Difference between revisions of "PowerDNS LDAP Backend/Example"
m (Pdnsldap example moved to PowerDNS LDAP Backend - Example) |
(LDAP DNS) |
||
| Line 5: | Line 5: | ||
== Tree design == | == Tree design == | ||
| − | The LDAP tree should be designed carefully to prevent mistakes, which are hard to correct afterwards. The best solution is to create a subtree for all host entries which will contain the DNS records. You can do this the simple way or in a tree style. | + | The DNS LDAP tree should be designed carefully to prevent mistakes, which are hard to correct afterwards. The best solution is to create a subtree for all host entries which will contain the DNS records. You can do this the simple way or in a tree style. |
DN of a simple style example record (e.g. myhost.linuxnetworks.de): | DN of a simple style example record (e.g. myhost.linuxnetworks.de): | ||
| Line 29: | Line 29: | ||
associateddomain: linuxnetworks.de | associateddomain: linuxnetworks.de | ||
| − | A simple mapping between name and ip address can be specified by an object containing an arecord and an associateddomain. You don't have to bother about a reverse mapping (ip address to name) if you don't want to, because this can be done automagically by the | + | A simple mapping between name and ip address can be specified by an object containing an arecord and an associateddomain. You don't have to bother about a reverse mapping (ip address to name) if you don't want to, because this can be done automagically by the LDAP DNS backend if you set ldap-method=strict in pdns.conf. |
dn: dc=server,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de | dn: dc=server,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de | ||
| Line 44: | Line 44: | ||
== Wildcards == | == Wildcards == | ||
| − | + | Wild-card domains are possible by using the asterisk in the associatedDomain value like it is used in the bind zone files. The "dc" attribute can be set to any value in simple or strict mode - this doesn't matter. | |
dn: dc=any,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de | dn: dc=any,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de | ||
| Line 54: | Line 54: | ||
associateddomain: *.linuxnetworks.de | associateddomain: *.linuxnetworks.de | ||
| − | In tree mode | + | In tree mode wild-card entries has to look like this instead: |
dn: dc=*,dc=linuxnetworks,dc=de,ou=hosts,o=linuxnetworks,c=de | dn: dc=*,dc=linuxnetworks,dc=de,ou=hosts,o=linuxnetworks,c=de | ||
| Line 127: | Line 127: | ||
'''CAUTION:''' | '''CAUTION:''' | ||
| − | You can't use "ldap-method=strict" if you need zone transfers (AXFR) to other name servers. Distributing zones can only be done directly via | + | You can't use "ldap-method=strict" if you need zone transfers (AXFR) to other name servers. Distributing zones can only be done directly via LDAP replication in this case, because for a full zone transfer the reverse records are missing |
---- | ---- | ||
Back to [[PowerDNS LDAP Backend|Overview]] | Back to [[PowerDNS LDAP Backend|Overview]] | ||
Revision as of 22:54, 21 April 2007
Examples
Tree design
The DNS LDAP tree should be designed carefully to prevent mistakes, which are hard to correct afterwards. The best solution is to create a subtree for all host entries which will contain the DNS records. You can do this the simple way or in a tree style.
DN of a simple style example record (e.g. myhost.linuxnetworks.de):
dn: dc=myhost,dc=linuxnetworks,ou=hosts,...
DN of a tree style example record (e.g. myhost.test.linuxnetworks.de):
dn: dc=myhost,dc=test,dc=linuxnetworks,dc=de,ou=hosts,...
