Insufficient access in dyndb DEP8 test

Bug #2034250 reported by Andreas Hasenack
Affects / Status / Importance / Assigned to:
- bind-dyndb-ldap (Ubuntu): Fix Released, Undecided, assigned to Andreas Hasenack
- bind9 (Ubuntu): Fix Released, Undecided, assigned to Andreas Hasenack

Bug Description

Caught this in a run of the dyndb-ldap DEP8 test:

280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.000009 etime=0.001324 text=
280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

Looks like sometimes the dyndb-ldap plugin wants to write to the tree, and not just read from it. Looking at the code, that can happen for some SOA attributes, and perhaps other cases too. The documentation isn't immediately clear.

A re-run of this test cleared the error, but we all dislike flaky tests, so it's probably best to adjust the ACL and allow the bind9 user to write to the DNS tree. Production deployments will definitely want to fine-tune this ACL and list explicit attributes and entry types that can be modified, but for a DEP8 test, this is enough.

```diff
--- a/debian/tests/dyndb-ldap
+++ b/debian/tests/dyndb-ldap
@@ -135,7 +135,7 @@ EOF
 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" read by * none
+olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" write by * none

 EOF
 }
```
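Review bot: the `+olcAccess` line grants the bind9 DN `write` on every entry and attribute under `ou=dns,${ldap_suffix}`, which in slapd covers entry add and delete as well as the single `idnsSOAserial` replace the log shows failing with err=50; since the description itself says production should be narrower, a one-line comment in the test script beside this ACL stating that the broad grant is deliberate and test-only would keep it from being copied into real deployments as-is. Separately, the blank line following the `+` line has no leading space; if that is not an artifact of how the page was rendered, strict tools such as `git apply` will reject the hunk as corrupt, and it should be a single space character.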

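As an added illustration (not code from the bug report or from the bind-dyndb-ldap package), the following evaluator models the olcAccess value in the patch and shows why the `read` grant denies the `replace` of idnsSOAserial seen in the log (err=50) while the `write` grant permits it. It assumes a hypothetical bind9 DN, since the test's `${ldap_bind9_dn}` is not on the page, and it models only the `dn.subtree`/`dn.exact`/`*` forms used here, not the full slapd.access(5) grammar.

```python
import re

# OpenLDAP access levels in increasing order (slapd.access(5)); a grant at one
# level implies every level below it, so 'write' also covers read and search.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Minimum level an operation needs on the entry it touches.
NEEDS = {"read": "read", "replace": "write", "add": "write", "delete": "write"}

def _norm(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_olc_access(value):
    """Parse one olcAccess value of the shape used by the test script:
    '{n}to dn.subtree="X" by dn.exact="Y" <level> by * <level>'.
    Returns (scope_kind, scope_dn, [(who, level), ...]); who is '*' or a DN."""
    m = re.match(r'^(?:\{\d+\})?to\s+dn\.(subtree|exact)="([^"]+)"\s+(.*)$', value.strip())
    if not m:
        raise ValueError("unsupported olcAccess syntax: " + value)
    kind, scope_dn, rest = m.groups()
    clauses = []
    for who, level in re.findall(r'by\s+(\*|dn\.exact="[^"]+")\s+(\w+)', rest):
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        clauses.append(("*" if who == "*" else who[len('dn.exact="'):-1], level))
    return kind, scope_dn, clauses

def granted_level(acls, requester_dn, entry_dn):
    """slapd semantics: the first 'to' clause whose scope covers the entry is
    used; inside it the first matching 'by' clause decides. No match = none."""
    for kind, scope_dn, clauses in acls:
        e, s = _norm(entry_dn), _norm(scope_dn)
        if not (e == s or (kind == "subtree" and e.endswith("," + s))):
            continue
        for who, level in clauses:
            if who == "*" or _norm(who) == _norm(requester_dn):
                return level
        return "none"
    return "none"

def allowed(acls, requester_dn, entry_dn, op):
    return LEVELS.index(granted_level(acls, requester_dn, entry_dn)) >= LEVELS.index(NEEDS[op])

# Constructed values: the suffix and the modified entry come from the bug's log;
# the bind9 DN is hypothetical because ${ldap_bind9_dn} is not shown on the page.
SUFFIX = "dc=example,dc=internal"
BIND9_DN = "cn=bind9,ou=services," + SUFFIX
SOA_ENTRY = "idnsName=example.internal,ou=dns," + SUFFIX
BEFORE = f'{{1}}to dn.subtree="ou=dns,{SUFFIX}" by dn.exact="{BIND9_DN}" read by * none'
AFTER = BEFORE.replace('" read by', '" write by')   # the one-word change in the patch

def check(acl_value, op, requester=BIND9_DN):
    """Can `requester` perform `op` on the SOA entry under this single ACL?"""
    return allowed([parse_olc_access(acl_value)], requester, SOA_ENTRY, op)
```

`check(BEFORE, "replace")` is False, matching the err=50 in the log, and `check(AFTER, "replace")` is True, while anonymous access stays at `none` under both values.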

Changed in bind9 (Ubuntu):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu1

---------------
bind-dyndb-ldap (11.10-6ubuntu1) mantic; urgency=medium

  * d/t/dyndb-ldap fixes:
    - use correct attribute in the bind9 dn entry (LP: #2034251)
    - allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack <email address hidden> Tue, 05 Sep 2023 10:05:46 -0300

Changed in bind-dyndb-ldap (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu4

---------------
bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium

  * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack <email address hidden> Tue, 05 Sep 2023 10:20:27 -0300

Changed in bind9 (Ubuntu):
status: In Progress → Fix Released