ISC Bind 9.11 and dyndb-ldap

Petr Mensik pemensik at redhat.com
Wed Dec 14 17:40:16 UTC 2016


Hello Kishore,

It is not so simple. What was merged into BIND 9.11 is only the dynamic database API, which bind-dyndb-ldap uses. That dynamic database does not store any permanent data; it is only an interface other plugins can use.
That means the dynamic_db provided by the custom patch for RHEL and Fedora was merged upstream WITH changes. It changed the name and syntax of the configuration, so you have to modify it.

But you still have to use the bind-dyndb-ldap plugin to use an LDAP backend in BIND. And that plugin is not supported by ISC; see https://fedorahosted.org/bind-dyndb-ldap/.

Unfortunately there is a plugin in rawhide with support for the new API of BIND 9.11, but it requires OpenSSL 1.1 as well. There is not yet a bind-dyndb-ldap that supports both the current dyndb and older OpenSSL. I suggest using an older BIND server now with the custom patches for dynamic_db. You would have to backport some code to run the last release.

The correct path on Fedora is /usr/lib64/bind/ldap.so (bind-dyndb-ldap package). /usr/lib64/libldap.so is something completely different, and it will never work in BIND.

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
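For concreteness, here is an added example of the configuration change Petr describes; it is not configuration from this thread or from the bind-dyndb-ldap project itself. It places the old RHEL/Fedora `dynamic-db` form beside the BIND 9.11 `dyndb` form, using the module path given above. The instance name, LDAP URI and base DN are placeholders copied from Kishore's post; check the bind-dyndb-ldap README for the exact options your plugin version accepts.

```conf
# OLD syntax: BIND built with the downstream RHEL/Fedora dynamic_db patch.
# Upstream BIND 9.11 rejects this block with "unknown option 'dynamic-db'",
# which is the error in Matt's log.
dynamic-db "ldap_dyndb" {
        library "ldap.so";
        arg "uri ldap://10.12.42.113";
        arg "base cn=dns, dc=example, dc=com";
};

# NEW syntax: upstream BIND 9.11 dyndb API. The second argument is the path
# to the bind-dyndb-ldap module (Fedora: /usr/lib64/bind/ldap.so), NOT the
# OpenLDAP client library /usr/lib64/libldap.so. Plugin options that used to be
# passed as "arg" strings are now ordinary statements inside the block.
dyndb "ldap_dyndb" "/usr/lib64/bind/ldap.so" {
        uri "ldap://10.12.42.113";
        base "cn=dns, dc=example, dc=com";
};
```

Before restarting named, confirm that the file you point at actually exports the entry point named looks up: `nm -D /usr/lib64/bind/ldap.so | grep dyndb_version` should list the symbol, while the same command against /usr/lib64/libldap.so lists nothing, which is exactly the "undefined symbol: dyndb_version" failure in Kishore's log. Also run `named-checkconf /etc/named.conf` after the edit so a syntax problem is caught before the service is bounced.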

----- Original Message -----
From: "ramkishore b" <ramkishore.b at gmail.com>
To: comp-protocols-dns-bind at isc.org
Sent: Tuesday, December 13, 2016 6:22:09 PM
Subject: Re: ISC Bind 9.11 and dyndb-ldap

On Monday, October 17, 2016 at 7:23:34 AM UTC+5:30, Pallissard, Matt wrote:
> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
> 
> Unless I'm reading the release notes/new-features pages incorrectly, the bind-dyndb-ldap plugin has been rolled into ISC's official release and I shouldn't have to mess around with patching/building it from source.
> 
> Yet I get the following errors upon startup:
> 
> named[9937]: loading configuration from '/etc/named.conf'
> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
> named[9937]: loading configuration: failure
> named[9937]: exiting (due to fatal error)
> systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
> 
> I'm using the package provided by Arch Linux and can provide the flags the bind package was compiled with if those are relevant.
> 
> Any advice would be greatly appreciated.
> 
> Matt Pallissard

Hello Matt Pallissard,
Have you succeeded in using LDAP as a dynamic back-end for bind 9.11?

We are getting the errors below while trying to initialize bind with dyndb.

loading DynDB instance 'ldap_dyndb' driver '/usr/lib64/libldap.so'
failed to lookup symbol dyndb_version in dyndb module '/usr/lib64/libldap.so': /usr/lib64/libldap.so: undefined symbol: dyndb_version
failed to dynamically load instance 'ldap_dyndb' driver '/usr/lib64/libldap.so': (null) (failure)
dynamic database 'ldap_dyndb' configuration failed: failure
loading configuration: failure
exiting (due to fatal error)

The configuration details related to bind in the named.conf file are as below.

dyndb ldap_dyndb "/usr/lib64/libldap.so" {
        uri "ldap://10.12.42.113";
        base "cn=dns, dc=example, dc=com";
};

We are using the bind 9.11 package on RHEL 7.2 and have a few queries as below.
- We used the default RHEL "/usr/lib64/libldap.so" shared library in the above configuration. Is this correct? Is there any customized ldap.so file to be used with bind 9.11?
- Are there any specific configure options to be enabled while compiling bind?

Any inputs are highly appreciated, and thanks in advance.

Thanks, 
Kishore.

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users