[Freeipa-devel] DNS SOA serial managed by 389 DS plugin: design
Hello,

please take a look at http://freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation

The Overview chapter "IPA 3.0" summarizes the current state and problems. The next chapter contains a proposal combined from Simo's and my ideas. The user interface part is still an open question. Any ideas are welcome!

I copied only the 3.1 part to make the e-mail shorter:

Design in IPA 3.1

Move SOA serial maintenance from bind-dyndb-ldap to a (new?) 389 DS plugin: IPA ticket #3347.

The DS plugin watches the cn=dns sub-tree for changes. Any change to a DNS record in this subtree will increment the idnsSOAserial attribute in the record's parent zone.

Basic idea

if objectClass is idnsConfig
    the change is ignored and idnsSOAserial is not incremented
else if objectClass is idnsZone
    increment idnsSOAserial in the same object
else if objectClass is idnsRecord
    increment idnsSOAserial in the object's immediate parent
    e.g. a change in idnsName=test, idnsName=example.com, cn=dns will increment idnsSOAserial in the object idnsName=example.com, cn=dns
    if the parent's objectClass is not idnsZone, log an error (This should never happen :-))

SOA serial incrementation algorithm

OLDserial = current idnsSOAserial value
timestamp = current UNIX timestamp

if (OLDserial != timestamp)
    newSerial = timestamp
else
    newSerial = oldSerial + 1

Write the newSerial value to the particular idnsSOAserial attribute.

Implementation details

BIND does a direct SOA serial update (not triggered by the serial auto-increment feature) after any dynamic update. We have to catch those attempts and ignore them:

A plugin can intercept any modify and manipulate it, including suppressing changes to the SOA serial.

It should be possible to catch and discard SOA serial modifications inside BIND. This will save some load on the LDAP server.

Possible optimization

Increment the serial value at most once per second.

Basic idea: write the current timestamp (no incrementation) and write the serial value to the database with a one second delay.

Problem: how to solve an LDAP server crash? Write the timestamp immediately and (while reading) subtract 1 if timestamp == serial?

-- 
Petr^2 Spacek

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
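As an added example (not code from the design page, FreeIPA or 389 DS), here is a Python model of the decision tree and the serial arithmetic described above, so both can be exercised offline. The DNs, objectClass sets, LDAP modification tuples and timestamps are constructed stand-ins for the cn=dns subtree the plugin would watch; the RFC 1982 serial comparison and the max()-based variant are my additions for checking the result, not part of the proposal. The burst case (several updates inside one second, then one a second later) is included because that is where the `!=` comparison, taken literally, decides what gets written.

```python
"""Model of the SOA-serial maintenance proposed for a 389 DS plugin.

Added example, not FreeIPA or 389 DS code.  DNs, objectClass sets, LDAP
modification tuples and timestamps are constructed stand-ins.
"""

# Constructed sample subtree: DN -> objectClass values.  Assumption: the
# container carries idnsConfig, a zone carries idnsZone and idnsRecord,
# a record carries idnsRecord only.
CONTAINER = "cn=dns,dc=example,dc=com"
ZONE = "idnsName=example.com," + CONTAINER
RECORD = "idnsName=test," + ZONE
ORPHAN = "idnsName=orphan," + CONTAINER   # record whose parent is not a zone
SAMPLE_TREE = {
    CONTAINER: {"idnsConfig"},
    ZONE: {"idnsZone", "idnsRecord"},
    RECORD: {"idnsRecord"},
    ORPHAN: {"idnsRecord"},
}

def parent_dn(dn):
    """Immediate parent DN.  Assumes no escaped commas in RDN values."""
    return dn.split(",", 1)[1]

def serial_target(dn, tree):
    """DN whose idnsSOAserial a change to `dn` bumps (the design's decision tree).
    None means the change is ignored.  LookupError is the 'parent is not an
    idnsZone' branch that the design says should never happen."""
    classes = tree[dn]
    if "idnsConfig" in classes:
        return None
    if "idnsZone" in classes:
        return dn
    if "idnsRecord" in classes:
        parent = parent_dn(dn)
        if "idnsZone" not in tree.get(parent, ()):
            raise LookupError("parent %s of %s is not an idnsZone" % (parent, dn))
        return parent
    return None  # not covered by the design text; treated as ignored here

def next_serial(old_serial, now):
    """Serial incrementation exactly as written on the design page."""
    if old_serial != now:
        return now
    return old_serial + 1

def next_serial_monotonic(old_serial, now):
    """Variant, not from the page: the new serial is always greater than the
    old one, also for several updates inside one second.  Assumes no 32-bit
    wrap (true while Unix time < 2**31)."""
    return max(old_serial + 1, now)

def strip_soa_serial_mods(mods):
    """Drop idnsSOAserial modifications, so BIND's direct serial write after a
    dynamic update is ignored and only the plugin sets the serial."""
    return [m for m in mods if m[1].lower() != "idnssoaserial"]

def serial_gt(a, b):
    """RFC 1982 32-bit serial comparison: True if a secondary holding serial b
    would treat serial a as newer and transfer the zone."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a > b and a - b < 2**31) or (a < b and b - a > 2**31)

def apply_change(serials, tree, dn, mods, now, step=next_serial):
    """One LDAP modify passing through the plugin.
    serials: zone DN -> current idnsSOAserial, updated in place.
    Returns (zone DN, serial written) or (None, None) when the change is ignored."""
    mods = strip_soa_serial_mods(mods)
    zone = serial_target(dn, tree)
    if zone is None:
        return None, None
    serials[zone] = step(serials[zone], now)
    return zone, serials[zone]

def burst(step=next_serial, start=1360593442):
    """Three record updates in the same second, then one a second later.
    Returns the serials written, in order."""
    serials = {ZONE: start - 100}
    mods = [("replace", "aRecord", ["10.0.0.1"]),
            ("replace", "idnsSOAserial", ["999"])]   # BIND's own write, dropped
    return [apply_change(serials, SAMPLE_TREE, RECORD, mods, now, step)[1]
            for now in (start, start, start, start + 1)]

def all_increasing(serials):
    """True when each serial compares greater than its predecessor (RFC 1982)."""
    return all(serial_gt(b, a) for a, b in zip(serials, serials[1:]))

if __name__ == "__main__":
    for name, step in (("as written", next_serial), ("monotonic", next_serial_monotonic)):
        written = burst(step)
        print("%-10s %s increasing=%s" % (name, written, all_increasing(written)))
```

Running it prints the serials each variant writes for three updates in the same second followed by one a second later, and whether the sequence passes the RFC 1982 check a secondary applies before deciding to transfer the zone. The `strip_soa_serial_mods` step models the "catch those attempts and ignore them" requirement: the explicit idnsSOAserial replace in the sample modification list never reaches the stored serial.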
Re: [Freeipa-devel] [PATCH] 356 Add trusconfig-show and trustconfig-mod commands
On 02/08/2013 05:30 PM, Alexander Bokovoy wrote:
On Fri, 01 Feb 2013, Martin Kosek wrote:
On 02/01/2013 03:55 PM, Alexander Bokovoy wrote:
On Tue, 29 Jan 2013, Martin Kosek wrote:
trust_output_params = (
@@ -482,3 +499,158 @@ api.register(trust_mod) api.register(trust_del) api.register(trust_find) api.register(trust_show) + + +_trust_type_option = ( +StrEnum('trust_type', +cli_name='type', +label=_('Trust type (ad for Active Directory, default)'), +values=(u'ad',), +default=u'ad', +autofill=True, +), +) We already have various trust type definitions in the same file. Maybe it makes sense to unify those somehow? Right, I unified those 2 separate trust_type option definitions. +def get_dn(self, *keys, **kwargs): +trust_type = kwargs.get('trust_type') +if trust_type is None: +raise errors.RequirementError(name='trust_type') +if kwargs['trust_type'] == u'ad': Perhaps better to define constants for the trust type values... I changed it a bit and now it uses a dict instead. I think it's now more general and extensible. +except ValueError: +# The search is performed for groups with posixgroup objectclass +# and not ipausergroup so that it can also match groups like +# Default SMG Group which does not have this objectclass. 'Default SM_B_ Group' Fixed. Thanks for the unit tests too! You are welcome! I also generated API.txt which I forgot to do last time. Updated patch attached. ACK for the code but please add more documentation (below). Works like a charm. I tried also changing default fallback group to some IPA group, then back to Default SMB Group and it worked well. Also specifying non-existing group was noted and rejected. Please make sure to mention in the design page magic value 'Default SMB Group' and also that you can use any group with 'posixgroup' objectclass, and that 'Default SMB Group' is not visible through normal IPA tools. We need to write better documentation (online help) for trustconfig-mod. Basically, right now it helps no one to understand what is supposed to be done here. Once help is added, ACK. Thanks for the review! RFE updated with information you mentioned. I also added more info to trust online help (which you verified off-list).
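Review bot: in the get_dn hunk, `trust_type` is pulled out with `kwargs.get('trust_type')` and checked for None, but the dispatch right below reads `kwargs['trust_type']` again (`if kwargs['trust_type'] == u'ad':`); compare the local instead so the guard and the branch look at the same value. Since the reply says the if-chain has been replaced by a dict of trust types, that lookup should also go through the local and turn a value missing from the dict into a proper errors.ValidationError (or the same RequirementError) rather than letting a KeyError escape from the command.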
Pushed to master, ipa-3-1.

Martin
[Freeipa-devel] [PATCH] ipa-kdb: Free talloc autofree context when module is closed
Hi,

this patch should fix https://fedorahosted.org/freeipa/ticket/3410 . See commit message for details.

bye,
Sumit

From 4892c10b273119e20c536285663f1ded6b6ff3fe Mon Sep 17 00:00:00 2001
From: sbose sbose@ipa18-devel.ipa18.devel
Date: Mon, 11 Feb 2013 15:39:22 +0100
Subject: [PATCH] ipa-kdb: Free talloc autofree context when module is closed

Currently krb5kdc crashes on exit if the ipadb KDB module is loaded and trusts are configured. The reason is the talloc autofree context which gets initialised during the ndr_push_union_blob() call. On exit the KDC module is unloaded and later on atexit() tries to free the context, but all related symbols are already unloaded with the module.

This patch frees the talloc autofree context during the cleanup routine of the module. Since this is called only at exit and not during normal operations this is safe even if other KDC plugins use the talloc autofree context, e.g. via some Samba libraries, as well.

Fixes https://fedorahosted.org/freeipa/ticket/3410
--- daemons/ipa-kdb/ipa_kdb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index 3527cefa10df67d3f17c730ab4483410c736a44f..0b769f7ed76488c5febf9e610450815534398f4d 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c @@ -20,6 +20,8 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */ +#include talloc.h + #include ipa_kdb.h struct ipadb_context *ipadb_get_context(krb5_context kcontext) @@ -452,6 +454,7 @@ static krb5_error_code ipadb_fini_module(krb5_context kcontext) ipactx = ipadb_get_context(kcontext); ipadb_context_free(kcontext, ipactx); +talloc_free(talloc_autofree_context()); return 0; } -- 1.8.0.2
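Review bot: the `talloc_free(talloc_autofree_context());` line in the ipadb_fini_module hunk runs unconditionally, so when no autofree context exists yet (trusts not configured, ndr_push_union_blob() never called) talloc_autofree_context() creates one here only for it to be freed on the next line; harmless, but a one-line comment saying the call tears down state left behind by the NDR push would help the next reader. More importantly, the commit message's safety argument rests on this routine running only at process exit, while ipadb_fini_module is the module's close callback; please confirm that no tool loading this KDB module closes and reopens the database within one process, because any other talloc user in that process (the Samba libraries the message mentions) would have its autofree allocations freed under it.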
Re: [Freeipa-devel] DNS SOA serial managed by 389 DS plugin: design
On Mon, 2013-02-11 at 15:37 +0100, Petr Spacek wrote:

Possible optimization

Increment serial value at most once per second.

Basic idea: Write current timestamp (no incrementation) and write serial value to the database with one second delay.

Problem: How to solve LDAP server crash? Write timestamp immediately and (while reading) subtract 1 if timestamp == serial?

I am not sure I understand the solution here?

Maybe a simpler solution is to always write the serial as time() + 1?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York