Bug 1207545

Summary: [RFE] Option to not serve anything if LDAP is not available
Product: Red Hat Enterprise Linux 7
Component: bind-dyndb-ldap
Version: 7.0
Reporter: Martin Kosek <mkosek>
Assignee: Tomas Krizek <tkrizek>
QA Contact: Namita Soman <nsoman>
CC: dpal, drieden, jpazdziora, pspacek, pvoborni
Status: CLOSED WONTFIX
Severity: unspecified
Priority: medium
Keywords: FutureFeature
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2017-08-18 15:25:56 UTC

Description Martin Kosek 2015-03-31 07:14:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/140

= Enhancement proposal =

Make it possible to set up named in such a way that it does not serve anything if LDAP is not available.

= Use case =

https://www.redhat.com/archives/freeipa-users/2014-October/msg00016.html

   LDAP server is not reachable when IPA is down so BIND
   cannot see zones in LDAP and "global" forwarding in named.conf
   causes it to accidentally work for you

Since an unreachable LDAP server can cause bind to forward requests for
zones it shouldn't be forwarding, either make it possible to cache
the list of zones that were seen as stored in the LDAP database
the last time things worked and only forward requests for the other ones,
or refuse to serve anything, because without LDAP access we do
not know which zones should be forwarded and which shouldn't.

I'd argue that it's better to return an error than to give an answer
which shouldn't be given.

= Proposed implementation =

Not sure.

= Additional notes =

Petr Š. notes that in the past named refused to start when LDAP was
not available. Due to the service start ordering this caused issues
and was thus removed:

   https://bugzilla.redhat.com/show_bug.cgi?id=662930

I'd argue that named probably shouldn't refuse to start if it's waiting
for localhost LDAP (or any LDAP for that matter) but it also shouldn't
be forwarding everything.
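Added example (not part of this bug report or of bind-dyndb-ldap): a health check that detects the failure mode described above, where named with global forwarders silently keeps answering for an LDAP-backed zone once LDAP is unreachable, by checking whether the SOA answer for that zone carries the AA (authoritative answer) flag. The zone name example.test and the nameserver address 127.0.0.1 are assumed placeholders.

```shell
#!/bin/sh
# Added health check; not part of bind-dyndb-ldap. Assumed values:
# the IPA-managed zone is example.test and named listens on 127.0.0.1.
ZONE="${ZONE:-example.test}"
NS="${NS:-127.0.0.1}"

# Read dig output on stdin; return 0 if the header carries the "aa" flag,
# i.e. named answered from its own (LDAP-backed) zone data, and 1 if the
# answer came from a forwarder/cache (no "aa") or there was no answer.
answer_is_authoritative() {
    # The header line looks like ";; flags: qr aa rd ra; QUERY: 1, ..."
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" aa "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Ask for the zone's SOA without recursion: a zone named serves itself is
# answered authoritatively; a forwarded or cached answer is not.
check_zone() {
    dig +norecurse +tries=1 +time=2 @"$NS" "$1" SOA | answer_is_authoritative
}

main() {
    if check_zone "$ZONE"; then
        echo "OK: $NS answers authoritatively for $ZONE"
        return 0
    fi
    echo "ALERT: $NS did not answer authoritatively for $ZONE" \
         "(LDAP unreachable and queries being forwarded?)"
    return 2
}

# Run the check only when executed as a script, so the functions can be
# sourced (e.g. from a monitoring plugin) without triggering a query.
if [ "${CHECK_RUN_MAIN:-0}" = "1" ]; then
    main
fi
```

Run with `CHECK_RUN_MAIN=1 ZONE=<your-zone> sh check.sh` from cron or a monitoring agent; a non-zero exit means the zone is no longer served from LDAP data.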

Comment 3 Martin Kosek 2016-12-09 10:38:48 UTC
I discussed this bug with Petr Spacek. Due to design limitations of bind-dyndb-ldap, we cannot add this feature without extensive and wider implementation effort. We would only do it with business justification sufficient for this investment.

Comment 4 Petr Vobornik 2017-08-18 15:25:56 UTC
bind-dyndb-ldap is in maintenance mode. New features are not actively developed. Therefore closing this RFE.

Detailed explanation of why: https://docs.pagure.org/bind-dyndb-ldap/Maintainability.html

If it is implemented upstream then it might be backported.