Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
ISC Bind 9.11 and dyndb-ldap
166 views
Skip to first unread message
Pallissard, Matt
Oct 16, 2016, 9:53:34 PM10/16/16
to bind-...@lists.isc.org
Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
Unless I'm reading the release notes/new features pages incorrectly the bind-dyndb-ldap plugin has been rolled into ISC's official release and I shouldn't have to mess around with patching/building it from source.
Yet I get the following errors upon startup;
named[9937]: loading configuration from '/etc/named.conf'
named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
named[9937]: loading configuration: failure
named[9937]: exiting (due to fatal error)
systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
named[9937]: loading configuration: failure
named[9937]: exiting (due to fatal error)
systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
I'm using the package provided by Arch Linux and can provide the flags the bind package was compiled with if those are relevant.
Any advice would be greatly appreciated.
Matt Pallissard
Mark Andrews
Oct 16, 2016, 10:35:07 PM10/16/16
to Pallissard, Matt, bind-...@isc.org
In message <cc788a8c-0d45-4726...@typeapp.com>, "Pallissard, Mat
> Matt Pallissard
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Pallissard, Matthew
Oct 17, 2016, 5:49:53 PM10/17/16
to bind-...@isc.org
On 10/16/2016 09:34 PM, Mark Andrews wrote:
> In message <cc788a8c-0d45-4726...@typeapp.com>, "Pallissard, Matt" writes:
>>
>> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
>>
>> Unless I'm reading the release notes/new features pages incorrectly the bind-dyndb-ldap plugin has been rolled into ISC's official release and I shouldn't have to mess around with patching/building it from source.
>>
>>
>> Yet I get the following errors upon startup;
>>
>> named[9937]: loading configuration from '/etc/named.conf'
>> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
>> named[9937]: loading configuration: failure
>> named[9937]: exiting (due to fatal error)
>> systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
>>
>>
>> I'm using the package provided by Arch
Linux and can provide the flags the bind package was compiled with if those are relevant.
>>
>> Any advice would be greatly appreciated.
>
> Did you mean "dyndb" perhaps?
>
>> Matt Pallissard
Changing from dynamic-db to dyndb still causes named to fail.
Using formatting similar to this;
Gives the following error;
named[31641]: /etc/named.conf:23: expected quoted string near '{
Most of the documentation I can find around this seems to use 'dynamic-db' in named.conf
Matt Pallissard
Mark Andrews
Oct 17, 2016, 6:50:26 PM10/17/16
to Pallissard, Matthew, bind-...@isc.org
Did you read the documentation that comes with BIND 9.11 for dyndb?
dyndb domain.net "ldap.so" {
...
};
Mark
Pallissard, Matt
Oct 17, 2016, 9:25:08 PM10/17/16
to bind-...@isc.org
On 10/17/2016 05:50 PM, Mark Andrews wrote:
> In message <d22a356f-c07b-7992...@pallissard.net>, "Pallissard, Matthew" writes:
>> On 10/16/2016 09:34 PM, Mark Andrews wrote:
>>> In message <cc788a8c-0d45-4726...@typeapp.com>, "Pallissard, Matt" writes:
>>>>
>>>> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
>>>>
>>>> Unless I'm reading the release notes/new features pages incorrectly the bind-dyndb-ldap plugin has been rolled into ISC's official release a
>> nd I shouldn't have to mess around with patching/building it from source.
>>>>
>>>>
>>>> Yet I get the following errors upon startup;
>>>>
>>>> named[9937]: loading configuration from '/etc/named.conf'
>>>> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
>>>> named[9937]: loading configuration: failure
>>>> named[9937]: exiting (due to fatal error)
>>>> systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
>>>>
>>>>
>>>> I'm using the package provided by Arch Linux and can provide the flags the bind package was compiled with if those are relevant.
>>>>
>>>> Any advice would be greatly appreciated.
>>>
>>> Did you mean "dyndb" perhaps?
>>>> Matt Pallissard
>>
>> Changing from dynamic-db to dyndb still causes named to fail.
>>
>> Using formatting similar to this;
>>
>> dyndb "domain.net" {
>> Â library "ldap.so"
>>
>> Changing from dynamic-db to dyndb still causes named to fail.
