Bug 819629

Summary: Enable persistent search in bind-dyndb-ldap during IPA upgrade
Product: Red Hat Enterprise Linux 6 Reporter: Rob Crittenden <rcritten>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.3CC: jgalipea, mkosek, xdong
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.0.0-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: Identity Management DNS module use "pull" model for updating DNS records provisioned to BIND Nameserver by bind-dyndb-ldap plugin. Consequence: When a DNS zone LDAP entry or DNS records present in bind-dyndb-ldap cache are changed via Identity Management CLI or Web UI, the update is not provisioned to the BIND nameserver until a zone is checked with a periodic poll or the DNS record in cache expires. Fix: Enable persistent search by default for both new Identity Management installations and for running Identity Management server instances. Result: A change to DNS zone LDAP entry or to DNS record that is already cached by bind-dydnb-ldap is instantly provisioned to the BIND Name server and thus resolvable.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:12:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rob Crittenden 2012-05-07 19:14:11 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2719

Persistent search will be needed by DNS SOA serial number update/zone transfer support (IPA 3.0) and DNSSEC (IPA 3.1), as discussed on meeting May/03/2012.

During upgrade it's necessary to modify "dynamic-db ipa" section in /etc/named.conf configuration file and make sure that this line is present:

{{{
arg "psearch yes";
}}}

Old configuration file can contain old value "psearch no" or psearch line value can be missing completely, before the IPA upgrade.
Comment 1 Martin Kosek 2012-06-12 07:18:26 UTC 
Fixed upstream:

master:
c856fb60737612781fab30760bceeb8bbf6312d9
ce97d6f8e7cb47927fccc27c258d32caf895a88c
1d44aba89b225aa9e131ac8ca596df7b0faaa964

Persistent search is now enabled by default both for new IPA installations and for running IPA server instances.

Existing IPA server instance psearch features is enabled only once, i.e. when psearch is turned off during RPM update and then turned off by user, subsequent RPM updates won't turn it back on.
Comment 3 Xiyang Dong 2012-11-28 19:15:29 UTC 
verifying
Comment 4 Xiyang Dong 2012-11-28 19:24:02 UTC 
ipa version:

ipa-server-2.2.0-16.el6.x86_64

ipa-server-3.0.0-8.el6.x86_64

how to verify:

1.create a rhel6.3 beaker machine installed with ipa server 2.2.0-16
2.[root@sgi-xe320-01 ~]# cat /etc/named.conf |grep psearch 

nothing in named for persistent search,i.e.psearch line value is missing completely
3.update ipa server to newest version 3.0.0-8

4.[root@sgi-xe320-01 yum.repos.d]# cat /etc/named.conf |grep psearch
	arg "psearch yes";
  
verified that psearch line exists in named.conf after upgrade
Comment 5 Namita Soman 2012-11-28 19:26:48 UTC 
xdong verified
Comment 7 errata-xmlrpc 2013-02-21 09:12:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html