[Freeipa-users] best practices for subdomains
Brendan Kearney
bpk678 at gmail.com
Mon Mar 3 21:57:35 UTC 2014
On Mon, 2014-03-03 at 09:33 +0100, Petr Spacek wrote:
> On 1.3.2014 23:20, Brendan Kearney wrote:
> > I am using bind-dyndb-ldap outside of freeipa, and want to create
> > _tcp.my-domain.com and _udp.my-domain.com subdomains. I have tried, but
> > seem to come up short and nslookup fails for the records I try to create
> > in the subdomains. Some googling and searching in the wiki have not
> > provided me with much to go on. Below is an attempt at _tcp.my-domain.com
> >
> > dn: idnsName=_tcp.my-domain.com.,cn=dns,dc=my-domain,dc=com
> > dnsttl: 3600
> > idnsallowdynupdate: FALSE
> > idnsallowsyncptr: FALSE
> > idnsname: _tcp.my-domain.com.
> > idnssoaexpire: 604800
> > idnssoaminimum: 86400
> > idnssoamname: server.my-domain.com.
> > idnssoarefresh: 10800
> > idnssoaretry: 900
> > idnssoarname: root.server.my-domain.com.
> > idnssoaserial: 1
> > idnsupdatepolicy: grant MY-DOMAIN.COM krb5-self * A;
> > idnszoneactive: TRUE
> > nsrecord: server.my-domain.com.
> > objectclass: top
> > objectclass: idnsZone
> > objectclass: idnsRecord
> >
> > what is the correct way to create a subdomain?
>
> First of all, do you really want to create *subdomains* for _tcp and _udp or
> do you just need to create a couple of records like _ldap._tcp in an existing
> domain? It is very unusual to create separate subdomains for _tcp and _udp.
>
> I'm attaching a small snippet which shows how to add an _ldap._tcp SRV record to
> the existing domain ipa.example.
>
> Please be so kind and send us information mentioned on
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#a3.Whatweneedtoknow
>
> We would like to know how users use bind-dyndb-ldap, which LDAP server is used
> outside FreeIPA and so on.
>
> Have a nice day!
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
What distribution you use? Fedora
Which distribution version you use? Fedora 20, with latest updates
Which architecture you use? x86_64 on a qemu VM
What plugin version you use? bind-dyndb-ldap-3.5-1.fc20.x86_64
Do you use bind-dyndb-ldap as part of FreeIPA installation? no, using
openldap-servers-2.4.39-2.fc20.x86_64
Which version of BIND you use? bind-9.9.4-11.P2.fc20.x86_64
Please provide dynamic-db section from configuration
file /etc/named.conf
dynamic-db "my-domain.com" {
        library "ldap.so";
        arg "uri ldap://127.0.0.1/";
        arg "base cn=dns,dc=my-domain,dc=com";
        arg "auth_method simple";
        arg "bind_dn cn=Manager,dc=my-domain,dc=com";
        arg "password *****";
        arg "psearch no";
        // arg "serial_autoincrement yes";
        arg "sync_ptr yes";
        arg "dyn_update yes";
        arg "connections 2";
        arg "cache_ttl 300";
        arg "verbose_checks yes";
};
Do you have some other text based or DLZ zones configured? no
Do you have some global forwarders configured in BIND configuration
file? no
Do you have some settings in global configuration object in LDAP?
dn: cn=dns,dc=my-domain,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject
Without a doubt I want to use subdomains (or subzones, if that is the
correct term) for _tcp and _udp. kerberos, kerberos-adm,
kerberos-master, kpasswd, ldap, nfs4, wpad and ntp are the SRV records I
want to manage, and having them in the regular forward zone is not as
clean, neat and organized as I want to be. Also, I may want to have
forward subdomains (sub.my-domain.com, for example, with
testhost.sub.my-domain.com as an A record).
The example included in the package did have a similar example of how to
put an SRV into the zone, but again, I want to manage those records with
a subdomain (or subzone, if that is the correct term).
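Petr's suggestion in the quoted reply is to put _ldap._tcp and friends into the existing zone as ordinary records rather than as separate zones. The Python script below is an added example, not code from this thread, from Petr's attached snippet, or from the bind-dyndb-ldap project: it renders such record entries as LDIF for the base DN in the poster's named.conf and runs a few sanity checks over hand-written entries, including the _tcp zone entry quoted above. It assumes that record entries are objectClass idnsRecord placed directly under the zone entry with a relative idnsName (for example _ldap._tcp under idnsName=my-domain.com.), and that the SRV attribute is named sRVRecord; verify both against the schema file shipped with your bind-dyndb-ldap package before relying on the output.

```python
"""Added example: render SRV records for an existing bind-dyndb-ldap zone
as LDIF and lint hand-written entries.

Assumptions (verify against the schema shipped with bind-dyndb-ldap):
  - record entries are objectClass idnsRecord directly under the zone entry,
    with a relative idnsName such as _ldap._tcp;
  - the SRV attribute is named sRVRecord;
  - BASE is the base DN from the poster's named.conf.
"""
import re
from dataclasses import dataclass

BASE = "cn=dns,dc=my-domain,dc=com"   # base from the poster's dynamic-db stanza
ZONE = "my-domain.com."               # existing zone, absolute (trailing dot)

SRV_RE = re.compile(r"^(\d+) (\d+) (\d+) (\S+\.)$")  # prio weight port target.


@dataclass(frozen=True)
class Srv:
    service: str   # "_ldap", "_kerberos", ...
    proto: str     # "_tcp" or "_udp"
    priority: int
    weight: int
    port: int
    target: str    # absolute host name, trailing dot

    @property
    def owner(self) -> str:
        return f"{self.service}.{self.proto}"   # owner relative to the zone

    @property
    def rdata(self) -> str:
        return f"{self.priority} {self.weight} {self.port} {self.target}"


def record_dn(owner: str, zone: str = ZONE, base: str = BASE) -> str:
    return f"idnsName={owner},idnsName={zone},{base}"


def render_ldif(records, zone: str = ZONE, base: str = BASE) -> str:
    """One idnsRecord entry per owner name; several sRVRecord values per entry."""
    by_owner = {}
    for r in records:
        by_owner.setdefault(r.owner, []).append(r)
    lines = []
    for owner, rs in sorted(by_owner.items()):
        lines += [f"dn: {record_dn(owner, zone, base)}",
                  "objectClass: top", "objectClass: idnsRecord",
                  f"idnsName: {owner}"]
        lines += [f"sRVRecord: {r.rdata}" for r in rs]
        lines.append("")
    return "\n".join(lines)


def parse_ldif(text: str):
    """Minimal reader for the unfolded, unencoded LDIF used in this thread."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            dn = val
        else:
            attrs.setdefault(key, []).append(val)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def lint(text: str):
    """Return a list of problems; an empty list means the entries look sane."""
    problems = []
    for dn, attrs in parse_ldif(text):
        rdns = dn.split(",")
        name = attrs.get("idnsname", [None])[0]
        if name is None or rdns[0].lower() != f"idnsname={name}".lower():
            problems.append(f"{dn}: first RDN does not match idnsName {name!r}")
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "idnszone" in classes:
            if not name.endswith("."):
                problems.append(f"{dn}: zone name must be absolute")
            if name.split(".")[0].startswith("_"):
                problems.append(f"{dn}: '_' label as its own zone is unusual; "
                                "_service._proto records normally go in the parent zone")
            if "nsrecord" not in attrs:
                problems.append(f"{dn}: zone entry has no nSRecord")
        else:
            if name.endswith("."):
                problems.append(f"{dn}: record name should be relative to the zone")
            if len(rdns) < 2 or not rdns[1].lower().startswith("idnsname="):
                problems.append(f"{dn}: record entry is not under a zone entry")
        for v in attrs.get("srvrecord", []):
            m = SRV_RE.match(v)
            if not m or not 1 <= int(m.group(3)) <= 65535:
                problems.append(f"{dn}: malformed SRV rdata {v!r}")
    return problems


# The poster's _tcp "subzone" entry, reduced to the attributes the lint reads.
POSTER_SUBZONE = """dn: idnsName=_tcp.my-domain.com.,cn=dns,dc=my-domain,dc=com
idnsname: _tcp.my-domain.com.
nsrecord: server.my-domain.com.
objectclass: top
objectclass: idnsZone
objectclass: idnsRecord
"""

if __name__ == "__main__":
    recs = [Srv("_ldap", "_tcp", 0, 100, 389, "server.my-domain.com."),
            Srv("_kerberos", "_udp", 0, 100, 88, "server.my-domain.com.")]
    print(render_ldif(recs))
    print(lint(POSTER_SUBZONE))
```

Feed the rendered text to ldapadd with the bind DN from the named.conf above (ldapadd -x -D cn=Manager,dc=my-domain,dc=com -W -f srv.ldif), then check that BIND serves it with dig @127.0.0.1 SRV _ldap._tcp.my-domain.com. The lint only catches shape problems (DN/idnsName mismatch, absolute vs. relative names, SRV rdata without a trailing dot on the target); it does not talk to LDAP or DNS.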