[Pdns-dev] ldapbackend patch for AXFR base DN

Tom Bamford tom at aims.ac.za
Fri Jul 20 09:31:06 CEST 2012


I encountered an issue with the way the ldapbackend performs AXFR
searches. It assumes that your subdomain entries are children of the
parent dn of the entry with your SOA record.

For example, say I have this entry:

dn: dc=mydomain.com,ou=dns,dc=mydomain,dc=com
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: mydomain.com
associatedDomain: mydomain.com

In ldapbackend.cc, in the method LdapBackend::list_simple(), two
searches are performed to build an AXFR response for mydomain.com. The
first search uses the "ldap-basedn" configuration entry from pdns.conf
and works fine, like this:

SRCH base="dc=mydomain,dc=com" scope=2 deref=3

However, the second search, which looks for
(associatedDomain=*.mydomain.com), uses the dn of the result of the
first search as its basedn. This results in a search that looks like

SRCH base="ou=dns,dc=mydomain,dc=com" scope=2 deref=3

This assumes that all my subdomain entries are contained in the
ou=dns,dc=mydomain,dc=com subtree, which is a bold assumption to make
given that in my tree, subdomains are scattered around according to
their logical classification.

Accordingly, I have patched ldapbackend.cc (ldapbackend.so) to use the
ldap-basedn that I defined rather than the parent dn from the first
AXFR related search. Rather than change the current behaviour, I also
added a boolean configuration item ldap-basedn-axfr-override which is
first evaluated using mustDo().

It's a simple change but I expect it could be very useful to other admins
in a use case similar to mine, where your LDAP tree is not designed
solely for DNS and you might have host entries outside the same parent
DN as your sOARecord. Diff is attached for a patch against the current
trunk (also works for 3.1.1 and 3.0.1, also 2.9.22 when applied


System Administrator
African Institute for Mathematical Sciences
Cape Town, South Africa
Tel: +27 (0)21 787 9328
Fax: +27 (0)21 787 9321
Jabber: tom at aims.ac.za
Web: www.aims.ac.za
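The following is an added illustration, not PowerDNS code or the attached patch: it models the two subtree searches that LdapBackend::list_simple() issues against a constructed directory, so you can check which entries the second search reaches with the stock parent-DN base and with the proposed ldap-basedn-axfr-override behaviour. The directory contents, the cn=fileserver entry and the ou=hosts branch are assumptions made up for the example.

```python
# Added example (not PowerDNS code): emulate the two AXFR searches from
# LdapBackend::list_simple() over a constructed in-memory directory.
from fnmatch import fnmatchcase

LDAP_BASEDN = "dc=mydomain,dc=com"  # the pdns.conf ldap-basedn setting

# Constructed sample directory. The SOA entry lives under ou=dns, but one
# host record is filed under ou=hosts, outside the SOA entry's parent subtree.
DIRECTORY = {
    "dc=mydomain.com,ou=dns,dc=mydomain,dc=com":
        {"associatedDomain": ["mydomain.com"],
         "sOARecord": ["ns1 hostmaster 1 3600 900 604800 300"]},
    "dc=www,dc=mydomain.com,ou=dns,dc=mydomain,dc=com":
        {"associatedDomain": ["www.mydomain.com"], "aRecord": ["192.0.2.10"]},
    "cn=fileserver,ou=hosts,dc=mydomain,dc=com":  # assumed host entry
        {"associatedDomain": ["files.mydomain.com"], "aRecord": ["192.0.2.20"]},
}

def parent_dn(dn):
    """Parent DN: everything after the first RDN (assumes no escaped commas)."""
    return dn.split(",", 1)[1]

def subtree_search(base, attr, pattern):
    """Emulate 'SRCH base=<base> scope=2' (subtree) with filter (attr=pattern):
    an entry matches if its DN lies under base and some value of attr matches."""
    hits = []
    for dn, entry in DIRECTORY.items():
        in_subtree = dn == base or dn.endswith("," + base)
        if in_subtree and any(fnmatchcase(v, pattern) for v in entry.get(attr, [])):
            hits.append(dn)
    return hits

def axfr_entries(zone, basedn_override=False):
    """First search: find the zone apex by associatedDomain under ldap-basedn.
    Second search: find *.zone, based at the apex's parent DN (stock behaviour)
    or at ldap-basedn (ldap-basedn-axfr-override enabled)."""
    apex = subtree_search(LDAP_BASEDN, "associatedDomain", zone)
    if not apex:
        return []
    second_base = LDAP_BASEDN if basedn_override else parent_dn(apex[0])
    return apex + subtree_search(second_base, "associatedDomain", "*." + zone)
```

With the stock behaviour the files.mydomain.com record is silently absent from the zone transfer; with the override it is included.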