diff --git a/.bind-dyndb-ldap.metadata b/.bind-dyndb-ldap.metadata
index 2d09b3a..84d607a 100644
--- a/.bind-dyndb-ldap.metadata
+++ b/.bind-dyndb-ldap.metadata
@@ -1 +1 @@
-fcbc17f93733a9498b936fdf8a7a1a62ce0666f1 SOURCES/bind-dyndb-ldap-3.5.tar.bz2
+69bc56deee1d165e82baf13d97c9facc5d7b5fd1 SOURCES/bind-dyndb-ldap-6.0.tar.bz2
diff --git a/.gitignore b/.gitignore
index 813679d..96c1140 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/bind-dyndb-ldap-3.5.tar.bz2
+SOURCES/bind-dyndb-ldap-6.0.tar.bz2
diff --git a/SOURCES/bz1161635-Send-DNS-NOTIFY-message-after-any-modification-to-th.patch b/SOURCES/bz1161635-Send-DNS-NOTIFY-message-after-any-modification-to-th.patch
new file mode 100644
index 0000000..9c10542
--- /dev/null
+++ b/SOURCES/bz1161635-Send-DNS-NOTIFY-message-after-any-modification-to-th.patch
@@ -0,0 +1,80 @@
+From 7dd6ba6c70273fef0ffd34b265e6f1a1b6988a26 Mon Sep 17 00:00:00 2001
+From: Petr Spacek
+Date: Fri, 7 Nov 2014 15:12:38 +0100
+Subject: [PATCH] Send DNS NOTIFY message after any modification to the zone.
+
+https://fedorahosted.org/bind-dyndb-ldap/ticket/144
+---
+ src/ldap_helper.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/src/ldap_helper.c b/src/ldap_helper.c
+index dac11396857aa69d67243b3bc275cf9714be2238..ddb787c152b522118357bb6dc5542dce6af8ee0e 100644
+--- a/src/ldap_helper.c
++++ b/src/ldap_helper.c
+@@ -1017,7 +1017,7 @@ cleanup:
+ * @warning Never call this on raw part of in-line secure zone.
+ */
+ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+-load_zone(dns_zone_t *zone) {
++load_zone(dns_zone_t *zone, isc_boolean_t log) {
+ isc_result_t result;
+ isc_boolean_t zone_dynamic;
+ isc_uint32_t serial;
+@@ -1036,15 +1036,18 @@ load_zone(dns_zone_t *zone) {
+ }
+
+ CHECK(dns_zone_getserial2(raw, &serial));
+- dns_zone_log(raw, ISC_LOG_INFO, "loaded serial %u", serial);
++ if (log == ISC_TRUE)
++ dns_zone_log(raw, ISC_LOG_INFO, "loaded serial %u", serial);
+ if (zone != NULL) {
+ result = dns_zone_getserial2(zone, &serial);
+- if (result == ISC_R_SUCCESS)
++ if (result == ISC_R_SUCCESS && log == ISC_TRUE)
+ dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u",
+ serial);
+ /* in-line secure zone is loaded asynchonously in background */
+ else if (result == DNS_R_NOTLOADED) {
+- dns_zone_log(zone, ISC_LOG_INFO, "signing in progress");
++ if (log == ISC_TRUE)
++ dns_zone_log(zone, ISC_LOG_INFO,
++ "signing in progress");
+ result = ISC_R_SUCCESS;
+ } else
+ goto cleanup;
+@@ -1154,7 +1157,7 @@ activate_zone(isc_task_t *task, ldap_instance_t *inst, dns_name_t *name) {
+ goto cleanup;
+ }
+
+- CHECK(load_zone(toview));
++ CHECK(load_zone(toview, ISC_TRUE));
+ if (secure != NULL) {
+ CHECK(zr_get_zone_settings(inst->zone_register, name,
+ &zone_settings));
+@@ -2491,9 +2494,7 @@ ldap_parse_master_zoneentry(ldap_entry_t * const entry, dns_db_t * const olddb,
+ if (isactive == ISC_TRUE) {
+ if (new_zone == ISC_TRUE || activity_changed == ISC_TRUE)
+ CHECK(publish_zone(task, inst, toview));
+- if (data_changed == ISC_TRUE || olddb != NULL ||
+- activity_changed == ISC_TRUE)
+- CHECK(load_zone(toview));
++ CHECK(load_zone(toview, ISC_FALSE));
+ } else if (activity_changed == ISC_TRUE) { /* Zone was deactivated */
+ CHECK(unpublish_zone(inst, &name, entry->dn));
+ dns_zone_log(toview, ISC_LOG_INFO, "zone deactivated "
+@@ -4668,9 +4669,9 @@ cleanup:
+ "reload triggered by change in '%s'",
+ pevent->dn);
+ if (secure != NULL)
+- result = load_zone(secure);
++ result = load_zone(secure, ISC_TRUE);
+ else if (raw != NULL)
+- result = load_zone(raw);
++ result = load_zone(raw, ISC_TRUE);
+ if (result == ISC_R_SUCCESS || result == DNS_R_UPTODATE ||
+ result == DNS_R_DYNAMIC || result == DNS_R_CONTINUE) {
+ /* zone reload succeeded, fire current event again */
+--
+2.1.0
+
diff --git a/SOURCES/bz1168131-Fix-crash-caused-by-interaction-between-forward-and.patch b/SOURCES/bz1168131-Fix-crash-caused-by-interaction-between-forward-and.patch
new file mode 100644
index 0000000..54b66f9
--- /dev/null
+++ b/SOURCES/bz1168131-Fix-crash-caused-by-interaction-between-forward-and.patch
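Review bot: In the `ldap_parse_master_zoneentry` hunk the guard `data_changed == ISC_TRUE || olddb != NULL || activity_changed == ISC_TRUE` is dropped, so `load_zone(toview, ISC_FALSE)` now runs on every parse of an active zone entry and its result still goes through `CHECK`, whereas the reload path in the last hunk accepts `DNS_R_UPTODATE`, `DNS_R_DYNAMIC` and `DNS_R_CONTINUE` as success. If `CHECK` (defined outside this patch) jumps to cleanup for anything but `ISC_R_SUCCESS`, a zone that is already up to date or dynamic would now abort entry processing on a path that used to be skipped; worth confirming that `load_zone` maps those results before returning, or normalising them the same way before the `CHECK`. Separately, the Doxygen block above `load_zone` (only its `@warning` tail is in the first hunk) is not updated for the new parameter; add `@param[in] log  Log "loaded serial" / "signing in progress" at ISC_LOG_INFO only when ISC_TRUE.` All four enclosing functions start and end outside their hunks.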
@@ -0,0 +1,129 @@
+From 584f9ceeef131145feb32a741a8f5dbc04b9a2cd Mon Sep 17 00:00:00 2001
+From: Petr Spacek
+Date: Tue, 25 Nov 2014 18:05:13 +0100
+Subject: [PATCH] Fix crash caused by interaction between forward and master
+ zones.
+
+LDAP modifications made to idnsName=sub, idnsName=example.com, cn=dns object
+were incorrectly processed using update_zone() in cases where forward zone
+sub.example.com. existed in LDAP as object idnsName=sub.example.com, cn=dns.
+
+https://fedorahosted.org/bind-dyndb-ldap/ticket/145
+---
+ src/fwd_register.h | 3 +++
+ src/ldap_entry.c | 26 ++++++++++++++++++++++++++
+ src/ldap_entry.h | 7 +++++++
+ src/ldap_helper.c | 14 ++++----------
+ 4 files changed, 40 insertions(+), 10 deletions(-)
+
+diff --git a/src/fwd_register.h b/src/fwd_register.h
+index 02ca7092d35ffbd684a4b531ac4ffbd94addd765..f7182ea0942ec0df811898c6de914f3302a722e3 100644
+--- a/src/fwd_register.h
++++ b/src/fwd_register.h
+@@ -4,6 +4,9 @@
+ #include
+ #include
+
++#include "util.h"
++#include "rbt_helper.h"
++
+ #define FORWARDING_SET_MARK ((void *)1)
+ /*
+ #if FORWARDING_SET_MARK == NULL
+diff --git a/src/ldap_entry.c b/src/ldap_entry.c
+index 9823fddfe6cb9805565152ccec9f130d01cc0f8f..18e6980f075f5f916826599a30abd9173ad583f7 100644
+--- a/src/ldap_entry.c
++++ b/src/ldap_entry.c
+@@ -476,6 +476,32 @@ ldap_entry_getclass(ldap_entry_t *entry, ldap_entryclass_t *class)
+ return ISC_R_SUCCESS;
+ }
+
++/**
++ * Infer entry class from auxiliary information.
++ *
++ * This is a fallback method for cases where objectClass values
++ * are not available.
++ *
++ * TODO: Object class information should be stored in UUID database
++ * (once we have it).
++ */
++isc_result_t
++ldap_entry_guessclass(dns_name_t *entry_name, isc_boolean_t iszone,
++ fwd_register_t *fwd_register, ldap_entryclass_t *class) {
++ REQUIRE(class != NULL);
++
++ if (iszone == ISC_TRUE) {
++ if (fwdr_zone_ispresent(fwd_register, entry_name)
++ == ISC_R_SUCCESS)
++ *class = LDAP_ENTRYCLASS_FORWARD;
++ else /* master zone */
++ *class = (LDAP_ENTRYCLASS_MASTER | LDAP_ENTRYCLASS_RR);
++ } else
++ *class = LDAP_ENTRYCLASS_RR;
++
++ return ISC_R_SUCCESS;
++}
++
+ isc_result_t
+ ldap_attr_firstvalue(ldap_attribute_t *attr, ld_string_t *str)
+ {
+diff --git a/src/ldap_entry.h b/src/ldap_entry.h
+index 420fcde5c06b46c9dd11e98ef9744be5b2b9524c..76a958520b8eb1c9f039e399ac9f4e0f1b346414 100644
+--- a/src/ldap_entry.h
++++ b/src/ldap_entry.h
+@@ -26,6 +26,8 @@
+ #include
+ #include
+
++#include "fwd_register.h"
++#include "util.h"
+ #include "str.h"
+
+ #define LDAP_DEPRECATED 1
+@@ -137,6 +139,11 @@ isc_result_t
+ ldap_entry_getclass(ldap_entry_t *entry, ldap_entryclass_t *class) ATTR_NONNULLS ATTR_CHECKRESULT;
+
+ isc_result_t
++ldap_entry_guessclass(dns_name_t *entry_name, isc_boolean_t iszone,
++ fwd_register_t *fwd_register, ldap_entryclass_t *class)
++ ATTR_NONNULLS ATTR_CHECKRESULT;
++
++isc_result_t
+ ldap_attr_firstvalue(ldap_attribute_t *attr, ld_string_t *str) ATTR_NONNULLS ATTR_CHECKRESULT;
+
+ /*
+diff --git a/src/ldap_helper.c b/src/ldap_helper.c
+index cb1ada64635406552f6b231cdb19a888a0f92244..c69b0748b7531479e62bbccc2b4ef468969c5434 100644
+--- a/src/ldap_helper.c
++++ b/src/ldap_helper.c
+@@ -4794,7 +4794,7 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t *entry, int chgtype)
+ CHECKED_MEM_STRDUP(mctx, entry->dn, dn);
+ CHECKED_MEM_STRDUP(mctx, inst->db_name, dbname);
+
+- /* TODO: handle config objects properly - via UUID database */
++ /* TODO: handle object class inference properly - via UUID database */
+ CHECK(setting_get_str("base", inst->local_settings, &ldap_base));
+ CHECK(ldap_dn_compare(ldap_base, entry->dn, &isbase));
+ if (isbase == ISC_TRUE) {
+@@ -4812,15 +4812,9 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t *entry, int chgtype)
+ /* deleted entry doesn't contain objectClass, so
+ * we need to find if the entry is zone or not
+ * in other way */
+- result = fwdr_zone_ispresent(inst->fwd_register,
+- &entry_name);
+- if (result == ISC_R_SUCCESS)
+- class = LDAP_ENTRYCLASS_FORWARD;
+- else if (iszone == ISC_TRUE)
+- class = (LDAP_ENTRYCLASS_MASTER |
+- LDAP_ENTRYCLASS_RR);
+- else
+- class = LDAP_ENTRYCLASS_RR;
++ CHECK(ldap_entry_guessclass(&entry_name, iszone,
++ inst->fwd_register,
++ &class));
+ break;
+ }
+ }
+--
+2.1.0
+
diff --git a/SPECS/bind-dyndb-ldap.spec b/SPECS/bind-dyndb-ldap.spec
index a2ef906..f1b65f4 100644
--- a/SPECS/bind-dyndb-ldap.spec
+++ b/SPECS/bind-dyndb-ldap.spec
@@ -1,26 +1,24 @@ -#%define PATCHVER P4 -#%define PREVER 20121009git6a86b1 -#%define VERSION %{version}-%{PATCHVER} -#%define VERSION %{version}-%{PREVER} %define VERSION %{version} Name: bind-dyndb-ldap -Version: 3.5 -Release: 4%{?dist} +Version: 6.0 +Release: 2%{?dist} Summary: LDAP back-end plug-in for BIND Group: System Environment/Libraries License: GPLv2+ URL: https://fedorahosted.org/bind-dyndb-ldap Source0: https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2 +Patch0: bz1168131-Fix-crash-caused-by-interaction-between-forward-and.patch +Patch1: bz1161635-Send-DNS-NOTIFY-message-after-any-modification-to-th.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: bind-devel >= 32:9.6.1-0.3.b1 +BuildRequires: bind-devel >= 32:9.9.0-1, bind-lite-devel >= 32:9.9.0-1 BuildRequires: krb5-devel BuildRequires: openldap-devel BuildRequires: automake, autoconf, libtool -Requires: bind >= 32:9.6.1-0.3.b1 +Requires: bind >= 32:9.9.0-1 %description This package provides an LDAP back-end plug-in for BIND. It features
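Review bot: `ldap_entry_guessclass` changes the classification order compared with the code it replaces in `syncrepl_update`: the forward-register lookup now happens only when `iszone == ISC_TRUE`, so a deleted entry whose name matches a forward zone but is not itself a zone entry becomes `LDAP_ENTRYCLASS_RR` instead of `LDAP_ENTRYCLASS_FORWARD`. That is presumably the intended fix for the crash described in the commit message, but the new Doxygen block says nothing about it; add `@param iszone  ISC_TRUE when the entry itself is a zone object; the forward register is consulted only in that case.` and `@param[out] class  Inferred LDAP_ENTRYCLASS_* bits.` Any result other than `ISC_R_SUCCESS` from `fwdr_zone_ispresent` (not only a not-found result) is treated as a master zone; if that call can fail for other reasons, a short comment or an explicit not-found comparison would make the fallback deliberate rather than accidental. The function always returns `ISC_R_SUCCESS` yet is declared `ATTR_CHECKRESULT`, which forces the `CHECK(...)` wrapper at the call site; fine if further inference paths are planned, otherwise worth a one-line comment saying so. The `syncrepl_update` switch that contains the call starts and ends outside the hunk.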
@@ -30,6 +28,8 @@ off of your LDAP server. %prep %setup -q -n %{name}-%{VERSION} +%patch0 -p1 -b .bz1168131 +%patch1 -p1 -b .bz1161635 %build export CFLAGS="`isc-config.sh --cflags dns` $RPM_OPT_FLAGS"
@@ -41,12 +41,32 @@ make %{?_smp_mflags} %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} +mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap # Remove unwanted files rm %{buildroot}%{_libdir}/bind/ldap.la rm -r %{buildroot}%{_datadir}/doc/%{name} +# SELinux boolean named_write_master_zones has to be enabled +# otherwise the plugin will not be able to write to /var/named. +# This scriptlet enables the boolean after installation or upgrade. +# SELinux is sensitive area so I want to inform user about the change. +%post +if [ -x "/usr/sbin/setsebool" ] ; then + echo "Enabling SELinux boolean named_write_master_zones" + /usr/sbin/setsebool -P named_write_master_zones=1 || : +fi + + +# This scriptlet disables the boolean after uninstallation. +%postun +if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then + echo "Disabling SELinux boolean named_write_master_zones" + /usr/sbin/setsebool -P named_write_master_zones=0 || : +fi + + %clean rm -rf %{buildroot}
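Review bot: The new `%postun` scriptlet resets `named_write_master_zones` to 0 on package removal without `%post` ever recording whether the boolean was already enabled before this package turned it on (an administrator may rely on it for plain BIND dynamic updates), so uninstalling the plugin can silently revoke write access that named still needs. Consider reading the current value with `getsebool` in `%post`, keeping it in a state file (the `%{_localstatedir}/named/dyndb-ldap` directory this hunk creates would do) and only disabling the boolean in `%postun` when it was off before; at minimum extend the comment with `# NOTE: the boolean is forced off on uninstall even if it was enabled before this package was installed.` The `|| :` after `setsebool -P` also hides a failed persistent change behind the "Enabling ..." message, so printing a warning when it fails would make a later "plugin cannot write to /var/named" easier to diagnose. The `-m 770` on `mkdir -p` only sets the mode of the last path component and no owner; the effective runtime ownership comes from the `%attr(770, root, named)` line in the `%files` hunk, so the mode here is largely cosmetic.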
@@ -54,10 +74,28 @@ rm -rf %{buildroot} %files %defattr(-,root,root,-) %doc NEWS README COPYING doc/{example.ldif,schema} +%dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap %{_libdir}/bind/ldap.so %changelog +* Tue Dec 02 2014 Petr Spacek - 6.0-2 +- fix bug 1161635: send DNS NOTIFY message after any modification to the zone +- fix bug 1168131: crash caused by interaction between forward and master zones + +* Tue Sep 23 2014 Petr Spacek - 6.0-1 +- update to 6.0 +- resolves bugs 1138317, 1144599, 1142176 + +* Fri Sep 12 2014 Petr Spacek - 5.3-1 +- update to 5.3 +- fixes several random crashes + +* Mon Sep 08 2014 Petr Spacek - 5.2-1 +- update to 5.2 +- adds DNSSEC support and supports root zone in LDAP +- idnsZoneActive attribute is not supported anymore + * Fri Jan 24 2014 Daniel Mach - 3.5-4 - Mass rebuild 2014-01-24