName: _ntp._udp +SRVRecord: 0 100 123 $HOST diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 6cdb5bdc..a19d8f44 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -236,7 +236,7 @@ def read_realm_name(domain_name, unattended): print "The kerberos protocol requires a Realm name to be defined." print "This is typically the domain name converted to uppercase." print "" - + if unattended: return domain_name.upper() realm_name = user_input("Please provide a realm name", domain_name.upper()) @@ -392,8 +392,9 @@ def main(): # check bind packages are installed if options.setup_bind: if not bindinstance.check_inst(): - print "--setup-bind was specified but bind is not installed on the system" - print "Please install bind and restart the setup program" + print "--setup-bind was specified but bind or the BIND LDAP plug-in" + print "is not installed on the system" + print "Please install bind and the LDAP plug-in and restart the setup program" return 1 # check the hostname is correctly configured, it must be as the kldap @@ -575,7 +576,8 @@ def main(): fd.write("enable_ra=True\n") fd.close() - bind = bindinstance.BindInstance(fstore) + # Create a BIND instance + bind = bindinstance.BindInstance(fstore, dm_password) bind.setup(host_name, ip_address, realm_name, domain_name) if options.setup_bind: bind.create_instance() diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 08b781d2..72d1102b 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -27,20 +27,26 @@ import logging import service from ipapython import sysrestore from ipapython import ipautil +from ipalib import util def check_inst(): # So far this file is always present in both RHEL5 and Fedora if all the necessary # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver) if not os.path.exists('/etc/named.rfc1912.zones'): - return False + return False + + # Also check for the LDAP BIND plug-in + if not os.path.exists('/usr/lib/bind/ldap.so') and \ + not os.path.exists('/usr/lib64/bind/ldap.so'): + return False return True class BindInstance(service.Service): - def __init__(self, fstore=None): - service.Service.__init__(self, "named") + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "named", dm_password=dm_password) self.fqdn = None - self.domain = None + self.domain = None self.host = None self.ip_address = None self.realm = None @@ -57,6 +63,7 @@ class BindInstance(service.Service): self.realm = realm_name self.domain = domain_name self.host = fqdn.split(".")[0] + self.suffix = util.realm_to_suffix(self.realm) self.__setup_sub_dict() @@ -99,15 +106,12 @@ class BindInstance(service.Service): IP=self.ip_address, DOMAIN=self.domain, HOST=self.host, - REALM=self.realm) + REALM=self.realm, + SUFFIX=self.suffix) def __setup_zone(self): self.backup_state("domain", self.domain) - zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict) - self.fstore.backup_file('/var/named/'+self.domain+'.zone.db') - zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w') - zone_fd.write(zone_txt) - zone_fd.close() + self._ldap_mod("dns.ldif", self.sub_dict) def __setup_named_conf(self): self.fstore.backup_file('/etc/named.conf') @@ -135,13 +139,6 @@ class BindInstance(service.Service): if not running is None: self.stop() - if not domain is None: - try: - self.fstore.restore_file(os.path.join ("/var/named/", domain + ".zone.db")) - except ValueError, error: - logging.debug(error) - pass - for f in ["/etc/named.conf", "/etc/resolv.conf"]: try: self.fstore.restore_file(f) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 7bd9aa69..b9b74e68 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -26,7 +26,6 @@ import sys import os import re import time -import tempfile import stat from ipapython import ipautil diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 66ee63f8..1c348972 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -19,7 +19,6 @@ import subprocess import string -import tempfile import shutil import logging import fileinput diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 41e77a73..a07a382a 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -18,6 +18,8 @@ # import logging, sys +import os +import tempfile from ipapython import sysrestore from ipapython import ipautil |