Bug 1207545 - [RFE] Option to not serve anything if LDAP is not available
Summary: [RFE] Option to not serve anything if LDAP is not available
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Tomas Krizek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-03-31 07:14 UTC by Martin Kosek
Modified: 2017-08-21 08:03 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-18 15:25:56 UTC
Target Upstream Version:
Embargoed:



Description Martin Kosek 2015-03-31 07:14:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/140

= Enhancement proposal =

Make it possible to set up named in such a way that it does not serve anything if LDAP is not available.

= Use case =

https://www.redhat.com/archives/freeipa-users/2014-October/msg00016.html

   LDAP server is not reachable when IPA is down so BIND
   cannot see zones in LDAP and "global" forwarding in named.conf
   causes that it accidentally works for you

Since an unreachable LDAP server can cause bind to forward requests for
zones it shouldn't be forwarding, either make it possible to cache
the list of zones that were seen as stored in the LDAP database
the last time things worked and only forward requests for the other ones,
or refuse to serve anything, because without the LDAP access we do
not know which zones should be forwarded and which shouldn't.

I'd argue that it's better to return an error than to give an answer
which shouldn't be given.

= Proposed implementation =

Not sure.

= Additional notes =

Petr Š. notes that in the past named refused to start when LDAP was
not available. Due to the service start ordering this caused issues
and was thus removed:

   https://bugzilla.redhat.com/show_bug.cgi?id=662930

I'd argue that named probably shouldn't refuse to start if it's waiting
for localhost LDAP (or any LDAP for that matter) but it also shouldn't
be forwarding everything.
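One way a defender can detect the condition described in this ticket (named answering for an LDAP-backed zone via the global forwarder instead of from the zone itself) is to send an SOA query to the local named and check the AA flag of the reply. The script below is an added example, not part of this ticket or of bind-dyndb-ldap; the zone name, resolver address and sample reply headers are constructed placeholders.

```python
import socket
import struct

# Constructed values for this example: a zone that bind-dyndb-ldap is expected to
# load from LDAP, and the named instance to probe. Adjust both for a real server.
ZONE = "ipa.example.test"
RESOLVER = ("127.0.0.1", 53)
TXID = 0x1234
AA_FLAG = 0x0400          # "authoritative answer" bit in the DNS header flags


def build_soa_query(name, txid=TXID):
    """Encode an ordinary recursive (RD=1) query for the SOA record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # SOA, IN


def classify_response(packet, txid=TXID):
    """Classify a reply by its header: 'authoritative' when named answered
    from a zone it holds, 'not_authoritative' when the answer came from
    elsewhere (a forwarder, or a cached forwarded answer), 'malformed'
    when the header is unusable."""
    if len(packet) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & 0x8000:      # wrong id, or not a response
        return "malformed"
    return "authoritative" if flags & AA_FLAG else "not_authoritative"


def check_zone(resolver=RESOLVER, zone=ZONE, timeout=2.0):
    """Query the server over UDP and classify its reply; 'timeout' if silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone), resolver)
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


# Constructed 12-byte reply headers standing in for real traffic:
# flags 0x8580 = QR, AA, RD, RA; flags 0x8180 = QR, RD, RA (AA clear).
SAMPLE_FROM_LDAP_ZONE = b"\x12\x34\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00"
SAMPLE_FROM_FORWARDER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"

if __name__ == "__main__":
    print("sample zone-held reply:", classify_response(SAMPLE_FROM_LDAP_ZONE))
    print("sample forwarded reply:", classify_response(SAMPLE_FROM_FORWARDER))
    print("live check of", ZONE, "->", check_zone())
```

A "not_authoritative" result for a zone that should live in LDAP is the signal that named has lost its LDAP-backed zones and is answering through the global forwarder; a monitoring check can alert on it instead of letting the wrong answers go unnoticed.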

Comment 3 Martin Kosek 2016-12-09 10:38:48 UTC
I discussed this bug with Petr Spacek. Due to design limitations of bind-dyndb-ldap, we cannot add this feature without extensive and wider implementation effort. We would only do it with business justification sufficient for this investment.

Comment 4 Petr Vobornik 2017-08-18 15:25:56 UTC
bind-dyndb-ldap is in maintenance mode. New features are not actively developed. Therefore closing this RFE.

Detailed explanation of why: https://docs.pagure.org/bind-dyndb-ldap/Maintainability.html

If it is implemented upstream then it might be backported.
