#238 bind-dyndb-ldap Samba 4 AD schema
Opened by kchikh.

Hello,

We want to start using bind-dyndb-ldap instead of bind-sdb, which we currently use on Rocky Linux 8.x servers. This is because the bind-sdb package is no longer available on Rocky Linux 9.x machines. Our domain controllers are running Samba AD 4.21.

Please provide us with the bind-dyndb-ldap ldif schema so we can add it to the Samba 4 AD schema.

Please feel free to ask me for more information on this topic.

Best Regards

Kamal Chikh Echioukh


LDAP schema is present in /usr/share/doc/bind-dyndb-ldap/schema.ldif if you have the binary package installed on RHEL-alike systems. Alternatively, you can see it here: https://pagure.io/bind-dyndb-ldap/blob/master/f/doc/schema.ldif.

LDAP schema format may differ across LDAP servers, so you would need to adjust it yourself.

Hi! SDB with built-in support was removed in RHEL9, but it should still be possible to support DLZ loadable plugins instead of a separate named build with included built-in support. Compared to switching to bind-dyndb-ldap, using a DLZ module should be a relatively acceptable way and still supported, at least in BIND 9.18.

Some documentation is at upstream:
https://bind9.readthedocs.io/en/v9.18.36/chapter6.html#configuring-dlz

But the overall documentation about those plugins and how to configure them is relatively poor. They were even moved out eventually in recent development versions.

Code remains present in separate repository:
https://gitlab.isc.org/isc-projects/dlz-modules

There is almost no remaining documentation, only a few examples. It has a very flexible database format, but poor results. I admit I have never tried running this type of configuration for production, but this variant should be similar to the legacy SDB interface. But the generic DLZ interface remains present in BIND9 even in 9.21, just no modules anymore.

Unfortunately the bind-dyndb-ldap plugin is not a much safer alternative, because I think upstream is considering removing even the dyndb interface we use in its current form. It seems the ideal alternative would be pushing changes into bind via dynamic updates from samba daemons, not using any shared database. But that would require a major redesign, which we hope could eventually also replace bind-dyndb-ldap with an external daemon pushing changes.

Thanks for your help

Thanks for your reply, I will investigate...

Hello,
I downloaded the LDAP schema from https://pagure.io/bind-dyndb-ldap and converted it to a Samba 4 AD schema. I then successfully imported it into the AD schema of our AD (Samba 4.21). However, when I tried to add a DNS zone, I ran into the following issues:
1) When adding an NS record:
Was unable to create DN: idnsname=example.ch,CN=dns,DC=tad,DC=prolune,DC=ch.
LDAP error, server says: Object class violation - 00002014: objectclass_attrs: attribute 'nSRecord' on entry 'IDNSNAME=example.ch,CN=dns,DC=tad,DC=prolune,DC=ch' does not exist in the specified objectclasses!

2) When adding an A record:
Was unable to create DN: idnsname=example.ch,CN=dns,DC=tad,DC=prolune,DC=ch.
LDAP error, server says: Object class violation - 00002014: objectclass_attrs: attribute 'aRecord' on entry 'IDNSNAME=example.ch,CN=dns,DC=tad,DC=prolune,DC=ch' does not exist in the specified objectclasses!

However, if I define only the SOA record part, the zone is created successfully.

It seems my LDAP schema is incorrect. How can I upload the ldif files so you can review it?

Best Regards,

Kamal Chikh Echioukh
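The "Object class violation" in the comment above is the server's schema check refusing an attribute that none of the entry's objectClasses (or their SUP ancestors) list under MUST or MAY, which is exactly the kind of mismatch the earlier answer warned about when a schema is adjusted for another LDAP server. The script below is an added example, not code from this ticket or from the bind-dyndb-ldap project: it parses an LDIF schema fragment and runs the same MUST/MAY check locally, so a converted schema can be validated against sample entries before anything is imported. The schema fragment, OIDs, class layout and entries are constructed placeholders, not the project's schema.ldif; the constructed idnsZone class deliberately does not inherit from idnsRecord so that the check reproduces the reported error and reports which class would permit the attribute.

```python
"""Validate LDAP entries against an LDIF schema before importing them.

Added example, not code from the bind-dyndb-ldap project or this ticket.
It re-implements the server-side objectclass_attrs check locally: every
attribute on an entry must be permitted (MUST or MAY) by one of the
entry's objectClasses or their SUP ancestors, and every MUST attribute
must be present.  Names are compared case-insensitively, as LDAP does.
"""
import re

# Constructed schema fragment (placeholder OIDs, not the project's schema).
# idnsZone does NOT inherit from idnsRecord here, which is the kind of
# conversion mistake that surfaces as "attribute 'nSRecord' ... does not
# exist in the specified objectclasses" at import time.
SCHEMA_LDIF = """\
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'idnsName'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'aRecord'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'nSRecord'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.4 NAME 'sOARecord'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'idnsRecord' SUP top STRUCTURAL
  MUST idnsName MAY ( aRecord $ nSRecord ) )
objectClasses: ( 1.3.6.1.4.1.99999.2.2 NAME 'idnsZone' SUP top STRUCTURAL
  MUST ( idnsName $ sOARecord ) )
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _name(spec):
    """First NAME of a schema definition, e.g. NAME 'x' or NAME ( 'x' 'y' )."""
    return re.search(r"NAME\s+\(?\s*'([^']+)'", spec).group(1)


def _names(spec, keyword):
    """Lower-cased list after KEYWORD, written either as `x` or `( x $ y )`."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|(\S+))", spec)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip().lower() for t in body.split("$") if t.strip()]


def parse_schema(text):
    """Return (attributes: lower -> display name, classes: lower -> spec dict)."""
    attrs, classes = {}, {}
    for line in unfold_ldif(text):
        key, _, spec = line.partition(":")
        key = key.strip().lower()
        if key == "attributetypes":
            name = _name(spec)
            attrs[name.lower()] = name
        elif key == "objectclasses":
            name = _name(spec)
            classes[name.lower()] = {"name": name, "sup": _names(spec, "SUP"),
                                     "must": _names(spec, "MUST"), "may": _names(spec, "MAY")}
    return attrs, classes


def allowed_attributes(classes, object_classes):
    """Collect MUST and MAY attributes over the given classes and their SUP chain."""
    allowed, required = {"objectclass"}, {"objectclass"}  # 'top' requires objectClass
    todo, seen = list(object_classes), set()
    while todo:
        oc = todo.pop().lower()
        if oc in seen or oc == "top":
            continue
        seen.add(oc)
        if oc not in classes:
            raise KeyError(f"objectClass {oc!r} is not defined in the schema")
        spec = classes[oc]
        required.update(spec["must"])
        allowed.update(spec["must"], spec["may"])
        todo.extend(spec["sup"])
    return allowed, required


def classes_permitting(classes, attribute):
    """Schema classes that directly allow an attribute, for diagnosing a violation."""
    a = attribute.lower()
    return sorted(s["name"] for s in classes.values() if a in s["must"] or a in s["may"])


def check_entry(schema, entry):
    """Return violation messages for one entry given as {attribute: [values]}."""
    attrs, classes = schema
    present = {k.lower(): k for k in entry}
    ocs = next((v for k, v in entry.items() if k.lower() == "objectclass"), [])
    allowed, required = allowed_attributes(classes, ocs)
    problems = []
    for lower, original in present.items():
        if lower == "objectclass":
            continue
        if lower not in attrs:
            problems.append(f"attribute '{original}' is not defined in the schema")
        elif lower not in allowed:
            hint = ", ".join(classes_permitting(classes, lower)) or "no class"
            problems.append(f"attribute '{original}' does not exist in the specified "
                            f"objectclasses (allowed by: {hint})")
    for req in sorted(required - set(present)):
        problems.append(f"required attribute '{attrs.get(req, req)}' is missing")
    return problems


SCHEMA = parse_schema(SCHEMA_LDIF)

# Constructed entries mirroring the ticket: a zone carrying only its SOA
# data is accepted, the same zone with an NS record is rejected, and the
# diagnostic names the class that would permit the attribute.
ZONE_SOA_ONLY = {
    "objectClass": ["idnsZone"],
    "idnsName": ["example.test"],
    "sOARecord": ["ns1.example.test. hostmaster.example.test. 1 3600 900 1209600 300"],
}
ZONE_WITH_NS = dict(ZONE_SOA_ONLY, nSRecord=["ns1.example.test."])
ZONE_BOTH_CLASSES = dict(ZONE_WITH_NS, objectClass=["idnsZone", "idnsRecord"])

if __name__ == "__main__":
    for label, entry in [("SOA only", ZONE_SOA_ONLY), ("with NS", ZONE_WITH_NS),
                         ("both classes", ZONE_BOTH_CLASSES)]:
        print(label, "->", check_entry(SCHEMA, entry) or "OK")
```

Pointing `parse_schema` at the real schema.ldif (after unfolding, the same `attributeTypes:`/`objectClasses:` lines apply) and at the entries a zone-creation tool would write shows, before any import, which objectClass a converted schema lost on the way to AD, which is the question the error message above leaves open.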
