DLZ bind/named & ldap.conf

Hi,

It turns out that named is not recognising /etc/ldap.conf, /usr/local/etc/ldap.conf or /usr/local/etc/openldap/ldap.conf. Am I missing something? It's not running as chroot:

Code:
cat /etc/rc.conf
[...]
named_enable="YES"
named_conf="/usr/local/etc/namedb/named.conf"
[...]

On the LDAP side it clearly states that it is not doing a STARTTLS:

Code:
Nov  1 21:15:31 FreeBSD slapd[30750]: conn=1058 op=0 BIND dn="cn=admin,dc=DOMAIN,dc=TLD" method=128
Nov  1 21:15:31 FreeBSD slapd[30750]: conn=1058 op=0 RESULT tag=97 err=13 text=confidentiality required

Code:
root@Prod-DNS-1 [~]$ ls -lach {/usr/local/etc/openldap/ldap.conf,/usr/local/etc/ldap.conf,/etc/ldap.conf}
lrwxr-xr-x  1 root  wheel    33B Nov  1 21:01 /etc/ldap.conf -> /usr/local/etc/openldap/ldap.conf
lrwxr-xr-x  1 root  wheel    33B Nov  1 20:12 /usr/local/etc/ldap.conf -> /usr/local/etc/openldap/ldap.conf
-rwxrwxr-x  1 root  wheel   921B Nov  1 21:29 /usr/local/etc/openldap/ldap.conf

All other TLS/SSL connections to LDAP work fine. My ldap.conf is definitely fine. I just don't know where named is looking for it?! With sshd I needed to do something like this to get ssh pub keys working from LDAP:

Code:
LDAPCONF='/usr/local/etc/openldap/ldap.conf'
export LDAPCONF
export PATH=${PATH}:/usr/local/bin

But where would I place this?
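The slapd log quoted above shows a simple bind (method=128) answered with err=13 "confidentiality required" because no TLS was negotiated first. The script below is an added example, not part of this post: it correlates BIND and RESULT lines by conn/op and reports binds that slapd refused for that reason, noting whether a "TLS established" line preceded the bind on that connection. The log lines inside it are constructed in the same format as the ones quoted above (the STARTTLS and "TLS established" lines are assumed to follow slapd's usual syslog format).

```python
"""Spot slapd binds refused with err=13 (confidentialityRequired).

Added example for this thread; the sample log below is constructed."""
import re

# Constructed sample: conn 1058 mirrors the thread (bind without TLS,
# refused); conn 1059 does STARTTLS first and its bind succeeds.
SAMPLE_LOG = """\
Nov  1 21:15:31 FreeBSD slapd[30750]: conn=1058 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Nov  1 21:15:31 FreeBSD slapd[30750]: conn=1058 op=0 BIND dn="cn=admin,dc=DOMAIN,dc=TLD" method=128
Nov  1 21:15:31 FreeBSD slapd[30750]: conn=1058 op=0 RESULT tag=97 err=13 text=confidentiality required
Nov  1 21:15:40 FreeBSD slapd[30750]: conn=1059 fd=13 ACCEPT from IP=192.0.2.11:51240 (IP=0.0.0.0:389)
Nov  1 21:15:40 FreeBSD slapd[30750]: conn=1059 op=0 STARTTLS
Nov  1 21:15:40 FreeBSD slapd[30750]: conn=1059 op=0 RESULT oid= err=0 text=
Nov  1 21:15:40 FreeBSD slapd[30750]: conn=1059 fd=13 TLS established tls_ssf=256 ssf=256
Nov  1 21:15:40 FreeBSD slapd[30750]: conn=1059 op=1 BIND dn="cn=admin,dc=DOMAIN,dc=TLD" method=128
Nov  1 21:15:40 FreeBSD slapd[30750]: conn=1059 op=1 RESULT tag=97 err=0 text=
"""

BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT .*?err=(\d+) text=(.*)$")
TLS = re.compile(r"conn=(\d+) fd=\d+ TLS established")

def find_cleartext_bind_failures(log_text):
    """Return [(conn, dn, tls_before_bind, err, text)] for every BIND whose
    RESULT carries err=13. tls_before_bind is True if a 'TLS established'
    line for that connection was seen before the BIND."""
    tls_up = set()   # connections on which TLS has been established so far
    pending = {}     # (conn, op) -> (dn, method, tls_at_bind)
    hits = []
    for line in log_text.splitlines():
        if (m := TLS.search(line)):
            tls_up.add(m.group(1))
        elif (m := BIND.search(line)):
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = (dn, method, conn in tls_up)
        elif (m := RESULT.search(line)):
            conn, op, err, text = m.groups()
            bind = pending.pop((conn, op), None)   # None for non-BIND ops
            if bind and err == "13":
                hits.append((conn, bind[0], bind[2], int(err), text.strip()))
    return hits

if __name__ == "__main__":
    for conn, dn, tls, err, text in find_cleartext_bind_failures(SAMPLE_LOG):
        print(f"conn={conn} dn={dn} tls_before_bind={tls} err={err} ({text})")
```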
 
I haven't looked very closely on how to configure BIND for this but it looks like it uses its own settings from named.conf and doesn't use ldap.conf at all.
 
/usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf are two totally different files, but you have the former linked to the latter...

/usr/local/etc/ldap.conf is the configuration file for the LDAP nameservice switch library and the LDAP PAM module.

/usr/local/etc/openldap/ldap.conf is used to set system-wide defaults to be applied when running ldap clients.
 
I haven't looked very closely on how to configure BIND for this but it looks like it uses its own settings from named.conf and doesn't use ldap.conf at all.
Thus far it looks like the only thing I can change regarding this is to switch between "ldap:///" or "ldaps:///". The problem is that I cannot set any CADIR, CACERT, etc.

Code:
dlz "LDAP Zone Master" {
    database "ldap 1
    v3 simple {cn=admin,dc=domain,dc=tld} {maypassword} {ldap.domain.tld}
   ldap:///dlzZoneName=$zone$,ou=zone.master,ou=dns,ou=services,dc=domain,dc=tld???objectclass=dlzZone
   ldap:///dlzHostName=$record$,dlzZoneName=$zone$,ou=zone.master,ou=dns,ou=services,dc=domain,dc=tld?dlzTTL,dlzType,dlzPreference,dlzData,dlzIPAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?objectclass=dlzAbstractRecord
    {}
   ldap:///dlzZoneName=$zone$,ou=zone.master,ou=dns,ou=services,dc=domain,dc=tld?dlzTTL,dlzType,dlzHostName,dlzPreference,dlzData,dlzIPAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?objectclass=dlzAbstractRecord
   ldap:///dlzZoneName=$zone$,ou=zone.master,ou=dns,ou=services,dc=domain,dc=tld??sub?(&(objectclass=dlzXFR)(dlzIPAddr=$client$))";
};


/usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf are two totally different files, but you have the former linked to the latter...

/usr/local/etc/ldap.conf is the configuration file for the LDAP nameservice switch library and the LDAP PAM module.

/usr/local/etc/openldap/ldap.conf is used to set system-wide defaults to be applied when running ldap clients.

Thank you. I've linked them because the requirements for nslcd and the system-wide defaults are equal in my case. Nevertheless, bind dlz seems to completely ignore the defaults, or simply doesn't look for them where I would expect it to.

Helpful clues are very welcome ;)
 