Difference between revisions of "PowerDNS LDAP Backend/Troubleshooting"
(removed backlink) |
|||
| (12 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
__TOC__ | __TOC__ | ||
| − | = | + | == Trying to set unexisting parameter == |
| + | |||
| + | If your PowerDNS config file contains an unknown parameter or at least one of your parameters is not in the form | ||
| + | |||
| + | ldap-''name''=''value'' | ||
| + | |||
| + | the PowerDNS server won't start up and you will see a fatal error in the log file. For a list of available parameters, please have a look at [[PowerDNS_LDAP_Backend/Installation#Configuration_options|configuration options]]. | ||
== Use of quotation marks ("") == | == Use of quotation marks ("") == | ||
| − | Do never use quotation marks in the PowerDNS | + | Do never use quotation marks in the PowerDNS configuration files! They are not evaluated and remain part of the parameter value. This leads to hard to find errors, e.g. no objects are returned from the LDAP directory. |
== No reverse zone transfer == | == No reverse zone transfer == | ||
| − | Your | + | Your LDAP tree must contain a separate subtree of PTR records (e.g. for 1.1.10.10.in-addr.arpa) and you can't set "ldap-method" to "strict". |
== IPv6 reverse lookup doesn't work in strict mode == | == IPv6 reverse lookup doesn't work in strict mode == | ||
| − | For automatically generated reverse IPv6 records your | + | For automatically generated reverse IPv6 records your aAAARecord entries must follow two restrictions: They have to be fully expanded ("FFFF::1" is not allowed and it must be "FFFF:0:0:0:0:0:0:1" instead) and they must not contain leading zeros, e.g. an entry containing "002A" is incorrect - use "2A" without zeros instead. These restrictions are due to the fact that LDAP DNS AAAA entries are pure text and doesn't allow searching by wild-cards. |
| + | == Bad search filter == | ||
| − | ---- | + | The release of PowerDNS 2.9.20 contains a bug in ldap-filter-{axfr,lookup}. A user provided string with ":target:" is replaced with "(associatedDomain=QUERYDATA)" and braces ARE added. So if you create some filter like |
| − | + | ||
| + | ldap-filter-lookup=(&(:target:)(active=yes)) | ||
| + | |||
| + | it will result as | ||
| + | |||
| + | ldap-filter-lookup=(&((associatedDomain=QUERYDATA))(active=yes)) | ||
| + | |||
| + | which results with bad search filter. To circumvent the bug temporarily you can add instead | ||
| + | |||
| + | ldap-filter-lookup=(&:target:(active=yes)) | ||
| + | |||
| + | The bug will be fixed in version 2.9.21 and later versions. | ||
---- | ---- | ||
| − | + | '''Feel free to add your own tips''' | |
Latest revision as of 14:42, 22 June 2008
Contents
Trying to set unexisting parameter
If your PowerDNS config file contains an unknown parameter or at least one of your parameters is not in the form
ldap-name=value
the PowerDNS server won't start up and you will see a fatal error in the log file. For a list of available parameters, please have a look at configuration options.
Use of quotation marks ("")
Do never use quotation marks in the PowerDNS configuration files! They are not evaluated and remain part of the parameter value. This leads to hard to find errors, e.g. no objects are returned from the LDAP directory.
No reverse zone transfer
Your LDAP tree must contain a separate subtree of PTR records (e.g. for 1.1.10.10.in-addr.arpa) and you can't set "ldap-method" to "strict".
IPv6 reverse lookup doesn't work in strict mode
For automatically generated reverse IPv6 records your aAAARecord entries must follow two restrictions: They have to be fully expanded ("FFFF::1" is not allowed and it must be "FFFF:0:0:0:0:0:0:1" instead) and they must not contain leading zeros, e.g. an entry containing "002A" is incorrect - use "2A" without zeros instead. These restrictions are due to the fact that LDAP DNS AAAA entries are pure text and doesn't allow searching by wild-cards.
Bad search filter
The release of PowerDNS 2.9.20 contains a bug in ldap-filter-{axfr,lookup}. A user provided string with ":target:" is replaced with "(associatedDomain=QUERYDATA)" and braces ARE added. So if you create some filter like
ldap-filter-lookup=(&(:target:)(active=yes))
it will result as
ldap-filter-lookup=(&((associatedDomain=QUERYDATA))(active=yes))
which results with bad search filter. To circumvent the bug temporarily you can add instead
ldap-filter-lookup=(&:target:(active=yes))
The bug will be fixed in version 2.9.21 and later versions.
Feel free to add your own tips
