[Freeipa-devel] [PATCH 0148] Explicitly return SERVFAIL if PTR synchronization is misconfigured.

Tomas Babej tbabej at redhat.com
Tue May 14 13:07:31 UTC 2013


On 05/09/2013 05:23 PM, Petr Spacek wrote:
> On 9.5.2013 14:53, Petr Spacek wrote:
>> On 9.5.2013 10:59, Tomas Hozza wrote:
>>> On 04/16/2013 12:45 PM, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> Explicitly return SERVFAIL if PTR synchronization is misconfigured.
>>>>
>>>> SERVFAIL will be returned if PTR synchronization is enabled
>>>> in forward zone but reverse zone has dynamic updates disabled.
>>>>
>>>
>>> What the patch does differs a little bit from what the commit
>>> message says. Explanation follows:
>>>
>>> Snip from ldap_helper.c (starting line 2959):
>>>
>>> /* Get attribute "idnsAllowDynUpdate" for reverse zone or use default. */
>>> dns_name_free(&zone_name, mctx);
>>> dns_name_init(&zone_name, NULL);
>>> CHECK(dn_to_dnsname(mctx, owner_zone_dn_ptr, &zone_name, NULL));
>>>
>>> zone_settings = NULL;
>>> result = zr_get_zone_settings(ldap_inst->zone_register, &zone_name,
>>>                           &zone_settings);
>>> if (result != ISC_R_SUCCESS) {
>>>     if (result == ISC_R_NOTFOUND)
>>>         log_debug(3, "active zone '%s' not found", zone_dn);
>>>     goto cleanup;
>>>     ^
>>>     You replaced this goto with "CLEANUP_WITH(DNS_R_SERVFAIL)" but
>>>     the check if dynamic updates in reverse zone are enabled
>>>     is done in the following IF statement
>>> }
>>>
>>> CHECK(setting_get_bool("dyn_update", zone_settings, &zone_dyn_update));
>>> if (!zone_dyn_update) {
>>>     log_debug(3, "dynamic update is not allowed in zone "
>>>              "'%s'", zone_dn);
>>>     CLEANUP_WITH(ISC_R_NOPERM);
>>> }
>>>
>>>
>>> The patch modifies the plugin to explicitly return SERVFAIL if there
>>> was some error while getting settings of PTR zone (the zone does not
>>> exist, etc).
>>>
>>> Maybe it would be good to explicitly return SERVFAIL also if dynamic
>>> updates in PTR zone are disabled and modify the commit message to
>>> better express what this patch does.
>>
>> You are right. Revised patch is attached.
>
> I sent a bad patch by mistake...
>
I tested the patch. Works ok, ACK.

Tomas
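
The two failure paths discussed in the review quoted above, as an added example that is not part of the original thread or of the plugin's source. It models the goto-cleanup flow so both behaviours can be compared; result_t, the R_* codes, struct zone_settings, get_zone_settings(), ptr_sync_precheck() and the strict flag are assumptions made for illustration, and CLEANUP_WITH is modelled on how the quoted snippet uses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in result codes (assumption); the quoted code uses ISC_R_* / DNS_R_*. */
typedef enum { R_SUCCESS, R_NOTFOUND, R_NOPERM, R_SERVFAIL } result_t;

/* Modelled on the CLEANUP_WITH() calls in the quoted snippet (assumption). */
#define CLEANUP_WITH(code) do { result = (code); goto cleanup; } while (0)

/* Hypothetical reverse-zone settings; a NULL pointer means "zone not active". */
struct zone_settings { bool dyn_update; };

/* Hypothetical stand-in for zr_get_zone_settings(). */
static result_t get_zone_settings(const struct zone_settings *zone,
                                  const struct zone_settings **out)
{
    if (zone == NULL)
        return R_NOTFOUND;
    *out = zone;
    return R_SUCCESS;
}

/* strict == false: only a failed settings lookup is reported as SERVFAIL.
 * strict == true:  disabled dynamic updates are reported as SERVFAIL too. */
result_t ptr_sync_precheck(const struct zone_settings *reverse_zone, bool strict)
{
    const struct zone_settings *settings = NULL;
    result_t result;

    result = get_zone_settings(reverse_zone, &settings);
    if (result != R_SUCCESS)
        CLEANUP_WITH(R_SERVFAIL);   /* reverse zone missing or lookup error */
    if (!settings->dyn_update)
        CLEANUP_WITH(strict ? R_SERVFAIL : R_NOPERM);
    result = R_SUCCESS;
cleanup:
    return result;
}

int main(void)
{
    struct zone_settings no_updates = { false };   /* constructed sample */
    printf("first patch: %d, suggested: %d\n",
           ptr_sync_precheck(&no_updates, false),
           ptr_sync_precheck(&no_updates, true));
    return 0;
}
```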