Updated bind-dyndb-ldap packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities for LDAP databases. It features support for dynamic updates and internal caching that helps to reduce the load on LDAP servers.
- Previously, the bind-dyndb-ldap 2.x driver (used in Red Hat Enterprise Linux 6.x) did not handle forward zones correctly when it was in the same replication topology as bind-dyndb-ldap 6.x (used in Red Hat Enterprise Linux 7.1). As a consequence, forward zones stopped working on all replicas. The underlying source code has been patched to fix this bug, and forward zones now continue to work in the described situation.
- The bind-dyndb-ldap library incorrectly compared current time and the expiration time of the Kerberos ticket used for authentication to an LDAP server. As a consequence, the Kerberos ticket was not renewed under certain circumstances, which caused the connection to the LDAP server to fail. The connection failure often happened after a BIND service reload was triggered by the logrotate utility. A patch has been applied to fix this bug, and Kerberos tickets are correctly renewed in this scenario.
- Prior to this update, the bind-dyndb-ldap plug-in incorrectly locked certain data structures. Consequently, a race condition during forwarder address reconfiguration could cause BIND to terminate unexpectedly. This bug has been fixed, bind-dyndb-ldap now locks data structures properly, and BIND no longer crashes in this scenario.
- Previously, the bind-dyndb-ldap plug-in incorrectly handled timeouts which occurred during LDAP operations. As a consequence, under very specific circumstances, the BIND daemon could terminate unexpectedly. With this update, bind-dyndb-ldap has been fixed to correctly handle timeouts during LDAP operations and the BIND daemon no longer crashes in this scenario.
- The documentation for bind-dyndb-ldap-2.3 located in the /usr/share/doc/bind-dyndb-ldap-2.3/README file incorrectly stated that the "idnsAllowTransfer" and "idnsAllowQuery" LDAP attributes are multi-valued. Consequently, users were not able to configure DNS zone transfer and query acess control lists according to the documentation. The documentation has been fixed to explain the correct attribute syntax.
Users of bind-dyndb-ldap are advised to upgrade to these updated packages, which fix these bugs.