About the package:
This is an LDAP driver for BIND. The dynamic LDAP back-end is a plug-in for BIND that provides LDAP database back-end capabilities.
The package provides the ldap.so library.
Approach for testing
This covers configuring OpenLDAP and BIND. bind-dyndb-ldap is used as the back-end through which BIND 9 reads its DNS data from OpenLDAP.
The two setups are:
Configure the LDAP side with OpenLDAP, adding the bind-dyndb-ldap schema
Configure dynamic loading of the back-end in named (BIND)
Setup openldap
Create slapd.conf with the contents below
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/bind-dyndb-ldap.schema

# Allow LDAPv2 client connections. This is NOT the default.
# (bind-dyndb-ldap speaks LDAPv3, so this line is not needed for the test;
# it is kept here because the stock file ships with it.)
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
loglevel 256

database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=test,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# Replace the value below with the hash printed by "slappasswd -h {SSHA}" (next step).
rootpw {SSHA}KUS8va9cQ+UfW49PDSJ/clm

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# syncprov provides the RFC 4533 (syncrepl) refresh-and-persist search
# that bind-dyndb-ldap uses to follow changes in the directory.
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# enable monitoring
database monitor

# allow only rootdn to read the monitor
access to *
    by dn.exact="cn=test,dc=example,dc=com" read
    by * none

Note on the ACL: the "access to *" stanza comes after "database monitor", so it only protects the monitor back-end. The bdb database holding dc=example,dc=com has no access directive of its own, so OpenLDAP's default policy (read for everyone, including anonymous clients, updates for the rootdn only) applies to the whole tree, cn=dns included. That is what lets named bind anonymously with "auth_method none" later on. It is fine for this throwaway test box; a production directory should carry an explicit ACL for cn=dns and named should bind with credentials.
Create the LDAP root password for "dc=example,dc=com" and put the resulting hash into the rootpw entry of slapd.conf:
slappasswd -h {SSHA}
Copy the schema shipped with the package into the OpenLDAP schema directory:
cp /usr/share/doc/bind-dyndb-ldap*/schema /etc/openldap/schema/bind-dyndb-ldap.schema
The rootdn "cn=test,dc=example,dc=com" together with this rootpw is the account used for every ldapadd/ldapsearch bind below.
The slapd configuration is stored in a special LDAP directory (/etc/openldap/slapd.d). Convert the old-style configuration file (/etc/openldap/slapd.conf) to the new directory by running slaptest, which checks the validity of the configuration file and writes the new configuration directory:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
Start slapd:
slapd -h "ldap:/// ldapi:///"
Started this way slapd runs as the invoking user (root here). Outside a test box start it through the service script or add "-u ldap -g ldap" so it drops privileges; /etc/openldap/slapd.d and /var/lib/ldap must then be readable and writable by that user.
Make sure the process is running and listening on port 389:
netstat -ltpn | grep 389
and check for slapd in the output.
Create data.ldif
<<>>
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: OpenLDAP Test
dc: example

dn: cn=test,dc=example,dc=com
objectclass: organizationalRole
cn: test
<<>>
Add using ldapadd:
ldapadd -x -W -D "cn=test,dc=example,dc=com" -h localhost -f data.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "cn=test,dc=example,dc=com"
Check the data with ldapsearch (a simple bind, so -x):
ldapsearch -x -D "cn=test,dc=example,dc=com" -W -b 'dc=example,dc=com'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: OpenLDAP Test
dc: example

# test, example.com
dn: cn=test,dc=example,dc=com
objectClass: organizationalRole
cn: test

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
Create virtual interfaces to carry the test addresses, so that the A records added below point at something local:
ip link add veth0 type veth peer name veth1
ip link add veth2 type veth peer name veth3
Assign private IPs using:
ifconfig veth0 192.168.122.2 netmask 255.255.255.0
ifconfig veth1 192.168.122.3 netmask 255.255.255.0
ifconfig veth2 192.168.122.4 netmask 255.255.255.0
(veth3 is left unconfigured, and 192.168.122.5, used for "bar" below, is not assigned to any interface; neither matters for checking that the records are served.)
Create dns-domain.ldif
<<>>
# Top container
dn: cn=dns, dc=example, dc=com
objectClass: top
objectClass: organizationalRole
cn: dns

# Zone example.com
dn: idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: top
objectClass: idnsZone
objectClass: idnsRecord
idnsName: example.com
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A;
idnsZoneActive: TRUE
idnsSOAmName: server.example.com
idnsSOArName: root.server.example.com
idnsSOAserial: 1
idnsSOArefresh: 10800
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 86400
NSRecord: example.com.
ARecord: 192.168.122.2

# DNS records for zone example.com
dn: idnsName=server, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: server
CNAMERecord: example.com

dn: idnsName=foo, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: foo
ARecord: 192.168.122.3
ARecord: 192.168.122.4

dn: idnsName=bar, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: bar
ARecord: 192.168.122.5
<<>>
The idnsUpdatePolicy line is the one from the bind-dyndb-ldap README example. It only governs dynamic DNS updates (here GSS-TSIG, "krb5-self"), which the plug-in leaves disabled unless dyn_update is turned on in the dynamic-db stanza; with no Kerberos in this setup it is inert. The zone entry carries both idnsZone and idnsRecord, so the apex NS and A records live on the zone object itself, while each host is a child idnsRecord entry; a multi-valued ARecord (foo) yields several A records.
Add using ldapadd:
ldapadd -x -H ldap://localhost -D "cn=test,dc=example,dc=com" -W -c -f dns-domain.ldif
LDAP configuration is complete.
Setup BIND
To configure dynamic loading of the back-end, add a "dynamic-db" block to named.conf that names the library and passes the LDAP settings as "arg" options. Add this to /etc/named.conf:
dynamic-db "my_db_name" {
    library "ldap.so";
    arg "uri ldap:///";
    arg "base cn=dns, dc=example, dc=com";
    arg "auth_method none";
    arg "cache_ttl 300";
};
Then start named:
service named start
With this configuration the LDAP back-end will try to connect to the server given by "uri" (ldap:/// is the local server). It will then run an RFC 4533 refresh-and-persist search under the "cn=dns,dc=example,dc=com" base for entries with object class idnsZone and idnsRecord, and for each idnsZone entry it finds it registers a new zone with BIND. Because the search is persistent, later changes in the directory reach named without a restart.
"auth_method none" means named binds anonymously, so it relies on the directory allowing anonymous reads of cn=dns, which the slapd.conf above does through OpenLDAP's default ACL. For anything beyond a test box, have named authenticate (auth_method simple with bind_dn and password, or sasl) and restrict the ACL on cn=dns to that identity.
This "dynamic-db" / "library" / "arg" syntax is the one understood by the bind-dyndb-ldap releases that relied on the dynamic-db patch in BIND 9.9; bind-dyndb-ldap 10 and later, on BIND 9.11 and newer, use BIND's built-in "dyndb" statement with a different layout, so check the README of the installed version.
The setup uses the local server for resolution, so move the existing resolver configuration aside and point it at 127.0.0.1 (the nslookup output below reports Server: 127.0.0.1):
mv /etc/resolv.conf /etc/resolv.conf.org
echo "nameserver 127.0.0.1" > /etc/resolv.conf
Setup for BIND is complete.
Testing the setup.
Verify that /var/named/dyndb-ldap contains an entry for my_db_name (the working directory the plug-in creates for this dynamic-db instance), then resolve the records:
nslookup foo.example.com
Name: foo.example.com
Address: 192.168.122.4
Name: foo.example.com
Address: 192.168.122.3
nslookup bar.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: bar.example.com
Address: 192.168.122.5
Add records:
Add a record for baz.example.com. Create add-zones.ldif
<<>>
dn: idnsName=baz, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: baz
CNAMERecord: bar
<<>>
Add using ldapadd:
ldapadd -x -H ldap://localhost -D "cn=test,dc=example,dc=com" -W -c -f add-zones.ldif
Enter LDAP Password:
adding new entry "idnsName=baz, idnsName=example.com, cn=dns, dc=example, dc=com"
Test that the change has been picked up in the DNS data (no named restart is needed, the persistent search delivers it):
nslookup baz.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53
baz.example.com canonical name = bar.example.com.
Name: bar.example.com
Address: 192.168.122.3
Delete records:
Create baz-delete.ldif
<<>>
dn: idnsName=baz, idnsName=example.com, cn=dns, dc=example, dc=com
changetype: delete
<<>>
Apply it with ldapmodify:
ldapmodify -x -H ldap://localhost -D "cn=test,dc=example,dc=com" -W -f baz-delete.ldif
and check that the name is gone from DNS:
nslookup baz.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find baz.example.com: NXDOMAIN
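The entries in dns-domain.ldif, add-zones.ldif and baz-delete.ldif all share one shape: a DN of the form idnsName=host, idnsName=zone, cn=dns, dc=example, dc=com, the idnsRecord object class, and one or more record attributes. The POSIX shell helper below is an added example, not code from the page or from the bind-dyndb-ldap project; it generates such entries (A records with several addresses, CNAMEs, and the changetype: delete form) and validates the host label and every IPv4 octet first, so a typo such as 192.168.122.300 is rejected before it reaches the directory. The container DN and attribute names are taken from the LDIF above; the function names and the "demo" mode are this example's own.

```shell
#!/bin/sh
# Added example: generate bind-dyndb-ldap record LDIF with input validation.
# Not part of the page or of bind-dyndb-ldap; container DN and attribute
# names (idnsName, ARecord, CNAMERecord) follow dns-domain.ldif above.
set -f   # no pathname expansion when we split addresses on "."

BASE="cn=dns, dc=example, dc=com"   # same container as dns-domain.ldif

# valid_label NAME: one DNS label, letters/digits/hyphen, 1-63 chars,
# not starting or ending with a hyphen.
valid_label() {
  case $1 in
    ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ ${#1} -le 63 ]
}

# valid_ipv4 ADDR: exactly four dotted-decimal octets, each 0..255.
valid_ipv4() {
  ip=$1
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# record_dn NAME ZONE: DN of a record entry below the zone entry.
record_dn() {
  printf 'idnsName=%s, idnsName=%s, %s' "$1" "$2" "$BASE"
}

# idns_a_record ZONE NAME IP...: LDIF add entry with one ARecord per
# address (multi-valued ARecord is how "foo" gets two addresses above).
idns_a_record() {
  zone=$1; name=$2; shift 2
  valid_label "$name" || { echo "invalid label: $name" >&2; return 1; }
  [ $# -ge 1 ] || { echo "no address given for $name" >&2; return 1; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  done
  printf 'dn: %s\n' "$(record_dn "$name" "$zone")"
  printf 'objectClass: idnsRecord\nobjectClass: top\nidnsName: %s\n' "$name"
  for ip in "$@"; do printf 'ARecord: %s\n' "$ip"; done
  printf '\n'   # LDIF entries must be separated by a blank line
}

# idns_cname_record ZONE NAME TARGET: alias entry. A TARGET without a
# trailing dot is relative to the zone, as "CNAMERecord: bar" is above.
idns_cname_record() {
  zone=$1; name=$2; target=$3
  valid_label "$name" || { echo "invalid label: $name" >&2; return 1; }
  [ -n "$target" ] || { echo "no target given for $name" >&2; return 1; }
  printf 'dn: %s\n' "$(record_dn "$name" "$zone")"
  printf 'objectClass: idnsRecord\nobjectClass: top\nidnsName: %s\n' "$name"
  printf 'CNAMERecord: %s\n\n' "$target"
}

# idns_delete ZONE NAME: deletion entry for ldapmodify.
idns_delete() {
  printf 'dn: %s\nchangetype: delete\n\n' "$(record_dn "$2" "$1")"
}

# Stand-alone run ("sh thisfile demo"): emit the host records of the page's
# zone, ready to pipe into
#   ldapmodify -a -x -H ldap://localhost -D "cn=test,dc=example,dc=com" -W -f -
if [ "${1:-}" = demo ]; then
  idns_cname_record example.com server example.com
  idns_a_record example.com foo 192.168.122.3 192.168.122.4
  idns_a_record example.com bar 192.168.122.5
  idns_cname_record example.com baz bar
fi
```

The validation is deliberately strict about labels (no underscores or dots in a host name) because anything that passes ends up as an idnsName value that named will load as a zone member; a bad value is far easier to catch here than in the named log.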
Verify using dig
dig @localhost foo.example.com
; <<>> DiG <<>> @localhost foo.example.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42470
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;foo.example.com. IN A
;; ANSWER SECTION:
foo.example.com. 86400 IN A 192.168.122.2
;; AUTHORITY SECTION:
example.com. 86400 IN NS example.com.
;; ADDITIONAL SECTION:
example.com. 86400 IN A 192.168.122.4
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 29 11:26:00 UTC 2015
;; MSG SIZE rcvd: 90
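Spot-checking single names with nslookup and dig, as above, shows that the plug-in serves something, but not that it serves exactly what the directory holds. The script below is an added example, not code from the page or from the bind-dyndb-ldap project: it lists every ARecord under the zone entry via an anonymous ldapsearch (the same kind of access named gets with "auth_method none"), asks the local named for each name, and reports any record that exists on only one side. The zone, base DN, the use of localhost for both services and the function names are assumptions matching the setup above; the parsing and comparison functions work on captured text, so they can be exercised without a running slapd or named.

```shell
#!/bin/sh
# Added example: verify that the A records stored in LDAP are the ones BIND
# serves. Not part of the page or of bind-dyndb-ldap; zone, base DN and the
# localhost endpoints are assumptions that match the setup described above.
export LC_ALL=C   # deterministic sort order for comm(1)

ZONE=example.com
BASE="cn=dns,dc=example,dc=com"

# ldap_a_records: read "ldapsearch -LLL" output on stdin and print sorted
# "name address" lines, one per ARecord value. The zone entry carries an
# ARecord too (apex), so it shows up under its own name (example.com).
ldap_a_records() {
  awk '
    /^idnsName: / { name = $2 }
    /^ARecord: /  { if (name != "") print name, $2 }
    /^$/          { name = "" }
  ' | sort
}

# dns_a_records [SERVER]: read record names on stdin, query the server for
# each name's A records and print sorted "name address" lines.
dns_a_records() {
  server=${1:-127.0.0.1}
  while read -r name; do
    [ -n "$name" ] || continue
    case $name in
      "$ZONE") fqdn=$ZONE ;;          # apex record: query the zone itself
      *)       fqdn=$name.$ZONE ;;
    esac
    dig +short "@$server" "$fqdn" A </dev/null |
      while read -r addr; do printf '%s %s\n' "$name" "$addr"; done
  done | sort
}

# compare_records LDAP_LIST DNS_LIST: print every line present on only one
# side; return 0 when both views agree, 1 when they differ.
compare_records() {
  t_ldap=$(mktemp) || return 2
  t_dns=$(mktemp) || { rm -f "$t_ldap"; return 2; }
  printf '%s\n' "$1" | grep -v '^$' | sort > "$t_ldap"
  printf '%s\n' "$2" | grep -v '^$' | sort > "$t_dns"
  comm -23 "$t_ldap" "$t_dns" | sed 's/^/only in LDAP: /'
  comm -13 "$t_ldap" "$t_dns" | sed 's/^/only in DNS:  /'
  diffs=$(comm -3 "$t_ldap" "$t_dns" | wc -l | tr -d ' ')
  rm -f "$t_ldap" "$t_dns"
  [ "$diffs" -eq 0 ]
}

# check_zone: pull the zone's records from the directory with an anonymous
# bind (what named does under "auth_method none") and compare them with the
# answers of the local named.
check_zone() {
  ldap_list=$(ldapsearch -x -LLL -H ldap://localhost \
      -b "idnsName=$ZONE,$BASE" '(objectClass=idnsRecord)' idnsName ARecord |
      ldap_a_records)
  dns_list=$(printf '%s\n' "$ldap_list" | cut -d' ' -f1 | sort -u |
      dns_a_records 127.0.0.1)
  compare_records "$ldap_list" "$dns_list"
}

# Stand-alone run: "sh thisfile check" on the test box.
if [ "${1:-}" = check ]; then
  check_zone && echo "LDAP and DNS agree for $ZONE"
fi
```

A non-empty report is worth a look even on a test box: a record present only in LDAP usually means the plug-in rejected the entry (check the named log), while one present only in DNS points at stale cache or a record that bypassed the directory. Run it once more after each ldapadd/ldapmodify to confirm the persistent search delivered the change.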