Duplicate DN records, sometimes..

openldap-2.4.23
db-4.8.30.NC
Solaris 10u8 x86

We use LDAP for many things, including DNS. We've had an intermittent issue where doing an LDAP subtree (recursive) delete would fail. I dug deeper, and found that it would die with NO SUCH OBJECT.

Curiously, it was not lying. Or rather, the LDAP search to determine the objects to delete would return a duplicate for the "@" entry.

- Found 9 service entries in subtree DNSZoneName=reger.jorgen.jp,ou=dns:
1 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns
2 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns

etc.

What would then happen is that the #1 deletion would succeed (and delete both entries). After which it would try to delete #2 and receive NO SUCH OBJECT.

I created new (many, many new) domains and did a command-line ldapsearch:

/usr/local/bin/ldapsearch  -h 172.20.12.113 -b DNSZoneName=fun.jorgen.jp,ou=dns
# fun.jorgen.jp, dns,
dn: DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSZone
DNSZoneName: fun.jorgen.jp

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @


How curious. I peppered the Perl code with the same ldapsearch to try to determine where the duplicate DN was (accidentally?) created. I found that if I had this:

    ldapdb::CreateSOA($domain, $serial, 28800, 7200, 604800, $ttl,
                      "hostmaster.$domain.", "dns01.company.com.");

    # A read of the zone just created (-b added: without it the DN is
    # taken as the search filter and the default base from ldap.conf is used)
    system("/usr/local/bin/ldapsearch -h $ldap_host_dns -b DNSZoneName=$domain,ou=dns");

    ldapdb::AddRecord($domain, "NS", "@", "dns01.company.com.");

The duplicate records were no longer created. Simply by having an LDAP search between the creation steps of the tree, the error went away. Does anyone know what is actually going on here? I have also found that I can create an LDAP tree that has duplicate "@" entries. Then wait ~30 mins, and the duplicate entry also, sometimes(?), goes away. But not always.

The code for CreateSOA and AddRecord is relatively simple; here I have stripped out the error-checking code for simplicity.

----------------------------------------------------------------------

CreateSOA():

    use strict;
    use warnings;
    use Net::LDAP;

    # Connection settings are package globals set elsewhere in ldapdb
    # ($ldap_base_dns is "ou=dns" in the searches above).
    our ($ldap_host_dns, $ldap_bind, $ldap_pass, $ldap_base_dns);

    # Called as CreateSOA($domain, $serial, $refresh, $retry, $expire,
    #                     $minttl, $hostmaster, $nameserver)
    sub CreateSOA {
        my ($adddomain, $serial, $refresh, $retry, $expire, $minttl,
            $hostmaster, $nameserver) = @_;
        my ($ldap, $mesg);

        $ldap = Net::LDAP->new($ldap_host_dns) or die "$@";
        $mesg = $ldap->bind($ldap_bind, password => $ldap_pass);

        # Zone container: DNSZoneName=<domain>,ou=dns
        $mesg = $ldap->add("DNSZoneName=$adddomain,$ldap_base_dns",
                           attr => [ 'objectClass' => [ 'DNSZone' ],
                                     'DNSZoneName' => "$adddomain"
                                   ]
                          );
        # Apex host "@" directly under the zone
        $mesg = $ldap->add("DNSHostName=\@,DNSZoneName=$adddomain,$ldap_base_dns",
                           attr => [ 'objectClass' => [ 'DNSHost' ],
                                     'DNSHostName' => "\@"
                                   ]
                          );
        # SOA record under the apex host
        $mesg = $ldap->add("DNSRecord=SOA,DNSHostName=\@,DNSZoneName=$adddomain,$ldap_base_dns",
                           attr => [ 'objectClass'   => [ 'DNSSOARecord' ],
                                     'DNSHostName'   => "\@",
                                     'DNSRecord'     => "SOA",
                                     'DNSType'       => "soa",
                                     'DNSSerial'     => "$serial",
                                     'DNSRefresh'    => "$refresh",
                                     'DNSRetry'      => "$retry",
                                     'DNSExpire'     => "$expire",
                                     'DNSMinimum'    => "$minttl",
                                     'DNSAdminEmail' => "$hostmaster",
                                     'DNSPrimaryns'  => "$nameserver",
                                     'DNSTTL'        => "$minttl"
                                   ]
                          );
        # ($mesg->code checks after each add were stripped for the post)

        $ldap->unbind;
    }

----------------------------------------------------------------------
And AddRecord:

    # Called as AddRecord($domain, $type, $name, $value); $type and $value
    # are not used in the body as posted.
    sub AddRecord {
        my ($domain, $type, $name, $value) = @_;
        my ($ldap, $mesg);

        $ldap = Net::LDAP->new($ldap_host_dns) or die "$@";
        $mesg = $ldap->bind($ldap_bind, password => $ldap_pass);
        # Host entry for $name under the zone; for "@" this is the same DN
        # that CreateSOA already added.
        $mesg = $ldap->add("DNSHostName=$name,DNSZoneName=$domain,$ldap_base_dns",
                           attr => [ 'objectClass' => [ 'DNSHost' ],
                                     'DNSHostName' => "$name"
                                   ]
                          );
        $ldap->unbind;
    }

----------------------------------------------------------------------


For now, we will have the simple/pointless ldapsearch between CreateSOA and AddRecord to avoid the duplicate "@" DN entry, and in ldap delete-subtree we will ignore NO SUCH OBJECT error so that it keeps going and cleans up the domain properly.

Lund

--
Jorgen Lundman       | <lundman@lundman.net>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)
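Added example, not from the post and not part of Jorgen's ldapdb code: a Python sketch of the subtree delete the post describes, the way I would make it robust against what was observed. It pulls the DNs out of ldapsearch-style LDIF, collapses duplicates (so a DN is only deleted once), deletes deepest entries first, treats noSuchObject (resultCode 32) as "already gone" rather than as a failure, and then re-searches the base to confirm nothing is left. SAMPLE_LDIF is constructed after the listing in the post (with the SOA entry CreateSOA() creates added), FakeDirectory is a constructed in-memory stand-in that reproduces the observed behaviour (a DN listed twice, one delete removing both copies), and all function names are my own; against a real server the directory object would wrap python-ldap or ldap3 calls.

```python
LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32  # resultCode noSuchObject, which the post's delete died on

# Constructed sample modelled on the ldapsearch listing in the post: the apex
# "@" host is returned twice, and the SOA record entry CreateSOA() adds is
# included so three depths of the tree are present.
SAMPLE_LDIF = """\
# fun.jorgen.jp, dns
dn: DNSZoneName=fun.jorgen.jp,ou=dns

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns

# SOA, @, fun.jorgen.jp, dns
dn: DNSRecord=SOA,DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
"""

def parse_ldif_dns(ldif_text):
    """Every dn in ldapsearch LDIF output, in order: '#' comments skipped and
    a leading space folded onto the previous line ('dn::' base64 not handled)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [ln[4:].strip() for ln in lines if ln.startswith("dn: ")]

def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next char
    (RFC 4514). Multi-valued RDNs joined with '+' are not special-cased."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def normalize_dn(dn):
    """Comparison form: attribute types are case-insensitive and whitespace
    around '=' and ',' is insignificant. Values are lowercased too, which
    assumes caseIgnore matching on the naming attributes (true for DNS names)."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)

def plan_subtree_delete(dns):
    """One delete per distinct DN, children before parents. Keeps the first
    spelling seen; sorted() is stable, so equal depths keep search order."""
    seen = {}
    for dn in dns:
        seen.setdefault(normalize_dn(dn), dn)
    return sorted(seen.values(), key=lambda d: len(split_rdns(d)), reverse=True)

class FakeDirectory:
    """Constructed stand-in for the server, reproducing what the post saw: a
    subtree search can list one DN twice, and deleting that DN removes every
    copy, so a repeat delete gets noSuchObject."""

    def __init__(self, dns):
        self.entries = list(dns)

    def search_subtree(self, base):
        nb = normalize_dn(base)
        return [e for e in self.entries
                if normalize_dn(e) == nb or normalize_dn(e).endswith("," + nb)]

    def delete(self, dn):
        nd = normalize_dn(dn)
        before = len(self.entries)
        self.entries = [e for e in self.entries if normalize_dn(e) != nd]
        return LDAP_SUCCESS if len(self.entries) < before else LDAP_NO_SUCH_OBJECT

def delete_subtree(directory, base):
    """Delete base and everything under it. noSuchObject is the end state we
    want, so it is counted, not fatal; any other code aborts. A final search
    confirms the subtree is really empty. Returns (deleted, already_gone)."""
    deleted = already_gone = 0
    for dn in plan_subtree_delete(directory.search_subtree(base)):
        rc = directory.delete(dn)
        if rc == LDAP_SUCCESS:
            deleted += 1
        elif rc == LDAP_NO_SUCH_OBJECT:
            already_gone += 1
        else:
            raise RuntimeError(f"delete {dn}: LDAP resultCode {rc}")
    leftovers = directory.search_subtree(base)
    if leftovers:
        raise RuntimeError(f"subtree {base} not empty after delete: {leftovers}")
    return deleted, already_gone
```

From the shell, OpenLDAP's ldapdelete -r -c gives roughly the same effect (recursive, keep going past errors); the closing re-search is still worth doing there, since "ignore NO SUCH OBJECT" on its own cannot tell a harmless repeat from a delete that silently did nothing.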