Configure BIND LDAP driver to use SASL authentication

We use /etc/named.keytab generated by ipa-server-install to authenticate
against the LDAP server. Also tidy up /etc/named.conf since we're there.

1 files changed, 16 insertions, 15 deletions

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index a04fc181..69bd86b0 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -1,24 +1,23 @@
 options {
 	// Put files that named is allowed to write in the data/ directory:
 	directory "/var/named"; // the default
-	dump-file               "data/cache_dump.db";
-	statistics-file         "data/named_stats.txt";
-	memstatistics-file      "data/named_mem_stats.txt";
+	dump-file		"data/cache_dump.db";
+	statistics-file		"data/named_stats.txt";
+	memstatistics-file	"data/named_mem_stats.txt";
 
-        /* Not used yet, support only on very recent bind versions */
-#       tkey-gssapi-credential "DNS/$FQDN";
-#       tkey-domain "$REALM";
+	tkey-gssapi-credential "DNS/$FQDN";
+	tkey-domain "$REALM";
 };
 
-logging {
-/*      If you want to enable debugging, eg. using the 'rndc trace' command,
- *      By default, SELinux policy does not allow named to modify the /var/named directory,
- *      so put the default debug log file in data/ :
+/* If you want to enable debugging, eg. using the 'rndc trace' command,
+ * By default, SELinux policy does not allow named to modify the /var/named directory,
+ * so put the default debug log file in data/ :
  */
-        channel default_debug {
-                file "data/named.run";
-                severity dynamic;
-        };
+logging {
+	channel default_debug {
+		file "data/named.run";
+		severity dynamic;
+	};
 };
 
 zone "." IN {
@@ -32,5 +31,7 @@ dynamic-db "ipa" {
 	library "ldap.so";
 	arg "uri ldap://$FQDN";
 	arg "base cn=dns, $SUFFIX";
-	arg "auth_method none";
+	arg "auth_method sasl";
+	arg "sasl_mech GSSAPI";
+	arg "sasl_user DNS/$FQDN";
 };