Using OpenLDAP with BIND 9 DNS
Overview
This procedure describes one of the ways to implement BIND 9 zone tables in an OpenLDAP server. It was written for use with Fedora 8, but should apply in general to any UNIX/Linux installation with BIND 9 and OpenLDAP.
The following assumptions are made in this discussion:
● The Operating System is Fedora 8 with the Gnome desktop installed.
● OpenLDAP has been installed and configured to accept connections (refer to Configure OpenLDAP).
● The LDAP Browser application has been installed and configured (refer to Download and Install LDAP Browser).
● bind9 has been installed, configured and tested (refer to Download and Install BIND 9 DNS).
Jay Wheeler 05/03/2007 http://jaywheeler.users.sourceforge.net
Install BIND9 sdb
1. Start the Package Manager from the Add/Remove Software entry on the Applications menu:
2. Select the List view to show All packages. When the list has been populated, scroll down to the bind entries. If the bind-sdb package is not already installed, check the missing package and click Apply:
Configuration
1. Using a web browser, connect to the Internet and navigate to
http://bind9-ldap.bayour.com/zone2ldif.pl
This will download the latest version of zone2ldif, a Perl script to simplify conversion of BIND 9 zone files, to your download folder.
2. Using the File Manager (or Terminal) application, move zone2ldif.pl to /usr/local/bin, or some other suitable folder. Modify the owner (root:root) and permissions (755) for zone2ldif.pl.
3. Using the File Manager application navigate to /var/named, the location of the BIND 9 zone files (for a 'chrooted' named server, this would be /var/named/chroot/var/named).
4. Using zone2ldif, create LDIF files for each of the BIND 9 zone files to be loaded into OpenLDAP. In this example, the files would be earthwalk.lan.zone and 11.168.192.in-addr.arpa.zone (refer to Download and Install BIND 9 DNS):
/usr/local/bin/zone2ldif.pl -b dc=earthwalk,dc=org -z earthwalk.lan.zone -l earthwalk.lan.ldif
and
/usr/local/bin/zone2ldif.pl -b dc=earthwalk,dc=org -z 11.168.192.in-addr.arpa.zone -l 11.168.192.ldif
5. Create an LDIF file (e.g. ns.ldif) to contain the nameserver, nsgroup and ldap user definitions, similar to the one below:
#####################################################
# nameserver organization
#
# dn: o=nameserver,dc=earthwalk,dc=org
#
#####################################################
dn: o=nameserver,dc=earthwalk,dc=org
o: nameserver
objectClass: organization

#####################################################
# LDAP account
#
# dn: uid=ldap,ou=people,dc=earthwalk,dc=org
#
#####################################################
dn: uid=ldap,ou=people,dc=earthwalk,dc=org
telephoneNumber: +1 555 123 4567
uid: ldap
userPassword:: cGFzc3cwcmQ=
ou: people
givenName: EarthWalk LDAP Manager
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: ldap
cn: ldap
#####################################################
# LDAP Manager group container
#
# Add all users that are LDAP managers as a 'member' in this group
#
# dn: cn=nsgroup,ou=groups,dc=earthwalk,dc=org
#
#####################################################
dn: cn=nsgroup,ou=groups,dc=earthwalk,dc=org
description: EarthWalk Administrator group members
objectClass: groupOfNames
member: cn=manager,dc=earthwalk,dc=org
member: uid=ldap,ou=people,dc=earthwalk,dc=org
cn: nsgroup
6. Start the LDAP Browser application (Applications/Internet/LDAP Browser menu):
7. Connect to the OpenLDAP server using the Directory Manager account. A directory tree should be presented similar to the following:
8. Select LDIF/Import from the menu bar and select the ns.ldif file to import into the server:
9. The LDAP tree should now appear similar to the following tree structure:
10. Select LDIF/Import from the menu bar and select the forward zone LDIF file to import into the server (e.g. earthwalk.lan.ldif):
11. The LDAP tree should now show the forward zone definitions, similar to the following tree structure:
12. Select LDIF/Import from the menu bar and select the reverse zone LDIF file to import into the server (e.g. 11.168.192.ldif):
13. The LDAP tree should now show the reverse zone definitions, similar to the following tree structure:
14. Start the Service Configuration application from the System/Administration/Services menu:
15. Use an editor to modify the named.zones file in /etc (/var/named/chroot/etc for a 'chrooted' named server). Modify the forward zone (e.g. earthwalk.lan) and reverse zone (e.g. 11.168.192.in-addr.arpa) definitions to use LDAP for the lookups, rather than the original flat files:
##################################################################
#
# local lan forward zone
#
##################################################################
zone "earthwalk.lan" IN {
    type master;
    # file "earthwalk.lan.zone";
    database "ldap ldap://192.168.11.2/zoneName=earthwalk.lan,o=nameserver,dc=earthwalk,dc=org 178600";
    allow-update { key "rndckey"; };
    notify yes;
};

##################################################################
#
# local lan reverse zone
#
##################################################################
zone "11.168.192.in-addr.arpa" IN {
    type master;
    # file "11.168.192.in-addr.arpa.zone";
    database "ldap ldap://192.168.11.2/zoneName=11.168.192.in-addr.arpa,o=nameserver,dc=earthwalk,dc=org 178600";
    allow-update { key "rndckey"; };
    notify yes;
};
16. On the Service Configuration window, scroll down to the named service, highlight the entry and click on Restart.
17. Check the operation of the named server. Start the Network Tools application from the Applications/System Tools/Network Tools menu entry:
18. Check the operation of forward domain lookups:
and reverse domain lookups:
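The conversion that step 4 delegates to zone2ldif.pl, shown here as an added Python example that is not the page's script or part of the bind9-ldap project: it reads a plain BIND 9 zone file and emits dNSZone entries in the same shape as the Sample Forward/Reverse Domain LDIF appendices (zoneName container entry, then one entry per owner name with aRecord, cNAMERecord, nSRecord, pTRRecord or sOARecord attributes). The zone text it converts is constructed to match the first entries of the forward sample; $ORIGIN is ignored and parenthesised multi-line SOA records are rejected with a ValueError rather than guessed at.

```python
"""Convert simple BIND 9 zone records to dNSZone LDIF. Added example, not the page's
zone2ldif.pl: it emits the entry shape of the page's sample LDIF (objectClass dNSZone,
relativeDomainName, zoneName, dNSTTL, one attribute per record type)."""

# Zone-file record type -> dNSZone attribute, as used in the page's LDIF.
RECORD_ATTR = {"SOA": "sOARecord", "NS": "nSRecord", "A": "aRecord",
               "CNAME": "cNAMERecord", "PTR": "pTRRecord"}

# Constructed sample matching the first entries of the page's forward LDIF.
SAMPLE_ZONE = """\
$TTL 86400
@        IN SOA   @ root.earthwalk.lan. 200712130 3600 1800 604800 86400
         IN NS    ns.earthwalk.lan.
gateway  IN A     192.168.11.1
router   IN CNAME gateway
ns       IN A     192.168.11.2
"""

def zone_to_ldif(zone_text, zone_name, base_dn, default_ttl=86400):
    """Return LDIF: a zoneName container entry, then one entry per owner name."""
    records, ttls, last_owner = {}, {}, None    # owner -> [(attr, value)], owner -> TTL
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                # $TTL honoured; $ORIGIN etc. ignored
            if line.startswith("$TTL"):
                default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        # A leading blank means "same owner as the previous record".
        owner = last_owner if raw[0].isspace() else fields.pop(0)
        if owner is None or len(fields) < 2:
            raise ValueError("malformed record: %r" % raw)
        last_owner = owner
        ttl = int(fields.pop(0)) if fields[0].isdigit() else default_ttl
        if fields and fields[0].upper() == "IN":    # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper() if fields else ""
        if rtype not in RECORD_ATTR or not fields:  # unknown type or no RDATA
            raise ValueError("unsupported or incomplete record: %r" % raw)
        records.setdefault(owner, []).append((RECORD_ATTR[rtype], " ".join(fields)))
        ttls[owner] = ttl
    zone_dn = "zoneName=%s, %s" % (zone_name, base_dn)
    out = ["dn: " + zone_dn, "objectClass: top", "objectClass: dNSZone",
           "relativeDomainName: " + zone_name, "zoneName: " + zone_name, ""]
    for owner, recs in records.items():
        out += ["dn: relativeDomainName=%s, %s" % (owner, zone_dn), "dNSClass: IN",
                "objectClass: top", "objectClass: dNSZone",
                "relativeDomainName: " + owner, "dNSTTL: %d" % ttls[owner]]
        out += ["%s: %s" % (a, v) for a, v in recs] + ["zoneName: " + zone_name, ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(zone_to_ldif(SAMPLE_ZONE, "earthwalk.lan", "o=nameserver, dc=earthwalk,dc=org"))
```

Running the script prints LDIF that can be compared line by line with the forward sample below before importing it with LDIF/Import as in steps 10 and 12.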
References (last verified 2008-03-12)
The following Internet resources were used as references in developing this procedure or in understanding the processes involved:
LDAP sdb back-end for BIND 9: http://bind9-ldap.bayour.com/
How to use dnsZone with the BIND 9 sdb back-end: http://bind9-ldap.bayour.com/dnszonehowto.html
DNS/BIND the Easy Way: http://krnlpanic.com/tutorials/dns.php
Using the BIND 9 Simplified Database Interface: http://uw713doc.sco.com/en/NET_tcpip/dns.bind9sdi.html
HowTo: OpenLDAP + BIND: http://cit3.ldl.swin.edu.au/~533473X/index.php/HowTo:OpenLDAP+BIND
Configuring DNS Zones in LDAP: http://imil.net/docs/Configuring_DNS_zones_with_LDAP.txt
LDAP Howto, LDAP Links, LDAP Whitepapers: http://www.bind9.net/ldap
Sample Forward Domain LDIF
The following LDIF corresponds to the forward domain zone file developed in the Download and Install BIND 9 DNS documentation.
dn: zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
objectClass: top
objectClass: dNSZone
relativeDomainName: earthwalk.lan
zoneName: earthwalk.lan

dn: relativeDomainName=@, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
sOARecord: @ root.earthwalk.lan. 200712130 3600 1800 604800 86400
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: @
dNSTTL: 86400
nSRecord: ns.earthwalk.lan.
zoneName: earthwalk.lan

dn: relativeDomainName=gateway, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.1
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: gateway
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=router, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: gateway
objectClass: top
objectClass: dNSZone
relativeDomainName: router
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ns, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.2
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: ns
dNSTTL: 86400
zoneName: earthwalk.lan
dn: relativeDomainName=village, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: village
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=www, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: www
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ldap, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: ldap
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ftp, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: ftp
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=samba, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: samba
dNSTTL: 86400
zoneName: earthwalk.lan
dn: relativeDomainName=development, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.3
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: development
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=jay, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.10
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: jay
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=dev, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: jay
objectClass: top
objectClass: dNSZone
relativeDomainName: dev
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=wwwdev, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: jay
objectClass: top
objectClass: dNSZone
relativeDomainName: wwwdev
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=jays1150, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.69
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: jays1150
dNSTTL: 86400
zoneName: earthwalk.lan
dn: relativeDomainName=frans5160, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.33
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: frans5160
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=b130, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.100
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: b130
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=frans130, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.101
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: frans130
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=terrawalker, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.110
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: terrawalker
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=fran, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.111
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: fran
dNSTTL: 86400
zoneName: earthwalk.lan
dn: relativeDomainName=edward, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.120
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: edward
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=edwards1100, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: edward
objectClass: top
objectClass: dNSZone
relativeDomainName: edwards1100
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=michael, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.130
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: michael
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=michaels1100, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: michael
objectClass: top
objectClass: dNSZone
relativeDomainName: michaels1100
dNSTTL: 86400
zoneName: earthwalk.lan
Sample Reverse Domain LDIF
The following LDIF corresponds to the reverse domain zone file developed in the Download and Install BIND 9 DNS documentation.
dn: zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
objectClass: top
objectClass: dNSZone
relativeDomainName: 11.168.192.in-addr.arpa
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=@, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
sOARecord: @ root.earthwalk.lan. 200712120 3600 1800 604800 86400
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: @
dNSTTL: 86400
nSRecord: 2.11.168.192.in-addr.arpa.
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=1, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: gateway.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 1
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=2, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: ns.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 2
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=3, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: development.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 3
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa
dn: relativeDomainName=69, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: jays1150.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 69
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=33, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: frans5160.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 33
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=100, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: b130.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 100
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=101, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: frans130.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 101
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=110, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: terrawalker.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 110
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa
dn: relativeDomainName=111, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: fran.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 111
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=120, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: edward.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 120
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=121, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: edwards1100.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 121
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=130, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: michael.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 130
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=131, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: michaels1100.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 131
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa