What distribution do you use? Fedora
Which distribution version do you use? Fedora 20, with latest updates
Which architecture do you use? x86_64 on a qemu VM

What plugin version do you use? bind-dyndb-ldap-4.1-1.fc20.x86_64
Do you use bind-dyndb-ldap as part of a FreeIPA installation? no, using
openldap-servers-2.4.39-2.fc20.x86_64
Which version of BIND do you use? bind-9.9.4-12.P2.fc20.x86_64

Please provide the dynamic-db section from the configuration
file /etc/named.conf
dynamic-db "bpk2.com" {
        library "ldap.so";
        arg "uri ldap://127.0.0.1/";
        arg "base cn=dns,dc=bpk2,dc=com";
        arg "auth_method simple";
        arg "bind_dn cn=Manager,dc=bpk2,dc=com";
        arg "password ***REMOVED***";
        arg "sync_ptr yes";
        arg "dyn_update yes";
        arg "connections 2";
        arg "verbose_checks yes";
};

Do you have some other text-based or DLZ zones configured? no
Do you have some global forwarders configured in the BIND configuration
file? no

Do you have some settings in the global configuration object in LDAP?
dn: cn=dns,dc=my-domain,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject

I want to use bind-dyndb-ldap with keytabs against my directory.  I have
created the principal DNS/test.bpk2....@bpk2.com, and have created
the keytab file.  What I want to know is:

What LDAP object should I create to match up against the Kerberos
principal?

I have to grant access to the LDAP tree, so what ID will be presented to
LDAP when using the keytab?

Am I able to use the sasl_username without the sasl_password to
establish that?

Being that I want to use a keytab, the username would be in there,
correct?

When I list the keys in the keytab, there is a PRIMARY, an INSTANCE and
a REALM (DNS/test.bpk2....@bpk2.com).  Is the PRIMARY (DNS) or the
INSTANCE (test.bpk2.com) what has to be linked in LDAP to the Kerberos
identity?

Do I need a specific olcAuthzRegexp to massage the Kerberos ID into a
proper LDAP DN, like I am doing already for my ID?  Example:
{0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com

I am running N-way multi-master LDAP.  Does the uri directive support
more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?

Can the SRV records be used to point the uri directive at the LDAP
servers by querying for them?  Ha, that's a chicken-and-egg topic,
but an interesting one...

I am assuming my named.conf will change to include:

        arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "krb5_keytab FILE:/etc/named.keytab";

Is there anything else obvious that I am missing?

Thank you,

brendan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
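Editor's added example, not part of the post above and not code from bind-dyndb-ldap or OpenLDAP: a small model of the olcAuthzRegexp step the poster asks about. It derives the SASL authorization identity slapd builds for a GSSAPI bind (uid=primary[/instance],cn=realm,cn=gssapi,cn=auth), runs it through authz-regexp rules in order, and renders those rules as a cn=config LDIF with the {N} prefixes shown in the post. The lowercased realm, the case-sensitive matching, and the second "service" rule with its ou=DNS subtree are assumptions made for illustration; only the first rule is taken from the post. What it shows is that PRIMARY and INSTANCE both arrive inside the uid= value of the authzid, so the regexp, not the keytab, decides which part becomes the DN.

```python
import re

# The authz-regexp rule quoted in the post, minus the {0} X-ORDERED prefix:
# (match pattern, replacement template).
POST_RULES = [
    ("uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
     "uid=$1,ou=Users,dc=bpk2,dc=com"),
]

# Hypothetical additional rule (assumption, not from the post): route
# DNS/<instance> service principals to their own subtree keyed on the
# INSTANCE component, and let everything else fall through to the user rule.
SERVICE_RULES = [
    ("uid=DNS/([^/,]*),cn=bpk2.com,cn=gssapi,cn=auth",
     "cn=$1,ou=DNS,dc=bpk2,dc=com"),
] + POST_RULES


def sasl_authzid(principal):
    """Derive the SASL authorization identity slapd uses after a GSSAPI bind:
    uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth.
    The realm is lowercased here (assumption; it matches the cn=bpk2.com in
    the post's own regexp).  PRIMARY and INSTANCE are not split: both land
    inside the uid= value, still separated by the slash."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected primary[/instance]@REALM, got %r" % principal)
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (name, realm.lower())


def map_authzid(authzid, rules):
    """Apply rules in order; the first pattern that matches wins.
    Like POSIX regexec(), the search is not implicitly anchored, so put ^ and
    $ in a rule if the whole authzid must match.  If nothing matches, the
    identity stays as the synthetic ...,cn=auth DN, which is what slapd binds
    you as in that case.  Only DN-style replacements are modelled here;
    ldap:/// search-URL replacements are not."""
    for pattern, template in rules:
        m = re.search(pattern, authzid)
        if m:
            # slapd substitutes $1..$9; rewrite them to Python's \g<N> form.
            return m.expand(re.sub(r"\$(\d)", r"\\g<\1>", template))
    return authzid


def is_mapped(dn):
    """True once the identity has been rewritten into a real directory DN,
    i.e. it no longer ends in the synthetic cn=auth suffix."""
    return not dn.lower().endswith(",cn=auth")


def authzregexp_ldif(rules):
    """Render rules as a cn=config modify LDIF with {N} X-ORDERED prefixes,
    the same form the post shows for its existing {0} rule."""
    lines = ["dn: cn=config", "changetype: modify", "replace: olcAuthzRegexp"]
    for n, (pattern, template) in enumerate(rules):
        lines.append("olcAuthzRegexp: {%d}%s %s" % (n, pattern, template))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample principals: the post's DNS service principal, a user
    # in the same realm, and a user from a realm no rule covers.
    for p in ("DNS/test.bpk2.com@bpk2.com", "brendan@bpk2.com",
              "brendan@OTHER.COM"):
        aid = sasl_authzid(p)
        print("%-28s -> %s" % (p, aid))
        for label, rules in (("post rule only", POST_RULES),
                             ("with service rule", SERVICE_RULES)):
            dn = map_authzid(aid, rules)
            print("   %-18s %s%s" % (label, dn,
                                      "" if is_mapped(dn) else "  (unmapped)"))
    print(authzregexp_ldif(SERVICE_RULES))
```

With only the post's rule, the service principal maps to uid=DNS/test.bpk2.com,ou=Users,dc=bpk2,dc=com, because [^,]* happily swallows the slash; whatever DN the ACLs are meant to grant to named must therefore either exist under that name or be produced by an earlier, more specific rule. Rule order is the {N} index, so the service rule has to be {0} and the user rule {1}. Verify the result on the live server with a keytab-backed bind before touching ACLs, for example with ldapwhoami using GSSAPI while KRB5_CLIENT_KTNAME points at the keytab.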