Hi Roland,

   I wish I could use Samba AD. However, I am new to OpenLDAP and need at least 
LAM to manage user authentication, HBAC and sudoers. I plan to do the DNS as 
well, but I am having an issue with the dlz config crashing bind. I am also having 
issues with PowerDNS. We do have a DNS alternative which we can use, FreeIPA. It can 
do everything I need, but I am having issues integrating it with OKTA for user 
authentication. It seems OKTA does not support FreeIPA. That is why we are 
using OpenLDAP/LAM. I can still use FreeIPA for DNS if needed.

Jose


-----Original Message-----
From: Rowland Penny <rpenny241...@gmail.com> 
Sent: Monday, September 23, 2024 9:25 AM
To: lam-public@lists.sourceforge.net
Subject: Re: [Lam-public] LDAP DNS issue


Ah, that explains it.

I can only speak from the Samba point of view and with Bind9.18.28 running on 
Debian bookworm, BIND9_DLZ works as expected.

Back when Samba first had the capability of running as an AD DC, Bind9 had to 
be rebuilt to use dlz, you had to recompile with '--with-dlz'. 
Around 2014, Bind stopped using this switch and built it in as a default, so 
you no longer had to rebuild Bind9.

I suppose that I should point out that you could have set up a Samba AD domain 
in a lot less time than you have spent already.

Rowland


On 23/09/2024 14:05, Jose Antonio Baduria Jr wrote:

> Hi Rowland,
>
>     I found this on an Ubuntu forum site 
> (https://askubuntu.com/questions/630875/how-to-install-bind9-with-dlz-ubuntu-server-14-04).
>  I verified it with Google Gemini. It is not supported out of the box. I've 
> spent a week trying to get bind9 to work with dlz, but it seems to crash every 
> time I put the DLZ config in named.local.conf, as it does not recognize the 
> configs. The only workaround is to compile bind with dlz. I don't plan to compile 
> it on my own, as I need to be wary of any patching that can impact it.
>
> Jose
>
> -----Original Message-----
> From: Rowland Penny <rpenny241...@gmail.com>
> Sent: Monday, September 23, 2024 4:33 AM
> To: lam-public@lists.sourceforge.net
> Subject: Re: [Lam-public] LDAP DNS issue
>
>
> Could I ask where Jose found the information that Ubuntu had dropped support 
> for DLZ?
>
> This worried me; I had heard nothing of this, so I did some checking, as Samba 
> with Bind9 relies on DLZ.
>
> I can find nothing that says Ubuntu (or Bind) have dropped DLZ, what I did 
> find was that Ubuntu have removed the bind-dyndb-ldap package as it appears 
> to be broken:
>
> https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2078003
>
> Rowland Penny
>
> Samba team member
>
>
> On 21/09/2024 20:15, Jose Antonio Baduria Jr via Lam-public wrote:
>> Hi,
>>
>>      I just found out that bind9 in Ubuntu dropped support for DLZ. 
>> It could be the same thing with Red Hat. It now uses dyndb. Would LDAP Account Manager 
>> support it? I tried PowerDNS but I am facing the same issue. The 
>> documentation for PowerDNS in LAM is very scant. How can I create a zone 
>> for PowerDNS? I can do it with Bind DNS with New Zone.
>>
>> Thanks,
>> Jose
>>
>> -----Original Message-----
>> From: Roland Gruber <p...@rolandgruber.de>
>> Sent: Friday, September 20, 2024 1:35 PM
>> To: lam-public@lists.sourceforge.net
>> Subject: Re: [Lam-public] LDAP DNS issue
>>
>> Hi Jose,
>>
>> Is nslookup contacting your server at all? You should see its IP address in 
>> the output.
>> I suggest continuing the investigation on the Bind users mailing list, as this 
>> is going more in the direction of configuring Bind itself. There you will find more 
>> experts for this topic:
>>
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>>
>> Best regards
>> Roland
>>
>>
>> Am 20.09.24 um 14:43 schrieb Jose Antonio Baduria Jr via Lam-public:
>>> Hi,
>>>
>>>       I activated logging. I do see some slapd messages, but when I do the 
>>> nslookup, I don't see any slapd logs. Is it not communicating with LDAP?
>>>
>>> # ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)"
>>> SASL/EXTERNAL authentication started
>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> SASL SSF: 0
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (olcLogLevel=*)
>>> # requesting: ALL
>>> #
>>>
>>> # config
>>> dn: cn=config
>>> objectClass: olcGlobal
>>> cn: config
>>> olcArgsFile: /var/run/slapd/slapd.args
>>> olcLogLevel: stats
>>> olcPidFile: /var/run/slapd/slapd.pid
>>> olcToolThreads: 1
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> -----Original Message-----
>>> From: Roland Gruber <p...@rolandgruber.de>
>>> Sent: Friday, September 20, 2024 1:38 AM
>>> To: lam-public@lists.sourceforge.net
>>> Subject: Re: [Lam-public] LDAP DNS issue
>>>
>>> Hi Jose,
>>>
>>> please activate logging on the LDAP server side to see which queries are 
>>> performed on the LDAP side. Then you can check why they do not return results.
>>>
>>> The log level (olcLogLevel in /etc/ldap/slapd.d/cn=config.ldif) for OpenLDAP 
>>> should be e.g. "stats".
>>>
>>>
>>> Best regards
>>> Roland
>>>
>>>
>>>
>>> Am 20.09.24 um 01:08 schrieb Jose Antonio Baduria Jr via Lam-public:
>>>> Hi,
>>>>
>>>>         I have set up OpenLDAP as a DNS server. I have set up an LDAP 
>>>> backend using bind9-dyndb-ldap. dig works, but somehow nslookup fails.
>>>>
>>>> I do see the following issue on the logs:
>>>>
>>>> Sep 19 22:32:25 sdc-ops-openldap01 named[260087]: 0 master zones from LDAP instance 'ldap' loaded (0 zones defined, 0 inactive, 0 failed to load)
>>>> Sep 19 22:32:25 sdc-ops-openldap01 named[260087]: 0 master zones is suspicious number, please check access control instructions on LDAP server
>>>>
>>>> root@sdc-ops-openldap01:/etc/bind# nslookup sdc-ops-for01.bd.internal
>>>> ;; Got SERVFAIL reply from 10.32.183.11, trying next server
>>>>
>>>> ** server can't find sdc-ops-for01.bd.internal: NXDOMAIN
>>>>
>>>> root@sdc-ops-openldap01:/etc/bind# dig @10.32.183.11 sdc-ops-for01
>>>>
>>>> ; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @10.32.183.11 sdc-ops-for01
>>>> ; (1 server found)
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27733
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>>
>>>> ;; OPT PSEUDOSECTION:
>>>> ; EDNS: version: 0, flags:; udp: 1232
>>>> ; COOKIE: 89af8b62d831e3d70100000066ecae50cc3e47461128b789 (good)
>>>> ;; QUESTION SECTION:
>>>> ;sdc-ops-for01.                 IN      A
>>>>
>>>> ;; Query time: 324 msec
>>>> ;; SERVER: 10.32.183.11#53(10.32.183.11) (UDP)
>>>> ;; WHEN: Thu Sep 19 23:05:52 UTC 2024
>>>> ;; MSG SIZE  rcvd: 70
>>>>
>>>>
>>>> root@sdc-ops-openldap01:/etc/bind# ldapsearch -x -H ldap://10.32.183.11 -P 3 -LLL -b "dlzHostName=@,dlzZoneName=bd.internal,ou=dns,dc=bd,dc=internal" "(objectClass=dlzSOARecord)"
>>>> dn: dlzRecordID=1,dlzHostName=@,dlzZoneName=bd.internal,ou=dns,dc=bd,dc=internal
>>>> objectClass: top
>>>> objectClass: dlzSOARecord
>>>> dlzRecordID: 1
>>>> dlzHostName: @
>>>> dlzType: SOA
>>>> dlzSerial: 1
>>>> dlzRefresh: 2800
>>>> dlzRetry: 7200
>>>> dlzExpire: 604800
>>>> dlzMinimum: 86400
>>>> dlzAdminEmail: root.example.com.
>>>> dlzTTL: 1209600
>>>> dlzPrimaryNS: sdc-ops-openldap01.bd.internal.
>>>>
>>>>
>>>> /etc/bind/named.conf
>>>>
>>>> dyndb "ldap" "/usr/lib/bind/ldap.so" {
>>>>     uri "ldap://10.32.183.11";
>>>>     base "ou=dns,dc=bd,dc=internal";
>>>>     auth_method "simple";
>>>>     bind_dn "cn=admin,dc=bd,dc=internal";
>>>>     password "PASSWORD";
>>>> };
>>>>
>>>> Not sure what the issue is. Any ideas?
>>>>
>>>> Thanks,
>>>> Jose
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Lam-public mailing list
>>>> Lam-public@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/lam-public
>>>
>>>
>>
>>
>

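Roland's suggestion in the thread is to set olcLogLevel to "stats" on slapd and watch whether named's queries reach LDAP and why they come back empty. The following is an added example, not code from the thread, from LAM or from bind-dyndb-ldap: it reads slapd stats log lines and correlates the BIND and SEARCH operations of named's bind_dn under the configured dyndb base, returning a verdict that separates "never connected", "bind refused", "never searched" and "searched but matched nothing" (the case behind a "0 master zones" message). The log lines are constructed, and the objectClass filter in them is an assumption about what the plugin asks for.

```python
import re

# Constructed sample of slapd "stats" log lines (olcLogLevel: stats): one
# connection where named's bind DN binds and searches the dyndb base, and
# one unrelated LAM connection. Made up for this example, not from the thread.
SAMPLE_LOG = """\
conn=1005 op=0 BIND dn="cn=admin,dc=bd,dc=internal" method=128
conn=1005 op=0 BIND dn="cn=admin,dc=bd,dc=internal" mech=SIMPLE ssf=0
conn=1005 op=0 RESULT tag=97 err=0 text=
conn=1005 op=1 SRCH base="ou=dns,dc=bd,dc=internal" scope=2 deref=0 filter="(objectClass=idnsZone)"
conn=1005 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1006 op=0 BIND dn="cn=lam,dc=bd,dc=internal" method=128
conn=1006 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
BIND_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d deref=\d filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')

def summarize(log_text, bind_dn, base):
    """Correlate what bind_dn (named.conf's bind_dn) did on slapd: the result
    of its BIND operations and every search it issued under the dyndb base."""
    conns, binds, searches = set(), {}, {}
    for line in log_text.splitlines():
        if m := BIND_RE.match(line):
            if m[3].lower() == bind_dn.lower():
                conns.add(m[1])
                binds[(m[1], m[2])] = None        # err filled in by the RESULT line
        elif m := BIND_RESULT_RE.match(line):
            if (m[1], m[2]) in binds:
                binds[(m[1], m[2])] = int(m[3])
        elif m := SRCH_RE.match(line):
            if m[1] in conns and m[3].lower().endswith(base.lower()):
                searches[(m[1], m[2])] = {"base": m[3], "filter": m[4], "err": None, "nentries": None}
        elif m := SRCH_RESULT_RE.match(line):
            if (m[1], m[2]) in searches:
                searches[(m[1], m[2])].update(err=int(m[3]), nentries=int(m[4]))
    if not binds:
        verdict = "no_bind"        # named never authenticated as this DN: not talking to LDAP
    elif any(e not in (None, 0) for e in binds.values()):
        verdict = "bind_failed"    # wrong credentials or an ACL denies the bind
    elif not searches:
        verdict = "no_search"      # bound, but never searched the configured base
    elif all(s["nentries"] == 0 for s in searches.values()):
        verdict = "zero_results"   # queries arrive but match nothing: check ACLs and entries under base
    else:
        verdict = "ok"
    return {"verdict": verdict, "bind_errors": binds, "searches": list(searches.values())}
```

Feed it the real slapd log (for example the output of journalctl -u slapd) together with the bind_dn and base from named.conf; the returned searches list also shows the exact filters named uses, which tells you which objectClasses it expects to find.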