لطفا منتظر باشید ...
•
Table of Contents
•
Index
•
Reviews
•
Reader Reviews
•
Errata
LDAP System Administration
By
Gerald Carter
Publisher
: O''''Reilly
Pub Date
: March 2003
ISBN
: 1-56592-491-6
Pages
: 308
If you want to be a master of your domain, LDAP
System Administration will help you get up and
running quickly regardless of which LDAP version you use.
After reading this book, even with no previous LDAP
experience, you''''ll be able to integrate a directory server
into essential network services such as mail, DNS, HTTP, and
SMB/CIFS.
8.5 Resolving Hosts
Now let's turn our
attention to data describing hosts on a network. One of the most
fundamental services provided in any TCP/IP network is the
resolution of machine names to network
addresses. The most widespread mechanism for looking up IP addresses
is the Domain Name System (DNS). Again, coverage of DNS is beyond the
scope of this book; for more information, see
DNS and
BIND, Fourth Edition, by Cricket Liu and Paul
Albitz (O'Reilly).Chapter 1 already made it clear that LDAP is not a
replacement for a specialized directory service such as DNS. However,
you can use LDAP effectively as a backend storage system for DNS zone
files. Stig
Venaas has written such a patch for Bind 9 using its new
simplified
database interface (SDB).
The latest release of the patch for BIND 9.1 (or later) and the
necessary schema file for OpenLDAP 2 can be obtained from http://www.venaas.no/ldap/bind-sdb/. For
performance reasons, I recommend that you obtain the latest patch,
rather than using the one included in the
contrib/ subdirectory of the latest BIND 9
release.Venaas has included a brief list of the steps necessary for
integrating LDAP-sdb support in Bind 9. Here are the
instructions contained in the INSTALL file of
the ldap-sdb archive:
Copy the ldap.c source file to the
bin/named/ subdirectory of the BIND 9 source
tree.
Copy the ldap.h header file to the
bin/named/include/ subdirectory of the BIND 9
source tree.
Edit bin/named/Makefile.in and add the following
lines:
DDRIVER_OBJS = ldapdb.@O@The Makefile variables may already exist; if this is the case, simply
DDRVIVER_SRCS = ldapdb.c
DDRIVER_LIBS = -lldap -llber
append the references to the LDAP files to the existing definitions.
You may also need to add the path to the LDAP include files and
libraries to the DDRIVER_INCLUDES and
DDRIVER_LIBS respectively.
Edit bin/named/main.c and add the line
#include <ldapdb.h> below
#include "xxdb.h"; add the line
ldapdb_init( ); below xxdb_init(
); and finally, add ldapdb_clear( );
below xxdb_clear( );.
After making these changes, you're ready to build
the LDAP-enabled named binary by executing ./configure
&& make && /bin/su -c "make install". It is
a good idea to ensure that the new server is working with an existing
set of zone files before continuing. Here is a zone file for the
plainjoe.org domain; it contains four hosts,
localhost, dns1,
ldap, and ahab:
plainjoe.org. IN SOA dns1.plainjoe.org. root.dns.plainjoe.org. (
3 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day
; Name Servers
plainjoe.org. IN NS dns1.plainjoe.org.
; Addresses for local printers
localhost.plainjoe.org. IN A 127.0.0.1
dns1.plainjoe.org. IN A 192.168.1.10
ldap.plainjoe.org. IN A 192.168.1.70
ahab.plainjoe.org. IN A 192.168.1.80
Figure 8-6 shows the schema for the structural
dNSZone object class. This schema allows you to
store DNS records in the directory. All of the attributes used to
represent the various DNS records (MX, A, PTR, etc.) are optional,
which means that a dNSZone entry can represent any
type of DNS record.
Figure 8-6. The dNSZone object class required for the Bind 9 LDAP-sdb backend
I have chosen to place all plainjoe.org hosts in
the hosts organizational unit. The following LDIF
entry represents the A record for the host
ahab.plainjoe.org:
dn: relativeDomainName=ahab,ou=hosts,dc=plainjoe,dc=org
aRecord: 192.168.1.80
objectClass: dNSZone
relativeDomainName: ahab
dNSTTL: 86400
zoneName: plainjoe.org
After placing your DNS zone data into the LDAP directory, you need to
tell the named server how to locate the zone
information. The database keyword specifies the
SDB type holding the zone information; in this case,
you're using an LDAP database. Any remaining
arguments after the database type are passed directly to the SDB
backend module. Here, you use an LDAP URI to define the directory
server's hostname and the base search suffix. The
final number (172800) specifies the default time-to-live (TTL) for
entries that do not possess a
dNSTTL attribute value.
zone "plainjoe.org" in {
type master;
database "ldap ldap://192.168.1.70/ou=hosts,dc=plainjoe,dc=org 172800";
};You can now use the dig utility to test the new LDAP-served DNS
zone. Figure 8-7 describes what will happen when
the dig or nslookup tools
are executed.
$ dig ahab.plainjoe.org +short
; <<>> DiG 9.1.0 <<>> ahab.plainjoe.org +short
;; global options: printcmd
192.168.1.80
Figure 8-7. Retrieving zone information using LDAP lookups in Bind 9
The zone2ldap tool included with the Bind distribution
provides a quick way to transfer existing zone files into an LDAP
directory. Newer versions of this utility can also be downloaded from
Venaas's web site. I decided against using it
because it creates an entry for each component of the FQDN for each
host. For example, the host ahab.plainjoe.org
results in three entries: one for dc=org, one for
dc=plainjoe,dc=org, and one for
relativeDomainName=ahab,dc=plainjoe,dc=org. For
more information, refer to the zone2ldap
manpage.
