
Using OpenLDAP with BIND 9 DNS

Overview

This procedure describes one of the ways to implement BIND 9 zone tables in an OpenLDAP server. It was written for use with Fedora 8, but should apply in general to any UNIX/Linux installation with BIND 9 and OpenLDAP.

The following assumptions are made in this discussion:

● The Operating System is Fedora 8 with the Gnome desktop installed.

● OpenLDAP has been installed and configured to accept connections (refer to Configure OpenLDAP).

● The LDAP Browser application has been installed and configured (refer to Download and Install LDAP Browser).

● bind9 has been installed, configured and tested (refer to Download and Install BIND 9 DNS).

Jay Wheeler 05/03/2007 http://jaywheeler.users.sourceforge.net

Install BIND 9 sdb

1. Start the Package Manager from the Add/Remove Software entry on the Applications menu:

2. Select the List view to show All packages. When the list has been populated, scroll down to the bind entries. If the bind-sdb package is not already installed, check the missing package and click Apply:


Configuration

1. Using a web browser, connect to the Internet and navigate to

http://bind9-ldap.bayour.com/zone2ldif.pl

This will download the latest version of zone2ldif, a Perl script to simplify conversion of BIND 9 zone files, to your download folder.

2. Using the File Manager (or Terminal) application, move zone2ldif.pl to /usr/local/bin or some other suitable folder. Set the owner (root:root) and permissions (755) of zone2ldif.pl.

3. Using the File Manager application navigate to /var/named, the location of the BIND 9 zone files (for a 'chrooted' named server, this would be /var/named/chroot/var/named).

4. Using zone2ldif, create LDIF files for each of the BIND 9 zone files to be loaded into OpenLDAP. In this example, the files would be earthwalk.lan.zone and 11.168.192.in-addr.arpa.zone (refer to Download and Install BIND 9 DNS):

/usr/local/bin/zone2ldif.pl -b dc=earthwalk,dc=org -z earthwalk.lan.zone -l earthwalk.lan.ldif

and

/usr/local/bin/zone2ldif.pl -b dc=earthwalk,dc=org -z 11.168.192.in-addr.arpa.zone -l 11.168.192.ldif
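To show what the conversion in step 4 actually produces, the Python below is an added example written for this page (it is not the zone2ldif.pl script the page downloads). It reads a small zone file and emits dNSZone entries shaped like the sample LDIF at the end of this document: one container entry for the zone, then one entry per owner name carrying that name's records. The zone text, zone name and base DN are constructed from the page's earthwalk.lan example; SOA, NS, A, CNAME and PTR records are handled and any other type stops the run.

```python
"""Turn a small BIND zone file into dNSZone LDIF (added example, not zone2ldif.pl)."""

# Constructed sample zone, laid out like the page's earthwalk.lan zone.
SAMPLE_ZONE = """\
$TTL 86400
@        IN  SOA    ns.earthwalk.lan. root.earthwalk.lan. (
                    200712130 ; serial
                    3600      ; refresh
                    1800      ; retry
                    604800    ; expire
                    86400 )   ; minimum
@        IN  NS     ns.earthwalk.lan.
gateway  IN  A      192.168.11.1
router   IN  CNAME  gateway
ns       IN  A      192.168.11.2
"""

# dNSZone attribute that carries each record type's rdata.
ATTR = {"SOA": "sOARecord", "NS": "nSRecord", "A": "aRecord",
        "CNAME": "cNAMERecord", "PTR": "pTRRecord"}


def _logical_lines(text):
    """Drop ';' comments and join parenthesised multi-line records into one line.
    The first physical line keeps its leading whitespace so the owner-name
    rule (indented line = same owner as the previous record) still works."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line if not buf else line.strip())
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    if buf:
        raise ValueError("unbalanced parentheses in zone file")
    return out


def parse_zone(text):
    """Return [(owner, ttl, type, rdata), ...] for the record types in ATTR."""
    default_ttl, owner, records = None, "@", []
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):
            continue  # other directives ($ORIGIN, $INCLUDE) are not needed here
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in ATTR:
            raise ValueError(f"unsupported record type {rtype} for {owner}")
        if ttl is None:
            raise ValueError(f"no TTL for {owner}: set $TTL or a per-record TTL")
        records.append((owner, ttl, rtype, " ".join(tokens)))
    return records


def zone_to_entries(text, zone, base_dn):
    """One container entry for the zone, then one dNSZone entry per owner name
    holding all of that name's records (dn first, attributes in insertion order)."""
    zone_dn = f"zoneName={zone},{base_dn}"
    entries = [{"dn": zone_dn, "objectClass": ["top", "dNSZone"],
                "zoneName": [zone], "relativeDomainName": [zone]}]
    by_owner = {}
    for owner, ttl, rtype, rdata in parse_zone(text):
        entry = by_owner.get(owner)
        if entry is None:
            entry = {"dn": f"relativeDomainName={owner},{zone_dn}",
                     "objectClass": ["top", "dNSZone"], "zoneName": [zone],
                     "relativeDomainName": [owner], "dNSClass": ["IN"],
                     "dNSTTL": [str(ttl)]}
            by_owner[owner] = entry
            entries.append(entry)
        entry.setdefault(ATTR[rtype], []).append(rdata)
    return entries


def to_ldif(entries):
    """Serialise entries as LDIF text with a blank line between entries."""
    lines = []
    for entry in entries:
        lines.append(f"dn: {entry['dn']}")
        for attr, values in entry.items():
            if attr != "dn":
                lines.extend(f"{attr}: {value}" for value in values)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ldif(zone_to_entries(SAMPLE_ZONE, "earthwalk.lan",
                                  "o=nameserver,dc=earthwalk,dc=org")))
```

Running it prints LDIF that can be fed to the same LDIF/Import step the page uses for the zone2ldif output; the grouping by owner name is what lets one relativeDomainName entry hold both the SOA and NS records of "@", as in the sample forward LDIF.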

5. Create an LDIF file (e.g. ns.ldif) to contain the nameserver, nsgroup and ldap user definitions, similar to the one below:

#####################################################
# nameserver organization
#
# dn: o=nameserver,dc=earthwalk,dc=org
#####################################################
dn: o=nameserver,dc=earthwalk,dc=org
o: nameserver
objectClass: organization

#####################################################
# LDAP account
#
# dn: uid=ldap,ou=people,dc=earthwalk,dc=org
#####################################################
dn: uid=ldap,ou=people,dc=earthwalk,dc=org
telephoneNumber: +1 555 123 4567
uid: ldap
userPassword:: cGFzc3cwcmQ=
ou: people
givenName: EarthWalk LDAP Manager
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: ldap
cn: ldap

#####################################################
# LDAP Manager group container
#
# Add all users that are LDAP managers as a 'member' in this group
#
# dn: cn=nsgroup,ou=groups,dc=earthwalk,dc=org
#####################################################
dn: cn=nsgroup,ou=groups,dc=earthwalk,dc=org
description: EarthWalk Administrator group members
objectClass: groupOfNames
member: cn=manager,dc=earthwalk,dc=org
member: uid=ldap,ou=people,dc=earthwalk,dc=org
cn: nsgroup


6. Start the LDAP Browser application (Applications/Internet/LDAP Browser menu):

7. Connect to the OpenLDAP server using the Directory Manager account. A directory tree should be presented similar to the following:

8. Select LDIF/Import from the menu bar and select the ns.ldif file to import into the server:

9. The LDAP tree should now appear similar to the following tree structure:


10. Select LDIF/Import from the menu bar and select the forward zone LDIF file to import into the server (e.g. earthwalk.lan.ldif):

11. The LDAP tree should now show the forward zone definitions, similar to the following tree structure:

12. Select LDIF/Import from the menu bar and select the reverse zone LDIF file to import into the server (e.g. 11.168.192.ldif):

13. The LDAP tree should now show the reverse zone definitions, similar to the following tree structure:

14. Start the Service Configuration application from the System/Administration/Services menu:

15. Use an editor to modify the named.zones file in /etc (/var/named/chroot/etc for a 'chrooted' named server). Modify the forward zone (e.g. earthwalk.lan) and reverse zone (e.g. 11.168.192.in-addr.arpa) definitions to use LDAP for the lookups rather than the original flat files:

##################################################################
#
# local lan forward zone
#
##################################################################
zone "earthwalk.lan" IN {
    type master;
    # file "earthwalk.lan.zone";
    database "ldap ldap://192.168.11.2/zoneName=earthwalk.lan,o=nameserver,dc=earthwalk,dc=org 178600";
    allow-update { key "rndckey"; };
    notify yes;
};

##################################################################
#
# local lan reverse zone
#
##################################################################
zone "11.168.192.in-addr.arpa" IN {
    type master;
    # file "11.168.192.in-addr.arpa.zone";
    database "ldap ldap://192.168.11.2/zoneName=11.168.192.in-addr.arpa,o=nameserver,dc=earthwalk,dc=org 178600";
    allow-update { key "rndckey"; };
    notify yes;
};

16. On the Service Configuration window, scroll down to the named service, highlight the entry and click on Restart.


17. Check the operation of the named server. Start the Network Tools application from the Applications/System Tools/Network Tools menu entry:

18. Check the operation of forward domain lookups:


and reverse domain lookups:
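Beyond the interactive lookups above, a check worth running once both zones are in LDAP is that the forward and reverse zones agree with each other. The Python below is an added example written for this page (not part of the original procedure). It parses dNSZone LDIF of the shape shown in the samples at the end of this document and reports A records that have no PTR, PTRs that point at a CNAME instead of an address record, and PTRs whose target carries a different address. The LDIF it reads is constructed for the example and deliberately contains one host without a PTR and one PTR aimed at a CNAME, so both findings appear when it is run.

```python
"""Cross-check forward A records against in-addr.arpa PTR records in dNSZone LDIF
(added example for this page; the LDIF below is constructed)."""
import base64
import ipaddress

# Constructed sample: four forward entries and three reverse entries.
# 'fran' has no PTR, and 121 points at 'edwards1100', which is a CNAME.
SAMPLE_LDIF = """\
dn: relativeDomainName=ns, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
objectClass: dNSZone
zoneName: earthwalk.lan
relativeDomainName: ns
aRecord: 192.168.11.2

dn: relativeDomainName=edward, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
objectClass: dNSZone
zoneName: earthwalk.lan
relativeDomainName: edward
aRecord: 192.168.11.120

dn: relativeDomainName=edwards1100, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
objectClass: dNSZone
zoneName: earthwalk.lan
relativeDomainName: edwards1100
cNAMERecord: edward

dn: relativeDomainName=fran, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
objectClass: dNSZone
zoneName: earthwalk.lan
relativeDomainName: fran
aRecord: 192.168.11.111

dn: relativeDomainName=2, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
objectClass: dNSZone
zoneName: 11.168.192.in-addr.arpa
relativeDomainName: 2
pTRRecord: ns.earthwalk.lan.

dn: relativeDomainName=120, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
objectClass: dNSZone
zoneName: 11.168.192.in-addr.arpa
relativeDomainName: 120
pTRRecord: edward.earthwalk.lan.

dn: relativeDomainName=121, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
objectClass: dNSZone
zoneName: 11.168.192.in-addr.arpa
relativeDomainName: 121
pTRRecord: edwards1100.earthwalk.lan.
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    'attr:: value' decoded from base64 (as in the page's userPassword line).
    Folded continuation lines are not handled."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def fqdn_of(entry):
    """Absolute name of a dNSZone entry ('@' means the zone apex)."""
    zone, rel = entry["zoneName"][0], entry["relativeDomainName"][0]
    return zone + "." if rel == "@" else f"{rel}.{zone}."


def reverse_name(ip):
    """'192.168.11.2' -> '2.11.168.192.in-addr.arpa.'"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ip_of_reverse_name(name):
    """'2.11.168.192.in-addr.arpa.' -> '192.168.11.2'"""
    suffix = ".in-addr.arpa."
    if not name.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse name: {name}")
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def check_zones(entries):
    """Return human-readable findings for forward/reverse disagreements."""
    a, cname, ptr = {}, {}, {}
    for e in entries:
        if "dNSZone" not in e.get("objectClass", []) or "relativeDomainName" not in e:
            continue
        name = fqdn_of(e)
        for ip in e.get("aRecord", []):
            a.setdefault(name, set()).add(ip)
        for target in e.get("cNAMERecord", []):
            cname[name] = target
        for target in e.get("pTRRecord", []):
            ptr.setdefault(name, set()).add(target)
    findings = []
    for name, ips in sorted(a.items()):
        for ip in sorted(ips):
            if name not in ptr.get(reverse_name(ip), set()):
                findings.append(f"no PTR for {name} ({ip})")
    for rev, targets in sorted(ptr.items()):
        ip = ip_of_reverse_name(rev)
        for target in sorted(targets):
            if target in a and ip not in a[target]:
                findings.append(f"PTR {ip} -> {target} but A record is {sorted(a[target])}")
            elif target not in a:
                why = f"is a CNAME for {cname[target]}" if target in cname else "has no A record"
                findings.append(f"PTR {ip} -> {target} {why}")
    return findings


if __name__ == "__main__":
    for finding in check_zones(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Point it at the two LDIF files produced in step 4 (concatenated) and an empty result means every address maps back to the name that owns it; a PTR that resolves to a CNAME is worth fixing because reverse lookups are expected to yield the canonical host name, and a missing PTR is what usually shows up first in the reverse-lookup check of step 18.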


References (last verified 2008-03-12)

The following Internet resources were used as references in developing this procedure or in understanding the processes involved:

LDAP sdb back-end for BIND 9 - http://bind9-ldap.bayour.com/

How to use dnsZone with the BIND 9 sdb back-end - http://bind9-ldap.bayour.com/dnszonehowto.html

DNS/BIND the Easy Way - http://krnlpanic.com/tutorials/dns.php

Using the BIND 9 Simplified Database Interface - http://uw713doc.sco.com/en/NET_tcpip/dns.bind9sdi.html

HowTo: OpenLDAP + BIND - http://cit3.ldl.swin.edu.au/~533473X/index.php/HowTo:OpenLDAP+BIND

Configuring DNS Zones in LDAP - http://imil.net/docs/Configuring_DNS_zones_with_LDAP.txt

LDAP Howto, LDAP Links, LDAP Whitepapers - http://www.bind9.net/ldap


Sample Forward Domain LDIF

The following LDIF corresponds to the forward domain zone file developed in the Download and Install BIND 9 DNS documentation.

dn: zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
objectClass: top
objectClass: dNSZone
relativeDomainName: earthwalk.lan
zoneName: earthwalk.lan

dn: relativeDomainName=@, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
sOARecord: @ root.earthwalk.lan. 200712130 3600 1800 604800 86400
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: @
dNSTTL: 86400
nSRecord: ns.earthwalk.lan.
zoneName: earthwalk.lan

dn: relativeDomainName=gateway, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.1
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: gateway
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=router, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: gateway
objectClass: top
objectClass: dNSZone
relativeDomainName: router
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ns, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.2
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: ns
dNSTTL: 86400
zoneName: earthwalk.lan


dn: relativeDomainName=village, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: village
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=www, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: www
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ldap, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: ldap
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ftp, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: ftp
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=samba, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: samba
dNSTTL: 86400
zoneName: earthwalk.lan


dn: relativeDomainName=development, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.3
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: development
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=jay, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.10
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: jay
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=dev, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: jay
objectClass: top
objectClass: dNSZone
relativeDomainName: dev
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=wwwdev, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: jay
objectClass: top
objectClass: dNSZone
relativeDomainName: wwwdev
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=jays1150, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.69
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: jays1150
dNSTTL: 86400
zoneName: earthwalk.lan


dn: relativeDomainName=frans5160, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.33
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: frans5160
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=b130, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.100
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: b130
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=frans130, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.101
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: frans130
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=terrawalker, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.110
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: terrawalker
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=fran, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.111
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: fran
dNSTTL: 86400
zoneName: earthwalk.lan


dn: relativeDomainName=edward, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.120
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: edward
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=edwards1100, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: edward
objectClass: top
objectClass: dNSZone
relativeDomainName: edwards1100
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=michael, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.130
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: michael
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=michaels1100, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: michael
objectClass: top
objectClass: dNSZone
relativeDomainName: michaels1100
dNSTTL: 86400
zoneName: earthwalk.lan


Sample Reverse Domain LDIF

The following LDIF corresponds to the reverse domain zone file developed in the Download and Install BIND 9 DNS documentation.

dn: zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
objectClass: top
objectClass: dNSZone
relativeDomainName: 11.168.192.in-addr.arpa
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=@, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
sOARecord: @ root.earthwalk.lan. 200712120 3600 1800 604800 86400
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: @
dNSTTL: 86400
nSRecord: 2.11.168.192.in-addr.arpa.
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=1, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: gateway.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 1
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=2, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: ns.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 2
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=3, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: development.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 3
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa


dn: relativeDomainName=69, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: jays1150.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 69
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=33, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: frans5160.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 33
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=100, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: b130.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 100
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=101, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: frans130.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 101
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=110, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: terrawalker.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 110
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa


dn: relativeDomainName=111, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: fran.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 111
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=120, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: edward.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 120
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=121, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: edwards1100.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 121
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=130, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: michael.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 130
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=131, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: michaels1100.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 131
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa
