[Freeipa-devel] DNS SOA serial managed by 389 DS plugin: design

2013-02-11 Thread Petr Spacek

Hello,

please take a look at

http://freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation

The "Overview" chapter (IPA 3.0) summarizes the current state and problems. The next chapter 
contains a proposal combined from Simo's and my ideas. The user interface part is 
still an open question. Any ideas are welcome!


I copied only the 3.1 part to make the e-mail shorter:



Design in IPA 3.1

Move SOA serial maintenance from bind-dyndb-ldap to a (new?) 389 DS plugin: IPA 
ticket #3347.


The DS plugin watches the cn=dns sub-tree for changes.

Any change to a DNS record in this subtree will increment the idnsSOAserial 
attribute in the record's parent zone.



Basic idea

if objectClass is idnsConfig
    change is ignored and idnsSOAserial is not incremented
else if objectClass is idnsZone
    increment idnsSOAserial in the same object
else if objectClass is idnsRecord
    increment idnsSOAserial in object's immediate parent
    e.g. change in idnsName=test, idnsName=example.com, cn=dns will increment
    idnsSOAserial in object idnsName=example.com, cn=dns

    if parent's objectClass is not idnsZone
        log an error (This should never happen :-))


SOA serial incrementation algorithm

oldSerial = actual idnsSOAserial value
timestamp = actual UNIX timestamp
if (oldSerial != timestamp)
    newSerial = timestamp
else
    newSerial = oldSerial + 1
Write newSerial value to the particular idnsSOAserial attribute


Implementation details

BIND does a direct SOA serial update (not triggered by the serial autoincrement 
feature) after any dynamic update. We have to catch those attempts and ignore 
them:


A plugin can intercept any modify and manipulate it, including 
suppressing changes to the SOA serial.
It should be possible to catch and discard SOA serial modifications inside 
BIND. This will save some load on the LDAP server.



Possible optimization

Increment serial value at most once per second.

Basic idea: Write the current timestamp (no incrementation) and write the serial value 
to the database with a one second delay.


Problem: How to solve an LDAP server crash? Write the timestamp immediately and 
(while reading) subtract 1 if timestamp == serial?


--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 356 Add trustconfig-show and trustconfig-mod commands

2013-02-11 Thread Martin Kosek
On 02/08/2013 05:30 PM, Alexander Bokovoy wrote:
 On Fri, 01 Feb 2013, Martin Kosek wrote:
 On 02/01/2013 03:55 PM, Alexander Bokovoy wrote:
 On Tue, 29 Jan 2013, Martin Kosek wrote:
 trust_output_params = (
 @@ -482,3 +499,158 @@ api.register(trust_mod)
 api.register(trust_del)
 api.register(trust_find)
 api.register(trust_show)
 +
 +
 +_trust_type_option = (
 +StrEnum('trust_type',
 +cli_name='type',
 +label=_('Trust type (ad for Active Directory, default)'),
 +values=(u'ad',),
 +default=u'ad',
 +autofill=True,
 +),
 +)
 We already have various trust type definitions in the same file. Maybe
 it makes sense to unify those somehow?

 Right, I unified those 2 separate trust_type option definitions.


 +def get_dn(self, *keys, **kwargs):
 +trust_type = kwargs.get('trust_type')
 +if trust_type is None:
 +raise errors.RequirementError(name='trust_type')
 +if kwargs['trust_type'] == u'ad':
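Review bot: in get_dn the value is fetched once into the local `trust_type` (`trust_type = kwargs.get('trust_type')`) and checked for None, but the comparison on the next line goes back to the dictionary with `kwargs['trust_type'] == u'ad'`; read it once and compare the local (`if trust_type == u'ad':`) so the None check and the comparison are visibly on the same value and the lookup is not duplicated.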
 Perhaps better to define constants for the trust type values...

 I changed it a bit and now it uses a dict instead. I think it's now more 
 general and extensible.


 +except ValueError:
 +# The search is performed for groups with posixgroup
 objectclass
 +# and not ipausergroup so that it can also match groups like
 +# Default SMG Group which does not have this objectclass.
 'Default SM_B_ Group'

 Fixed.


 Thanks for the unit tests too!


 You are welcome! I also generated API.txt which I forgot to do last time.
 Updated patch attached.
 ACK for the code but please add more documentation (below).
 
 Works like a charm. I also tried changing the default fallback group to
 some IPA group, then back to Default SMB Group, and it worked well. Also,
 specifying a non-existing group was noted and rejected.
 
 Please make sure to mention in the design page magic value 'Default SMB
 Group' and also that you can use any group with 'posixgroup'
 objectclass, and that 'Default SMB Group' is not visible through normal
 IPA tools.
 
 We need to write better documentation (online help) for trustconfig-mod.
 Basically, right now it helps no one to understand what is supposed to
 be done here.
 
 Once help is added, ACK.

Thanks for the review! RFE updated with information you mentioned.

I also added more info to trust online help (which you verified off-list).

Pushed to master, ipa-3-1.

Martin



[Freeipa-devel] [PATCH] ipa-kdb: Free talloc autofree context when module is closed

2013-02-11 Thread Sumit Bose
Hi,

this patch should fix https://fedorahosted.org/freeipa/ticket/3410 . See
commit message for details.

bye,
Sumit
From 4892c10b273119e20c536285663f1ded6b6ff3fe Mon Sep 17 00:00:00 2001
From: sbose sbose@ipa18-devel.ipa18.devel
Date: Mon, 11 Feb 2013 15:39:22 +0100
Subject: [PATCH] ipa-kdb: Free talloc autofree context when module is closed

Currently krb5kdc crashes on exit if the ipadb KDB module is loaded and trusts
are configured. The reason is the talloc autofree context which gets initialised
during the ndr_push_union_blob() call. On exit the KDC module is unloaded and
later on atexit() tries to free the context, but all related symbols are
already unloaded with the module.

This patch frees the talloc autofree context during the cleanup routine of the
module. Since this is called only at exit and not during normal operations this
is safe even if other KDC plugins use the talloc autofree context, e.g. via
some Samba libraries, as well.

Fixes https://fedorahosted.org/freeipa/ticket/3410
---
 daemons/ipa-kdb/ipa_kdb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 
3527cefa10df67d3f17c730ab4483410c736a44f..0b769f7ed76488c5febf9e610450815534398f4d
 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -20,6 +20,8 @@
  * along with this program.  If not, see http://www.gnu.org/licenses/.
  */
 
+#include talloc.h
+
 #include ipa_kdb.h
 
 struct ipadb_context *ipadb_get_context(krb5_context kcontext)
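Review bot: the new `#include talloc.h` makes ipa_kdb.c call libtalloc directly, while the diffstat shows only ipa_kdb.c changed; please confirm the ipa-kdb build links libtalloc explicitly rather than relying on it being pulled in transitively through the Samba/ndr libraries mentioned in the commit message, otherwise the module may fail to load with an unresolved talloc_free/talloc_autofree_context symbol on a differently linked build.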
@@ -452,6 +454,7 @@ static krb5_error_code ipadb_fini_module(krb5_context 
kcontext)
 
 ipactx = ipadb_get_context(kcontext);
 ipadb_context_free(kcontext, ipactx);
+talloc_free(talloc_autofree_context());
 
 return 0;
 }
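Review bot: `talloc_free(talloc_autofree_context());` is added to ipadb_fini_module without an explanatory comment; the reasoning in the commit message (atexit() would otherwise free the context after the module's symbols are unloaded, and this routine runs only at exit, so freeing a context shared with other plugins is acceptable) is exactly what a later reader of this function needs, so put a short comment above the call. Also worth stating there: talloc_autofree_context() creates the context if none exists yet, so on a KDC where ndr_push_union_blob() was never called this line allocates the context and immediately frees it, which is harmless but not obvious.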
-- 
1.8.0.2


Re: [Freeipa-devel] DNS SOA serial managed by 389 DS plugin: design

2013-02-11 Thread Simo Sorce
On Mon, 2013-02-11 at 15:37 +0100, Petr Spacek wrote:
 Possible optimization
 
 Increment serial value at most once per second.
 
 Basic idea: Write current timestamp (no incrementation) and write
 serial value 
 to the database with one second delay.
 
 Problem: How to solve LDAP server crash? Write timestamp immediately
 and 
 (while reading) subtract 1 if timestamp == serial?
 
I am not sure I understand the solution here?

Maybe a simpler solution is to always write the serial as time() + 1?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

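Added example (my own Python, not code from this thread, FreeIPA or bind-dyndb-ldap): the serial rule from Petr's "SOA serial incrementation algorithm" and Simo's time() + 1 variant, each driven through a constructed sequence of change timestamps and checked with RFC 1982 serial comparison, the test a secondary applies to decide whether the zone is newer. The names next_serial_proposed, next_serial_time_plus_one, serial_gt and simulate are mine; the sample timestamps are constructed.

```python
import time

SERIAL_MOD = 2 ** 32   # idnsSOAserial is a 32-bit unsigned value (RFC 1035)
HALF = 2 ** 31         # RFC 1982: a is newer than b if (a - b) mod 2^32 is in (0, 2^31)


def next_serial_proposed(old_serial, now):
    """Rule from the design: newSerial = timestamp, unless the stored serial
    already equals the timestamp, in which case newSerial = oldSerial + 1."""
    if old_serial != now:
        return now % SERIAL_MOD
    return (old_serial + 1) % SERIAL_MOD


def next_serial_time_plus_one(old_serial, now):
    """Simo's variant: always write time() + 1 (old_serial is not consulted)."""
    return (now + 1) % SERIAL_MOD


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if serial a is 'newer' than serial b.
    A secondary only transfers the zone when the new serial compares greater."""
    return a != b and ((a - b) % SERIAL_MOD) < HALF


def simulate(rule, start_serial, change_times):
    """Apply `rule` to one change per entry of change_times (UNIX seconds).
    Returns the serial written after each change and the indexes of changes
    whose serial a secondary would NOT see as newer than the previous one."""
    serial = start_serial
    written, not_newer = [], []
    for i, now in enumerate(change_times):
        new = rule(serial, now)
        if not serial_gt(new, serial):
            not_newer.append(i)
        written.append(new)
        serial = new
    return written, not_newer


if __name__ == "__main__":
    # Constructed sample: three changes land in second 100, one in second 101.
    times = [100, 100, 100, 101]
    print("design rule  :", simulate(next_serial_proposed, 99, times))
    print("time() + 1   :", simulate(next_serial_time_plus_one, 99, times))
    print("now          :", simulate(next_serial_proposed, 0, [int(time.time())]))
```

Running it shows what each rule does when several changes fall into one second, which is the case the "at most once per second" optimization is about.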