Univention Bugzilla – Bug 56194
Replace deprecated LDAP SDB backend with bind-dyndb-ldap
Last modified: 2024-02-07 10:33:52 CET
Our version of BIND9 still carries the abandoned [LDAP sdb back-end for BIND 9](http://bind9-ldap.bayour.com/) in <https://git.knut.univention.de/univention/ucs-patches/-/blob/main/bind9/ucs_5.2-0/1%3A9.18.12-1/0004-Bug-41714-Add-LDAP-support.quilt>. No update since 2007.

For BIND 9.11 there is the newer [bind-dyndb-ldap](https://docs.pagure.org/bind-dyndb-ldap/). Among other things it supports:

- DNSSEC (Bug #43293)
- dynamic updates, similar to the Samba backend

The implementation also integrates better with LDAP and provides "… read-query performance nearly same as with plain BIND", which would allow us to get rid of the UCS-specific "LDAP-BIND" + "PROXY-BIND" construct required to work around the performance issue of the "SDB back-end" implementation.

```bash
# fetch the bind-dyndb-ldap schema, unfold LDIF continuation lines, drop comment lines
curl https://pagure.io/bind-dyndb-ldap/raw/master/f/doc/schema.ldif | ldapsearch-wrapper | grep '^[^#]' > dns.schema
# reduce each definition to "<attributeTypes|objectClasses><TAB><NAME>"
sed -rne "s/^(attributeTypes|objectClasses): .* NAME '([^']*)' .*/\1\t\2/p" dns.schema > dns.defs
# dump the schema currently loaded in the UCS LDAP server, unfolded
ldapsearch -xLLLo ldif-wrap=no -s base -b cn=Subschema attributeTypes objectClasses > ucs.schema
grep -F -f <(grep "NAME '[^']*'" dns.schema) ucs.schema
sed -rne "s/^(attributeTypes|objectClasses): .* NAME '([^']*)' .*/\1\t\2/p" ucs.schema > ucs.defs
echo "These ATs/OCs are already in UCS"
grep -Fxf dns.defs ucs.defs
echo "These ATs/OCs are new"
grep -Fxvf ucs.defs dns.defs
```

```
These ATs/OCs are already in UCS
attributeTypes	aRecord
attributeTypes	mDRecord
attributeTypes	mXRecord
attributeTypes	nSRecord
attributeTypes	cNAMERecord
attributeTypes	dNSTTL
attributeTypes	dNSClass
attributeTypes	pTRRecord
attributeTypes	hInfoRecord
attributeTypes	mInfoRecord
attributeTypes	tXTRecord
attributeTypes	aAAARecord
attributeTypes	LocRecord
attributeTypes	nXTRecord
attributeTypes	sRVRecord
attributeTypes	nAPTRRecord
attributeTypes	kXRecord
attributeTypes	certRecord
attributeTypes	a6Record
attributeTypes	dNameRecord
These ATs/OCs are new
attributeTypes	dNSdefaultTTL
attributeTypes	aFSDBRecord
attributeTypes	dSRecord
attributeTypes	sSHFPRecord
attributeTypes	nSEC3PARAMRecord
attributeTypes	TLSARecord
attributeTypes	DLVRecord
attributeTypes	UnknownRecord
attributeTypes	idnsName
attributeTypes	idnsAllowDynUpdate
attributeTypes	idnsZoneActive
attributeTypes	idnsSOAmName
attributeTypes	idnsSOArName
attributeTypes	idnsSOAserial
attributeTypes	idnsSOArefresh
attributeTypes	idnsSOAretry
attributeTypes	idnsSOAexpire
attributeTypes	idnsSOAminimum
attributeTypes	idnsUpdatePolicy
attributeTypes	idnsAllowQuery
attributeTypes	idnsAllowTransfer
attributeTypes	idnsAllowSyncPTR
attributeTypes	idnsForwardPolicy
attributeTypes	idnsForwarders
attributeTypes	idnsSecInlineSigning
attributeTypes	idnsTemplateAttribute
attributeTypes	idnsSubstitutionVariable
objectClasses	idnsRecord
objectClasses	idnsZone
objectClasses	idnsConfigObject
objectClasses	idnsForwardZone
objectClasses	idnsServerConfigObject
objectClasses	idnsTemplateObject
```

Conclusion: Switching the implementation will require changing the way we store our DNS configuration in LDAP.

- we need to migrate the data in LDAP
- we need to update the UDM modules
- this might break mixed environments with old and new servers
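The sed/grep comparison above works on unfolded LDIF and only matches definitions written as `NAME 'x'`. The following is an added example for this page, not code from the bug report, UCS or bind-dyndb-ldap: it does the same comparison in Python on two constructed LDIF excerpts, unfolding the LDIF continuation lines itself (what `ldapsearch-wrapper` and `-o ldif-wrap=no` do in the shell version), handling the `NAME ( 'x' 'y' )` alias form that the single-quote sed pattern misses, comparing names case-insensitively as LDAP descriptors are, and additionally flagging a name that exists on both sides under different OIDs, which is the case a schema import would actually reject. The OIDs and the `exampleRecord`/`examplerecord` pair in the samples are constructed for the demonstration.

```python
"""Compare attribute types / object classes from a bind-dyndb-ldap style
schema.ldif against a cn=Subschema dump.  Added example for this bug page,
not code from the bug report, UCS or bind-dyndb-ldap; both LDIF excerpts
below are constructed and their OIDs are illustrative only."""
import re

# Constructed excerpt in the style of doc/schema.ldif (note the folded aRecord line).
DNS_SCHEMA = """\
dn: cn=schema
# comment lines are dropped, like grep '^[^#]' does in the shell version
attributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.99 NAME 'exampleRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 2.16.840.1.113730.3.8.5.0 NAME 'idnsName' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' SUP top STRUCTURAL MUST idnsName MAY ( aRecord $ dNSTTL ) )
"""

# Constructed excerpt of what "ldapsearch -s base -b cn=Subschema" returns.
UCS_SUBSCHEMA = """\
dn: cn=Subschema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common name(s)' SUP name )
attributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'examplerecord' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
"""

# RFC 4512: NAME is one qdescr or a parenthesised list: NAME 'x' or NAME ( 'x' 'y' ).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
# The numeric OID is the first token after the opening parenthesis.
_OID_RE = re.compile(r"^\s*\(\s*(\S+)")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) and drop comments/blank lines."""
    lines, skipping = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            # continuation belongs to the previous logical line, unless that was a comment
            if not skipping and lines:
                lines[-1] += raw[1:]
            continue
        skipping = raw.startswith("#") or not raw.strip()
        if not skipping:
            lines.append(raw)
    return lines


def schema_defs(text):
    """Map (kind, lowercased name) -> (name as written, OID) for every AT/OC definition."""
    defs = {}
    for line in unfold_ldif(text):
        kind, sep, body = line.partition(":")
        if not sep or kind not in ("attributeTypes", "objectClasses"):
            continue
        oid_m, name_m = _OID_RE.match(body), _NAME_RE.search(body)
        if not (oid_m and name_m):
            continue
        names = [name_m.group(1)] if name_m.group(1) else re.findall(r"'([^']*)'", name_m.group(2))
        for name in names:
            # descriptors are case-insensitive, so key on the lowercased name
            defs[(kind, name.lower())] = (name, oid_m.group(1))
    return defs


def compare(dns_ldif, ucs_ldif):
    """Split the DNS schema into: already in UCS (same OID), new, or conflicting (same name, other OID)."""
    dns, ucs = schema_defs(dns_ldif), schema_defs(ucs_ldif)
    result = {"already": [], "new": [], "conflict": []}
    for key in sorted(dns):
        kind, name, oid = key[0], dns[key][0], dns[key][1]
        if key not in ucs:
            result["new"].append((kind, name))
        elif ucs[key][1] == oid:
            result["already"].append((kind, name))
        else:
            result["conflict"].append((kind, name, oid, ucs[key][1]))
    return result


if __name__ == "__main__":
    for section, entries in compare(DNS_SCHEMA, UCS_SUBSCHEMA).items():
        print(f"== {section}")
        for entry in entries:
            print("\t".join(entry))
```

On real data, replace the two embedded strings with the contents of `dns.schema` and `ucs.schema` from the commands above; the conflict list is the one to read first, since an attribute that is already defined in UCS under a different OID cannot simply be added by importing the bind-dyndb-ldap schema.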
Also note that the BIND9 source code already carries version "1.0-beta" in "contrib/sdb/ldap/", but our patch is version "1.1.1".

- diff both versions
- only put that diff into our Git patches repository
- change the build process to build "contrib/sdb/ldap/"