Per Server Config in LDAP

Overview

Currently, local bind-dyndb-ldap configuration (such as global forwarders) lives only in /etc/named.conf. All configuration stored in LDAP applies globally to every plugin instance and takes precedence over the local configuration. This is hard to manage from FreeIPA, because FreeIPA has no facility to change named.conf centrally.

Use Cases

  • Administrator wants to change per-server configuration (like IP addresses of forwarders) from central place, e.g. from FreeIPA web UI.

Design

  • Each bind-dyndb-ldap instance (i.e. each IPA DNS server) will have its own configuration entry in LDAP.
    • The configuration entry allows the user to define variables which will be used by that particular instance of bind-dyndb-ldap.
  • The object for a particular server is identified by an arbitrary string stored in the idnsServerId attribute.

Configuration objects will be stored in an LDAP container which should be visible to all DNS servers and DNS server admins.

dn: cn=servers,cn=dns,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: servers

Server configuration attributes and object class:

attributeTypes: ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' EQUALITY caseIgnoreMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4' )
objectClasses: ( 2.16.840.1.113730.3.8.6.6 NAME 'idnsServerConfigObject' DESC 'DNS server configuration options' STRUCTURAL MUST ( idnsServerId ) MAY ( idnsSubstitutionVariable $ idnsSOAmName $ idnsForwarders $ idnsForwardPolicy ) X-ORIGIN 'IPA v4.4' )

The configuration entry for a particular server should be visible only to DNS admins and DNS servers. Because values in this entry override named.conf (see the priority order below), write access must be restricted to DNS admins.

Example

The configuration for server ipa-brno.example.com sets SOA MNAME = ipa-brno.example.com., so this server will advertise itself as the master accepting updates and will ignore the value of the idnsSOAmName attribute in zones. Note that idnsServerId carries the FQDN without a trailing period (it must match the server_id option, see Upgrade), while the SOA MNAME is a DNS name and keeps the trailing period.

dn: idnsServerId=ipa-brno.example.com,cn=servers,cn=dns,dc=example,dc=com
objectClass: idnsServerConfigObject
idnsServerId: ipa-brno.example.com
idnsSOAmName: ipa-brno.example.com.

Similarly, the configuration for server ipa-london.example.com sets SOA MNAME = ipa-london.example.com., so this server will advertise itself as the master accepting updates and will ignore the value of the idnsSOAmName attribute in zones.

dn: idnsServerId=ipa-london.example.com,cn=servers,cn=dns,dc=example,dc=com
objectClass: idnsServerConfigObject
idnsServerId: ipa-london.example.com
idnsSOAmName: ipa-london.example.com.

Priority order for configuration

Highest priority is on top:

  • DNS zone: idnsZone entry
    • SOA MNAME is an exception - server’s config overrides zone’s config
  • per-server config in LDAP: idnsServerConfigObject entry
  • global config in LDAP: idnsConfig entry
  • per-server config on disk: named.conf
  • built-in defaults
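The following resolver is an added example (not code from this design page or from bind-dyndb-ldap) showing how the priority order above, including the SOA MNAME exception, plays out for the options this page defines. The entries are plain dicts standing in for the idnsZone, idnsServerConfigObject and idnsConfig entries and for named.conf; attribute names are taken from the schema on this page, the named.conf option names from the Upgrade section, and the built-in defaults are assumed.

```python
"""Added example, not code from the FreeIPA design or from bind-dyndb-ldap:
resolve each option against the documented priority order."""

# option -> (attribute in the idnsZone / idnsServerConfigObject / idnsConfig
# entries, option name in named.conf)
OPTIONS = {
    "forwarders":     ("idnsForwarders",    "forwarders"),
    "forward_policy": ("idnsForwardPolicy", "forward"),
    "soa_mname":      ("idnsSOAmName",      "fake_mname"),
}

# Assumed built-in defaults; bind-dyndb-ldap's real defaults may differ.
DEFAULTS = {"forwarders": [], "forward_policy": "first", "soa_mname": None}


def _get(entry, attr):
    """Case-insensitive lookup, because LDAP attribute names are case-insensitive."""
    for key, value in (entry or {}).items():
        if key.lower() == attr.lower():
            return value
    return None


def effective_config(zone=None, server=None, global_cfg=None, named_conf=None):
    """Return {option: (value, source)} using the documented precedence:
    zone > per-server LDAP > global LDAP > named.conf > built-in default,
    except for SOA MNAME, where the per-server entry overrides the zone."""
    result = {}
    for option, (ldap_attr, conf_key) in OPTIONS.items():
        layers = [
            ("zone",       _get(zone, ldap_attr)),
            ("server",     _get(server, ldap_attr)),
            ("global",     _get(global_cfg, ldap_attr)),
            ("named.conf", _get(named_conf, conf_key)),
        ]
        if option == "soa_mname":
            # The exception on this page: the server's MNAME wins over the zone's.
            layers[0], layers[1] = layers[1], layers[0]
        for source, value in layers:
            if value is not None:
                result[option] = (value, source)
                break
        else:
            result[option] = (DEFAULTS[option], "default")
    return result


if __name__ == "__main__":
    # Constructed entries: a zone whose SOA names ipa-london, resolved on ipa-brno.
    zone = {"idnsSOAmName": "ipa-london.example.com.", "idnsForwarders": ["192.0.2.10"]}
    brno = {"idnsSOAmName": "ipa-brno.example.com.", "idnsForwardPolicy": "only"}
    global_cfg = {"idnsForwarders": ["192.0.2.1", "192.0.2.2"]}
    for option, (value, source) in effective_config(zone, brno, global_cfg).items():
        print(f"{option:15} = {value!r:32} (from {source})")
```

Running the module shows the asymmetry the list above describes: the zone's forwarders beat both the per-server and the global entry, but ipa-brno's idnsSOAmName beats the zone's SOA MNAME. It also makes the security consequence visible: any value written into a server's entry silently overrides whatever the local administrator put into named.conf.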

Configuration

bind-dyndb-ldap will get a new option, server_id, which specifies the string matched against the idnsServerId attribute when the plugin looks up its own configuration entry.

Implementation

  • Dependencies: No expected impact.
  • Reverse dependencies: FreeIPA needs to provide UI and API for management.
  • Backup and Restore: No expected impact.

Feature Management - FreeIPA part

UI

A new page needs to be created: Network Services -> DNS -> DNS Servers

This page will list all servers. From this list it will be possible to open a page with configuration options for particular server.

CLI

Command                  Options                                 Meaning
dnsserver-add            <server name> --type=ipa                create an empty server object; not exposed in API
dnsserver-show           <server name>                           show server object and its variables
dnsserver-find           [substring]                             list all servers
dnsserver-mod            <server name> --forwarder               same as in dnsconfig-mod, affects one server
dnsserver-mod            <server name> --forward-policy          same as in dnsconfig-mod, affects one server
dnsserver-mod            <server name> --soa-mname-override      same as the fake_mname option in named.conf
dnsserver-set-variable   <server name> <variable name> <value>   set variable specified in Design/RecordGenerator; not exposed in API; valid only for IPA DNS servers
dnsserver-del-variable   <server name> <variable name>           delete variable specified in Design/RecordGenerator; not exposed in API; valid only for IPA DNS servers

Compatibility with older versions of bind-dyndb-ldap

The entries use a new objectClass, so older versions of bind-dyndb-ldap will ignore them and keep using named.conf only.

Upgrade

The following options from named.conf should be migrated to the newly created idnsServerConfigObject entry during IPA upgrade:

  • fake_mname -> idnsSOAMName
  • forward -> idnsForwardPolicy
  • forwarders -> idnsForwarders

At the same time, named.conf needs to be updated to contain server_id option equal to FreeIPA server’s FQDN without trailing period (for consistency with names used in cn=masters).
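The script below is an added example (not the FreeIPA upgrade code) that carries out the migration described in this section and also shows how the server_id string from the Configuration section should be placed into the idnsServerId search filter. The named.conf sample is constructed; its dynamic-db/arg layout and the semicolon-separated forwarders list are assumptions to be checked against the installed bind-dyndb-ldap version. The migrated options are left in named.conf here, since the per-server LDAP entry overrides them anyway under the priority order above.

```python
"""Added example, not FreeIPA's upgrade code: move fake_mname/forward/forwarders
from a bind-dyndb-ldap stanza into an idnsServerConfigObject LDIF and add server_id."""
import re

# The mapping given on this page; everything else stays in named.conf.
NAMED_TO_LDAP = {
    "fake_mname": "idnsSOAmName",
    "forward":    "idnsForwardPolicy",
    "forwarders": "idnsForwarders",
}

# Constructed pre-upgrade stanza (layout assumed, see the lead-in).
SAMPLE_NAMED_CONF = '''\
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=example,dc=com";
    arg "fake_mname ipa-brno.example.com.";
    arg "forwarders 192.0.2.1; 192.0.2.2";
    arg "forward only";
};
'''

ARG_RE = re.compile(r'^\s*arg\s+"([^"\s]+)\s*([^"]*)"\s*;', re.MULTILINE)


def parse_args(named_conf):
    """Return {option: value} for every arg "..." line of the stanza."""
    return {name: value.strip() for name, value in ARG_RE.findall(named_conf)}


def migrate_to_ldif(named_conf, fqdn, base_dn):
    """Build the per-server entry from the migratable named.conf options."""
    server_id = fqdn.rstrip(".")          # no trailing period, as in cn=masters
    args = parse_args(named_conf)
    lines = [
        f"dn: idnsServerId={server_id},cn=servers,{base_dn}",
        "objectClass: top",
        "objectClass: idnsServerConfigObject",
        f"idnsServerId: {server_id}",
    ]
    for option, attr in NAMED_TO_LDAP.items():
        if option not in args:
            continue
        if attr == "idnsForwarders":
            # multi-valued attribute: one LDIF line per forwarder
            values = [v for v in re.split(r"[;\s]+", args[option]) if v]
        else:
            values = [args[option]]
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


def rewrite_named_conf(named_conf, fqdn):
    """Add (or replace) the server_id arg; idempotent, keeps all other lines."""
    server_id = fqdn.rstrip(".")
    kept = [line for line in named_conf.splitlines()
            if not (ARG_RE.match(line) and ARG_RE.match(line).group(1) == "server_id")]
    # The stanza is assumed to end with "};"; insert the new arg just before it.
    end = max(i for i, line in enumerate(kept) if line.strip() == "};")
    kept.insert(end, f'    arg "server_id {server_id}";')
    return "\n".join(kept) + "\n"


def server_filter(server_id):
    """Search filter for this server's entry. The value is escaped per RFC 4515
    so that an unusual server_id cannot widen or alter the filter."""
    escaped = "".join(c if c not in '\\*()\0' else "\\%02x" % ord(c)
                      for c in server_id)
    return f"(&(objectClass=idnsServerConfigObject)(idnsServerId={escaped}))"


if __name__ == "__main__":
    fqdn = "ipa-brno.example.com"
    print(migrate_to_ldif(SAMPLE_NAMED_CONF, fqdn, "cn=dns,dc=example,dc=com"))
    print(rewrite_named_conf(SAMPLE_NAMED_CONF, fqdn))
    print(server_filter(fqdn))
```

Two details worth keeping when turning this into real upgrade code: idnsServerId is stored without the trailing period while the SOA MNAME keeps it, because the former is matched as a plain string against server_id and the latter is a DNS name; and the filter value is escaped rather than interpolated, since the plugin's own search must not be influenced by the contents of a configuration string.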

How to Test

Easy-to-follow instructions on how to test the new feature. A FreeIPA user needs to be able to follow the steps and demonstrate the new features.

Test Plan

Test scenarios that will be transformed into test cases for FreeIPA Continuous Integration during the implementation or review phase. This can also be a link to the source in git with the test, if appropriate.