openldap-2.4.23 db-4.8.30.NC Solaris 10u8 x86
We use LDAP for many things, including DNS. We've had an intermittent issue where doing an LDAP subtree (recursive) delete would fail. I dug deeper, and found that it would die with NO SUCH OBJECT.
Curiously, it was not lying. Or rather, the LDAP search to determine the objects to delete would return duplicates of the "@" entry.
- Found 9 service entries in subtree DNSZoneName=reger.jorgen.jp,ou=dns:
  1 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns
  2 DNSHostName=@,DNSZoneName=reger.jorgen.jp,ou=dns
etc.
What would then happen is that the #1 deletion would succeed (and delete both entries). After that it would try to delete #2 and receive NO SUCH OBJECT.
I created new (many, many new) domains, and did a command-line ldapsearch:
/usr/local/bin/ldapsearch -h 172.20.12.113 -b DNSZoneName=fun.jorgen.jp,ou=dns
# fun.jorgen.jp, dns
dn: DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSZone
DNSZoneName: fun.jorgen.jp

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @

# @, fun.jorgen.jp, dns
dn: DNSHostName=@,DNSZoneName=fun.jorgen.jp,ou=dns
objectClass: DNSHost
DNSHostName: @
How curious. I peppered the Perl code with the same ldapsearch to try to determine where the duplicate DN was (accidentally?) created. I found that if I had this:
ldapdb::CreateSOA($domain,$serial,28800, 7200, 604800, $ttl, "hostmaster.$domain.", "dns01.company.com.");
system("/usr/local/bin/ldapsearch -h $ldap_host_dns -b DNSZoneName=$domain,ou=dns");
ldapdb::AddRecord($domain, "NS", "@", "dns01.company.com.");
The duplicate records were no longer created. Simply by having an LDAP search between the creation of the tree entries, the error went away. Does anyone know what is actually going on here? I have also found that I can create an LDAP tree which has duplicate "@" entries, then wait ~30 mins, and the duplicate entry also, sometimes(?), goes away. But not always.
The code for CreateSOA and AddRecord is relatively simple, here I have stripped out the error checking code for simplicity.
----------------------------------------------------------------------
CreateSOA():
use Net::LDAP;

$ldap = Net::LDAP->new($ldap_host_dns);
$mesg = $ldap->bind($ldap_bind, password => $ldap_pass);

# zone container
$mesg = $ldap->add("DNSZoneName=$adddomain,$ldap_base_dns",
    attr => [
        'objectClass' => [ 'DNSZone' ],
        'DNSZoneName' => "$adddomain",
    ]
);

# the "@" (apex) host under the zone
$mesg = $ldap->add("DNSHostName=@,DNSZoneName=$adddomain,$ldap_base_dns",
    attr => [
        'objectClass' => [ 'DNSHost' ],
        'DNSHostName' => "@",
    ]
);

# SOA record under the "@" host
$mesg = $ldap->add("DNSRecord=SOA,DNSHostName=@,DNSZoneName=$adddomain,$ldap_base_dns",
    attr => [
        'objectClass'   => [ 'DNSSOARecord' ],
        'DNSHostName'   => "@",
        'DNSRecord'     => "SOA",
        'DNSType'       => "soa",
        'DNSSerial'     => "$serial",
        'DNSRefresh'    => "$refresh",
        'DNSRetry'      => "$retry",
        'DNSExpire'     => "$expire",
        'DNSMinimum'    => "$minttl",
        'DNSAdminEmail' => "$hostmaster",
        'DNSPrimaryns'  => "$nameserver",
        'DNSTTL'        => "$minttl",
    ]
);

$ldap->unbind;
---------------------------------------------------------------------- And AddRecord:
use Net::LDAP;

$ldap = Net::LDAP->new($ldap_host_dns);
$mesg = $ldap->bind($ldap_bind, password => $ldap_pass);

# host entry ($name, e.g. "@" or "www") under the zone
$mesg = $ldap->add("DNSHostName=$name,DNSZoneName=$domain,$ldap_base_dns",
    attr => [
        'objectClass' => [ 'DNSHost' ],
        'DNSHostName' => "$name",
    ]
);

$ldap->unbind;
----------------------------------------------------------------------
For now, we will have the simple/pointless ldapsearch between CreateSOA and AddRecord to avoid the duplicate "@" DN entry, and in ldap delete-subtree we will ignore NO SUCH OBJECT error so that it keeps going and cleans up the domain properly.
Lund
openldap-technical@openldap.org
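As an added example (not Lund's code and not from OpenLDAP or Net::LDAP), the Python below models the failure described in the post and the cleanup loop that survives it. A constructed in-memory directory stands in for the server and deliberately returns the "@" host twice from a subtree search, as in the ldapsearch output above; the zone, host and record DNs are the ones from the post. The naive loop (delete every returned DN) dies with resultCode 32 on the second "@" row; the hardened loop de-duplicates DNs after RFC 4514-style normalisation, deletes deepest-first so a non-leaf is never deleted before its children, and tolerates noSuchObject only while re-raising every other result code, so a real failure is not hidden by the blanket "ignore NO SUCH OBJECT" workaround. In real use the search/delete callables would wrap Net::LDAP or ldap3 instead of the demo class.

```python
"""Subtree delete that survives duplicate DNs in a search result.

Models the post: the subtree search returns the "@" entry twice, deleting
it once removes both rows, and deleting the second row fails with
noSuchObject (LDAP resultCode 32). The directory below is constructed for
this demo and is not a real LDAP server.
"""

NO_SUCH_OBJECT = 32            # LDAP resultCode noSuchObject
NOT_ALLOWED_ON_NON_LEAF = 66   # LDAP resultCode notAllowedOnNonLeaf


class LdapError(Exception):
    def __init__(self, code, dn):
        super().__init__(f"LDAP result {code} on {dn}")
        self.code = code
        self.dn = dn


def normalize_dn(dn):
    """Canonical form for comparing DNs: attribute types and values folded to
    lower case (DNS names are case-insensitive), whitespace around the RDN
    separators dropped. Simplification: escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def dedupe_subtree(dns):
    """Return (unique DNs deepest-first, duplicate DNs) for a subtree search.
    Deepest-first matters: a server refuses to delete a non-leaf entry."""
    seen, dups = {}, []
    for dn in dns:
        key = normalize_dn(dn)
        if key in seen:
            dups.append(dn)
        else:
            seen[key] = dn
    unique = sorted(seen.values(), key=lambda d: -len(d.split(",")))
    return unique, dups


def delete_subtree(search, delete, base):
    """Delete base and everything below it; returns a summary dict.
    noSuchObject is tolerated (the entry may already be gone); every other
    result code propagates so a real failure is not silently skipped."""
    unique, dups = dedupe_subtree(search(base))
    deleted, already_gone = [], []
    for dn in unique:
        try:
            delete(dn)
            deleted.append(dn)
        except LdapError as err:
            if err.code != NO_SUCH_OBJECT:
                raise
            already_gone.append(dn)
    return {"deleted": deleted, "duplicates": dups, "already_gone": already_gone}


def delete_subtree_naive(search, delete, base):
    """The loop the post describes: delete every returned DN, no de-dup."""
    for dn in sorted(search(base), key=lambda d: -len(d.split(","))):
        delete(dn)


class FlakyDirectory:
    """Constructed stand-in for the poster's server: entries keyed by
    normalised DN, and the subtree search emits the '@' host twice."""

    def __init__(self, dns):
        self.entries = {normalize_dn(d): d for d in dns}

    def search(self, base):
        b = normalize_dn(base)
        rows = []
        for key, dn in self.entries.items():
            if key == b or key.endswith("," + b):
                rows.append(dn)
                if dn.startswith("DNSHostName=@,"):
                    rows.append(dn)  # the duplicate row seen in the post
        return rows

    def delete(self, dn):
        key = normalize_dn(dn)
        if key not in self.entries:
            raise LdapError(NO_SUCH_OBJECT, dn)
        if any(k.endswith("," + key) for k in self.entries):
            raise LdapError(NOT_ALLOWED_ON_NON_LEAF, dn)
        del self.entries[key]


ZONE = "DNSZoneName=fun.jorgen.jp,ou=dns"


def fresh_zone():
    """Zone, apex host, its SOA record and one extra host (constructed)."""
    return FlakyDirectory([ZONE, "DNSHostName=@," + ZONE,
                           "DNSRecord=SOA,DNSHostName=@," + ZONE,
                           "DNSHostName=www," + ZONE])


def naive_failure_code():
    """Result code the naive loop dies with on the duplicated '@' row."""
    d = fresh_zone()
    try:
        delete_subtree_naive(d.search, d.delete, ZONE)
    except LdapError as err:
        return err.code
    return None


def cleanup_demo():
    """Run the hardened delete; returns (summary, entries left behind)."""
    d = fresh_zone()
    return delete_subtree(d.search, d.delete, ZONE), d.entries
```

Calling cleanup_demo() deletes the SOA record, then the "@" host once (which is all the server actually holds), then www and the zone, reporting the duplicate DN in the summary instead of failing on it; naive_failure_code() reproduces the NO SUCH OBJECT (32) from the post.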