authorMartin Nagy <mnagy@redhat.com>2009-05-12 15:20:24 +0200
committerMartin Nagy <mnagy@redhat.com>2009-06-02 12:32:01 +0200
commit1bc786e379ed5575cf4dffaa23bf7d66f42e44d7 (patch)
tree88e2027f90907587f7138704776db8264441f966
parent1893a802c78399c27c99523edcac4de0ab2a0ef0 (diff)
Use LDAP instead of flat file for zone storage
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/bind.named.conf.template15
-rw-r--r--install/share/dns.ldif93
-rwxr-xr-xinstall/tools/ipa-server-install10
-rw-r--r--ipaserver/install/bindinstance.py31
-rw-r--r--ipaserver/install/dsinstance.py1
-rw-r--r--ipaserver/install/krbinstance.py1
-rw-r--r--ipaserver/install/service.py2
8 files changed, 121 insertions, 33 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 754da8ee..511f8f3a 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -13,6 +13,7 @@ app_DATA = \
caJarSigningCert.cfg.template \
default-aci.ldif \
default-keytypes.ldif \
+ dns.ldif \
kerberos.ldif \
indices.ldif \
bind.named.conf.template \
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index c1d2817e..a04fc181 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -1,10 +1,4 @@
options {
- /* make named use port 53 for the source of all queries, to allow
- * firewalls to block all ports except 53:
- */
- query-source port 53;
- query-source-v6 port 53;
-
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
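Review bot: Removing the fixed `query-source port 53` lines is unrelated to the LDAP zone storage the subject describes, and the description does not mention it. A pinned source port disables named's source-port randomization, so dropping it is the safer default, but it also changes what the installer expects from the host firewall (the removed comment was the only record of that), so it deserves a sentence in the commit message or its own commit. A replacement comment such as `// source port is left to named so outbound queries use randomized ports` would preserve the intent in the template.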
@@ -34,8 +28,9 @@ zone "." IN {
include "/etc/named.rfc1912.zones";
-zone "$DOMAIN" {
- type master;
- file "$DOMAIN.zone.db";
+dynamic-db "ipa" {
+ library "ldap.so";
+ arg "uri ldap://$FQDN";
+ arg "base cn=dns, $SUFFIX";
+ arg "auth_method none";
};
-
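Review bot: `arg "auth_method none"` makes named bind to the directory anonymously, and dns.ldif (below) sets `idnsAllowDynUpdate: True` on the zone, so any update the plug-in writes back is also attempted over that anonymous connection. Whether cn=dns is readable or writable anonymously depends on the ACIs on `cn=dns, $SUFFIX`, which nothing in this commit sets, so either the suffix's default ACIs grant anonymous write to the DNS tree (undesirable) or dynamic updates will fail at the directory; please confirm which. If the plug-in supports an authenticated bind, a dedicated DNS bind identity whose write access is limited to cn=dns would be the safer configuration; at minimum a comment like `// anonymous bind: reads of cn=dns rely on the suffix ACIs; dynamic-update writes need an ACI on cn=dns` should record the assumption. The `base` argument is also written `cn=dns, $SUFFIX` with a space while dns.ldif writes `cn=dns,$SUFFIX`; DN parsing presumably tolerates it, but one spelling is easier to grep for.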
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
new file mode 100644
index 00000000..939f80dd
--- /dev/null
+++ b/install/share/dns.ldif
@@ -0,0 +1,93 @@
+dn: cn=dns,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: dns
+
+dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: idnsZone
+objectClass: idnsRecord
+idnsName: $DOMAIN
+idnsZoneActive: True
+idnsAllowDynUpdate: True
+idnsUpdatePolicy: grant $REALM krb5-self * A;
+idnsSOAmName: $HOST.$DOMAIN.
+idnsSOArName: root.$HOST.$DOMAIN.
+idnsSOAserial: 1
+idnsSOArefresh: 10800
+idnsSOAretry: 900
+idnsSOAexpire: 604800
+idnsSOAminimum: 86400
+NSRecord: $HOST
+
+dn: idnsName=$HOST,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: $HOST
+ARecord: $IP
+
+dn: idnsName=_ldap._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _ldap._tcp
+SRVRecord: 0 100 389 $HOST
+
+dn: idnsName=_kerberos,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos
+TXTRecord: $REALM
+
+dn: idnsName=_kerberos._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos._tcp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos._udp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos-master._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos-master._tcp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos-master._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos-master._udp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kpasswd._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kpasswd._tcp
+SRVRecord: 0 100 464 $HOST
+
+dn: idnsName=_kpasswd._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kpasswd._udp
+SRVRecord: 0 100 464 $HOST
+
+dn: idnsName=_ntp._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _ntp._udp
+SRVRecord: 0 100 123 $HOST
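Review bot: The file documents none of the template variables it relies on (`$SUFFIX`, `$DOMAIN`, `$REALM`, `$HOST`, `$IP`), which `BindInstance.__setup_sub_dict` substitutes before the LDIF is loaded; a leading `# $SUFFIX, $DOMAIN, $REALM, $HOST and $IP are substituted by bindinstance.py before this file is loaded` would help the next reader. Those values are substituted unescaped into DNs such as `idnsName=$DOMAIN,cn=dns,$SUFFIX`, so any DN-special character (`,`, `+`, `\`, `"`) in the domain or host name would change the entry's DN; host and domain names are presumably validated in ipa-server-install before reaching here, but that is not visible in this diff and is worth confirming. Finally, `NSRecord: $HOST` is a relative owner name while `idnsSOAmName: $HOST.$DOMAIN.` is absolute; if the plug-in treats a bare name as relative to the zone this is fine, but using one form for both avoids depending on that.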
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6cdb5bdc..a19d8f44 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -236,7 +236,7 @@ def read_realm_name(domain_name, unattended):
print "The kerberos protocol requires a Realm name to be defined."
print "This is typically the domain name converted to uppercase."
print ""
-
+
if unattended:
return domain_name.upper()
realm_name = user_input("Please provide a realm name", domain_name.upper())
@@ -392,8 +392,9 @@ def main():
# check bind packages are installed
if options.setup_bind:
if not bindinstance.check_inst():
- print "--setup-bind was specified but bind is not installed on the system"
- print "Please install bind and restart the setup program"
+ print "--setup-bind was specified but bind or the BIND LDAP plug-in"
+ print "is not installed on the system"
+ print "Please install bind and the LDAP plug-in and restart the setup program"
return 1
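Review bot: The new message tells the user the LDAP plug-in is missing without naming what was looked for; `check_inst` in bindinstance.py tests for `/usr/lib/bind/ldap.so` or `/usr/lib64/bind/ldap.so`, so a line such as `print "(expected /usr/lib/bind/ldap.so or /usr/lib64/bind/ldap.so)"` would make the failure actionable. The sentence is also split across two prints mid-clause, which reads oddly on a terminal; keeping one sentence per print avoids that. main() continues outside this hunk.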
# check the hostname is correctly configured, it must be as the kldap
@@ -575,7 +576,8 @@ def main():
fd.write("enable_ra=True\n")
fd.close()
- bind = bindinstance.BindInstance(fstore)
+ # Create a BIND instance
+ bind = bindinstance.BindInstance(fstore, dm_password)
bind.setup(host_name, ip_address, realm_name, domain_name)
if options.setup_bind:
bind.create_instance()
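Review bot: `# Create a BIND instance` restates the line below it; the thing worth recording is why the Directory Manager password is now handed to the BIND installer, e.g. `# dm_password is needed so BindInstance can load dns.ldif into the directory`. Note also that `bind.setup(...)` is called regardless of `--setup-bind`, so the DM password now reaches BindInstance even when BIND is not being configured; that is pre-existing, but with a credential flowing through it may be worth constructing the instance under `if options.setup_bind` unless the unconditional setup() is relied on elsewhere. main() starts and ends outside this hunk.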
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 08b781d2..72d1102b 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -27,20 +27,26 @@ import logging
import service
from ipapython import sysrestore
from ipapython import ipautil
+from ipalib import util
def check_inst():
# So far this file is always present in both RHEL5 and Fedora if all the necessary
# bind packages are installed (RHEL5 requires also the pkg: caching-nameserver)
if not os.path.exists('/etc/named.rfc1912.zones'):
- return False
+ return False
+
+ # Also check for the LDAP BIND plug-in
+ if not os.path.exists('/usr/lib/bind/ldap.so') and \
+ not os.path.exists('/usr/lib64/bind/ldap.so'):
+ return False
return True
class BindInstance(service.Service):
- def __init__(self, fstore=None):
- service.Service.__init__(self, "named")
+ def __init__(self, fstore=None, dm_password=None):
+ service.Service.__init__(self, "named", dm_password=dm_password)
self.fqdn = None
- self.domain = None
+ self.domain = None
self.host = None
self.ip_address = None
self.realm = None
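Review bot: The new plug-in check in `check_inst` hard-codes two library paths in a backslash-continued condition; `if not any(os.path.exists(p) for p in ("/usr/lib/bind/ldap.so", "/usr/lib64/bind/ldap.so")):` says the same thing without the continuation, and the two paths are a natural module-level constant. The function also still has no docstring; a one-liner such as `"""Return True if BIND and its LDAP plug-in (ldap.so) are installed."""` would fix that. This check and `library "ldap.so"` in bind.named.conf.template must agree on where named looks for the module, which depends on named's module search path and cannot be verified from this diff. `BindInstance.__init__` continues outside the hunk.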
@@ -57,6 +63,7 @@ class BindInstance(service.Service):
self.realm = realm_name
self.domain = domain_name
self.host = fqdn.split(".")[0]
+ self.suffix = util.realm_to_suffix(self.realm)
self.__setup_sub_dict()
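Review bot: `self.suffix` is assigned only here in setup(), whereas the other attributes (`fqdn`, `domain`, `host`, `ip_address`, `realm`) are initialized to None in `__init__` in the previous hunk; anything that inspects the instance before setup() will raise AttributeError instead of seeing None. Add `self.suffix = None` to `__init__` next to `self.realm = None`. setup() starts before this hunk.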
@@ -99,15 +106,12 @@ class BindInstance(service.Service):
IP=self.ip_address,
DOMAIN=self.domain,
HOST=self.host,
- REALM=self.realm)
+ REALM=self.realm,
+ SUFFIX=self.suffix)
def __setup_zone(self):
self.backup_state("domain", self.domain)
- zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
- self.fstore.backup_file('/var/named/'+self.domain+'.zone.db')
- zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w')
- zone_fd.write(zone_txt)
- zone_fd.close()
+ self._ldap_mod("dns.ldif", self.sub_dict)
def __setup_named_conf(self):
self.fstore.backup_file('/etc/named.conf')
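Review bot: `__setup_zone` now creates the zone by loading dns.ldif through `self._ldap_mod`, but the uninstall hunk that follows (`-135,13 +139,6`) only deletes the old zone-file restore and adds no counterpart, so `cn=dns,$SUFFIX` and the zone entries remain in the directory after uninstall, and `backup_state("domain", ...)` is still recorded although its only visible consumer is gone. If `_ldap_mod` (in service.py, outside this diff) cannot undo the load, uninstall should at least delete the zone entry it created, or the lack of cleanup should be stated on `__setup_zone` with a comment such as `# Zone data now lives in LDAP; uninstall does not remove cn=dns`. `dm_password` defaults to None in `__init__`, and what `_ldap_mod` does when it is None cannot be seen here, so a guard or an explicit error in __setup_zone would make that failure clear.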
@@ -135,13 +139,6 @@ class BindInstance(service.Service):
if not running is None:
self.stop()
- if not domain is None:
- try:
- self.fstore.restore_file(os.path.join ("/var/named/", domain + ".zone.db"))
- except ValueError, error:
- logging.debug(error)
- pass
-
for f in ["/etc/named.conf", "/etc/resolv.conf"]:
try:
self.fstore.restore_file(f)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 7bd9aa69..b9b74e68 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -26,7 +26,6 @@ import sys
import os
import re
import time
-import tempfile
import stat
from ipapython import ipautil
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 66ee63f8..1c348972 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -19,7 +19,6 @@
import subprocess
import string
-import tempfile
import shutil
import logging
import fileinput
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 41e77a73..a07a382a 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -18,6 +18,8 @@
#
import logging, sys
+import os
+import tempfile
from ipapython import sysrestore
from ipapython import ipautil