Basic objects
Each domain (or zone for BIND users) must include one object containing a SOA (Start Of Authority) record. This object can also contain the attribute for a MX (Mail eXchanger) and a NS (Name Server) record. These attributes allow one or more values, e.g. for a backup mail or name server:
dn: dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dcobject objectclass: dnsdomain objectclass: domainrelatedobject dc: linuxnetworks soarecord: ns.linuxnetworks.de me@linuxnetworks.de 1 1800 3600 86400 7200 nsrecord: ns.linuxnetworks.de mxrecord: 10 mail.linuxnetworks.de mxrecord: 20 mail2.linuxnetworks.de associateddomain: linuxnetworks.de
A simple mapping between name and ip address can be specified by an object containing an arecord and an associateddomain. You don't have to bother about a reverse mapping (ip address to name) if you don't want to, because this can be done automagically by the LDAP DNS backend if you set ldap-method=strict in pdns.conf.
dn: dc=server,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain objectclass: domainrelatedobject dc: server arecord: 10.1.0.1 arecord: 192.168.0.1 associateddomain: server.linuxnetworks.de
Be aware of the fact that these examples work if ldap-method is simple or strict. For tree mode you have to modify all DNs according to the algorithm described in the section above.
Wildcards
Wild-card domains are possible by using the asterisk in the associatedDomain value like it is used in the bind zone files. The "dc" attribute can be set to any value in simple or strict mode - this doesn't matter.
dn: dc=any,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain objectclass: domainrelatedobject dc: any arecord: 192.168.0.1 associateddomain: *.linuxnetworks.de
In tree mode wild-card entries has to look like this instead:
dn: dc=*,dc=linuxnetworks,dc=de,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain objectclass: domainrelatedobject dc: any arecord: 192.168.0.1 associateddomain: *.linuxnetworks.de
Aliases
Aliases for an existing DNS object have to be defined in a separate LDAP object. You can create one object per alias (this is a must in tree mode) or add all aliases (as values of associateddomain) to one object. The only thing which is not allowed is to create loops by using the same name in associateddomain and in cnamerecord
dn: dc=server-aliases,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain objectclass: domainrelatedobject dc: server-aliases cnamerecord: server.linuxnetworks.de associateddomain: proxy.linuxnetworks.de associateddomain: mail2.linuxnetworks.de associateddomain: ns.linuxnetworks.de
Aliases are optional. You can also add all alias domains to the associateddomain attribute. The only difference is that these additional domains aren't recognized as aliases anymore, but instead as a normal arecord:
dn: dc=server,dc=linuxnetworks,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain objectclass: domainrelatedobject dc: server arecord: 10.1.0.1 associateddomain: server.linuxnetworks.de associateddomain: proxy.linuxnetworks.de associateddomain: mail2.linuxnetworks.de associateddomain: ns.linuxnetworks.de
Reverse lookups
Currently you have two options: Either reverse lookups handled by the code automagically or you have to add PTR records to your LDAP directory. If you want to derive PTR records from A records, you have set "ldap-method" to "strict". Otherwise add objects like below to your directory:
dn: dc=1.10.in-addr.arpa,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain2 objectclass: domainrelatedobject dc: 1.10.in-addr.arpa soarecord: ns.linuxnetworks.de me@linuxnetworks.de 1 1800 3600 86400 7200 nsrecord: ns.linuxnetworks.de associateddomain: 1.10.in-addr.arpa
dn: dc=1.0,dc=1.10.in-addr.arpa,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain2 objectclass: domainrelatedobject dc: 1.0 ptrrecord: server.linuxnetworks.de associateddomain: 1.0.1.10.in-addr.arpa
Tree mode requires each component to be a dc element of its own:
dn: dc=1,dc=0,dc=1,dc=10,dc=in-addr,dc=arpa,ou=hosts,o=linuxnetworks,c=de objectclass: top objectclass: dnsdomain2 objectclass: domainrelatedobject dc: 1.0 ptrrecord: server.linuxnetworks.de associateddomain: 1.0.1.10.in-addr.arpa
To use this kind of record, you also have to add the dnsdomain2 schema to the configuration of your LDAP server.
CAUTION:
You can't use "ldap-method=strict" if you need zone transfers (AXFR) to other name servers. Distributing zones can only be done directly via LDAP replication in this case, because for a full zone transfer the reverse records are missing
Back to Overview
