Difference between revisions of "PowerDNS LDAP Backend/Installation"
From Linuxnetworks
Latest revision as of 14:40, 22 June 2008
Compilation
Before performing the steps to compile the PowerDNS server and the LDAP DNS backend you have to install an LDAP development package, which includes all necessary headers. The openldap-devel package is provided by most distributions. Apply these steps to the source .tar.gz file if you don't want to use a pre-compiled package:
* Extract the tar file
* Change into the newly created pdns directory
* Type ./configure --help for the available options
* For dynamic modules:
  ./configure --with-modules="" --with-dynmodules="ldap" --enable-recursor
* For a static binary:
  ./configure --with-modules="ldap" --with-dynmodules="" --enable-recursor
* make && make install
Configuration options
There are a few options through which the LDAP DNS backend can be configured for your environment. Add them to the pdns.conf file located in /etc/powerdns or /usr/local/etc/ (depends on your configuration while compiling):
- launch=ldap : You'll have to add the LDAP DNS backend to the PowerDNS backends first by altering the launch declaration in the pdns.conf file. Otherwise the options below won't have any effect.
- ldap-host (default "ldap://127.0.0.1:389/") : The values assigned to this parameter can be LDAP URIs (e.g. ldap://127.0.0.1/ or ldaps://127.0.0.1/) describing the connection to the LDAP server. Multiple LDAP URIs can be specified for load balancing and high availability if they are separated by spaces. In case the LDAP client library in use doesn't support LDAP URIs as a connection parameter, use plain host names or IP addresses instead (both may optionally be followed by a colon and the port).
- ldap-starttls (default "no") : Use TLS-encrypted connections (STARTTLS) to the LDAP server. This is only allowed if ldap-host is an ldap:// URI or a host name / IP address.
- ldap-basedn (default "") : The PowerDNS LDAP DNS backend searches below this path for objects containing the specified DNS information. The retrieval of attributes is limited to this subtree. This option must be set to the path according to the layout of your LDAP tree, e.g. ou=hosts,o=linuxnetworks,c=de is the DN to my objects containing the DNS information.
- ldap-binddn (default "") : Path to the object to authenticate against. Should only be used if the LDAP server doesn't support anonymous binds.
- ldap-secret (default "") : Password for authentication against the object specified by ldap-binddn.
- ldap-method (default "simple") : One of the following:
  - simple : Search the requested domain by comparing the associatedDomain attributes with the domain string in the question.
  - tree : Search entries by translating the domain string into an LDAP DN. Your LDAP tree must be designed in the same way as your DNS tree. The question for "myhost.linuxnetworks.de" would translate into "dc=myhost,dc=linuxnetworks,dc=de,ou=hosts=..." and the entry this DN points to would be evaluated for DNS records.
  - strict : Like simple, but generates PTR records from aRecords or aAAARecords. Using "strict", you won't be able to do zone transfers for reverse zones.
- ldap-filter-axfr (default "(:target:)") : LDAP filter for limiting AXFR results (zone transfers), e.g. (&(:target:)(active=yes)) for returning only entries whose attribute "active" is set to "yes".
- ldap-filter-lookup (default "(:target:)") : LDAP filter for limiting IP or name lookups, e.g. (&(:target:)(active=yes)) for returning only entries whose attribute "active" is set to "yes".
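The following added example (written for this page, not code from the PowerDNS project) models how the ldap-filter-lookup template and the tree method above turn a DNS question into LDAP search parameters. It assumes that :target: stands for a bare associatedDomain=<name> match, and it applies RFC 4515 filter escaping and RFC 4514 DN escaping so that a query name taken from the wire cannot change the meaning of the filter or DN the backend sends to the directory.

```python
# Added example: DNS question -> LDAP filter / DN, with escaping.
# Assumption (not stated on the page): ":target:" expands to the bare
# expression "associatedDomain=<qname>", which is why the default
# template "(:target:)" already carries its own parentheses.

# RFC 4515 section 3: characters that must be escaped inside filter values
_FILTER_ESC = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;=' or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_lookup_filter(template: str, qname: str) -> str:
    """Expand an ldap-filter-lookup template such as "(&(:target:)(active=yes))".

    The trailing dot of a fully qualified name is dropped; the name is escaped
    before substitution so "(" ")" "*" and "\\" in a query cannot alter the filter.
    """
    target = "associatedDomain=" + escape_filter_value(qname.rstrip("."))
    return template.replace(":target:", target)


def tree_dn(qname: str, basedn: str) -> str:
    """ldap-method=tree: map "a.b.c" onto "dc=a,dc=b,dc=c,<ldap-basedn>"."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return ",".join("dc=" + escape_dn_value(l) for l in labels) + "," + basedn


if __name__ == "__main__":
    # Constructed sample question and the page's own filter example
    print(build_lookup_filter("(&(:target:)(active=yes))", "myhost.linuxnetworks.de."))
    print(tree_dn("myhost.linuxnetworks.de", "ou=hosts,o=linuxnetworks,c=de"))
```

Note that without the escaping step a name such as `*)(objectClass=*` would be spliced into the filter verbatim and widen the search; the escaped form keeps it a literal value.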