>>
>> Using formatting similar to this;
>>
>> dyndb "domain.net" {
>> Â arg...
>> }
>>
>> Gives the following error;
>>
>> named[31641]: /etc/named.conf:23: expected quoted string near '{
>>
>> Most of the documentation I can find around this seems to use 'dynamic-db' in named.conf
>
> Which would be for the unoffical extension.
>
> Did you read the documentation that comes with BIND 9.11 for dyndb?
>
> dyndb domain.net "ldap.so" {
> ...
> };
>
> Mark
>
>> Matt Pallissard
That was it. Thank you for your help
>>
>> Gives the following error;
>>
>> named[31641]: /etc/named.conf:23: expected quoted string near '{
>>
>> Most of the documentation I can find around this seems to use 'dynamic-db' in named.conf
>
> Which would be for the unoffical extension.
>
> Did you read the documentation that comes with BIND 9.11 for dyndb?
>
> dyndb domain.net "ldap.so" {
> ...
> };
>
> Mark
>
>> Matt Pallissard
As for the documentation, I was reading the 'bind-dyndb-ldap' documentation.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/bind-dyndb-ldap-config.html
I wish I'd have thought to grep through the bind docs as it's right there.
[matt bind-9.11.0]$ grep -r dyndb doc
doc/misc/options: dyndb <string> <quoted_string> { <unspecified text> };
I should remember to RTFM next time.
Matt Pallissard
ramkis...@gmail.com
Dec 13, 2016, 12:22:34 PM12/13/16
to comp-protoc...@isc.org
Have you succeeded in using LDAP as a dynamic back-end for bind 9.11?
We are getting below errors while trying to make bind initialization with dyndb.
loading DynDB instance 'ldap_dyndb' driver '/usr/lib64/libldap.so'
failed to lookup symbol dyndb_version in dyndb module '/usr/lib64/libldap.so': /usr/lib64/libldap.so: undefined symbol: dyndb_version
failed to dynamically load instance 'ldap_dyndb' driver '/usr/lib64/libldap.so': (null) (failure)
dynamic database 'ldap_dyndb' configuration failed: failure
loading configuration: failure
exiting (due to fatal error)
The configuration details related to bind in named.conf file is as below.
dyndb ldap_dyndb "/usr/lib64/libldap.so" {
uri "ldap://10.12.42.113";
base "cn=dns, dc=example, dc=com";
};
We are using bind 9.11 version package in RHEL 7.2 and have few queries as below.
- We used the default RHEL "/usr/lib64/libldap.so" shared library in the above configuration. Is this correct? Is there any customized ldap.so file to be used for bind 9.11.
- Are there any specific configure options to be enabled while compiling bind ?
Any inputs are highly appreciated and Thanks in advance.
Thanks,
Kishore.
Petr Mensik
Dec 14, 2016, 12:40:24 PM12/14/16
to ramkishore b, comp-protoc...@isc.org
Hello Kishore,
It is not so simple. What was merged into BIND 9.11 is only dynamic database API, that is bind-dyndb-ldap using. That dynamic database does not store any permanent data, it is only interface other plugins can use.
That means dynamic_db provided by custom patch for RHEL and Fedora was merged upstream WITH changes. It changed name and syntax of configuration, so you have to modify it.
But you still have to use bind-dyndb-ldap plugin to use LDAP backend in BIND. And that plugin is not supported by ISC, see https://fedorahosted.org/bind-dyndb-ldap/.
Unfortunately there is plugin in rawhide with support for new API of BIND 9.11, but it requires OpenSSL 1.1 as well. There is not yet bind-dyndb-ldap that supports both current dyndb and older OpenSSL. I suggest to use older BIND server now with custom patches for dynamic_db. You would have to backport some code to run last release.
Correct path on Fedora is /usr/lib64/bind/ldap.so (bind-dyndb-ldap package). /usr/lib64/libldap.so is something completely different, that will never work in BIND.
