[Freeipa-users] BIND apparently not loading ldap.so

Petr Spacek pspacek at redhat.com
Mon Feb 15 11:36:29 UTC 2016


On 12.2.2016 20:49, Chris Lajoie wrote:
> On 02/12/2016 12:53 AM, Petr Spacek wrote:
>> On 11.2.2016 19:32, Chris Lajoie wrote:
>>> On 02/11/2016 02:46 AM, Petr Spacek wrote:
>>>> What version of BIND and bind-dyndb-ldap packages are you using?
>>>> $ rpm -q bind bind-dyndb-ldap
>>> bind-9.9.4-29.el7_2.2.x86_64 bind-dyndb-ldap-8.0-1.el7.x86_64
>>>> I'm not sure how exactly the logging magic in BIND works so I would
>>>> recommend you to run BIND using the command: $ named -g -u named and
>>>> check output in the console to see if it contains a line like
>>>> 'bind-dyndb-ldap version 8.0 compiled at 16:09:02 Jan 20 2016,
>>>> compiler 5.3.1 20151207 (Red Hat 5.3.1-2)'
>>> I get nothing like that. Here is the output I get from running named:
>>> https://gist.github.com/ctlajoie/0ed4e97e72aec3172a8d
>> Oh, wait, it seems that you are using views!
>>
>> Generally we do not test bind-dyndb-ldap with views so there be dragons.
>>
>> Could you share your named.conf with us?
>>
>> If you do not want to send it to mailing list feel free to send it to me
>> privately. My GPG key is attached just for the case you wish to encrypt it.
> 
> Sure. I do not see anything in my named.conf besides the ldap password (which
> I changed) that should be kept private.
> https://gist.github.com/ctlajoie/827a2ec9cfa70e3a1ebd
> 
> Not sure if it matters anymore though.. I was able to get it working by
> commenting out the view parts and leaving only the zones. Unfortunately the
> plugin seems unable or unwilling to load if there are any views present at
> all. I also tried placing the dynamic-db section inside of one of the views.
> named will accept the configuration and start up, but again there are no ldap
> log messages.
> 
> I would really like to use ldap as the backend for my DNS configuration... its
> hierarchical nature seems (to me) to be a good fit for storing that type of
> thing. It is surprising to me that almost nobody else does it this way (from
> what I can tell). I suppose if I want to do it then I will need to run
> separate instances of bind, either on different servers or the same server
> using different ports for each instance, and doing some NATing with iptables.
> Either method complicates things more than I would like...
> 
> Can you speculate on why there would be no log messages at all when the ldap
> plugin fails to load (if that is indeed what is happening)?
> If there was something in the log it would have saved me quite a bit of time
> investigating this. Thank you for helping me track down the problem.

Interesting, this is a bug in integration with BIND.

It works just fine if the dynamic-db part is inside a view {};. If there is no
view explicitly defined then BIND uses the implicit view "_default".

It does not work if you have some views explicitly defined and the dynamic-db
section is defined outside of any view. It means that the dynamic-db section does
not belong to any view and init() is not called for it.

So, the workaround is to put the dynamic-db section into a view.

I hope it helps.

-- 
Petr^2 Spacek
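The two named.conf shapes Petr describes, as an added illustration that is not part of the original thread or of the bind-dyndb-ldap project's own documentation. The syntax is the dynamic-db form used by bind-dyndb-ldap 8.x with BIND 9.9 (the versions in this thread). The LDAP URI, base DN, bind DN, password and match-clients networks are placeholders, and the two variants are two alternative files, not one file to be pasted as a whole.

```conf
/* Variant (a): BROKEN.  Explicit views exist, but dynamic-db sits at the
 * top level.  It then belongs to no view, bind-dyndb-ldap's init() is never
 * called, and named starts without a single ldap-related log line. */

dynamic-db "ldap" {
    library "ldap.so";
    arg "uri ldap://ldap.example.com";                     # placeholder server
    arg "base cn=dns,dc=example,dc=com";                   # placeholder DNS container
    arg "auth_method simple";
    arg "bind_dn uid=dns,cn=sysaccounts,cn=etc,dc=example,dc=com";  # placeholder
    arg "password CHANGEME";                               # placeholder secret
};

view "internal" {
    match-clients { 10.0.0.0/8; };      # placeholder network
    recursion yes;
};

view "external" {
    match-clients { any; };
    recursion no;
};

/* Variant (b): WORKING.  The same dynamic-db block, moved inside the view
 * that should answer from the LDAP-backed zones.  The "external" view is
 * unchanged and never sees the LDAP data. */

view "internal" {
    match-clients { 10.0.0.0/8; };      # placeholder network
    recursion yes;

    dynamic-db "ldap" {
        library "ldap.so";
        arg "uri ldap://ldap.example.com";
        arg "base cn=dns,dc=example,dc=com";
        arg "auth_method simple";
        arg "bind_dn uid=dns,cn=sysaccounts,cn=etc,dc=example,dc=com";
        arg "password CHANGEME";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
};
```

To confirm which variant you actually have, start named in the foreground as suggested earlier in the thread (named -g -u named) and look for the "bind-dyndb-ldap version ... compiled at ..." line: variant (b) prints it, variant (a) does not, and a silent start is the only symptom. Because the simple-bind password lives in named.conf, keep the file readable only by root and the named user, and prefer an ldaps:// or ldapi:// URI (or the SASL/GSSAPI method FreeIPA itself configures) so the password does not cross the network in clear.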