On 1.4.2014 16:17, Brendan Kearney wrote:
Which plugin version do you use? bind-dyndb-ldap-4.1-1.fc20.x86_64
Before I dive into details, please read about the following bug:

I just found it, fixed it and I'm attaching patch for you so you don't need to wait for a new release :-)

Do you use bind-dyndb-ldap as part of a FreeIPA installation? no, using

Please provide the dynamic-db section from the configuration
file /etc/named.conf
dynamic-db "bpk2.com" {
        library "ldap.so";
        arg "uri ldap://";
        arg "base cn=dns,dc=bpk2,dc=com";
        arg "auth_method simple";
        arg "bind_dn cn=Manager,dc=bpk2,dc=com";
        arg "password ***REMOVED***";
        arg "sync_ptr yes";
        arg "dyn_update yes";
        arg "connections 2";
        arg "verbose_checks yes";
};

I want to use bind-dyndb-ldap with keytabs against my directory.  I have
created the principal DNS/test.bpk2....@bpk2.com, and have created
the keytab file.  What I want to know is:

What LDAP object should I create to match up against the Kerberos
I have to grant access to the LDAP tree, so what ID will be presented to
LDAP when using the keytab?
This is up to your LDAP server implementation. Bind-dyndb-ldap just calls SASL and Kerberos libraries. The plugin itself is not aware of any principal<->DN mapping.

Am I able to use the sasl_username without the sasl_password to
establish that?
sasl_username defaults to "DNS/$(hostname)" so usually it is not necessary to specify it explicitly. (It should match your Kerberos principal.)

Being that I want to use a keytab, the username would be in there.
When I list the keys in the keytab, there is a PRIMARY, an INSTANCE and
a REALM (DNS/test.bpk2....@bpk2.com).  Is the PRIMARY (DNS) or the
INSTANCE (test.bpk2.com) what has to be linked in LDAP to the Kerberos
Your LDAP server will get the whole principal and it is up to the server how it will map it to some existing entity.

Do I need a specific olcAuthzRegexp to massage the Kerberos ID into a
proper LDAP DN, like I am doing already for my ID?  Example:
{0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=
I have no idea, I have never configured this in OpenLDAP. Please let us know what configuration worked for you so we have the information in mailing list archives. Thanks!

I am running N-way multi-master LDAP.  Does the uri directive support
more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?
Unfortunately no, it is not supported. The usual recommendation is to configure one DNS server on one LDAP server for redundancy.

Can the SRV records be used to point the uri directive at the LDAP
servers by querying for them?  Ha, that's a chicken-and-egg topic,
but an interesting one...
That is an interesting idea but SRV lookups are not supported.

I am assuming my named.conf will change to include:
BTW, documentation about the named.conf syntax is in the README:

         arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";
^ This is not supported. Please pick just one LDAP server.

         arg "auth_method sasl";
^ This is correct.

         arg "sasl_mech GSSAPI";
^ This is default.

         arg "krb5_keytab FILE:/etc/named.keytab";
^ This is default.

Is there anything else obvious that I am missing?
It should be enough if you configure your LDAP server accordingly.

Let us know if you encounter any problem.

BTW, did you see the FreeIPA project? It integrates LDAP+Kerberos with management tools and a nice user interface, and solves Microsoft AD integration.

Maybe it could save you some headaches ...

Petr^2 Spacek
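For reference, the answers above put together into one dynamic-db section for SASL/GSSAPI authentication. This is an added example, not configuration from the original message or from the bind-dyndb-ldap project: the LDAP host ldap1.bpk2.com, the keytab path and the principal in the commented sasl_username line are assumptions taken from the thread, and the bind_dn/password arguments used with auth_method simple are left out because this configuration authenticates with the keytab instead.

```conf
// Added example (not from the original message): one LDAP server, SASL/GSSAPI auth.
dynamic-db "bpk2.com" {
        library "ldap.so";
        // Only a single URI is supported; pick one LDAP server per DNS server
        // (ldap1.bpk2.com is an assumed hostname).
        arg "uri ldap://ldap1.bpk2.com";
        arg "base cn=dns,dc=bpk2,dc=com";
        arg "auth_method sasl";
        // The next two arguments are the defaults and may be omitted.
        arg "sasl_mech GSSAPI";
        arg "krb5_keytab FILE:/etc/named.keytab";
        // sasl_username defaults to DNS/$(hostname). Set it only if the principal
        // stored in the keytab differs from that default (assumed value shown).
        // arg "sasl_username DNS/test.bpk2.com";
        arg "sync_ptr yes";
        arg "dyn_update yes";
        arg "connections 2";
        arg "verbose_checks yes";
};
```

Before restarting named, compare the principal listed by `klist -kt /etc/named.keytab` with the sasl_username that will be used (the default DNS/$(hostname) or the explicit value); the LDAP server then has to map that full principal, realm included, to an entry that is allowed to read and update the cn=dns subtree.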
From 644d8e4d66107bd081dd0023f5b44d1c176861be Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 1 Apr 2014 18:38:35 +0200
Subject: [PATCH] Fix record parsing to prevent child zone corruption.

Child zone hosted on the same server as parent zone was
corrupted by a bug in update_record().
Child zone's apex was modified by update_records()
instead of delegation records in the parent zone.


Signed-off-by: Petr Spacek <pspa...@redhat.com>
 NEWS              | 6 ++++++
 src/ldap_helper.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index d997df58dca5b77d84c0fafa2757cf49e15f7d65..e787e7f2d73e3e99d3d5c0d03b9ea92dff75b510 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+[1] Record parsing was fixed to prevent child-zone data corruption in cases
+    where parent zone example.com was hosted on the same server as child zone
+    sub.example.com. (This bug was introduced in version 4.0.)
 [1] Fix few minor bugs in error handling found by static code analyzers.
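Review bot: the new NEWS entry reuses the tag "[1]" that the existing entry directly below it already carries, so the file now lists two "[1]" items with no version heading between them; either renumber the following entries or place the new item under a heading for the release that will ship this fix. Keep the "(This bug was introduced in version 4.0.)" remark, since it tells admins which deployments are affected.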
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 05951fccbc655aef20177ea4a905159141665800..678e9f8a52181a5c63c96d29da9b3e5ec3b1273d 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -4030,7 +4030,7 @@ update_restart:
 	ldapdb = NULL;
 	journal = NULL;
 	ldapdb_rdatalist_destroy(mctx, &rdatalist);
-	CHECK(zr_get_zone_dbs(inst->zone_register, &name, &ldapdb, &rbtdb));
+	CHECK(zr_get_zone_dbs(inst->zone_register, &origin, &ldapdb, &rbtdb));
 	CHECK(dns_db_newversion(ldapdb, &version));
 	CHECK(dns_db_findnode(rbtdb, &name, ISC_TRUE, &node));
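Review bot: the one-line change switches the zone DB lookup from `name` to `origin`, which is the right key when `name` is a child-zone apex that also appears as a delegation point in a parent zone hosted on the same server, but the hunk shows no context for where `origin` is set; because this code sits under the `update_restart:` label, please confirm `origin` is initialized before the label and is not reset on the restart path, and keep the following `dns_db_findnode(rbtdb, &name, ISC_TRUE, &node)` on `name`, as it is. The commit message refers to the function as both update_record() and update_records(); make the name consistent, and a regression test with parent and child zones (example.com and sub.example.com, as in the NEWS entry) on one server would pin the fix down.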

Freeipa-users mailing list
