From: https://www.section6.net/wiki/index.php/Configuring_DNS_zones_in_LDAP
===========================================================================

Configuring DNS zones in LDAP
From Section6wiki

Configuring DNS zones to use LDAP

author: TBONIUS

Often it is desirable to store DNS information in a database rather than in zones that are flat ASCII text files. Storing zone data in a database can greatly reduce administration overhead, since associated information such as billing contacts, account management, etc. can be stored and processed in the same database. Also, due to the nature of DNS design, information must be stored redundantly on two or more hosts. The classical data replication through zone transfer is unreliable, insecure and often difficult to administer.

To overcome this problem some projects have attempted to store DNS information in relational databases. One of the major issues with many of these attempts is the nature of DNS itself: being hierarchical, it also requires the database to be. Using a relational database to store DNS information can be undesirable, because it becomes difficult to store free-form information as the name space of an organization grows.

Enter LDAP. LDAP (Lightweight Directory Access Protocol) is probably the most widespread hierarchical database protocol used today. LDAP allows for flexibility in its database schema, so as an organization grows or changes, the database used to store information reflecting that organization can also grow and change.

This article will discuss configuring BIND 9.3 to store its zone files in an LDAP directory database. There are a few assumptions made here:

1. The Section6 article "What Is LDAP?" (http://www.section6.net/wiki/index.php/What_is_LDAP) has been read
2. The Section6 article "Using DNS With BIND" (http://www.section6.net/wiki/index.php/Using_DNS_with_BIND) has been read
3. The Section6 article "Keeping Your System Current With CVSUP" (http://www.section6.net/wiki/index.php/Keeping_your_FreeBSD_system_current_with_CVSUP) has been read
4. A full and updated Ports tree exists on a FreeBSD computer
5. A functioning installation of the OpenLDAP client and server exists on a FreeBSD computer

Compiling BIND

We first need to fetch and extract the source for BIND9 in the ports tree. We can accomplish this by going to the BIND directory:

    root@host# cd /usr/ports/dns/bind9
    root@host# make extract

This will extract the BIND9 source into a work directory under the ports tree. We then need to download a handy library that will allow BIND to use the LDAP client libraries.

BIND-SDB-LDAP

BIND-SDB-LDAP is a modification to the "Simplified Database" (sdb) API that provides an LDAP back-end interface for BIND9. With this API, BIND can store zones in an LDAP database rather than in files. Note that when using sdb, the zones are not cached in memory: BIND will actually perform a database lookup whenever it gets a query.

The BIND-SDB-LDAP tarball is downloadable here (http://www.section6.net/help/bind-sdb-ldap-1.0.tar.gz). Once downloaded, extract it to the directory of your choice by running the following command:

    root@host# tar -xzf bind-sdb-ldap-1.0.tar.gz

This will create a bind-sdb-ldap-1.0 directory with the source in it. Change to the source directory of bind-sdb-ldap-1.0, copy the ldapdb.c file to /usr/ports/dns/bind9/work/bind-9.3.1/bin/named/ and copy the ldapdb.h file to /usr/ports/dns/bind9/work/bind-9.3.1/bin/named/include.

After the source files have been copied to the BIND9 work directory, we need to make a few modifications to the BIND9 source so that, when compiled, it will use the new APIs.
Change directories to /usr/ports/dns/bind9/work/bind-9.3.1/bin/named/ and edit the Makefile.in file, making the following modifications where you see these lines:

    #
    # Add database drivers here.
    #
    DBDRIVER_OBJS = ldapdb.@O@
    DBDRIVER_SRCS = ldapdb.c
    DBDRIVER_INCLUDES = -I/usr/local/include
    DBDRIVER_LIBS = -L/usr/local/lib -lldap -llber -lresolv

Next we will need to modify the main.c file in the same directory. Look for the following line:

    /* #include "xxdb.h" */

We need to change this to include the LDAPDB header:

    #include "ldapdb.h"

In the same file, look for the initialization line:

    /* xxdb_init(); */

We need to add a line below this to call the LDAPDB initialization function:

    ldapdb_init();

And finally we need to find the cleanup routine line:

    /* xxdb_clear(); */

We need to add a line below this to call the LDAPDB cleanup function:

    ldapdb_clear();

Once this file has been saved, we should be able to return to the main ports directory for BIND9 and try compiling it:

    root@host# cd /usr/ports/dns/bind9
    root@host# make install

Setting up the schema

Now that we have compiled and installed our new BIND9, we need to extend the schema of OpenLDAP for the storage of zone files in the LDAP database. Download the dnszone schema file (http://www.section6.net/help/dnszone.zip) from Section6.net and extract it. Once extracted, copy the dnszone.schema file to your /usr/local/etc/openldap/schema directory with the rest of the LDAP schemas. Once it is in the schema directory, simply edit the /usr/local/etc/openldap/slapd.conf file and add the following line under the rest of your schema includes:

    include /usr/local/etc/openldap/schema/dnszone.schema

Once the schema has been included, we must restart OpenLDAP so that the slapd process will load the extended schema.
    root@host# /usr/local/etc/rc.d/slapd.sh stop
    root@host# /usr/local/etc/rc.d/slapd.sh start

Configuring the named.conf

The usual configuration for named is to store its zones in flat text files located somewhere on the system. The usual configuration in FreeBSD might look something like this:

    zone "domain.com" {
        type master;
        file "zones/db.domain.com";
        notify yes;
    };

Instead of using the file option to store the zone information, we replace it with the database option and make a call to the LDAP client library through the ldap sdb driver:

    zone "domain.com" {
        type master;
        database "ldap ldap://localhost/dc=domain,dc=com,o=DNS,dc=domain,dc=no 172800";
    };

When doing lookups BIND will do a sub-tree search below the base DN given in the URL. The number 172800 is the TTL which will be used for all entries that do not have the dNSTTL attribute defined in the schema. Also, if you do not want named to attach anonymously to the LDAP database, you could define something like:

    ldap://localhost/dc=domain,dc=com,o=DNS,dc=domain,dc=no????!bindname=cn=admin%2cdc=domain%2cdc=no,!x-bindpw=secret

In the previous example, named attaches to the LDAP database as the admin user with the password secret to perform its operations. Note that this places the bind password in named.conf in clear text, so that file should be readable only by the user named runs as, and the account used for binding needs no more than read access to the DNS subtree.

Adding records to the database

Most administrators already use some sort of LDAP administration tool to perform operations such as adding and removing account information from the database. For this example, we will supply what is commonly known as an LDIF file to use as a guideline for adding records to the database. First let us look at what a standard zone file might look like:

    @       3600    IN  SOA     ns.domain.com. root.domain.com. (
                                2001030201 3600 1800 604800 86400 )
                        NS      ns.domain.com.
                        MX      10 mail.domain.com.
    hosta               A       10.0.0.10
    www                 CNAME   hosta.my-domain.com.
    hostb               A       10.0.0.11

We could represent this zone file with an LDIF file that would look something like this:

    dn: relativeDomainName=@, dc=domain, dc=com
    objectClass: dNSZone
    relativeDomainName: @
    zoneName: domain.com
    dNSTTL: 3600
    dNSClass: IN
    sOARecord: ns.domain.com. root.domain.com. 2001030201 3600 1800 604800 86400
    nSRecord: ns.domain.com.
    mXRecord: 10 mail.my-domain.com.

    dn: relativeDomainName=hosta, dc=domain, dc=com
    objectClass: dNSZone
    relativeDomainName: hosta
    zoneName: domain.com
    dNSTTL: 86400
    dNSClass: IN
    aRecord: 10.10.10.10

    dn: relativeDomainName=www, dc=domain, dc=com
    objectClass: dNSZone
    relativeDomainName: www
    zoneName: domain.com
    dNSTTL: 1800
    dNSClass: IN
    cNAMERecord: hosta.domain.com.

    dn: relativeDomainName=hostb, dc=domain, dc=com
    objectClass: dNSZone
    relativeDomainName: hostb
    zoneName: domain.com
    dNSTTL: 3600
    dNSClass: IN
    aRecord: 10.10.10.11

The LDIF file is a file we create manually to enter the records into the database. Try naming the file something like dnszone.ldif and then import the data into the LDAP database with the following command:

    ldapadd -x -H ldap://localhost -D "cn=admin,dc=domain,dc=com" -W -f dnszone.ldif

Here admin is the name of the administrative account for OpenLDAP. If you are using a different account name such as "Manager", be sure to pass that account name instead.

If you would rather use UI-based LDAP administration tools, Section6 recommends the following:

    GQ LDAP (http://biot.com/gq/index2.html): a GTK-based LDAP client and administration tool
    PHP LDAP Admin (http://phpldapadmin.sourceforge.net): a PHP-based LDAP administration tool

Testing DNS

From here we should be able to restart BIND9 and test out our new configuration by simply performing a lookup on the DNS server:

    root@host# nslookup hosta.domain.com
    Server:  ns.domain.com
    Address: 10.0.0.1

    Name:    hosta.domain.com
    Address: 10.0.0.10

Looks like our nameserver is functioning properly while storing its zone information in the LDAP database.
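As an added example (not part of the original article), the following Python script converts a small zone in the layout shown above into LDIF entries using the dnszone schema attributes the article uses (relativeDomainName, zoneName, dNSTTL, dNSClass and the per-type record attributes), handling the parenthesised multi-line SOA, owner names inherited from the previous record, and optional TTL and class fields. The sample zone is constructed to mirror the one above with consistent domain.com names; since the schema gives each entry a single dNSTTL, an entry takes the TTL of its first record.

```python
import re

# dnszone schema attribute for each record type used on this page
RR_ATTR = {"SOA": "sOARecord", "NS": "nSRecord", "MX": "mXRecord",
           "A": "aRecord", "CNAME": "cNAMERecord"}

# Constructed sample zone, following the layout shown above
ZONE = """\
@      3600 IN SOA ns.domain.com. root.domain.com. (
                   2001030201 3600 1800 604800 86400 )
            NS    ns.domain.com.
            MX    10 mail.domain.com.
hosta       A     10.0.0.10
www         CNAME hosta.domain.com.
hostb       A     10.0.0.11
"""

def parse_zone(text, default_ttl):
    """Return (owner, ttl, type, rdata) tuples; joins the parenthesised SOA,
    inherits a blank owner from the previous record, TTL and IN are optional."""
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    owner, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if not line[0].isspace():   # a new owner name starts the line
            owner = tokens.pop(0)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], " ".join(tokens[1:])
        if rtype not in RR_ATTR:
            raise ValueError(f"unsupported record type {rtype!r}")
        records.append((owner, ttl, rtype, rdata))
    return records

def zone_to_ldif(text, zone_name, base_dn, default_ttl=3600):
    """One dNSZone entry per owner name; each record becomes one attribute."""
    entries = {}
    for owner, ttl, rtype, rdata in parse_zone(text, default_ttl):
        attrs = entries.setdefault(owner, [
            f"dn: relativeDomainName={owner},{base_dn}", "objectClass: dNSZone",
            f"relativeDomainName: {owner}", f"zoneName: {zone_name}",
            f"dNSTTL: {ttl}", "dNSClass: IN"])   # schema: one TTL per entry
        attrs.append(f"{RR_ATTR[rtype]}: {rdata}")
    return "\n\n".join("\n".join(a) for a in entries.values()) + "\n"

LDIF = zone_to_ldif(ZONE, "domain.com", "dc=domain,dc=com")  # write to dnszone.ldif
```

Write LDIF to dnszone.ldif and load it with the ldapadd command shown above.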
If you do run into any issues, or have additional problems or questions, feel free to post to the Section6 Support Forum (http://www.section6.net/board/) and check out the additional resources listed below.

Resources

    The LDAP sdb back-end for BIND 9 (http://www.venaas.no/ldap/bind-sdb/) project home page
    The BIND9 network (http://www.bind9.net/) information website
    The LDAP guru (http://www.ldapguru.com/) public information resource