Public bug reported:
Caught this in a run of the dyndb-ldap DEP8 test:
280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1
MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1
MOD attr=idnsSOAserial
280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1
RESULT tag=103 err=50 qtime=0.000009 etime=0.001324 text=
280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error:
Insufficient access: while modifying(replace) entry
'idnsName=example.internal,ou=dns,dc=example,dc=internal'
Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
and not just read from it. Looking at the code, that can happen for some
SOA attributes, and perhaps other cases too. The documentation isn't
immediately clear.
A re-run of this test cleared the error, but we all dislike flaky tests,
so it's probably best to adjust the ACL and allow the bind9 user to
write to the DNS tree. Production deployments will definitely want to
fine tune this ACL and list explicit attribites and entry types that can
be modified, but for a DEP8 test, this is enough.
```diff
--- a/debian/tests/dyndb-ldap
+++ b/debian/tests/dyndb-ldap
@@ -135,7 +135,7 @@ EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
-olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by
dn.exact="${ldap_bind9_dn}" read by * none
+olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by
dn.exact="${ldap_bind9_dn}" write by * none
EOF
}
```
** Affects: bind-dyndb-ldap (Ubuntu)
Importance: Undecided
Assignee: Andreas Hasenack (ahasenack)
Status: In Progress
** Affects: bind9 (Ubuntu)
Importance: Undecided
Assignee: Andreas Hasenack (ahasenack)
Status: In Progress
** Also affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: bind9 (Ubuntu)
Status: New => In Progress
** Changed in: bind9 (Ubuntu)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250
Title:
Insufficient access in dyndb DEP8 test
Status in bind-dyndb-ldap package in Ubuntu:
In Progress
Status in bind9 package in Ubuntu:
In Progress
Bug description:
Caught this in a run of the dyndb-ldap DEP8 test:
280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1
MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1
MOD attr=idnsSOAserial
280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1
RESULT tag=103 err=50 qtime=0.000009 etime=0.001324 text=
280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error:
Insufficient access: while modifying(replace) entry
'idnsName=example.internal,ou=dns,dc=example,dc=internal'
Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
and not just read from it. Looking at the code, that can happen for
some SOA attributes, and perhaps other cases too. The documentation
isn't immediately clear.
A re-run of this test cleared the error, but we all dislike flaky
tests, so it's probably best to adjust the ACL and allow the bind9
user to write to the DNS tree. Production deployments will definitely
want to fine tune this ACL and list explicit attribites and entry
types that can be modified, but for a DEP8 test, this is enough.
```diff
--- a/debian/tests/dyndb-ldap
+++ b/debian/tests/dyndb-ldap
@@ -135,7 +135,7 @@ EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
-olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by
dn.exact="${ldap_bind9_dn}" read by * none
+olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by
dn.exact="${ldap_bind9_dn}" write by * none
EOF
}
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp
