DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal

Command "ldap-cleanup <zone name>" is called to remove all key metadata from
LDAP. This command is now called when disabling DNSSEC on a DNS zone. The stale
metadata were causing problems when re-enabling DNSSEC on the same zone.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/ipapython/dnssec/odsmgr.py b/ipapython/dnssec/odsmgr.py
index 041ad1fc9..fb6d696af 100644
--- a/ipapython/dnssec/odsmgr.py
+++ b/ipapython/dnssec/odsmgr.py
@@ -151,12 +151,18 @@ class ODSMgr(object):
         output = self.ksmutil(cmd)
         self.log.info(output)
         self.notify_enforcer()
+        self.cleanup_signer(name)
 
     def notify_enforcer(self):
         cmd = ['notify']
         output = self.ksmutil(cmd)
         self.log.info(output)
 
+    def cleanup_signer(self, zone_name):
+        cmd = ['ods-signer', 'ldap-cleanup', str(zone_name)]
+        output = ipautil.run(cmd, capture_output=True)
+        self.log.info(output)
+
     def ldap_event(self, op, uuid, attrs):
         """Record single LDAP event - zone addition or deletion.