PowerDNS LDAP Backend/Migration

From Linuxnetworks

BIND zone files

The PowerDNS distribution contains a small utility called "zone2ldap", which converts the zone files used by BIND into the LDIF format. LDIF is a text format describing LDAP objects and can be read by every standards-compliant LDAP server. zone2ldap needs the BIND named.conf (usually located in /etc) as input and writes the DNS record entries in LDIF format to stdout:


   zone2ldap --named-conf=/etc/named.conf > zones.ldif

Alternatively, zone2ldap can convert a single zone file instead of all zones:


   zone2ldap --zone-name=linuxnetworks.de --zone-file=linuxnetworks.de.zone > zone.ldif

Here is a complete list of all options:

 --help
    Prints a short description of all options.
 --basedn=<dn>
    Node below which the new objects are created. All nodes mentioned in the basedn must exist before you can add the ldif file to your LDAP DNS tree.
 --layout=<tree|list>
    How the entries are arranged in the LDAP directory. Currently "tree" (e.g. dc=host,dc=subdomain,dc=linuxnetworks,dc=de) and "list" (e.g. dc=host,dc=subdomain.linuxnetworks.de) are supported.
 --named-conf=<file>
    Location of the BIND named.conf file.
 --resume
    Continue processing the zone files if an error occurs. An error message is written to stderr in this case and one or more objects may be missing, but the rest of the zones are converted to ldif format.
 --verbose
    Writes additional information about the operations to stderr.
 --zone-file=<file>
    Instead of a complete named.conf file you can also parse only a single zone file. If you pass a single dash ("-") as the parameter, input is read from stdin.
 --zone-name=<name>
    Name of the zone as it appears in named.conf or in the zone file, e.g. linuxnetworks.de. Required if you only want to parse single zone files.
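The conversion that zone2ldap performs, shown as an added Python example that is not the zone2ldap source or any other PowerDNS code: it parses a constructed BIND zone (and also accepts the fully qualified owner-name lines that "dig ... AXFR" prints) and builds dnsdomain2 objects in either the tree or the list layout. The base DN ou=hosts,o=linuxnetworks,c=de, the object classes and the attribute spellings are assumptions about the dnsdomain2 schema, not values taken from this page.

```python
"""Convert a BIND zone file (or saved "dig ... AXFR" output) into dnsdomain2 LDIF.

Added example, not the zone2ldap source. It implements the "tree" and "list"
layouts described above for the record types in RDATA_ATTR; multi-line
(parenthesised) records are not handled. Assumptions are marked below.
"""

# rdata attribute names of the dnsdomain2 schema for common record types
# (assumption: attribute spelling as in the PowerDNS dnsdomain2 schema).
RDATA_ATTR = {
    "SOA": "sOARecord", "NS": "nSRecord", "A": "aRecord", "AAAA": "aAAARecord",
    "MX": "mXRecord", "CNAME": "cNAMERecord", "PTR": "pTRRecord", "TXT": "tXTRecord",
}

# Constructed sample zone mixing BIND syntax (relative names, inherited owner)
# with one dig-style line (fully qualified owner name with trailing dot).
SAMPLE_ZONE = """\
$ORIGIN linuxnetworks.de.
$TTL 3600
@       IN SOA ns.linuxnetworks.de. hostmaster.linuxnetworks.de. 1 1800 3600 86400 7200
        IN NS  ns.linuxnetworks.de.
ns      IN A   10.10.0.1
www     600 IN A   10.10.0.2   ; explicit TTL
mail.linuxnetworks.de. IN MX 10 mail.linuxnetworks.de.
"""


def parse_zone(text, origin=None):
    """Yield (fqdn, ttl, type, rdata) for every record line in the zone text."""
    default_ttl, last_name = None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        # The owner name is inherited from the previous record when the line
        # starts with whitespace, exactly as BIND reads zone files.
        name = last_name if raw[0].isspace() else fields.pop(0)
        ttl = default_ttl
        if fields and fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        # Trailing dots are dropped from rdata names (assumption: fine for
        # host names, not for arbitrary TXT data).
        rdata = " ".join(t.rstrip(".") for t in fields)
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        last_name = name
        yield fqdn, ttl, rtype, rdata


def entry_dn(fqdn, basedn, layout):
    """DN of the object for one owner name in the chosen layout."""
    if layout == "tree":                      # one dc= RDN per label
        return ",".join(f"dc={label}" for label in fqdn.split(".")) + f",{basedn}"
    if layout == "list":                      # whole name in a single dc= RDN
        return f"dc={fqdn},{basedn}"
    raise ValueError("layout must be 'tree' or 'list'")


def build_entries(text, basedn, layout="tree", origin=None):
    """Group the records by owner name into dnsdomain2 objects, keyed by DN.

    The dc value must equal the RDN value, so it is the first label in the
    tree layout and the full name in the list layout.
    """
    entries = {}
    for fqdn, ttl, rtype, rdata in parse_zone(text, origin):
        attr = RDATA_ATTR.get(rtype)
        if attr is None:
            continue                            # unsupported type: skip record
        dn = entry_dn(fqdn, basedn, layout)
        obj = entries.setdefault(dn, {
            # object classes as in typical dnsdomain2 entries (assumption)
            "objectClass": ["top", "dcObject", "dNSDomain2", "domainRelatedObject"],
            "dc": [fqdn.split(".")[0] if layout == "tree" else fqdn],
            "associatedDomain": [fqdn],
        })
        if ttl is not None and "dNSTTL" not in obj:
            obj["dNSTTL"] = [str(ttl)]          # first TTL seen for the object
        obj.setdefault(attr, []).append(rdata)
    return entries


def to_ldif(entries):
    """Render the objects as LDIF 'dn:' blocks separated by blank lines."""
    lines = []
    for dn, attrs in entries.items():
        lines.append(f"dn: {dn}")
        for attr, values in attrs.items():
            lines.extend(f"{attr}: {v}" for v in values)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ldif(build_entries(SAMPLE_ZONE, "ou=hosts,o=linuxnetworks,c=de", "tree")))
```

The layouts imply a naming rule worth checking before an import: the dc attribute must carry the RDN value, so the tree layout stores the first label and the list layout the whole name, and in the tree layout the parent objects (dc=linuxnetworks,dc=de here) must exist before the host objects can be added, just as the base nodes must exist below the basedn.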

Bind LDAP backend

If you are using the Bind LDAP sdb backend, you can keep the records in the LDAP tree for the PowerDNS LDAP backend as well. The schemas the two backends use are almost the same, except for one important difference: domains for PowerDNS are stored in the attribute "associatedDomain", whereas Bind stores them split into "relativeDomainName" and "zoneName".

There is a migration script which creates a file in LDIF format with the necessary LDAP updates including the "associatedDomain" and "dc" attributes. The utility is executed on the command line by:

 bind2pdns-ldap --host=<host name or IP> \
                --basedn=<subtree dn> \
                --binddn=<admin dn> \
                > update.ldif

The parameters "host" and "basedn" are mandatory; "binddn" is optional. If "binddn" is given, you are asked for a password, otherwise an anonymous bind is performed. The updates in LDIF format are written to stdout and can be redirected to a file.

The script requires Perl and the Perl Net::LDAP module and can be downloaded from /pdnsldap/bind2pdns-ldap.

Updating the entries in the LDAP tree requires that the dnsdomain2 schema is known to the LDAP server. Unfortunately, both schemas (dnsdomain2 and dnszone) define the same record types with the same OIDs, so the LDAP server can't load both schemas at the same time. The solution is to add the dnsdomain2 schema and replace the dnszone schema with the dnszone-migrate schema. After restarting the LDAP server, attributes from both schemas can be used, and updating the objects in the LDAP tree with the LDIF file generated by bind2pdns-ldap works without errors.
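What bind2pdns-ldap computes, as an added Python example that is not the page's Perl script: instead of binding to the server it reads a constructed LDIF export of Bind sdb-ldap entries (dNSZone objects carrying relativeDomainName and zoneName) and writes the "changetype: modify" records that add associatedDomain and dc. The sample DNs under ou=dns,o=linuxnetworks,c=de are constructed, and deriving dc from the first label of the owner name is an assumption that matches the tree layout.

```python
"""Derive PowerDNS associatedDomain/dc attributes from Bind sdb-ldap entries.

Added example, not the bind2pdns-ldap script. It reads entries from an LDIF
export (constructed sample below) and emits LDIF "changetype: modify" records
that add the attributes the PowerDNS LDAP backend needs.
"""

# Constructed sample: two dNSZone entries still in Bind form plus one that was
# already migrated (has associatedDomain and dc) and must be left alone.
SAMPLE_BIND_LDIF = """\
dn: relativeDomainName=@,zoneName=linuxnetworks.de,ou=dns,o=linuxnetworks,c=de
objectClass: dNSZone
zoneName: linuxnetworks.de
relativeDomainName: @
sOARecord: ns.linuxnetworks.de hostmaster.linuxnetworks.de 1 1800 3600 86400 7200
nSRecord: ns.linuxnetworks.de

dn: relativeDomainName=www,zoneName=linuxnetworks.de,ou=dns,o=linuxnetworks,c=de
objectClass: dNSZone
zoneName: linuxnetworks.de
relativeDomainName: www
aRecord: 10.10.0.2

dn: relativeDomainName=mail,zoneName=linuxnetworks.de,ou=dns,o=linuxnetworks,c=de
objectClass: dNSZone
zoneName: linuxnetworks.de
relativeDomainName: mail
associatedDomain: mail.linuxnetworks.de
dc: mail
aRecord: 10.10.0.3
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.

    Continuation lines and base64 ('::') values are not handled; attribute
    names are matched case-sensitively as written in the export.
    """
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def associated_domain(relative_name, zone_name):
    """Bind stores the owner name split; PowerDNS wants the full name.
    '@' is Bind's notation for the zone apex."""
    if relative_name == "@":
        return zone_name
    return f"{relative_name}.{zone_name}"


def plan_updates(ldif_text):
    """Return (dn, associatedDomain, dc) for every dNSZone entry that still
    lacks associatedDomain. Already migrated entries are skipped, so the
    generated LDIF can safely be applied more than once."""
    updates = []
    for dn, attrs in parse_ldif(ldif_text):
        if "dNSZone" not in attrs.get("objectClass", []):
            continue
        if "associatedDomain" in attrs:
            continue
        fqdn = associated_domain(attrs["relativeDomainName"][0], attrs["zoneName"][0])
        # dc is the first label of the owner name (assumption, as in the tree
        # layout); an existing dc is kept, since adding a second value would be
        # rejected when dc is the RDN attribute.
        dc = None if "dc" in attrs else fqdn.split(".")[0]
        updates.append((dn, fqdn, dc))
    return updates


def migration_ldif(ldif_text):
    """Render the planned updates as LDIF modify records."""
    out = []
    for dn, fqdn, dc in plan_updates(ldif_text):
        out += [f"dn: {dn}", "changetype: modify",
                "add: associatedDomain", f"associatedDomain: {fqdn}", "-"]
        if dc is not None:
            out += ["add: dc", f"dc: {dc}", "-"]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(migration_ldif(SAMPLE_BIND_LDIF))
```

The modify records only add attributes, so the Bind backend keeps working on the same objects during the migration; as the section above notes, the server must have the dnszone-migrate schema loaded before these updates are applied, otherwise the added attributes are rejected.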

Other name servers

The easiest way to migrate DNS records is to use the output of a zone transfer (AXFR). Save the output of the "dig" program shipped with BIND to a file and call zone2ldap with that file name as the value of the --zone-file parameter. This generates an ldif file which you can import into your LDAP tree. The bash script excerpt below automates this for you.

DOMAINS="linuxnetworks.de 10.10.in-addr.arpa"
for DOMAIN in $DOMAINS; do
   # save the zone transfer to $DOMAIN.zone, then convert it to ldif
   dig @<primary server> $DOMAIN AXFR > $DOMAIN.zone
   zone2ldap --zone-name=$DOMAIN --zone-file=$DOMAIN.zone > $DOMAIN.ldif
done