freeipa team mailing list archive

Thread
Date

[Bug 2034250] Re: Insufficient access in dyndb DEP8 test

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <2034250@xxxxxxxxxxxxxxxxxx>
Date: Thu, 07 Sep 2023 15:42:16 -0000
Reply-to: Bug 2034250 <2034250@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu4

---------------
bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium

  * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack <andreas@xxxxxxxxxxxxx>  Tue, 05 Sep 2023 10:20:27
-0300

** Changed in: bind9 (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released

Bug description:
  Caught this in a run of the dyndb-ldap DEP8 test:

  280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
  280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
  280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.000009 etime=0.001324 text=
  280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

  Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
  and not just read from it. Looking at the code, that can happen for
  some SOA attributes, and perhaps other cases too. The documentation
  isn't immediately clear.

  A re-run of this test cleared the error, but we all dislike flaky
  tests, so it's probably best to adjust the ACL and allow the bind9
  user to write to the DNS tree. Production deployments will definitely
  want to fine tune this ACL and list explicit attribites and entry
  types that can be modified, but for a DEP8 test, this is enough.

  
  ```diff
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -135,7 +135,7 @@ EOF
   dn: olcDatabase={1}mdb,cn=config
   changetype: modify
   add: olcAccess
  -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" read by * none
  +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" write by * none
   
   EOF
   }
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions

References

[Bug 2034250] [NEW] Insufficient access in dyndb DEP8 test
From: Andreas Hasenack, 2023-09-05