#242 Test bind-dyndb-ldap on Rocky Linux 10 with OpenLDAP
Closed: worksforme by abbra. Opened by kchikh.

Hello,
I'm testing the bind-dyndb-ldap solution to replace bind-sdb and I'm stuck with synchronization/reading ldap zones/records by named.


I installed the OpenLDAP server and bind-dyndb-ldap on a Rocky Linux 10 server.
dnf list installed | grep openldap
openldap.x86_64 2.6.8-3.el10 @Rocky10
openldap-clients.x86_64 2.6.8-3.el10 @baseos
openldap-servers.x86_64 2.6.8-3.el10_0 @epel
openldap-slapi.x86_64 2.6.8-3.el10_0 @epel

dnf list installed | grep bind-dyndb-ldap
bind-dyndb-ldap.x86_64 11.11-2.el10 @appstream

I added the following to named.conf to test:
dyndb "ldap" "/usr/lib64/bind/ldap.so" {
    uri "ldap://127.0.0.1";
    base "ou=dns,dc=infra,dc=mydomain,dc=tld";
    auth_method "simple";
    bind_dn "cn=Manager,dc=infra,dc=mydomain,dc=tld";
    password "MyP@sswd";
    reconnect_interval 60;
};

When I start the named service, named starts but with recurring errors:
Oct 06 13:32:26 srv named[2485]: LDAP error: Critical extension is unavailable: critical extension is not recognized: unable to start SyncRepl session: is RFC 4533 suppor>
Oct 06 13:32:26 srv named[2485]: LDAP configuration synchronization failed: socket is not connected
Oct 06 13:32:26 srv named[2485]: ldap_syncrepl will reconnect in 60 seconds
Oct 06 13:33:26 srv named[2485]: successfully reconnected to LDAP server
Oct 06 13:33:26 srv named[2485]: LDAP error: Critical extension is unavailable: critical extension is not recognized: unable to start SyncRepl session: is RFC 4533 supported>
Oct 06 13:33:26 srv named[2485]: LDAP configuration synchronization failed: socket is not connected
Oct 06 13:33:26 srv named[2485]: ldap_syncrepl will reconnect in 60 seconds
Oct 06 13:34:26 srv named[2485]: successfully reconnected to LDAP server

I tried to compile named as indicated in the page https://pagure.io/bind-dyndb-ldap but I got errors:
export CPPFLAGS=$(isc-config.sh --cflags)
./configure --libdir=/usr/lib64/bind
.
.
.
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for stddef.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking for size_t... yes
checking for memset... yes
checking for strcasecmp... yes
checking for strncasecmp... yes
checking for -fvisibility=hidden compiler flag... yes
checking for -fno-delete-null-pointer-checks compiler flag... yes
checking for -std=gnu11 compiler flag... yes
checking for isc_dir_open in -lisc... yes
checking for dns_name_init in -ldns... yes
checking for ldap_initialize in -lldap... yes
checking for krb5_cc_initialize in -lkrb5... yes
checking for uuid_unparse in -luuid... yes
checking libdns version... configure: error: Can't obtain libdns version 1.

Any ideas please?

Best Regards,


I think OpenLDAP server is not supported on RHEL 10 and it is not tested with it. I would recommend trying it with 389ds server.

bind-dyndb-ldap won't work with any server not supporting the SyncRepl protocol; it is a basic requirement. If OpenLDAP cannot do that, then no, it won't work.

You need to add CPPFLAGS += '-I/usr/include/bind9' and have bind-devel package installed. There are other tricks required, read bind-dyndb-ldap RPM spec file to build it correctly. https://src.fedoraproject.org/rpms/bind-dyndb-ldap/blob/rawhide/f/bind-dyndb-ldap.spec#_64

isc-config.sh is not provided on RHEL10 anymore.

Note from bind maintainer: You can still use dlz loadable plugin in bind, even in RHEL 10. We do not ship bind-sdb nor bind-dlz-ldap, but you can build those modules yourself and use them in normal packaged bind.

Its configuration is somewhat tricky and not well documented, but it can still be done without an extra named-sdb build. But DLZ plugins were removed from the bind source tree and have their own unmaintained repo at https://gitlab.isc.org/isc-projects/dlz-modules. You might be able to use them with any bind still supporting DLZ plugins, which work even in 9.21 AFAIK.

Thank you very much @pemensik for your help.
I tested bind-dyndb-ldap on Rocky Linux 10 with Samba 4 AD and OpenLDAP, but it didn't work due to the lack of SyncRepl protocol. I haven't tested it on Rocky Linux 9 yet. I also haven't been able to compile bind-dyndb-ldap on Rocky Linux 10 even with export CPPFLAGS.
Regarding DLZ, I couldn't compile bind version > 9.16 with the DLZ/ldap module on either Rocky Linux 9 or 10. It's fine on Rocky Linux 9 with bind 9.16.

I'll try Rocky Linux 10 with 389ds and keep you posted.

OpenLDAP supports syncrepl through a separate plugin. You have to enable it as part of your server configuration. The issue you see has nothing to do with bind-dyndb-ldap. See the sync provider overlay documentation for details. https://www.openldap.org/doc/admin24/overlays.html#Sync%20Provider

I'm going to close your ticket because it is a misconfiguration on your side.

Metadata Update from @abbra:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