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: peme...@redhat.com PGP: 65C6C973
----- Original Message -----
From: "ramkishore b" <ramkis...@gmail.com>
To: comp-protoc...@isc.org
Sent: Tuesday, December 13, 2016 6:22:09 PM
Subject: Re: ISC Bind 9.11 and dyndb-ldap
On Monday, October 17, 2016 at 7:23:34 AM UTC+5:30, Pallissard, Matt wrote:
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
It is not so simple. What was merged into BIND 9.11 is only dynamic database API, that is bind-dyndb-ldap using. That dynamic database does not store any permanent data, it is only interface other plugins can use.
That means dynamic_db provided by custom patch for RHEL and Fedora was merged upstream WITH changes. It changed name and syntax of configuration, so you have to modify it.
But you still have to use bind-dyndb-ldap plugin to use LDAP backend in BIND. And that plugin is not supported by ISC, see https://fedorahosted.org/bind-dyndb-ldap/.
Unfortunately there is plugin in rawhide with support for new API of BIND 9.11, but it requires OpenSSL 1.1 as well. There is not yet bind-dyndb-ldap that supports both current dyndb and older OpenSSL. I suggest to use older BIND server now with custom patches for dynamic_db. You would have to backport some code to run last release.
Correct path on Fedora is /usr/lib64/bind/ldap.so (bind-dyndb-ldap package). /usr/lib64/libldap.so is something completely different, that will never work in BIND.
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: peme...@redhat.com PGP: 65C6C973
----- Original Message -----
From: "ramkishore b" <ramkis...@gmail.com>
To: comp-protoc...@isc.org
Sent: Tuesday, December 13, 2016 6:22:09 PM
Subject: Re: ISC Bind 9.11 and dyndb-ldap
On Monday, October 17, 2016 at 7:23:34 AM UTC+5:30, Pallissard, Matt wrote:
Hello Matt Pallissard ,
Have you succeeded in using LDAP as a dynamic back-end for bind 9.11?
We are getting below errors while trying to make bind initialization with dyndb.
loading DynDB instance 'ldap_dyndb' driver '/usr/lib64/libldap.so'
failed to lookup symbol dyndb_version in dyndb module '/usr/lib64/libldap.so': /usr/lib64/libldap.so: undefined symbol: dyndb_version
failed to dynamically load instance 'ldap_dyndb' driver '/usr/lib64/libldap.so': (null) (failure)
dynamic database 'ldap_dyndb' configuration failed: failure
loading configuration: failure
Have you succeeded in using LDAP as a dynamic back-end for bind 9.11?
We are getting below errors while trying to make bind initialization with dyndb.
loading DynDB instance 'ldap_dyndb' driver '/usr/lib64/libldap.so'
failed to lookup symbol dyndb_version in dyndb module '/usr/lib64/libldap.so': /usr/lib64/libldap.so: undefined symbol: dyndb_version
failed to dynamically load instance 'ldap_dyndb' driver '/usr/lib64/libldap.so': (null) (failure)
dynamic database 'ldap_dyndb' configuration failed: failure
loading configuration: failure
exiting (due to fatal error)
The configuration details related to bind in named.conf file is as below.
dyndb ldap_dyndb "/usr/lib64/libldap.so" {
uri "ldap://10.12.42.113";
base "cn=dns, dc=example, dc=com";
};
We are using bind 9.11 version package in RHEL 7.2 and have few queries as below.
- We used the default RHEL "/usr/lib64/libldap.so" shared library in the above configuration. Is this correct? Is there any customized ldap.so file to be used for bind 9.11.
- Are there any specific configure options to be enabled while compiling bind ?
Any inputs are highly appreciated and Thanks in advance.
Thanks,
Kishore.
_______________________________________________
dyndb ldap_dyndb "/usr/lib64/libldap.so" {
uri "ldap://10.12.42.113";
base "cn=dns, dc=example, dc=com";
};
We are using bind 9.11 version package in RHEL 7.2 and have few queries as below.
- We used the default RHEL "/usr/lib64/libldap.so" shared library in the above configuration. Is this correct? Is there any customized ldap.so file to be used for bind 9.11.
- Are there any specific configure options to be enabled while compiling bind ?
Any inputs are highly appreciated and Thanks in advance.
Thanks,
Kishore.
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
0 new messages