[Date Prev][Date Next] [Chronological] [Thread] [Top]

Duplicate DN records, sometimes..

To: openldap-technical@openldap.org
Subject: Duplicate DN records, sometimes..
From: Jorgen Lundman <lundman@lundman.net>
Date: Tue, 14 Dec 2010 12:15:12 +0900
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lundman.net; s=dkim; t=1292296593; bh=sEmpZ+1/h3DGciAOELS305Vdv8tDqO7MKBK4kEwlIOE=; h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type: Content-Transfer-Encoding; b=DKbwhVPFAl0sOjm2Euj4Rk+EW9TXpLVUwC0P2WfDQikWMZVkNymXVTvywzQXRu4RO 79IOTqyaAPtDR1CBRgXe6BnjklucrrB9+bLzoz4dNVU/NCiPoIvz6QLg4VV9nSXbvb +JWUPiZWKwJn44KYGSF0MsH8uHmIoCGc4bAlu5b0=
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.1.16) Gecko/20101123 SeaMonkey/2.0.11


openldap-2.4.23
db-4.8.30.NC
Solaris 10u8 x86

We use LDAP for many things, including DNS. We've had an intermittent issuewhere doing a ldap subtree (recursive) delete would fail. I dug deeper, andfound that it would die with NO SUCH OBJECT.

Curiously, it was not lying. Or rather, the LDAP Search to determine the objectsto delete would return duplicate for the "@" entry.


- Found 9 service entries in subtree DNSZoneName=reger.jorgen.jp,ou=dns:
1 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns
2 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns

etc.

What would then happen, is that the #1 deletion would succeed (and delete bothentries). After which it would try to delete #2 and receive NO SUCH OBJECT.


I created a new (many many new) domains, and did a command-line ldapsearch:

/usr/local/bin/ldapsearch  -h 172.20.12.113 -b DNSZoneName=fun.jorgen.jp,ou=dns



# fun.jorgen.jp, dns,
dn: DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSZone
DNSZoneName: fun.jorgen.jp

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @

How curious. I peppered the perl code with the same ldapsearch to try todetermine where the duplicate DN was (accidentally?) created. I found that if Ihad this:


         ldapdb::CreateSOA($domain,$serial,28800, 7200, 604800, $ttl,
                                "hostmaster.$domain.", "dns01.company.com.");

system("/usr/local/bin/ldapsearch -h $ldap_host_dns DNSZoneName=$domain,ou=dns");

         ldapdb::AddRecord($domain, "NS", "@", "dns01.company.com.");

The duplicate records were no longer created. By simply having an LDAP searchbetween the creation of the tree, the error went away. Does anyone know what isactually going on here? I have also found that I can create a LDAP tree, whichhas duplicate "@" entries. Then wait ~30mins, and the duplicate entry also,sometimes(?), goes away. But not always.

The code for CreateSOA and AddRecord is relatively simple, here I have strippedout the error checking code for simplicity.


----------------------------------------------------------------------

CreateSOA():

    $ldap = Net::LDAP->new($ldap_host_dns);
    $mesg = $ldap->bind($ldap_bind, password=>$ldap_pass);
    $mesg = $ldap->add("DNSZoneName=$adddomain,$ldap_base_dns",
                       attr => [ 'objectClass' => [ 'DNSZone' ],
                                 'DNSZoneName' => "$adddomain"
                               ]
                      );
    $mesg = $ldap->add("DNSHostName=\@,DNSZoneName=$adddomain,$ldap_base_dns",
                       attr => [ 'objectClass' => [ 'DNSHost' ],
                                 'DNSHostName' => "\@"
                               ]
                      );
    $mesg = $ldap->add("DNSRecord=SOA,DNSHostName=\@,DNSZoneName=$adddomain,$lda
p_base_dns",
                       attr => [ 'objectClass'   => [ 'DNSSOARecord' ],
                                 'DNSHostName'   => "\@",
                                 'DNSRecord'     => "SOA",
                                 'DNSType'       => "soa",
                                 'DNSSerial'     => "$serial",
                                 'DNSRefresh'    => "$refresh",
                                 'DNSRetry'      => "$retry",
                                 'DNSExpire'     => "$expire",
                                 'DNSMinimum'    => "$minttl",
                                 'DNSAdminEmail' => "$hostmaster",
                                 'DNSPrimaryns'  => "$nameserver",
                                 'DNSTTL'        => "$minttl"
                               ]
                      );

  $ldap->unbind;

----------------------------------------------------------------------
And AddRecord:

  $ldap = Net::LDAP->new($ldap_host_dns);
  $mesg = $ldap->bind($ldap_bind, password=>$ldap_pass);
    $mesg = $ldap->add("DNSHostName=$name,DNSZoneName=$domain,$ldap_base_dns",
                       attr => [ 'objectClass' => [ 'DNSHost' ],
                                 'DNSHostName' => "$name"
                               ]
                      );
  $ldap->unbind;

----------------------------------------------------------------------

For now, we will have the simple/pointless ldapsearch between CreateSOA andAddRecord to avoid the duplicate "@" DN entry, and in ldap delete-subtree wewill ignore NO SUCH OBJECT error so that it keeps going and cleans up the domainproperly.


Lund

--
Jorgen Lundman       | <lundman@lundman.net>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)

Prev by Date: OpenLDAP and third party authentication integration
Next by Date: Re: backend issue
Index(es):
- Chronological
- Thread