author | Martin Kosek <mkosek@redhat.com> | 2013-03-13 15:15:41 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-03-22 14:31:22 +0100 |
commit | b5b040e68f571a858dfe85b65b58687ffc816649 (patch) | |
tree | 694da7fe90feb5397e6caf5d0854a3c699db4aeb | |
parent | 952a7ac9f55e09eeaa7a24400957aac684a616fb (diff) | |
Configure ipa_dns DS plugin on install and upgrade
The plugin is configured unconditionally (i.e. it does not check whether
IPA was configured with DNS), as the plugin is needed on all
replicas to prevent objectclass violations due to a missing SOA
serial in the idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-dns/Makefile.am | 6 | ||||
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif | 15 | ||||
-rw-r--r-- | install/updates/40-dns.update | 16 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 6 |
4 files changed, 43 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
index 319c6676e..1b9f649b2 100644
--- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
@@ -32,7 +32,13 @@ libipa_dns_la_LIBADD = \
 	$(LDAP_LIBS) \
 	$(NULL)
 
+appdir = $(IPA_DATA_DIR)
+app_DATA = \
+	ipa-dns-conf.ldif \
+	$(NULL)
+
 EXTRA_DIST = \
+	$(app_DATA) \
 	$(NULL)
 
 MAINTAINERCLEANFILES = \
diff --git a/daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif b/daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif
new file mode 100644
index 000000000..808cc966d
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif
@@ -0,0 +1,15 @@
+dn: cn=IPA DNS,cn=plugins,cn=config
+changetype: add
+objectclass: top
+objectclass: nsslapdPlugin
+objectclass: extensibleObject
+cn: IPA DNS
+nsslapd-plugindescription: IPA DNS support plugin
+nsslapd-pluginenabled: on
+nsslapd-pluginid: ipa_dns
+nsslapd-plugininitfunc: ipadns_init
+nsslapd-pluginpath: libipa_dns.so
+nsslapd-plugintype: preoperation
+nsslapd-pluginvendor: Red Hat, Inc.
+nsslapd-pluginversion: 1.0
+nsslapd-plugin-depends-on-type: database
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 3478a03ca..7ad366e60 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
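Review bot: The plugin entry is now defined twice with nothing tying the copies together: here in ipa-dns-conf.ldif (applied by dsinstance.py) and again as `default:` lines in install/updates/40-dns.update. Any later change to the plugin attributes — the `nsslapd-pluginversion` or `nsslapd-plugin-depends-on-type` values, say — has to be made in both files, and nothing flags it if one copy is missed. I would add `# keep in sync with install/updates/40-dns.update` above the `dn:` line here, and the mirror comment `# keep in sync with daemons/ipa-slapi-plugins/ipa-dns/ipa-dns-conf.ldif` under `# add DNS plugin` in 40-dns.update, which already uses `#` comments.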
@@ -41,3 +41,19 @@ replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dn
 # replace DNS tree deny rule with managedBy enhanced allow rule
 dn: cn=dns, $SUFFIX
 replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)'
+
+# add DNS plugin
+dn: cn=IPA DNS,cn=plugins,cn=config
+default: objectclass: top
+default: objectclass: nsslapdPlugin
+default: objectclass: extensibleObject
+default: cn: IPA DNS
+default: nsslapd-plugindescription: IPA DNS support plugin
+default: nsslapd-pluginenabled: on
+default: nsslapd-pluginid: ipa_dns
+default: nsslapd-plugininitfunc: ipadns_init
+default: nsslapd-pluginpath: libipa_dns.so
+default: nsslapd-plugintype: preoperation
+default: nsslapd-pluginvendor: Red Hat, Inc.
+default: nsslapd-pluginversion: 1.0
+default: nsslapd-plugin-depends-on-type: database
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c744c9ca9..84c1da0c8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -202,6 +202,7 @@ class DsInstance(service.Service):
         self.step("configuring uniqueness plugin", self.__set_unique_attrs)
         self.step("configuring uuid plugin", self.__config_uuid_module)
         self.step("configuring modrdn plugin", self.__config_modrdn_module)
+        self.step("configuring DNS plugin", self.__config_dns_module)
         self.step("enabling entryUSN plugin", self.__enable_entryusn)
         self.step("configuring lockout plugin", self.__config_lockout_module)
         self.step("creating indices", self.__create_indices)
@@ -501,6 +502,11 @@ class DsInstance(service.Service): self._ldap_mod("modrdn-conf.ldif") self._ldap_mod("modrdn-krbprinc.ldif", self.sub_dict) + def __config_dns_module(self): + # Configure DNS plugin unconditionally as we would otherwise have + # troubles if other replica just configured DNS with ipa-dns-install + self._ldap_mod("ipa-dns-conf.ldif") + def __config_lockout_module(self): self._ldap_mod("lockout-conf.ldif") |
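Review bot: The comment on `__config_dns_module` gives the reason only loosely ("troubles if other replica just configured DNS"); the commit message names the concrete failure — an objectclass violation from a missing SOA serial when a zone is added on a DNS-enabled replica — and that is what a reader of this code needs. I would replace the two comment lines with `# Configured on every server, not only DNS-enabled ones: without this plugin a zone added on a replica that ran ipa-dns-install would fail the idnsZone objectclass check here (missing SOA serial).` Passing no sub_dict, unlike the sibling modrdn step, looks correct since ipa-dns-conf.ldif contains no substitution variables. The new method is complete within the hunk; the enclosing DsInstance class starts outside it.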