Using OpenLDAP With Bind9 DNS
Overview
This procedure describes one way to store BIND 9 zone data in an OpenLDAP server, using the BIND 9 simplified database (sdb) LDAP back-end. It was written for Fedora 8, but should apply in general to any UNIX/Linux installation with BIND 9 and OpenLDAP. The following assumptions are made in this discussion:
The operating system is Fedora 8 with the GNOME desktop installed.
OpenLDAP has been installed and configured to accept connections (refer to Configure OpenLDAP).
The LDAP Browser application has been installed and configured (refer to Download and Install LDAP Browser).
BIND 9 has been installed, configured and tested (refer to Download and Install BIND 9 DNS).
Jay Wheeler
05/03/2007
http://jaywheeler.users.sourceforge.net
Install BIND9 sdb
1. Start the Package Manager from the Add/Remove Software entry on the Applications menu:
2. Select the List view to show All packages. When the list has been populated, scroll down to the bind entries. If the bind-sdb package is not already installed, check the missing package and click Apply:
Configuration
1. Using a web browser, navigate to http://bind9-ldap.bayour.com/zone2ldif.pl This downloads the latest version of zone2ldif, a Perl script that converts BIND 9 zone files to LDIF, to your download folder. The script is fetched over plain HTTP, so review its contents before installing and running it.
2. Using the File Manager (or a terminal), move zone2ldif.pl to /usr/local/bin, or another suitable folder. Set the owner (root:root) and permissions (755) of zone2ldif.pl.
3. Using the File Manager, navigate to /var/named, the location of the BIND 9 zone files (for a 'chrooted' named server, this is /var/named/chroot/var/named).
4. Using zone2ldif, create an LDIF file for each of the BIND 9 zone files to be loaded into OpenLDAP. In this example the files are earthwalk.lan.zone and 11.168.192.in-addr.arpa.zone (refer to Download and Install BIND 9 DNS):
/usr/local/bin/zone2ldif.pl -b dc=earthwalk,dc=org -z earthwalk.lan.zone -l earthwalk.lan.ldif
and
/usr/local/bin/zone2ldif.pl -b dc=earthwalk,dc=org -z 11.168.192.in-addr.arpa.zone -l 11.168.192.ldif
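The following Python script is an added example, not the zone2ldif.pl script used above. It shows what that conversion does: each owner name in a BIND zone file becomes one dNSZone entry beneath a zone container entry, with the records stored as sOARecord, nSRecord, aRecord, cNAMERecord and pTRRecord attributes, which is the layout of the LDIF imported below and of the sample LDIF at the end of this document. The base DN o=nameserver,dc=earthwalk,dc=org is the one used on this page; the zone text inside the script (SAMPLE_ZONE) is constructed sample data, the function names are the example's own, and only the record types that appear on this page plus the $TTL directive are handled.

```python
"""Convert a BIND zone file into dNSZone LDIF entries.

Added example, not the zone2ldif.pl script used in this procedure.  It shows
how zone file records map onto the dNSZone objects that the BIND 9 LDAP sdb
driver reads: one container entry per zone plus one entry per owner name,
with the records held in sOARecord / nSRecord / aRecord / cNAMERecord /
pTRRecord attributes.  Only those types and the $TTL directive are handled.
"""
import re

# dNSZone attribute that holds each supported record type.
RR_ATTR = {"SOA": "sOARecord", "NS": "nSRecord", "A": "aRecord",
           "CNAME": "cNAMERecord", "PTR": "pTRRecord"}

# Constructed sample zone (same hosts as the page's earthwalk.lan examples).
SAMPLE_ZONE = """\
$TTL 86400
@       IN SOA  ns.earthwalk.lan. root.earthwalk.lan. (
                200712130 ; serial
                3600      ; refresh
                1800      ; retry
                604800    ; expire
                86400 )   ; minimum
        IN NS   ns.earthwalk.lan.
gateway IN A    192.168.11.1
router  IN CNAME gateway
ns      IN A    192.168.11.2
"""


def parse_zone(text):
    """Return (default_ttl, [(owner, ttl, type, rdata), ...]).

    Comments are stripped, parenthesised records are joined onto one line,
    and a record whose line starts with whitespace inherits the previous
    owner, as in the zone file syntax.
    """
    body = re.sub(r";[^\n]*", "", text)
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    default_ttl, records, owner = None, [], "@"
    for line in body.splitlines():
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):
            continue  # $ORIGIN/$INCLUDE are outside this example's scope
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0)
        ttl = default_ttl
        if fields[0].isdigit():          # optional explicit TTL
            ttl = int(fields.pop(0))
        if fields[0].upper() == "IN":    # optional class
            fields.pop(0)
        rrtype = fields.pop(0).upper()
        if rrtype not in RR_ATTR:
            raise ValueError(f"unsupported record type {rrtype} for {owner}")
        records.append((owner, ttl, rrtype, " ".join(fields)))
    return default_ttl, records


def to_ldif(zone, base_dn, text):
    """Render the zone as LDIF under base_dn, one entry per owner name."""
    _, records = parse_zone(text)
    zone_dn = f"zoneName={zone},{base_dn}"
    entries = [[f"dn: {zone_dn}", "objectClass: top", "objectClass: dNSZone",
                f"relativeDomainName: {zone}", f"zoneName: {zone}"]]
    by_owner = {}
    for owner, ttl, rrtype, rdata in records:
        by_owner.setdefault(owner, []).append((ttl, rrtype, rdata))
    for owner, rrs in by_owner.items():
        attrs = [f"dn: relativeDomainName={owner},{zone_dn}",
                 "objectClass: top", "objectClass: dNSZone",
                 f"zoneName: {zone}", f"relativeDomainName: {owner}",
                 "dNSClass: IN"]
        # dNSTTL is single-valued in the schema: one TTL per owner name.
        ttls = {ttl for ttl, _, _ in rrs if ttl is not None}
        if len(ttls) > 1:
            raise ValueError(f"{owner}: dNSZone cannot hold differing TTLs {ttls}")
        if ttls:
            attrs.append(f"dNSTTL: {ttls.pop()}")
        attrs += [f"{RR_ATTR[t]}: {rdata}" for _, t, rdata in rrs]
        entries.append(attrs)
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


if __name__ == "__main__":
    print(to_ldif("earthwalk.lan", "o=nameserver,dc=earthwalk,dc=org", SAMPLE_ZONE))
```

The one schema limit worth knowing before converting a real zone is the dNSTTL check: the dnszone schema stores a single TTL per owner name, so a zone that gives two records of the same name different TTLs cannot be represented one-to-one and the script refuses it rather than silently picking one.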
5. Create an LDIF file (e.g. ns.ldif) containing the nameserver organization, the ldap user and the nsgroup definitions, similar to the one below. The userPassword value shown is only a base64-encoded placeholder (the double colon in LDIF means base64, not hashing; this one decodes to passw0rd). Replace it with a hash generated by slappasswd before importing the file.
####################################################
#
# nameserver organization
#
# dn: o=nameserver,dc=earthwalk,dc=org
#
####################################################
dn: o=nameserver,dc=earthwalk,dc=org
o: nameserver
objectClass: organization

####################################################
#
# LDAP account
#
# dn: uid=ldap,ou=people,dc=earthwalk,dc=org
#
####################################################
dn: uid=ldap,ou=people,dc=earthwalk,dc=org
telephoneNumber: +1 555 123 4567
uid: ldap
userPassword:: cGFzc3cwcmQ=
ou: people
givenName: EarthWalk LDAP Manager
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: ldap
cn: ldap
####################################################
#
# LDAP Manager group container
#
# Add all users that are LDAP managers as a 'member' in this group
#
# dn: cn=nsgroup,ou=groups,dc=earthwalk,dc=org
#
####################################################
dn: cn=nsgroup,ou=groups,dc=earthwalk,dc=org
description: EarthWalk Administrator group members
objectClass: groupOfNames
member: cn=manager,dc=earthwalk,dc=org
member: uid=ldap,ou=people,dc=earthwalk,dc=org
cn: nsgroup
7. Using the LDAP Browser, connect to the OpenLDAP server with the Directory Manager account. A directory tree similar to the following should be presented:
8. Select LDIF/Import from the menu bar and select the ns.ldif file to import into the server:
9. The LDAP tree should now appear similar to the following tree structure:
10. Select LDIF/Import from the menu bar and select the forward zone LDIF file to import into the server (e. g. - earthwalk.lan.ldif):
11. The LDAP tree should now show the forward zone definitions, similar to the following tree structure:
12. Select LDIF/Import from the menu bar and select the reverse zone LDIF file to import into the server (e. g. - 11.168.192.ldif):
13. The LDAP tree should now show the reverse zone definitions, similar to the following tree structure:
14. Start the Service Configuration application from the System/Administration/Services menu:
15. Use an editor to modify the named.zones file in /etc (/var/named/chroot/etc for a 'chrooted' named server). Change the forward zone (e.g. earthwalk.lan) and reverse zone (e.g. 11.168.192.in-addr.arpa) definitions so that a database statement replaces the file statement and named reads the zone from LDAP rather than from the flat files. The database string names the sdb driver (ldap), an LDAP URL whose base is the zone's container entry, and a default TTL in seconds for records that carry no dNSTTL attribute. Two points to note: the URL carries no credentials, so named binds to the directory anonymously, which means the slapd access controls must allow anonymous read of the o=nameserver subtree while restricting write access to the nameserver administrators (anyone who can modify those entries controls the answers named gives); and the sdb interface does not support dynamic update, so the allow-update clause carried over from the file-based zone does not provide a way to change these records, which are changed by editing the directory entries.
##################################################################
#
# local lan forward zone
#
##################################################################
zone "earthwalk.lan" IN {
        type master;
#       file "earthwalk.lan.zone";
        database "ldap ldap://192.168.11.2/zoneName=earthwalk.lan,o=nameserver,dc=earthwalk,dc=org 178600";
        allow-update { key "rndckey"; };
        notify yes;
};

##################################################################
#
# local lan reverse zone
#
##################################################################
zone "11.168.192.in-addr.arpa" IN {
        type master;
#       file "11.168.192.in-addr.arpa.zone";
        database "ldap ldap://192.168.11.2/zoneName=11.168.192.in-addr.arpa,o=nameserver,dc=earthwalk,dc=org 178600";
        allow-update { key "rndckey"; };
        notify yes;
};
16. On the Service Configuration window, scroll down to the named service, highlight the entry and click on Restart.
17. Check the operation of the named server. Start the Network Tools application from the Applications/System Tools/Network Tools menu entry and look up a forward name (e.g. www.earthwalk.lan) and a reverse address (e.g. 192.168.11.2); the same checks can be made from a terminal with dig or host:
References (last verified 2008-03-12)
The following Internet resources were used as references in developing this procedure or in understanding the processes involved:
LDAP sdb back-end for BIND 9 - http://bind9-ldap.bayour.com/
How to use dnsZone with the BIND 9 sdb back-end - http://bind9-ldap.bayour.com/dnszonehowto.html
DNS/BIND the Easy Way - http://krnlpanic.com/tutorials/dns.php
Using the BIND 9 Simplified Database Interface - http://uw713doc.sco.com/en/NET_tcpip/dns.bind9sdi.html
HowTo: OpenLDAP + BIND - http://cit3.ldl.swin.edu.au/~533473X/index.php/HowTo:OpenLDAP+BIND
Configuring DNS Zones in LDAP - http://imil.net/docs/Configuring_DNS_zones_with_LDAP.txt
LDAP Howto, LDAP Links, LDAP Whitepapers - http://www.bind9.net/ldap
Sample Forward Domain LDIF
The following LDIF corresponds to the forward domain zone file developed in the Download and Install Bind9 DNS documentation:
dn: zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
objectClass: top
objectClass: dNSZone
relativeDomainName: earthwalk.lan
zoneName: earthwalk.lan

dn: relativeDomainName=@, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
sOARecord: @ root.earthwalk.lan. 200712130 3600 1800 604800 86400
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: @
dNSTTL: 86400
nSRecord: ns.earthwalk.lan.
zoneName: earthwalk.lan

dn: relativeDomainName=gateway, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.1
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: gateway
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=router, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: gateway
objectClass: top
objectClass: dNSZone
relativeDomainName: router
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ns, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.2
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: ns
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=village, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: village
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=www, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: www
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ldap, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: ldap
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=ftp, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: ftp
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=samba, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: ns
objectClass: top
objectClass: dNSZone
relativeDomainName: samba
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=development, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.3
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: development
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=jay, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.10
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: jay
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=dev, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: jay
objectClass: top
objectClass: dNSZone
relativeDomainName: dev
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=wwwdev, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: jay
objectClass: top
objectClass: dNSZone
relativeDomainName: wwwdev
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=jays1150, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.69
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: jays1150
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=frans5160, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.33
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: frans5160
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=b130, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.100
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: b130
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=frans130, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.101
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: frans130
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=terrawalker, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.110
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: terrawalker
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=fran, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.111
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: fran
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=edward, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.120
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: edward
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=edwards1100, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: edward
objectClass: top
objectClass: dNSZone
relativeDomainName: edwards1100
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=michael, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
aRecord: 192.168.11.130
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: michael
dNSTTL: 86400
zoneName: earthwalk.lan

dn: relativeDomainName=michaels1100, zoneName=earthwalk.lan, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
cNAMERecord: michael
objectClass: top
objectClass: dNSZone
relativeDomainName: michaels1100
dNSTTL: 86400
zoneName: earthwalk.lan
Sample Reverse Domain LDIF
The following LDIF corresponds to the reverse domain zone file developed in the Download and Install Bind9 DNS documentation:
dn: zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
objectClass: top
objectClass: dNSZone
relativeDomainName: 11.168.192.in-addr.arpa
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=@, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
sOARecord: @ root.earthwalk.lan. 200712120 3600 1800 604800 86400
dNSClass: IN
objectClass: top
objectClass: dNSZone
relativeDomainName: @
dNSTTL: 86400
nSRecord: 2.11.168.192.in-addr.arpa.
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=1, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: gateway.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 1
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=2, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: ns.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 2
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=3, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: development.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 3
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=69, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: jays1150.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 69
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=33, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: frans5160.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 33
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=100, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: b130.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 100
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=101, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: frans130.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 101
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=110, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: terrawalker.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 110
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=111, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: fran.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 111
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=120, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: edward.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 120
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=121, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: edwards1100.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 121
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=130, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: michael.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 130
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa

dn: relativeDomainName=131, zoneName=11.168.192.in-addr.arpa, o=nameserver, dc=earthwalk,dc=org
dNSClass: IN
pTRRecord: michaels1100.earthwalk.lan.
objectClass: top
objectClass: dNSZone
relativeDomainName: 131
dNSTTL: 86400
zoneName: 11.168.192.in-addr.arpa