tridge | 6 Dec 2010 07:58

dlz dlopen driver

Hi All,

I've been working with the bind9 developers on better integration
between Samba4 and bind9. As part of that I have proposed a set of
patches:

  http://samba.org/tridge/bind9-patches/

Included in the patches is a new dlz driver which allows for an
externally built dlz module to be used, like this:

dlz "example zone" {
	database "dlopen /some/path/module.so OPTIONS";
};

I'm hoping this driver will be integrated into a future release of
bind9.

Samba4 can make use of this patch using a new dlz_bind9.so module. The
code for that module is here:

  http://git.samba.org/?p=tridge/samba.git;a=blob;f=source4/dns_server/dlz_bind9.c

That module uses the Samba4 AD database to export a full AD DNS
database via bind9.

A dlopen dlz driver is very similar to an in-tree dlz driver, except
for the following differences:

 1) the functions are found using dlsym(). The symbol names are:

tridge | 14 Dec 2010 10:44

patches for DLZ update support

Hi Michael,

I've now gotten DLZ support for dynamic updates working quite
nicely. I have it setup against a Samba hosted AD domain with two
zones (the base zone, and the _msdcs zone).

The patches are a bit larger than the previous ones, but I hope you
will find them acceptable. Please let me know if there is something
you would like me to re-work.

The patches against 9.7.2-P2 are here:

  http://samba.org/tridge/bind9-patches/
  git://git.samba.org/tridge/bind9.git

I've also put patches against the rt22629 CVS branch in my home
directory on kechara as usual.

The approach I've taken with these patches is to keep the sdlz
interface as simple as possible, while exposing the ability to handle
updates. This is in keeping with the existing sdlz interface.

I've also expanded the dlz_dlopen driver to expose the new
methods. This makes it possible to write an external dlz driver that
supports dynamic updates.

Rob, if you have time, it would be great if you could look over the
patches as well and give me some comments. The key patches are the
ones starting with "dlz:" and "sdlz:".


tridge | 14 Dec 2010 13:06

Re: patches for DLZ update support

I've added an example external DLZ driver with update support here:

  http://git.samba.org/?p=tridge/bind9.git;a=blob;f=contrib/dlz/example/dlz_example.c;;hb=master

This should provide a reasonable example for anyone who might want to
extend an existing DLZ driver to add update support, or build it
outside the bind9 tree.

Cheers, Tridge

Róbert Čerňanský | 28 Dec 2010 14:42

Secure authentication to LDAP via TLS

Hi,

I'd like to configure DLZ to use secure authentication to the LDAP server,
preferably via TLS.  However, I cannot figure out how to turn it on for
DLZ.

I've found post [1] where it is advised to follow openldap FAQ article
about TLS.  But TLS, in general, is working with LDAP in my case.
Standard openldap clients, like 'ldapsearch' have -Z[Z] parameter to
turn on/force TLS connection and it works here.

It seems that DLZ just uses plain authentication no matter what.  I
cannot find a -Z[Z] equivalent for DLZ.  Also, I did not find any option
outside DLZ (in openldap's ldap.conf) that would force TLS for all LDAP
clients.

When I tried to use ldaps:// in queries (to use SSL), I got the
error: "named[13094]: lookup query must not specify a port".

I'm using bind 9.7.2_p3 and openldap 2.4.23.

Does anyone know how to turn on TLS for DLZ to LDAP connections?

Regards,
Robert

[1] http://thread.gmane.org/gmane.network.dns.bind9.dlz/2167/focus=2170

-- 
Robert Cernansky
