Use LDAP instead of flat file for zone storage
@@ -13,6 +13,7 @@ app_DATA = \
|
||||
caJarSigningCert.cfg.template \
|
||||
default-aci.ldif \
|
||||
default-keytypes.ldif \
|
||||
dns.ldif \
|
||||
kerberos.ldif \
|
||||
indices.ldif \
|
||||
bind.named.conf.template \
|
||||
|
||||
@@ -1,10 +1,4 @@
|
||||
options {
|
||||
/* make named use port 53 for the source of all queries, to allow
|
||||
* firewalls to block all ports except 53:
|
||||
*/
|
||||
query-source port 53;
|
||||
query-source-v6 port 53;
|
||||
|
||||
// Put files that named is allowed to write in the data/ directory:
|
||||
directory "/var/named"; // the default
|
||||
dump-file "data/cache_dump.db";
|
||||
@@ -34,8 +28,9 @@ zone "." IN {
|
||||
|
||||
include "/etc/named.rfc1912.zones";
|
||||
|
||||
zone "$DOMAIN" {
|
||||
type master;
|
||||
file "$DOMAIN.zone.db";
|
||||
dynamic-db "ipa" {
|
||||
library "ldap.so";
|
||||
arg "uri ldap://$FQDN";
|
||||
arg "base cn=dns, $SUFFIX";
|
||||
arg "auth_method none";
|
||||
};
|
||||
|
||||
|
||||
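Review bot: The new `dynamic-db "ipa"` block reads the zone from LDAP anonymously (`arg "auth_method none"`) over a plaintext `ldap://$FQDN` URI, so the records named serves are only as trustworthy as the path to that directory server and the ACIs on `cn=dns, $SUFFIX`, neither of which this hunk establishes. That is likely fine when the directory is the local IPA server, but the template should say so, e.g. `// anonymous, unencrypted read of cn=dns: assumes the IPA DS is local and its ACIs keep the subtree read-only for anonymous`. It also implies the DS must grant anonymous read on the DNS subtree, otherwise named loads no zone at all; the installer side of that is not visible in this diff.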
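--- /dev/null
+++ b/install/share/dns.ldif
@@ -0,0 +1,93 @@
+dn: cn=dns,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: dns
+
+dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: idnsZone
+objectClass: idnsRecord
+idnsName: $DOMAIN
+idnsZoneActive: True
+idnsAllowDynUpdate: True
+idnsUpdatePolicy: grant $REALM krb5-self * A;
+idnsSOAmName: $HOST.$DOMAIN.
+idnsSOArName: root.$HOST.$DOMAIN.
+idnsSOAserial: 1
+idnsSOArefresh: 10800
+idnsSOAretry: 900
+idnsSOAexpire: 604800
+idnsSOAminimum: 86400
+NSRecord: $HOST
+
+dn: idnsName=$HOST,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: $HOST
+ARecord: $IP
+
+dn: idnsName=_ldap._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _ldap._tcp
+SRVRecord: 0 100 389 $HOST
+
+dn: idnsName=_kerberos,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos
+TXTRecord: $REALM
+
+dn: idnsName=_kerberos._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos._tcp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos._udp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos-master._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos-master._tcp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kerberos-master._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kerberos-master._udp
+SRVRecord: 0 100 88 $HOST
+
+dn: idnsName=_kpasswd._tcp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kpasswd._tcp
+SRVRecord: 0 100 464 $HOST
+
+dn: idnsName=_kpasswd._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _kpasswd._udp
+SRVRecord: 0 100 464 $HOST
+
+dn: idnsName=_ntp._udp,idnsName=$DOMAIN,cn=dns,$SUFFIX
+changetype: add
+objectClass: idnsRecord
+objectClass: top
+idnsName: _ntp._udp
+SRVRecord: 0 100 123 $HOST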
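Review bot: The zone entry enables dynamic updates (`idnsAllowDynUpdate: True`) and the sole policy, `idnsUpdatePolicy: grant $REALM krb5-self * A;`, lets any principal in the realm rewrite only the A record matching its own name, leaving SRV, NS and TXT records out of reach of clients; that intent is not stated anywhere and deserves a `#` comment line ahead of the zone entry (LDIF allows comment lines between entries), e.g. `# krb5-self: a host principal may only update the A record of its own name`. Whether writes to `cn=dns,$SUFFIX` are additionally bounded by a directory ACI is not visible here: default-aci.ldif appears in the Makefile hunk but is not changed by this commit, so the update policy is the only write boundary this diff shows. The NS and SRV targets use the relative `$HOST` while `idnsSOAmName` uses the absolute `$HOST.$DOMAIN.`; both resolve inside the `$DOMAIN` zone, but a one-line comment noting the relative form is deliberate would prevent a later "fix" that appends the domain twice.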
@@ -236,7 +236,7 @@ def read_realm_name(domain_name, unattended):
|
||||
print "The kerberos protocol requires a Realm name to be defined."
|
||||
print "This is typically the domain name converted to uppercase."
|
||||
print ""
|
||||
|
||||
|
||||
if unattended:
|
||||
return domain_name.upper()
|
||||
realm_name = user_input("Please provide a realm name", domain_name.upper())
|
||||
@@ -392,8 +392,9 @@ def main():
|
||||
# check bind packages are installed
|
||||
if options.setup_bind:
|
||||
if not bindinstance.check_inst():
|
||||
print "--setup-bind was specified but bind is not installed on the system"
|
||||
print "Please install bind and restart the setup program"
|
||||
print "--setup-bind was specified but bind or the BIND LDAP plug-in"
|
||||
print "is not installed on the system"
|
||||
print "Please install bind and the LDAP plug-in and restart the setup program"
|
||||
return 1
|
||||
|
||||
# check the hostname is correctly configured, it must be as the kldap
|
||||
@@ -575,7 +576,8 @@ def main():
|
||||
fd.write("enable_ra=True\n")
|
||||
fd.close()
|
||||
|
||||
bind = bindinstance.BindInstance(fstore)
|
||||
# Create a BIND instance
|
||||
bind = bindinstance.BindInstance(fstore, dm_password)
|
||||
bind.setup(host_name, ip_address, realm_name, domain_name)
|
||||
if options.setup_bind:
|
||||
bind.create_instance()
|
||||
|
||||
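Review bot: The new `bind = bindinstance.BindInstance(fstore, dm_password)` hands the Directory Manager password to the BIND installer, and since this line and the following `bind.setup(...)` sit outside the `if options.setup_bind:` guard, the secret is passed even on installs that never configure BIND. The `# Create a BIND instance` comment should say what the password is for and where it stops, e.g. `# dm_password is needed to load the DNS zone entries into cn=dns; it must not end up in named.conf or in logs`. bindinstance itself is not in this diff, so whether it persists or logs the value cannot be checked here; main() continues outside the hunk.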