Duplicate DN records, sometimes..
- To: openldap-technical@openldap.org
- Subject: Duplicate DN records, sometimes..
- From: Jorgen Lundman <lundman@lundman.net>
- Date: Tue, 14 Dec 2010 12:15:12 +0900
openldap-2.4.23
db-4.8.30.NC
Solaris 10u8 x86
We use LDAP for many things, including DNS. We've had an intermittent issue
where doing an LDAP subtree (recursive) delete would fail. I dug deeper, and
found that it would die with NO SUCH OBJECT.
Curiously, it was not lying. Or rather, the LDAP search to determine the objects
to delete would return a duplicate for the "@" entry.
- Found 9 service entries in subtree DNSZoneName=reger.jorgen.jp,ou=dns:
1 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns
2 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns
etc.
What would then happen is that the #1 deletion would succeed (and delete both
entries), after which it would try to delete #2 and receive NO SUCH OBJECT.
I created new (many, many new) domains, and did a command-line ldapsearch:
/usr/local/bin/ldapsearch -h 172.20.12.113 -b DNSZoneName=fun.jorgen.jp,ou=dns
# fun.jorgen.jp, dns,
dn: DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSZone
DNSZoneName: fun.jorgen.jp
# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @
# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @
How curious. I peppered the Perl code with the same ldapsearch to try to
determine where the duplicate DN was (accidentally?) created. I found that if I
had this:
ldapdb::CreateSOA($domain,$serial,28800, 7200, 604800, $ttl,
"hostmaster.$domain.", "dns01.company.com.");
system("/usr/local/bin/ldapsearch -h $ldap_host_dns DNSZoneName=$domain,ou=dns");
ldapdb::AddRecord($domain, "NS", "@", "dns01.company.com.");
The duplicate records were no longer created. By simply having an LDAP search
between the creation of the tree, the error went away. Does anyone know what is
actually going on here? I have also found that I can create an LDAP tree which
has duplicate "@" entries. Then wait ~30 mins, and the duplicate entry also,
sometimes(?), goes away. But not always.
The code for CreateSOA and AddRecord is relatively simple; here I have stripped
out the error checking code for simplicity.
----------------------------------------------------------------------
CreateSOA():
use Net::LDAP;

$ldap = Net::LDAP->new($ldap_host_dns);
$mesg = $ldap->bind($ldap_bind, password => $ldap_pass);
# Zone container entry.
$mesg = $ldap->add("DNSZoneName=$adddomain,$ldap_base_dns",
    attr => [ 'objectClass' => [ 'DNSZone' ],
              'DNSZoneName' => "$adddomain"
            ]
);
# The "@" (zone apex) host entry.
$mesg = $ldap->add("DNSHostName=\@,DNSZoneName=$adddomain,$ldap_base_dns",
    attr => [ 'objectClass' => [ 'DNSHost' ],
              'DNSHostName' => "\@"
            ]
);
# SOA record under the "@" host.
$mesg = $ldap->add("DNSRecord=SOA,DNSHostName=\@,DNSZoneName=$adddomain,$ldap_base_dns",
    attr => [ 'objectClass'   => [ 'DNSSOARecord' ],
              'DNSHostName'   => "\@",
              'DNSRecord'     => "SOA",
              'DNSType'       => "soa",
              'DNSSerial'     => "$serial",
              'DNSRefresh'    => "$refresh",
              'DNSRetry'      => "$retry",
              'DNSExpire'     => "$expire",
              'DNSMinimum'    => "$minttl",
              'DNSAdminEmail' => "$hostmaster",
              'DNSPrimaryns'  => "$nameserver",
              'DNSTTL'        => "$minttl"
            ]
);
$ldap->unbind;
----------------------------------------------------------------------
And AddRecord:
use Net::LDAP;

$ldap = Net::LDAP->new($ldap_host_dns);
$mesg = $ldap->bind($ldap_bind, password => $ldap_pass);
# Host entry for $name under the zone (e.g. "@" for the NS record).
$mesg = $ldap->add("DNSHostName=$name,DNSZoneName=$domain,$ldap_base_dns",
    attr => [ 'objectClass' => [ 'DNSHost' ],
              'DNSHostName' => "$name"
            ]
);
$ldap->unbind;
----------------------------------------------------------------------
For now, we will have the simple/pointless ldapsearch between CreateSOA and
AddRecord to avoid the duplicate "@" DN entry, and in ldap delete-subtree we
will ignore NO SUCH OBJECT error so that it keeps going and cleans up the domain
properly.
Lund
--
Jorgen Lundman | <lundman@lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
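The two operational pieces of the post, spotting a DN that a search returns more than once and running a subtree delete that survives the NO SUCH OBJECT on the second copy, can be scripted against the ldapsearch output. The following is an added Python example, not code from the post or from OpenLDAP; the LDIF sample, the `FakeDirectory` stand-in for the server, and the result strings `success` / `noSuchObject` / `notAllowedOnNonLeaf` are all constructed for the example.

```python
"""Detect duplicate DNs in ldapsearch (LDIF) output and plan a leaf-first
subtree delete that tolerates an already-deleted entry.
Added example; not code from the original post."""
import re
from collections import Counter

# Constructed sample modelled on the ldapsearch output quoted in the post:
# the "@" host entry is returned twice under the same zone.
SAMPLE_LDIF = """\
# fun.jorgen.jp, dns
dn: DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSZone
DNSZoneName: fun.jorgen.jp

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @

# SOA, @, fun.jorgen.jp, dns
dn: DNSRecord=SOA,DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSSOARecord
DNSRecord: SOA
"""


def parse_dns(ldif_text):
    """Return every 'dn:' value in LDIF output, in order, duplicates kept.
    LDIF folds long lines by starting the continuation with one space;
    join those first so a wrapped DN is reassembled before matching."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    return [line[3:].strip() for line in unfolded.splitlines()
            if line.startswith("dn:")]


def find_duplicate_dns(ldif_text):
    """Map each DN that the search returned more than once to its count."""
    counts = Counter(parse_dns(ldif_text))
    return {dn: n for dn, n in counts.items() if n > 1}


def split_rdns(dn):
    """Split a DN on unescaped commas (sufficient for the DN shapes above)."""
    return re.split(r"(?<!\\),", dn)


def plan_subtree_delete(dns):
    """Order DNs deepest-first so every child goes before its parent; the
    sort is stable, so a DN the search returned twice stays in the plan
    twice, exactly as the poster's tool saw it."""
    return sorted(dns, key=lambda d: len(split_rdns(d)), reverse=True)


def delete_subtree(ldif_text, delete_fn):
    """Call delete_fn(dn) for each planned DN. A 'noSuchObject' result is
    recorded and skipped (the entry was removed by an earlier, duplicate
    attempt) instead of aborting the cleanup; any other failure raises."""
    deleted, skipped = [], []
    for dn in plan_subtree_delete(parse_dns(ldif_text)):
        result = delete_fn(dn)
        if result == "success":
            deleted.append(dn)
        elif result == "noSuchObject":
            skipped.append(dn)
        else:
            raise RuntimeError(f"delete of {dn} failed: {result}")
    return deleted, skipped


class FakeDirectory:
    """Constructed in-memory stand-in for the server: one stored entry per
    unique DN, even when the search listed it twice, and it refuses to
    delete a non-leaf entry the way a real server does."""

    def __init__(self, dns):
        self.entries = set(dns)

    def delete(self, dn):
        if dn not in self.entries:
            return "noSuchObject"
        if any(other != dn and other.endswith("," + dn) for other in self.entries):
            return "notAllowedOnNonLeaf"
        self.entries.remove(dn)
        return "success"


if __name__ == "__main__":
    print("duplicates:", find_duplicate_dns(SAMPLE_LDIF))
    directory = FakeDirectory(parse_dns(SAMPLE_LDIF))
    done, skipped = delete_subtree(SAMPLE_LDIF, directory.delete)
    print("deleted:", done)
    print("skipped (noSuchObject):", skipped)
```

Run it against the output of the same `ldapsearch -b DNSZoneName=...,ou=dns` shown in the post (piped to a file and read in place of `SAMPLE_LDIF`) to confirm whether the "@" entry is being listed twice before any delete is attempted; `delete_fn` is the only thing to swap for a real `ldapdelete`-style call.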