freeipa team mailing list archive

Thread
Date

[Bug 2034250] [NEW] Insufficient access in dyndb DEP8 test

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Andreas Hasenack <2034250@xxxxxxxxxxxxxxxxxx>
Date: Tue, 05 Sep 2023 12:37:58 -0000
Reply-to: Bug 2034250 <2034250@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Caught this in a run of the dyndb-ldap DEP8 test:

280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.000009 etime=0.001324 text=
280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
and not just read from it. Looking at the code, that can happen for some
SOA attributes, and perhaps other cases too. The documentation isn't
immediately clear.

A re-run of this test cleared the error, but we all dislike flaky tests,
so it's probably best to adjust the ACL and allow the bind9 user to
write to the DNS tree. Production deployments will definitely want to
fine tune this ACL and list explicit attribites and entry types that can
be modified, but for a DEP8 test, this is enough.


```diff
--- a/debian/tests/dyndb-ldap
+++ b/debian/tests/dyndb-ldap
@@ -135,7 +135,7 @@ EOF
 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" read by * none
+olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" write by * none
 
 EOF
 }
```

** Affects: bind-dyndb-ldap (Ubuntu)
     Importance: Undecided
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

** Affects: bind9 (Ubuntu)
     Importance: Undecided
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

** Also affects: bind9 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: bind9 (Ubuntu)
       Status: New => In Progress

** Changed in: bind9 (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Caught this in a run of the dyndb-ldap DEP8 test:

  280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
  280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
  280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.000009 etime=0.001324 text=
  280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

  Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
  and not just read from it. Looking at the code, that can happen for
  some SOA attributes, and perhaps other cases too. The documentation
  isn't immediately clear.

  A re-run of this test cleared the error, but we all dislike flaky
  tests, so it's probably best to adjust the ACL and allow the bind9
  user to write to the DNS tree. Production deployments will definitely
  want to fine tune this ACL and list explicit attribites and entry
  types that can be modified, but for a DEP8 test, this is enough.

  
  ```diff
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -135,7 +135,7 @@ EOF
   dn: olcDatabase={1}mdb,cn=config
   changetype: modify
   add: olcAccess
  -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" read by * none
  +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" write by * none
   
   EOF
   }
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions

Follow ups

[Bug 2034250] Re: Insufficient access in dyndb DEP8 test
From: Launchpad Bug Tracker, 2023-09-07
[Bug 2034250] Re: Insufficient access in dyndb DEP8 test
From: Launchpad Bug Tracker, 2023-09-07
[Bug 2034250] Re: Insufficient access in dyndb DEP8 test
From: Launchpad Bug Tracker, 2023-09-05
[Bug 2034250] Re: Insufficient access in dyndb DEP8 test
From: Launchpad Bug Tracker, 2023-09-05