This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/140
= Enhancement proposal =
Make it possible to setup named in such a way that it does not serve anything if LDAP is not available.
= Use case =
https://www.redhat.com/archives/freeipa-users/2014-October/msg00016.html
The LDAP server is not reachable when IPA is down, so BIND
cannot see zones in LDAP, and "global" forwarding in named.conf
causes it to accidentally work for you.
Since an unreachable LDAP server can cause bind to forward requests for
zones it shouldn't be forwarding, either make it possible to cache
the list of zones that were seen as stored in the LDAP database
the last time things worked and only forward requests for the other ones,
or refuse to serve anything, because without the LDAP access we do
not know which zones should be forwarded and which shouldn't.
I'd argue that it's better to return error than to give an answer
which shouldn't be given.
= Proposed implementation =
Not sure.
= Additional notes =
Petr Š. notes that in the past named refused to start when LDAP was
not available. Due to the service start ordering this caused issues
and was thus removed:
https://bugzilla.redhat.com/show_bug.cgi?id=662930
I'd argue that named probably shouldn't refuse to start if it's waiting
for localhost LDAP (or any LDAP for that matter) but it also shouldn't
be forwarding everything.
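The failure mode in the use case above is that a query for a zone that should come from LDAP is silently answered via the global forwarders instead. As an added example (not from the ticket or from bind-dyndb-ldap), the check below tells the two apart from the DNS header: an answer served from a loaded zone carries the AA bit, a forwarded answer does not, and a server that refuses to serve returns a non-zero RCODE. Zone names and response bytes are constructed for the demonstration.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000      # response
FLAG_AA = 0x0400      # authoritative answer
FLAG_RA = 0x0080      # recursion available
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def classify_response(raw: bytes) -> str:
    """Classify a raw DNS response by its 12-byte header.

    "authoritative": AA set, the zone was loaded (from LDAP) and answered locally.
    "forwarded":     NOERROR without AA, what a global forwarders clause yields
                     when the zone is missing.
    otherwise the RCODE name (SERVFAIL, REFUSED, ...) for an error answer.
    """
    if len(raw) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, *_counts = struct.unpack("!6H", raw[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & RCODE_MASK
    if rcode != 0:
        return RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    return "authoritative" if flags & FLAG_AA else "forwarded"


def leaked_zones(expected_local, responses):
    """Zones that should be served from LDAP but came back as forwarded answers."""
    return sorted(z for z in expected_local
                  if classify_response(responses[z]) == "forwarded")


def make_header(flags: int, txid: int = 0x1234) -> bytes:
    # Constructed header: id, flags, qdcount=1, ancount=1, nscount=0, arcount=0
    return struct.pack("!6H", txid, flags, 1, 1, 0, 0)


# Constructed sample answers for zones the LDAP backend normally serves.
SAMPLE = {
    "ipa.example.test.":  make_header(FLAG_QR | FLAG_AA),   # LDAP up: authoritative
    "lab.example.test.":  make_header(FLAG_QR | FLAG_RA),   # no AA: forwarded
    "down.example.test.": make_header(FLAG_QR | 2),         # SERVFAIL: refused to serve
}

if __name__ == "__main__":
    print(leaked_zones(SAMPLE.keys(), SAMPLE))   # ['lab.example.test.']
```

In practice the raw bytes would come from a query sent to the local named for each zone name known to live in LDAP; any zone listed by leaked_zones is one the global forwarders are answering on the server's behalf.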
I discussed this bug with Petr Spacek. Due to design limitations of bind-dyndb-ldap, we cannot add this feature without extensive and wider implementation effort. We would only do it with business justification sufficient for this investment.
bind-dyndb-ldap is in maintenance mode. New features are not actively developed. Therefore closing this RFE.
Detailed explanation of why: https://docs.pagure.org/bind-dyndb-ldap/Maintainability.html
If it is implemented upstream then it might be backported.