Fedora's FreeIPA project is an interesting piece of software that has pulled together several pieces of open source software and given it a point-and-click interface as something of an answer to Active Directory.
The major pieces are the BIND DNS server from ISC, the 389 Directory Server (which started its life as the Netscape Directory Server so many moons ago), DogTag Certificate Server (also of Netscape lineage), and MIT Kerberos. Each of those packages can be daunting to setup on their own, but the IPA project has done an admirable job of integrating them and making their setup and use simple.
I have been tracking the evolution of IPA for some time now and have finally decided to take the plunge. So far things have been fairly smooth, with one exception:
IPA does not currently support wildcard DNS.
For a lot of people this would not matter, but when combined with EZproxy in a proxy-by-hostname configuration, it becomes a major problem, since wildcard support is key to its function.
The root of the problem is that the software that ties the DNS server to the LDAP storage engine -- the creatively named bind-dyndb-ldap -- does not support wildcard DNS entries yet. Like others, when the UI did not allow me to create the wildcard entries, I opened up my favorite LDAP editor (Apache Directory Studio) and created an entry manually. Alas, it was not a simple UI issue, but rather non-support in the back-end software. There are bugs entered for both IPA (3148) and bind-dyndb-ldap (95) to track the issue.
Until that is addressed, sites that adopt IPA and use EZproxy need a work-around for this issue. All both of us.
Now in a traditional BIND setup, you could of course use wildcard entries directly, or you could just point the NS record at the EZproxy server a documented by OCLC on the DNS configuration page, and enabling the DNS functionality built into EZproxy:
ezproxy.example.edu IN A 192.0.2.1
ezproxy.example.edu IN NS ezproxy.example.edu.
Unfortunately, adding that NS record does not seem to work in IPA. I have not yet taken time to peel back the layers of the onion to figure out exactly why it does not work and where it fails, but adding a NS record for the EZproxy host to IPA caused the lookups to fail completely when they were added to the host entry.
I tried a few other approaches to get this to work in IPA -- setting up a dummy zone for the proxy server and changing with the zone forwarder settings, putting the host and the service names in different zones -- to no avail. Some approaches looked more promising than others, but none ultimately worked.
Clearly I was not going to be able to address this in the 2.2.0 release of IPA, and would need to go outside the system until wildcard support is natively supported.
My first instinct was to just setup a traditional BIND zone file for each proxy server. This certainly worked, but required both a named.conf entry, as well as a separate file for each proxy server "zone". I wanted a solution that would involve less configuration litter to clean up later.
What I finally settled on was setting up simple static-stub zones in BIND with forwarders set to EZproxy:
zone "ezproxy.example.edu" IN {
type static-stub;
server-named { "ezproxy.example.edu"; };
forwarders { 192.0.2.1; };
};
It feels a little dirty having to resort to that, and I'm reminded of the scene from Star Trek: First Contact where Dr. Crusher mutters "I swore I'd never use one of these things" as she activates the Emergency Medical Hologram to create a diversion as she escapes the Borg, but it does work and will buy time until the bind-dyndb-ldap developers can figure out how they want to support wildcard DNS entries.
Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updating Hadoop Administration Online course Bangalore
ReplyDelete