Using nss-ldap with BIND/IRS under FreeBSD / Quick'n'Dirty guide
================================================================

[ Notes by Luke Howard <lukeh@padl.com> Sep 2001 ]
Emile's patch was a little unclean, and I'm not able to generate
a clean diff, so here is a list of the modifications you need to
make to the IRS to get things to compile "right". You will
need to apply these diffs by hand, sorry.

- Add a prototype to irs/gen.c:

struct irs_acc *irs_ldap_acc(const char *);

- Edit gen.c and add "ldap" to the two stanzas, I suggest between

diff -u --recursive --new-file bind/src/lib/irs/gen.c bind-nss/src/lib/irs/gen.c
--- bind/src/lib/irs/gen.c Wed Oct 13 18:39:29 1999
+++ bind-nss/src/lib/irs/gen.c Fri Sep 1 15:31:09 2000
+ { "ldap", irs_ldap },
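Review bot: only the name-table entry `{ "ldap", irs_ldap },` is visible in this hunk, yet the note above says "ldap" has to go into both stanzas of gen.c, and the prototype `struct irs_acc *irs_ldap_acc(const char *);` that was just added is not referenced by anything shown here. The second stanza presumably needs a matching entry that calls `irs_ldap_acc`; without it an irs.conf line naming `ldap` will be recognised by name but no LDAP accessor will ever be constructed. Since that second change is not in the excerpt, check it by hand when applying.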

- Edit gen_p.h and add irs_ldap between irs_nis and irs_irp:

diff -u --recursive --new-file bind/src/lib/irs/gen_p.h bind-nss/src/lib/irs/gen_p.h
--- bind/src/lib/irs/gen_p.h Mon Jan 18 08:46:50 1999
+++ bind-nss/src/lib/irs/gen_p.h Fri Sep 1 15:31:23 2000
irs_dns, /* DNS or Hesiod. */
irs_nis, /* Sun NIS ("YP"). */
+ irs_ldap, /* LDAP */
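Review bot: inserting `irs_ldap` between `irs_nis` and `irs_irp` renumbers `irs_irp` and every enumerator after it, so any table that is indexed by these enum values (rather than searched by name, as the gen.c stanza is) must receive its `ldap` row at the same position or the dispatch will be off by one. Either verify every such table, or append `irs_ldap` at the end of the enumeration instead and place the gen.c entry accordingly; whichever is chosen, the two files must agree.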

- Edit the Makefile and add the full path to each object file

diff -u --recursive --new-file bind/src/lib/irs/Makefile bind-nss/src/lib/irs/Makefile
--- bind/src/lib/irs/Makefile Mon Feb 22 03:47:58 1999
+++ bind-nss/src/lib/irs/Makefile Thu Aug 31 18:18:52 2000
INSTALL_LIB=-o bin -g bin
+LDAP=/usr/local/src/nss_ldap
SRCS= dns.c dns_gr.c dns_ho.c dns_nw.c dns_pr.c dns_pw.c \
dns_sv.c gai_strerror.c gen.c gen_gr.c gen_ho.c \
gen_ng.c gen_nw.c gen_pr.c gen_pw.c gen_sv.c \
lcl.${O} lcl_gr.${O} \
lcl_ho.${O} lcl_ng.${O} lcl_nw.${O} lcl_pr.${O} lcl_pw.${O} \
lcl_sv.${O} nis.${O} nis_gr.${O} nis_ho.${O} nis_ng.${O} nis_nw.${O} \
- nis_pr.${O} nis_pw.${O} nis_sv.${O} nul_ng.${O} util.${O}
+ nis_pr.${O} nis_pw.${O} nis_sv.${O} nul_ng.${O} util.${O} \
+ ${LDAP}/ldap-nss.o ${LDAP}/ldap-pwd.o ${LDAP}/ldap-grp.o \
+ ${LDAP}/ldap-hosts.o ${LDAP}/ldap-network.o ${LDAP}/ldap-proto.o \
+ ${LDAP}/ldap-service.o ${LDAP}/util.o ${LDAP}/globals.o \
+ ${LDAP}/ltf.o ${LDAP}/resolve.o ${LDAP}/dnsconfig.o ${LDAP}/irs-nss.o \
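Review bot: `+LDAP=/usr/local/src/nss_ldap` hardcodes an absolute path to a separate source tree and links its prebuilt `.o` files straight into libbind, so the build silently depends on nss_ldap having been compiled beforehand with compatible flags, and make has no rule to rebuild those objects or to clean them. Prefer `LDAP?=/usr/local/src/nss_ldap` so the path can be overridden from the command line, and add either a dependency on the listed objects or a recursive make into `${LDAP}`. Within this hunk SRCS is untouched while only the object list grows, so `make depend` will not see the ldap-*.c sources. Note also that the last added line still ends in a `\` continuation, so the object list continues past this excerpt; confirm the omitted lines terminate it.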

[ Instructions from Emile Heitor <eheitor@isdnet.net> ]

Tested under FreeBSD 4.1, but should work under 3.x & 4.x.

o Get nss_ldap (http://www.padl.com/nss_ldap.html)
o Get bind-8.2.2p5 (http://www.isc.org)

nss_ldap includes a patch to IRS in irs-nss.diff.

tar zxvf nss_ldap-115.tar.gz
tar zxvf ../bind-src.tar.gz
patch -p1 < ../irs-nss.diff

At this point, you may modify Makefile's TOP variable to suit your

OK, I know about nslookup's warnings and errors here; this is because of
the newly linked nss-ldap stuff. Just ignore it if you plan to use only
libbind for its IRS feature ( hey, I said "Quick'n'Dirty" ;) ).
This will be cleaner very soon, i.e. when I make it a dynamic library
& work around bind Makefiles.

Launch an LDAP server with your favourite data inside, then compile the

/* NSS-LDAP use example code */
#include <sys/types.h>
#include <stdio.h>
#include <pwd.h>

int main(int argc, char **argv) {
	struct passwd *pw;

	if (argc != 2) { printf("bad arg number\n"); return 1; }
	pw = getpwnam(argv[1]);	/* resolved through IRS, here via nss_ldap */
	if (pw == NULL) { printf("Failure: %s\n", argv[1]); return 1; }
	printf("getpwnam return value:\n%s\n%s\n",
	       pw->pw_name, pw->pw_passwd);
	return 0;
}

With the following Makefile:
( change LIBBIND and LIBDIR to suit your needs )

LIBBIND=/home/imil/pub/net/bind-nss/src/lib/libbind.a
LIBDIR=-L/usr/local/openldap2/lib
LIBS=-lldap_r -llber -lc_r

tpass: tpass.o $(LIBBIND)
	cc -g -o tpass tpass.o $(LIBBIND) $(LIBDIR) $(LIBS)

Watch your LDAP server logs, they should be nice ;)

--------------------------
Unix Systems Engineer
Cable & Wireless isdnet
http://www.isdnet.net
Email : eheitor@isdnet.net
--------------------------

Subject: Re: Documentation for IRS in BIND 8.x
From: Paul Vixie <paul@vix.com>
Message-ID: <g3radp5avm.fsf@wisdom.home.vix.com>
Newsgroups: comp.protocols.dns.bind

Ooops. I forgot to check in the man page for irs.conf(5). Here's one:

IRS.CONF(5)               BSD Programmer's Manual               IRS.CONF(5)

     irs.conf - Information Retrieval System configuration file

     The irs(3) functions are a set of routines in the C library which provide
     access to various system maps. The maps that irs currently controls are
     the following: passwd, group, services, protocols, hosts, networks and
     netgroup. When a program first calls a function that accesses one of
     these maps, the irs configuration file is read, and the source of each
     map is determined for the life of the process.

     If this file does not exist, the irs routines default to using local
     sources for all information, with the exception of the host and networks
     maps, which use the Domain Name System (DNS).

     Each record in the file consists of one line. A record consists of a
     map-name, an access-method and possibly a (comma delimited) set of
     options, separated by tabs or spaces. Blank lines, and text between a #
     and a newline are ignored.

     Map name   Information in map
     =========  ==================================
     passwd     User authentication information
     group      User group membership information
     services   Network services directory
     protocols  Network protocols directory
     hosts      Network hosts directory
     networks   Network "network names" directory
     netgroup   Network "host groups" directory

     Available access methods:

     Access method  Description
     =============  =================================================
     local          Use a local file, usually in /etc
     dns            Use the domain name service (includes hesiod)
     nis            Use the Sun-compatible Network Information Service
  >> ldap           Use the Lightweight Directory Access Protocol

     ========  ================================================
     continue  don't stop searching if you can't find something
     merge     don't stop searching if you CAN find something

     The continue option creates ``union namespaces'' whereby subsequent
     access methods of the same map type can be tried if a name cannot be found
     using earlier access methods. This can be quite confusing in the case of
     host names, since the name to address and address to name mappings can be
     visibly asymmetric even though the data used by any given access method
     is entirely consistent. This behavior is, therefore, not the default.

     The merge option only affects lookups in the groups map. If set,
     subsequent access methods will be tried in order to cause local users to
     appear in NIS (or other remote) groups in addition to the local groups.

     # Get password entries from local file, or failing that, NIS
     passwd    local    continue

     # Build group membership from both local file, and NIS.
     group     local    continue,merge

     # Services comes from just the local file.

     # Hosts comes first from DNS, failing that, the local file

     If a local user needs to be in the local host's ``wheel'' group but not
     in every host's ``wheel'' group, put them in the local host's /etc/group
     ``wheel'' entry and set up the ``groups'' portion of your /etc/irs.conf

     group     local    continue,merge
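The record format and the ``continue''/``merge'' semantics described in the man page above, modelled as an added example (this is not code from the nss_ldap README, the IRS sources or the irs.conf(5) page): a parser that accepts exactly the map names and access methods the page lists, a checker for the pitfalls the page warns about (a map with no entry, merge outside the group map, a chain whose later sources can never be reached), and a lookup that walks a configured chain over constructed sample data. The map, method and option names come from the page; the function names, the sample irs.conf text and the simulated local/NIS sources are assumptions made for the example.

```python
# Added example, not from the nss_ldap README or the irs.conf(5) man page.
# Models how irs.conf records drive map lookups, including 'continue',
# 'merge' and the defaults used when a map has no entry.  All configuration
# and source data below is constructed inline; nothing queries a real
# NIS, DNS or LDAP server.

MAPS = ("passwd", "group", "services", "protocols", "hosts", "networks", "netgroup")
METHODS = ("local", "dns", "nis", "ldap")
OPTIONS = {"continue", "merge"}


def parse_irs_conf(text):
    """Parse irs.conf text into {map: [(method, options), ...]} in file order.

    Blank lines and text after '#' are ignored.  A record is a map name, an
    access method and optionally a comma-separated option list, separated by
    tabs or spaces.  Malformed records raise ValueError."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'map method [options]'")
        mapname, method = fields[0], fields[1]
        options = set(fields[2].split(",")) if len(fields) == 3 else set()
        if mapname not in MAPS:
            raise ValueError(f"line {lineno}: unknown map {mapname!r}")
        if method not in METHODS:
            raise ValueError(f"line {lineno}: unknown access method {method!r}")
        if not options <= OPTIONS:
            raise ValueError(f"line {lineno}: unknown option(s) {sorted(options - OPTIONS)}")
        conf.setdefault(mapname, []).append((method, options))
    return conf


def is_valid(text):
    """True if parse_irs_conf accepts the text, False on any syntax error."""
    try:
        parse_irs_conf(text)
        return True
    except ValueError:
        return False


def check_irs_conf(conf):
    """Warnings about a well-formed file: maps with no record, 'merge' outside
    the group map (where it has no effect), and a record without 'continue'
    that makes every later record for the same map unreachable."""
    warnings = [f"no entry for map {m!r}" for m in MAPS if m not in conf]
    for mapname, chain in conf.items():
        if mapname != "group" and any("merge" in opts for _, opts in chain):
            warnings.append(f"{mapname}: 'merge' only affects the group map")
        for method, opts in chain[:-1]:
            if "continue" not in opts:
                warnings.append(f"{mapname}: {method} lacks 'continue', later sources unreachable")
    return warnings


def lookup(conf, mapname, key, sources):
    """Resolve key in mapname the way the configured chain would.

    sources maps method -> map -> key -> value; a group value is a list of
    member names.  Without 'continue' a miss ends the search; with 'merge'
    (group only) a hit keeps searching and unions the member lists."""
    default = "dns" if mapname in ("hosts", "networks") else "local"
    chain = conf.get(mapname) or [(default, set())]
    merged = None
    for method, opts in chain:
        hit = sources.get(method, {}).get(mapname, {}).get(key)
        if hit is None:
            if "continue" in opts:
                continue
            break
        found = set(hit) if mapname == "group" else hit
        if mapname == "group" and "merge" in opts:
            merged = (merged or set()) | found
            continue
        return merged | found if merged is not None else found
    return merged


# Constructed irs.conf in the spirit of the man page's example.
SAMPLE_CONF = """\
# Get password entries from local file, or failing that, NIS
passwd     local    continue
passwd     nis
# Build group membership from both local file, and NIS.
group      local    continue,merge
group      nis
# Hosts come first from DNS, failing that, the local file
hosts      dns      continue
hosts      local
services   local
protocols  local
networks   dns
netgroup   nis
"""

# Constructed weak file: maps missing, no 'continue', 'merge' where it does nothing.
WEAK_CONF = "passwd local\npasswd nis\nhosts dns merge\n"

# Constructed stand-ins for /etc files and a NIS domain.
SAMPLE_SOURCES = {
    "local": {"passwd": {"root": "root:*:0:0:Charlie &:/root:/bin/csh"},
              "group": {"wheel": ["root", "imil"]}},
    "nis": {"passwd": {"imil": "imil:*:1001:1001:Emile:/home/imil:/bin/sh"},
            "group": {"wheel": ["operator"], "staff": ["imil"]}},
}


def demo():
    """Run the sample configuration against the sample sources."""
    conf = parse_irs_conf(SAMPLE_CONF)
    return {
        "warnings": check_irs_conf(conf),
        "root": lookup(conf, "passwd", "root", SAMPLE_SOURCES),
        "imil": lookup(conf, "passwd", "imil", SAMPLE_SOURCES),
        "wheel": lookup(conf, "group", "wheel", SAMPLE_SOURCES),
        "staff": lookup(conf, "group", "staff", SAMPLE_SOURCES),
        "weak": check_irs_conf(parse_irs_conf(WEAK_CONF)),
    }
```

With the sample file, `demo()` reports no warnings, finds `root` locally, falls through to NIS for `imil`, and returns a `wheel` membership that unions the local and NIS entries, which is exactly the effect the man page describes for `group local continue,merge`. The weak file produces seven warnings: five maps with no entry, the `passwd local` record whose missing `continue` makes `passwd nis` unreachable, and a `merge` on `hosts` that does nothing.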

     The dns access method is only supported for the ``hosts'' and
     ``networks'' maps. The other maps fall under the control of Hesiod, and
     have not been well tested.

     NIS takes a long time to time out, especially for hosts if you use the
     -d option to your server's ``ypserv'' daemon.

     It is important that the irs.conf file contain an entry for each map. If
     a map is not mentioned in the irs.conf file, all queries to that map will

     /etc/irs.conf  The file irs.conf resides in /etc.

     groups(5), hosts(5), netgroup(5), networks(5), passwd(5),
     protocols(5), services(5)

BSDI                            August 8, 1996                               2

<_paul@vix.com_>     "Many NANOG members have been around
pacbell!vixie!paul    longer than most." --Jim Fleming