About the package:
This is an LDAP driver for BIND. The dynamic LDAP back-end is a plug-in for BIND that provides LDAP database back-end capabilities.
The package provides the ldap.so library.

Approach for testing
This covers configuring openldap and bind. bind-dyndb-ldap is used as the back-end through which Bind9 DNS reads its zone data from openldap. Two setups are involved:
Configure the LDAP server using openldap, adding the bind-dyndb-ldap schema
Configure dynamic loading of the back-end in named (bind)

Setup openldap
1) Create slapd.conf with the contents below

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/bind-dyndb-ldap.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

loglevel 256
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=test,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}KUS8va9cQ+UfW49PDSJ/clm
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=test,dc=example,dc=com" read
        by * none

Two points in this file matter for the BIND side later. The syncprov overlay is what provides the RFC 4533 refresh and persist search that the bind-dyndb-ldap back-end uses to follow changes. The access rule at the end belongs to the monitor database only; the bdb database for dc=example,dc=com has no access directives, so slapd's default of read access for everyone (including anonymous binds) applies to it.
Create the LDAP password for "dc=example,dc=com"
2) Create the password hash and set the "rootpw" entry in slapd.conf to it, using:
slappasswd -h {SSHA}
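The slapd.conf above mixes the rootdn credential with the access policy, so it is worth checking mechanically that the weak settings its own comments warn about (a cleartext rootpw, "allow bind_v2", an active referral, a database with no access rule) are gone before the directory goes live. The following lint is an added example and not part of OpenLDAP or bind-dyndb-ldap. Both sample configurations in it are constructed; the {SSHA} value in the hardened one is a placeholder for the output of slappasswd, and the ACL there is an assumption about how this test setup could be tightened while still letting named read the cn=dns subtree anonymously (which the "auth_method none" setting in named.conf requires).

```python
"""Lint a slapd.conf for the weak settings its own comments warn about.

Added example; it is not part of OpenLDAP or bind-dyndb-ldap. It reads the
slapd.conf(5) format used above: one directive per line, '#' comments, and
continuation lines that begin with whitespace.
"""

# Constructed sample with the weak settings present.
WEAK_CONF = """\
include /etc/openldap/schema/core.schema
allow bind_v2
referral ldap://root.openldap.org
database bdb
suffix "dc=example,dc=com"
rootdn "cn=test,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
"""

# Constructed hardened form. The {SSHA} value is a placeholder for the output
# of 'slappasswd -h {SSHA}'. The ACL is an assumption: it keeps anonymous read
# on the cn=dns subtree (what named needs with 'auth_method none') and hides
# everything else from unauthenticated clients.
HARDENED_CONF = """\
include /etc/openldap/schema/core.schema
# referral ldap://root.openldap.org
database bdb
suffix "dc=example,dc=com"
rootdn "cn=test,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
directory /var/lib/ldap
access to dn.subtree="cn=dns,dc=example,dc=com"
        by * read
access to *
        by * none
"""

NO_ACL = "database section has no access rule; slapd defaults to 'access to * by * read'"


def parse_slapd_conf(text):
    """Return (directive, arguments) pairs in file order, with comments and
    blank lines dropped and continuation lines joined to their directive."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:      # continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    pairs = []
    for line in logical:
        name, _, args = line.partition(" ")
        pairs.append((name.lower(), args.strip()))
    return pairs


def lint_slapd_conf(text):
    """Return a list of findings; an empty list means none of the checked
    weaknesses is present."""
    findings = []
    global_acl = False      # an 'access' directive seen before any database
    db_has_acl = None       # None until the first 'database' directive
    for name, args in parse_slapd_conf(text):
        if name == "rootpw" and not args.startswith("{"):
            findings.append("rootpw is stored in cleartext; hash it with slappasswd -h {SSHA}")
        elif name == "allow" and "bind_v2" in args.split():
            findings.append("'allow bind_v2' admits LDAPv2 clients; this is not the default")
        elif name == "referral":
            findings.append(f"'referral {args}' is active; enable referrals only once the directory works")
        elif name == "database":
            if db_has_acl is False and not global_acl:
                findings.append(NO_ACL)
            db_has_acl = False
        elif name == "access":
            if db_has_acl is None:
                global_acl = True
            else:
                db_has_acl = True
    if db_has_acl is False and not global_acl:
        findings.append(NO_ACL)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint_slapd_conf(conf) or ['no findings']}")
```

Run against the real file with lint_slapd_conf(open("/etc/openldap/slapd.conf").read()); the "database monitor" section in the configuration above carries an ACL, so the lint reports only the bdb database as relying on slapd's default read-for-everyone policy.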
Copy the schema to the openldap schema directory
3) cp /usr/share/doc/bind-dyndb-ldap*/schema /etc/openldap/schema/bind-dyndb-ldap.schema
4) Create user test (the rootdn cn=test,dc=example,dc=com) and its password
5) The slapd configuration is stored in a special LDAP directory (/etc/openldap/slapd.d). Convert the old slapd configuration file (/etc/openldap/slapd.conf) into the new directory: run slaptest to check the validity of the configuration file and specify the new configuration directory:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
6) Start slapd:
slapd -h "ldap:/// ldapi:///"
Make sure the process is listening on port 389 using:
netstat -ltpn | grep 389
and check that the listener belongs to slapd.
7) After verifying openldap has started successfully, add data.ldif as below:
Create data.ldif
<<>>
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: OpenLDAP Test
dc: example

dn: cn=test,dc=example,dc=com
objectclass: organizationalRole
cn: test
<<>>
Add it using ldapadd:
ldapadd -x -W -D "cn=test,dc=example,dc=com" -h localhost -f data.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "cn=test,dc=example,dc=com"
9) Verify it works using:
ldapsearch -D "cn=test,dc=example,dc=com" -W -b 'dc=example,dc=com'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: OpenLDAP Test
dc: example

# test, example.com
dn: cn=test,dc=example,dc=com
objectClass: organizationalRole
cn: test

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
10) To have IP addresses for the zone and its records, create virtual interfaces and assign IPs
Create virtual interfaces using:
ip link add veth0 type veth peer name veth1
ip link add veth2 type veth peer name veth3
Assign private IPs using:
ifconfig veth0 192.168.122.2 netmask 255.255.255.0
ifconfig veth1 192.168.122.3 netmask 255.255.255.0
ifconfig veth2 192.168.122.4 netmask 255.255.255.0
11) Add zones and records using an input file as below:
Create dns-domain.ldif
<<>>
# Top container
dn: cn=dns, dc=example, dc=com
objectClass: top
objectClass: organizationalRole
cn: dns

# Zone example.com
dn: idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: top
objectClass: idnsZone
objectClass: idnsRecord
idnsName: example.com
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A;
idnsZoneActive: TRUE
idnsSOAmName: server.example.com
idnsSOArName: root.server.example.com
idnsSOAserial: 1
idnsSOArefresh: 10800
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 86400
NSRecord: example.com.
ARecord: 192.168.122.2

# DNS records for zone example.com
dn: idnsName=server, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: server
CNAMERecord: example.com

dn: idnsName=foo, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: foo
ARecord: 192.168.122.3
ARecord: 192.168.122.4

dn: idnsName=bar, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: bar
ARecord: 192.168.122.5
<<>>
12) Add it using ldapadd:
ldapadd -H ldap://localhost -D "cn=test,dc=example,dc=com" -W -c -f dns-domain.ldif
LDAP configuration is complete.
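The LDAP schema only checks attribute syntax, so a zone file like dns-domain.ldif can load cleanly and still describe a zone BIND cannot serve correctly (a zone entry with an SOA attribute missing, an ARecord that is not an IPv4 address, or a CNAME owner that also carries other records, which RFC 1034 section 3.6.2 forbids). The validator below is an added example, not part of bind-dyndb-ldap; it parses the LDIF layout used above and applies those checks before the data is handed to ldapadd. The sample it carries is the dns-domain.ldif content from this page plus one constructed "broken" entry so that the checks have something to report; the RFC 1034 CNAME rule goes beyond what the page states.

```python
"""Validate a bind-dyndb-ldap zone LDIF before loading it with ldapadd.

Added example, not part of the bind-dyndb-ldap project. Parses the LDIF
layout used in dns-domain.ldif above and checks the DNS-level rules that
slapd's schema does not enforce.
"""
import ipaddress

# Constructed sample: the dns-domain.ldif entries from the setup above plus
# one deliberately bad entry ("broken") so the checks have something to find.
SAMPLE_LDIF = """\
dn: cn=dns, dc=example, dc=com
objectClass: top
objectClass: organizationalRole
cn: dns

dn: idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: top
objectClass: idnsZone
objectClass: idnsRecord
idnsName: example.com
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A;
idnsZoneActive: TRUE
idnsSOAmName: server.example.com
idnsSOArName: root.server.example.com
idnsSOAserial: 1
idnsSOArefresh: 10800
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 86400
NSRecord: example.com.
ARecord: 192.168.122.2

dn: idnsName=foo, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: foo
ARecord: 192.168.122.3
ARecord: 192.168.122.4

dn: idnsName=broken, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: broken
CNAMERecord: bar
ARecord: 192.168.122.999
"""

# SOA attributes every idnsZone entry must carry (as in the zone entry above).
SOA_ATTRS = ("idnsSOAmName", "idnsSOArName", "idnsSOAserial", "idnsSOArefresh",
             "idnsSOAretry", "idnsSOAexpire", "idnsSOAminimum")


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute name
    to the list of its values. Entries are separated by blank lines; '#'
    comment lines are skipped and a line starting with one space continues
    the previous value (LDIF folding)."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def check_entry(entry):
    """Return the list of problems found in one entry (empty if it is clean)."""
    problems = []
    dn = entry.get("dn", ["?"])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "idnszone" in classes:
        missing = [a for a in SOA_ATTRS if a.lower() not in entry]
        if missing:
            problems.append(f"{dn}: zone lacks SOA attribute(s) {missing}")
        if entry.get("idnszoneactive", ["TRUE"])[0].upper() != "TRUE":
            problems.append(f"{dn}: zone is not active")
    if classes & {"idnsrecord", "idnszone"}:
        for value in entry.get("arecord", []):
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"{dn}: ARecord {value!r} is not an IPv4 address")
        # RFC 1034 3.6.2: a CNAME owner name must have no other record data.
        other = sorted(a for a in entry if a.endswith("record") and a != "cnamerecord")
        if "cnamerecord" in entry and other:
            problems.append(f"{dn}: CNAMERecord combined with {other}")
    return problems


def validate_ldif(text):
    """Validate every entry in the LDIF text; return all problems found."""
    problems = []
    for entry in parse_ldif(text):
        problems.extend(check_entry(entry))
    return problems


if __name__ == "__main__":
    for problem in validate_ldif(SAMPLE_LDIF):
        print("PROBLEM:", problem)
```

For a real file use validate_ldif(open("dns-domain.ldif").read()) and only run ldapadd when the list comes back empty; on the sample, the three entries taken from this page pass and only the constructed "broken" entry is reported.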
Setup BIND
13) Set up named.conf. To configure dynamic loading of the back-end, add a "dynamic-db" block to named.conf that names the library and passes the LDAP settings as "arg" options.
Add this to /etc/named.conf:
dynamic-db "my_db_name" {
        library "ldap.so";
        arg "uri ldap:///";
        arg "base cn=dns, dc=example, dc=com";
        arg "auth_method none";
        arg "cache_ttl 300";
};
14) Start named:
service named start
With this configuration, the LDAP back-end will try to connect to the server given by "uri ldap:///" (the local host), binding anonymously because of "auth_method none". It will then run an RFC 4533 refresh&persist search in the "cn=dns,dc=example,dc=com" base for entries with object class idnsZone and idnsRecord. For each idnsZone entry it finds, it registers a new zone with BIND.
15) The setup is going to use the localhost server, so move the existing resolver configuration aside:
mv /etc/resolv.conf /etc/resolv.conf.org
Setup for BIND is complete.
Testing the setup.
1) Verify /var/named/dyndb-ldap contains an entry for my_db_name
2) Verify using nslookup
Name: foo.example.com
Address: 192.168.122.4
Name: foo.example.com
Address: 192.168.122.3

nslookup bar.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: bar.example.com
Address: 192.168.122.5
3) Add records:
Add a record for baz.example.com
Create add-zones.ldif
<<>>
dn: idnsName=baz, idnsName=example.com, cn=dns, dc=example, dc=com
objectClass: idnsRecord
objectClass: top
idnsName: baz
CNAMERecord: bar
<<>>
Add it using ldapadd:
-bash-4.2# ldapadd -H ldap://localhost -D "cn=test,dc=example,dc=com" -W -c -f add-zones.ldif
Enter LDAP Password:
adding new entry "idnsName=baz, idnsName=example.com, cn=dns, dc=example, dc=com"
Test whether it has been refreshed in the DNS data:
-bash-4.2# nslookup baz.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53

baz.example.com canonical name = bar.example.com.
Name: bar.example.com
Address: 192.168.122.3
Delete records:
Create baz-delete.ldif
<<>>
dn: idnsName=baz, idnsName=example.com, cn=dns, dc=example, dc=com
changetype: delete
<<>>
After the delete has been applied, the name is gone from DNS:
nslookup baz.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find baz.example.com: NXDOMAIN
Verify using dig
dig @localhost foo.example.com

; <<>> DiG <<>> @localhost foo.example.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42470
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;foo.example.com.               IN      A

;; ANSWER SECTION:
foo.example.com.        86400   IN      A       192.168.122.2

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      example.com.

;; ADDITIONAL SECTION:
example.com.            86400   IN      A       192.168.122.4

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 29 11:26:00 UTC 2015
;; MSG SIZE  rcvd: 90