
Re: Alternative LDAP schema for DNS database (bind9 used by freeipa)
Hi,

When trying to add machines with GOsa to the DHCP and DNS system, I
ran into related problems. Let me report below.

On Thu, Jun 24, 2010 at 01:33:11PM +0200, Petter Reinholdtsen wrote:
> 
> I asked on #freeipa on freenode, where I hang because I maintain sssd
> in Debian, about their LDAP schema for storing DNS information in the
> LDAP database.
> 
[...]
> 
> I mentioned the PowerDNS LDAP schema and the need for a common LDAP
> schema for both PowerDNS and Bind, and was advised to talk to Martin
> Nagy who is the freeipa DNS guy.  Perhaps an IETF work group should be
> formed to come up with a good schema for this?
> 
> I have no idea if powerdns can use this schema, but assume it is too
> different to work without any changes.
> 

GOsa contains a DHCP and a DNS plugin. With these plugins, a DNS
and/or DHCP server can be configured in LDAP. After that, a machine
can be added to LDAP, and DHCP as well as DNS can be switched on for
this machine with a single click (to be precise, with two clicks: one
to enable DHCP, one to enable DNS for the device).

So far, so good, but of course the information in LDAP has to be
fetched by the service daemons needing it. With DHCP this was no
problem, it worked out of the box. With DNS, I found that the entries
added to LDAP are not compatible with PowerDNS
( http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend ).

Bind does not have an LDAP backend (yet?) in Debian. Fortunately, I
found https://oss.gonicus.de/labs/gosa/wiki/PluginInstallationDNS .

After installing bind9 and ldap2zone (both in squeeze), it was only a
matter of getting familiar with the setup: all modifications in LDAP
are transferred to the bind configuration by calling the script
ldap2bind contained in the ldap2zone package.

So if we want to move on in the GOsa direction until alternatives turn
up, we need to:

* Install bind9 and ldap2zone
* Make a minor change to the schemas (replace dnsdomain2.schema by dnszone.schema)
* Implement a cronjob or hook to run ldap2bind
* Set up the DNS server/tjener configuration in LDAP during the bootstrapping.

This would give us the full functionality of managing users, groups
and machines.

As I already have all this working here, it should not be too much work
to have it in our installation. Let me know if you think this is a
good idea for now. Without DNS we cannot move on with Kerberos.

Best regards,

     Andi
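As an added example, not part of this message and not ldap2zone's own code: a small Python sketch of what a tool like ldap2bind has to do with entries stored under dnszone.schema, namely read dNSZone objects from LDIF and group their records per zone, followed by the sanity check (exactly one apex SOA, at least one NS) worth running before a generated zone is handed to bind. The dnszone.schema attribute names are assumed from that schema, and the zone, hosts and addresses in the sample are constructed.

```python
import re
# Constructed LDIF sample; dnszone.schema attribute names are assumed, zone/hosts made up.
SAMPLE_LDIF = """\
dn: zoneName=intern,ou=dns,dc=example,dc=org
objectClass: dNSZone
zoneName: intern
relativeDomainName: @
dNSTTL: 3600
sOARecord: tjener.intern. hostmaster.intern. 2010062401 3600 900 604800 3600
nSRecord: tjener.intern.

dn: relativeDomainName=tjener,zoneName=intern,ou=dns,dc=example,dc=org
objectClass: dNSZone
zoneName: intern
relativeDomainName: tjener
aRecord: 10.0.2.2
"""

# LDAP attribute -> DNS record type (subset of dnszone.schema)
RECORD_ATTRS = {"sOARecord": "SOA", "nSRecord": "NS", "aRecord": "A",
                "aAAARecord": "AAAA", "cNAMERecord": "CNAME", "mXRecord": "MX"}

def parse_ldif(text):
    """Split LDIF into entries, each a dict of attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (l.partition(":") for l in block.splitlines()):
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def ldif_to_zones(text):
    """Collect (owner, ttl, type, rdata) tuples per zoneName from dNSZone entries."""
    zones = {}
    for e in parse_ldif(text):
        if "dNSZone" not in e.get("objectClass", []):
            continue
        owner, ttl = e["relativeDomainName"][0], e.get("dNSTTL", [""])[0]
        for attr, rtype in RECORD_ATTRS.items():
            for rdata in e.get(attr, []):
                zones.setdefault(e["zoneName"][0], []).append((owner, ttl, rtype, rdata))
    return zones

def zone_problems(records):
    """Checks worth running before a generated zone is handed to bind."""
    soa = sum(1 for r in records if r[2] == "SOA" and r[0] == "@")
    ns = any(r[2] == "NS" for r in records)
    return ([] if soa == 1 else ["expected one apex SOA, found %d" % soa]) + \
           ([] if ns else ["no NS record"])
```

A zone whose LDAP entries produce a non-empty problem list should not be written out for bind; with the sample above the list is empty.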

