author | Petr Spacek <pspacek@redhat.com> | 2015-10-06 09:43:43 +0200 |
committer | Martin Basti <mbasti@redhat.com> | 2015-10-07 14:28:50 +0200 |
commit | 0b797da56095801bfa80653465c04bae0809df8d (patch) | |
tree | 73c4ebdd016926220c009c858daece4ca136d0a0 | |
parent | f82d3da1e8e5dc1d0716201af5abb724a8e78fde (diff) | |
Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits
ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.
DNSSEC daemons do not need any of ldap2's abstractions, so we are going
to use ipaldap directly. This avoids the unnecessary search and the
associated risk.
https://fedorahosted.org/freeipa/ticket/5342
Reviewed-By: Martin Basti <mbasti@redhat.com>
-rwxr-xr-x | daemons/dnssec/ipa-dnskeysync-replica | 6 | ||||
-rwxr-xr-x | daemons/dnssec/ipa-ods-exporter | 6 |
2 files changed, 4 insertions, 8 deletions
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 77b962414..b6f4be5ec 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -28,7 +28,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform.paths import paths
 from ipapython.dnssec.abshsm import sync_pkcs11_metadata, ldap2p11helper_api_params, wrappingmech_name2id
@@ -154,10 +153,9 @@ os.environ['KRB5CCNAME'] = ccache_filename
 log.debug('Got TGT')
 # LDAP initialization
-ldap = ipalib.api.Backend[ldap2]
-# fixme
+ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
 log.debug('Connecting to LDAP')
-ldap.connect(ccache=ccache_filename)
+ldap.gssapi_bind()
 log.debug('Connected')
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index c8d7dbeee..b90157c4e 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -38,7 +38,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform.paths import paths
 from ipapython.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
@@ -503,10 +502,9 @@ log.debug('Got TGT')
 # LDAP initialization
 dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn)
-ldap = ipalib.api.Backend[ldap2]
-# fixme
+ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
 log.debug('Connecting to LDAP')
-ldap.connect(ccache=ccache_name)
+ldap.gssapi_bind()
 log.debug('Connected')
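Review bot: The new `ldap.gssapi_bind()` in the second hunk of ipa-dnskeysync-replica drops the explicit `ccache=ccache_filename` argument, so the bind now silently depends on `os.environ['KRB5CCNAME'] = ccache_filename` having been set earlier (visible only in this hunk's header context); the same applies to the ipa-ods-exporter hunk, where the old call used `ccache_name` and the environment assignment is not visible in the hunk at all. A one-line comment would make that coupling explicit for the next reader, e.g. `# gssapi_bind() picks up the credential cache from KRB5CCNAME exported above; no explicit ccache is passed`. It is also worth confirming that `ipaldap.LDAPClient(ipalib.api.env.ldap_uri)` with no further arguments reproduces the transport settings the old `ldap2.connect()` applied — if `ldap_uri` can be a network `ldap://` URI rather than a local `ldapi://` socket, the default client may not enable TLS, whereas the ldap2 backend handled that itself; this cannot be determined from the hunk. The module-level statement run these lines belong to continues outside both hunks.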