Hi, these three patches should make sure that we add DNS records the right way. They will also serve the ipa-dns-install command, which is almost ready; that patch will be coming soon.
Thanks Martin
>From edbd834dab63b86c04d9b1bb736c64cda3e38b2a Mon Sep 17 00:00:00 2001 From: Martin Nagy <mn...@redhat.com> Date: Thu, 3 Dec 2009 16:32:56 +0100 Subject: [PATCH 1/3] Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns. --- install/tools/ipa-server-install | 45 ++++++++++++++++++------------------- 1 files changed, 22 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 0694d6e..21bead1 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -481,18 +481,12 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + # Configuration for ipalib, we will bootstrap and finalize later, after + # we are sure we have the configuration file ready. cfg = dict( in_server=True, - webui_assets_dir=ASSETS_DIR, debug=options.debug ) - if not options.uninstall: - if options.ca: - cfg['ra_plugin'] = 'dogtag' - else: - cfg['ra_plugin'] = 'selfsign' - api.bootstrap(**cfg) - api.finalize() if options.uninstall: if not options.unattended: @@ -502,6 +496,8 @@ def main(): print "Aborting uninstall operation." sys.exit(1) + api.bootstrap(**cfg) + api.finalize() return uninstall(not certs.ipa_self_signed()) # This will override any settings passed in on the cmdline 
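Review bot: In the uninstall branch, the added `api.bootstrap(**cfg)` now runs with a `cfg` that no longer carries `ra_plugin` (previously chosen as 'dogtag' or 'selfsign' from `options.ca`), so that value is taken from whatever /etc/ipa/default.conf exists at uninstall time; on a host whose earlier install aborted before the file was written (it is now created later in main(), after the forwarder prompts), bootstrap falls back to ipalib's defaults. Whether that matters depends on what `uninstall()` needs from the ra backend, which is not visible here. A short comment on the two added lines would make the dependency explicit, e.g. `# ra_plugin and friends come from the /etc/ipa/default.conf written by the original install`. main() continues outside the hunk.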
@@ -662,6 +658,24 @@ def main(): else: dns_forwarders = () + # Create the management framework config file and finalize api + fstore.backup_file("/etc/ipa/default.conf") + fd = open("/etc/ipa/default.conf", "w") + fd.write("[global]\n") + fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n") + fd.write("realm=" + realm_name + "\n") + fd.write("domain=" + domain_name + "\n") + fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name) + fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name)) + fd.write("enable_ra=True\n") + if options.ca: + fd.write("ra_plugin=dogtag\n") + fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') + fd.close() + + api.bootstrap(**cfg) + api.finalize() + if not options.unattended: print "" print "The following operations may take some minutes to complete." @@ -749,21 +763,6 @@ def main(): http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca) ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"]) - # Create the management framework config file - fstore.backup_file("/etc/ipa/default.conf") - fd = open("/etc/ipa/default.conf", "w") - fd.write("[global]\n") - fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n") - fd.write("realm=" + realm_name + "\n") - fd.write("domain=" + domain_name + "\n") - fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name) - fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name)) - fd.write("enable_ra=True\n") - if options.ca: - fd.write("ra_plugin=dogtag\n") - fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') - fd.close() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg("Applying LDAP updates") -- 1.6.2.5
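Review bot: The moved config block writes `ra_plugin` only when `options.ca` is set, whereas the removed `cfg` code explicitly chose 'selfsign' otherwise; a non-CA install therefore relies on ipalib's built-in default for `ra_plugin` being selfsign, which nothing in this hunk shows — if it is not, `api.finalize()` picks the wrong backend. Writing both cases keeps the old behaviour explicit: `fd.write("ra_plugin=dogtag\n")` under `if options.ca:` and `fd.write("ra_plugin=selfsign\n")` in an `else:`. The write sequence is also unguarded, so an exception from `util.realm_to_suffix` or any `fd.write` leaves the descriptor open and a half-written default.conf after `fstore.backup_file` has already run; a `try`/`finally` with `fd.close()` in the `finally` closes it on the error path. main() continues outside the hunk.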
>From c601970aff98645e5c9d82b490d5b90acb26313f Mon Sep 17 00:00:00 2001 From: Martin Nagy <mn...@redhat.com> Date: Tue, 10 Nov 2009 13:21:09 +0100 Subject: [PATCH 2/3] Use the dns plug-in for addition of records during installation Fixes #528943 --- install/share/Makefile.am | 1 - install/share/dns.ldif | 88 ---------------------------- install/share/dns_reverse.ldif | 24 -------- ipaserver/install/bindinstance.py | 113 ++++++++++++++++++++++++++---------- 4 files changed, 81 insertions(+), 145 deletions(-) delete mode 100644 install/share/dns_reverse.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b74f990..e3e7cf6 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,7 +16,6 @@ app_DATA = \ default-keytypes.ldif \ delegation.ldif \ dns.ldif \ - dns_reverse.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 8ce9d69..cb783b8 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif 
@@ -4,91 +4,3 @@ objectClass: nsContainer
 objectClass: top
 cn: dns
 aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";)
-
-dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: idnsZone
-objectClass: idnsRecord
-idnsName: $DOMAIN
-idnsZoneActive: TRUE
-idnsAllowDynUpdate: TRUE
-idnsUpdatePolicy: grant $REALM krb5-self * A;
-idnsSOAmName: $FQDN.
-idnsSOArName: root.$FQDN.
-idnsSOAserial: 1
-idnsSOArefresh: 10800
-idnsSOAretry: 900
-idnsSOAexpire: 604800
-idnsSOAminimum: 86400
-NSRecord: $HOST
-
-dn: idnsName=$HOST,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: $HOST
-ARecord: $IP
-
-dn: idnsName=_ldap._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _ldap._tcp
-SRVRecord: 0 100 389 $HOST
-
-dn: idnsName=_kerberos,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _kerberos
-TXTRecord: $REALM
-
-dn: idnsName=_kerberos._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _kerberos._tcp
-SRVRecord: 0 100 88 $HOST
-
-dn: idnsName=_kerberos._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _kerberos._udp
-SRVRecord: 0 100 88 $HOST
-
-dn: idnsName=_kerberos-master._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _kerberos-master._tcp
-SRVRecord: 0 100 88 $HOST
-
-dn: idnsName=_kerberos-master._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _kerberos-master._udp
-SRVRecord: 0 100 88 $HOST
-
-dn: idnsName=_kpasswd._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _kpasswd._tcp
-SRVRecord: 0 100 464 $HOST
-
-dn: idnsName=_kpasswd._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _kpasswd._udp
-SRVRecord: 0 100 464 $HOST
-
-dn: idnsName=_ntp._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: _ntp._udp
-SRVRecord: 0 100 123 $HOST
diff --git a/install/share/dns_reverse.ldif b/install/share/dns_reverse.ldif
deleted file mode 100644
index 02d45a4..0000000
--- a/install/share/dns_reverse.ldif
+++ /dev/null
@@ -1,24 +0,0 @@
-dn: idnsName=$REVERSE_SUBNET.in-addr.arpa,cn=dns,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: idnsZone
-objectClass: idnsRecord
-idnsName: $REVERSE_SUBNET.in-addr.arpa
-idnsZoneActive: TRUE
-idnsAllowDynUpdate: TRUE
-idnsUpdatePolicy: grant $REALM krb5-subdomain $REVERSE_SUBNET.in-addr.arpa. PTR;
-idnsSOAmName: $FQDN.
-idnsSOArName: root.$FQDN.
-idnsSOAserial: 1
-idnsSOArefresh: 10800
-idnsSOAretry: 900
-idnsSOAexpire: 604800
-idnsSOAminimum: 86400
-NSRecord: $FQDN.
-
-dn: idnsName=$REVERSE_HOST,idnsName=$REVERSE_SUBNET.in-addr.arpa,cn=dns,$SUFFIX
-changetype: add
-objectClass: idnsRecord
-objectClass: top
-idnsName: $REVERSE_HOST
-PTRRecord: $FQDN.
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index e2edcd3..54cddc9 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -28,6 +28,8 @@ import service
 from ipaserver import ipaldap
 from ipapython import sysrestore
 from ipapython import ipautil
+
+import ipalib
 from ipalib import api, util
 
 def check_inst(unattended):
@@ -51,6 +53,57 @@ def check_inst(unattended): return True +def get_reverse_zone(ip_address): + tmp = ip_address.split(".") + tmp.reverse() + name = tmp.pop(0) + zone = ".".join(tmp) + ".in-addr.arpa" + + return zone, name + +def add_zone(name, update_policy=None): + if not update_policy: + update_policy = "grant %s krb5-self * A;" % api.env.realm + + try: + api.Command.dns_add(unicode(name), + idnssoamname=unicode(api.env.host), + idnsallowdynupdate=True, + idnsupdatepolicy=unicode(update_policy)) + except ipalib.errors.DuplicateEntry: + pass + + add_rr(name, "@", "NS", api.env.host+".") + + return name + +def add_reverze_zone(ip_address, update_policy=None): + zone, name = get_reverse_zone(ip_address) + if not update_policy: + update_policy = "grant %s krb5-subdomain %s. PTR;" % (api.env.realm, zone) + try: + api.Command.dns_add(unicode(zone), + idnssoamname=unicode(api.env.host), + idnsallowdynupdate=True, + idnsupdatepolicy=unicode(update_policy)) + except ipalib.errors.DuplicateEntry: + pass + + add_rr(zone, "@", "NS", api.env.host) + + return zone + +def add_rr(zone, name, type, rdata): + try: + api.Command.dns_add_rr(unicode(zone), unicode(name), + unicode(type), unicode(rdata)) + except ipalib.errors.DuplicateEntry: + pass + +def add_ptr_rr(ip_address, fqdn): + zone, name = get_reverse_zone(ip_address) + add_rr(zone, name, "PTR", fqdn+".") + class BindInstance(service.Service): def __init__(self, fstore=None, dm_password=None): service.Service.__init__(self, "named", dm_password=dm_password) @@ -101,6 +154,8 @@ class BindInstance(service.Service): pass self.__add_zone_steps() + self.step("setting up our zone", self.__setup_zone) + self.step("setting up reverse zone", self.__setup_reverse_zone) self.step("setting up kerberos principal", self.__setup_principal) self.step("setting up named.conf", self.__setup_named_conf) 
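Review bot: `add_reverze_zone` registers the reverse zone's NS record as `add_rr(zone, "@", "NS", api.env.host)` without a trailing dot, while `add_zone` passes `api.env.host+"."` and the deleted dns_reverse.ldif used `NSRecord: $FQDN.`; without the dot the name is relative to the reverse zone and resolves to `<host>.<subnet>.in-addr.arpa`. That line should read `add_rr(zone, "@", "NS", api.env.host+".")`. Both `idnssoamname=unicode(api.env.host)` values likewise lack the dot the LDIF templates carried, which is fine only if the dns plug-in qualifies them — worth confirming. The function name `add_reverze_zone` is misspelled (`add_reverse_zone`), and the `type` parameter of `add_rr` shadows the builtin; `rtype` would avoid that.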
@@ -113,8 +168,7 @@ class BindInstance(service.Service): def __add_zone_steps(self): """ - Add steps necessary to add records and zones, if they don't exist - already. + Add a DNS container if it doesn't exist. """ def object_exists(dn): @@ -128,23 +182,11 @@ class BindInstance(service.Service): else: return True - zone_dn = "idnsName=%s,cn=dns,%s" % (self.domain, self.suffix) - reverse_zone_dn = "idnsName=%s.in-addr.arpa,cn=dns,%s" % (self.reverse_subnet, self.suffix) - a_rr_dn = "idnsName=%s,%s" % (self.host, zone_dn) - ptr_rr_dn = "idnsName=%s,%s" % (self.reverse_host, reverse_zone_dn) - server = ldap.initialize("ldap://" + self.fqdn) server.simple_bind_s() - if object_exists(zone_dn): - if not object_exists(a_rr_dn): - self.step("adding our A record", self.__setup_a_record) - else: - self.step("setting up our zone", self.__setup_zone) - if object_exists(reverse_zone_dn): - if not object_exists(ptr_rr_dn): - self.step("adding our PTR record", self.__setup_ptr_record) - else: - self.step("setting up reverse zone", self.__setup_reverse_zone) + + if not object_exists("cn=dns,%s" % self.suffix): + self.step("adding DNS container", self.__setup_dns_container) server.unbind_s() 
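Review bot: `__add_zone_steps` now registers only the DNS-container step, as its new docstring says, while the zone and reverse-zone steps are added unconditionally by the caller, so the method name no longer describes what it does; renaming it together with its call site, e.g. `def __add_dns_container_step(self):`, keeps the name honest. The anonymous `server.simple_bind_s()` against `ldap://<fqdn>` is kept solely for the `object_exists("cn=dns,...")` probe, so a one-line comment such as `# anonymous bind is enough: we only test whether the container exists` would explain why no credentials are used. The two hunks here belong to the same method, and its closing lines are not visible in the hunk.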
@@ -174,25 +216,32 @@ class BindInstance(service.Service): HOST=self.host, REALM=self.realm, FORWARDERS=fwds, - SUFFIX=self.suffix, - REVERSE_HOST=self.reverse_host, - REVERSE_SUBNET=self.reverse_subnet) + SUFFIX=self.suffix) - def __setup_zone(self): - self.backup_state("domain", self.domain) + def __setup_dns_container(self): self._ldap_mod("dns.ldif", self.sub_dict) - def __setup_reverse_zone(self): - self._ldap_mod("dns_reverse.ldif", self.sub_dict) - - def __setup_a_record(self): - api.Command.dns_add_rr(unicode(self.domain), unicode(self.host), - u'A', unicode(self.ip_address)) + def __setup_zone(self): + resource_records = ( + (self.host, "A", self.ip_address), + ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host), + ("_kerberos", "TXT", self.realm), + ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host), + ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host), + ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host), + ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host), + ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host), + ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host), + ) + + zone = add_zone(self.domain) + for (host, type, rdata) in resource_records: + add_rr(zone, host, type, rdata) + add_rr(zone, "_ntp._udp", "SRV", "0 100 123 "+self.host) - def __setup_ptr_record(self): - api.Command.dns_add_rr(unicode(self.reverse_subnet + ".in-addr.arpa"), - unicode(self.reverse_host), u'PTR', - unicode(self.host)) + def __setup_reverse_zone(self): + add_reverze_zone(self.ip_address) + add_ptr_rr(self.ip_address, self.fqdn) def __setup_principal(self): dns_principal = "DNS/" + self.fqdn + "@" + self.realm -- 1.6.2.5
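Review bot: The new `__setup_zone` drops the `self.backup_state("domain", self.domain)` call the replaced version made before creating the zone, so the domain is no longer recorded in the sysrestore state; if the uninstall path reads that key it will now find nothing — uninstall is not visible here, so please confirm. If the state is still needed, keep `self.backup_state("domain", self.domain)` as the first line of the new `__setup_zone`. The loop variable `type` in `for (host, type, rdata) in resource_records:` shadows the builtin; `rtype` reads cleaner. `__setup_principal` at the end of the hunk continues outside it.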
>From 03c29a3e6fbc4d60f7fed184bab19b07d433b7d1 Mon Sep 17 00:00:00 2001 From: Martin Nagy <mn...@redhat.com> Date: Tue, 10 Nov 2009 15:16:38 +0100 Subject: [PATCH 3/3] Only add an NTP SRV record if we really are setting up NTP The sample bind zone file that is generated if we don't use --setup-dns is also changed. Fixes #500238 --- install/share/bind.zone.db.template | 4 +--- install/tools/ipa-replica-install | 3 ++- install/tools/ipa-server-install | 2 +- ipaserver/install/bindinstance.py | 15 ++++++++++++--- 4 files changed, 16 insertions(+), 8 deletions(-) diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template index b3aa7b9..71fa10b 100644 --- a/install/share/bind.zone.db.template +++ b/install/share/bind.zone.db.template @@ -23,6 +23,4 @@ _kerberos-master._tcp IN SRV 0 100 88 $HOST _kerberos-master._udp IN SRV 0 100 88 $HOST _kpasswd._tcp IN SRV 0 100 464 $HOST _kpasswd._udp IN SRV 0 100 464 $HOST - -;ntp server -_ntp._udp IN SRV 0 100 123 $HOST +$OPTIONAL_NTP diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 33d3726..5dfa8c4 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -218,7 +218,8 @@ def install_bind(config, options): forwarders = () bind = bindinstance.BindInstance(dm_password=config.dirman_password) ip_address = resolve_host(config.host_name) - bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name, forwarders) + bind.setup(config.host_name, ip_address, config.realm_name, + config.domain_name, forwarders, options.conf_ntp) bind.create_instance() def check_dirsrv(): diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 21bead1..abc7214 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -781,7 +781,7 @@ def main(): # Create a BIND instance bind = bindinstance.BindInstance(fstore, dm_password) - bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders) + bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, options.conf_ntp) if options.setup_dns: api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 54cddc9..f96a1c4 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -121,7 +121,7 @@ class BindInstance(service.Service): else: self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, named_user="named"): + def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, named_user="named"): self.named_user = named_user self.fqdn = fqdn self.ip_address = ip_address @@ -130,6 +130,7 @@ class BindInstance(service.Service): self.forwarders = forwarders self.host = fqdn.split(".")[0] self.suffix = util.realm_to_suffix(self.realm) + self.ntp = ntp tmp = ip_address.split(".") tmp.reverse() @@ -210,13 +211,20 @@ class BindInstance(service.Service): else: fwds = " " + if self.ntp: + optional_ntp = "\n;ntp server\n" + optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host + else: + optional_ntp = "" + self.sub_dict = dict(FQDN=self.fqdn, IP=self.ip_address, DOMAIN=self.domain, HOST=self.host, REALM=self.realm, FORWARDERS=fwds, - SUFFIX=self.suffix) + SUFFIX=self.suffix, + OPTIONAL_NTP=optional_ntp) def __setup_dns_container(self): self._ldap_mod("dns.ldif", self.sub_dict) 
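Review bot: Inserting the required positional `ntp` before `named_user` in `setup()` silently changes any existing positional call that supplied `named_user` as the sixth argument — it would now be bound to `ntp` while `named_user` keeps its default. The two callers in this series are updated, but giving the new parameter a default keeps older call sites working: `def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp=False, named_user="named"):`. setup() continues outside the hunk.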
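Review bot: The added line `optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host` ends in three quote characters: the literal closes after `%s`, and the trailing `""` is an empty string that only works through implicit concatenation, so it reads like a triple-quoted string but is not one. It should be `optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % self.host`. The enclosing method starts before the hunk.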
@@ -237,7 +245,8 @@ class BindInstance(service.Service): zone = add_zone(self.domain) for (host, type, rdata) in resource_records: add_rr(zone, host, type, rdata) - add_rr(zone, "_ntp._udp", "SRV", "0 100 123 "+self.host) + if self.ntp: + add_rr(zone, "_ntp._udp", "SRV", "0 100 123 "+self.host) def __setup_reverse_zone(self): add_reverze_zone(self.ip_address) -- 1.6.2.5