|
 |
0f9f19c |
LDAP Support in DHCP
|
|
|
0f9f19c |
Brian Masney <masneyb@ntelos.net>
|
|
|
0f9f19c |
Last updated 8/16/2002
|
|
|
0f9f19c |
|
|
|
0f9f19c |
This document describes setting up the DHCP server to read it's configuration
|
|
|
0f9f19c |
from LDAP. This work is based on the IETF document
|
|
|
0f9f19c |
draft-ietf-dhc-ldap-schema-01.txt included in the doc directory. For the latest
|
|
|
0f9f19c |
version of this document, please see http://home.ntelos.net/~masneyb.
|
|
|
0f9f19c |
|
|
|
0f9f19c |
First question on most people's mind is "Why do I want to store my
|
|
|
0f9f19c |
configuration in LDAP?" If you run a small DHCP server, and the configuration
|
|
|
0f9f19c |
on it rarely changes, then you won't need to store your configuration in LDAP.
|
|
|
0f9f19c |
But, if you have several DHCP servers, and you want an easy way to manage your
|
|
|
0f9f19c |
configuration, this can be a solution.
|
|
|
0f9f19c |
|
|
|
0f9f19c |
The first step will be to setup your LDAP server. I am using OpenLDAP from
|
|
|
0f9f19c |
www.openldap.org. Building and installing OpenLDAP is beyond the scope of this
|
|
|
0f9f19c |
document. There is plenty of documentation out there about this. Once you have
|
|
|
0f9f19c |
OpenLDAP installed, you will have to edit your slapd.conf file. I added the
|
|
|
0f9f19c |
following 2 lines to my configuration file:
|
|
|
0f9f19c |
|
|
|
0f9f19c |
include /etc/ldap/schema/dhcp.schema
|
|
|
0f9f19c |
index dhcpHWAddress eq
|
|
|
0f9f19c |
index dhcpClassData eq
|
|
|
0f9f19c |
|
|
|
0f9f19c |
The first line tells it to include the dhcp schema file. You will find this
|
|
|
0f9f19c |
file under the contrib directory in this distribution. You will need to copy
|
|
|
0f9f19c |
this file to where your other schema files are (maybe
|
|
|
0f9f19c |
/usr/local/openldap/etc/openldap/schema/). The second line sets up
|
|
|
0f9f19c |
an index for the dhcpHWAddress parameter. The third parameter is for reading
|
|
|
0f9f19c |
subclasses from LDAP every time a DHCP request comes in. Make sure you run the
|
|
|
0f9f19c |
slapindex command and restart slapd to have these changes to into effect.
|
|
|
0f9f19c |
|
|
|
0f9f19c |
Now that you have LDAP setup, you should be able to use gq (http://biot.com/gq/)
|
|
|
0f9f19c |
to verify that the dhcp schema file is loaded into LDAP. Pull up gq, and click
|
|
|
0f9f19c |
on the Schema tab. Go under objectClasses, and you should see at least the
|
|
|
0f9f19c |
following object classes listed: dhcpClass, dhcpGroup, dhcpHost, dhcpOptions,
|
|
|
0f9f19c |
dhcpPool, dhcpServer, dhcpService, dhcpSharedNetwork, dhcpSubClass, and
|
|
|
0f9f19c |
dhcpSubnet. If you do not see these, you need to check over your LDAP
|
|
|
0f9f19c |
configuration before you go any further.
|
|
|
0f9f19c |
|
|
|
0f9f19c |
You should be ready to build DHCP. Edit the includes/site.h file and uncomment
|
|
|
0f9f19c |
the #define LDAP_CONFIGURATION. Now run configure in the base source directory.
|
|
|
0f9f19c |
Edit the work.os/server/Makefile and add -lldap to the LIBS= line. (replace os
|
|
|
0f9f19c |
with your operating system, linux-2.2 on my machine). You should be able to
|
|
|
0f9f19c |
type make to build your DHCP server.
|
|
|
0f9f19c |
|
|
|
0f9f19c |
Once you have DHCP installed, you will need to setup your initial plaintext
|
|
|
0f9f19c |
config file. In my /etc/dhcpd.conf file, I have:
|
|
|
0f9f19c |
|
|
|
0f9f19c |
ldap-server "localhost";
|
|
|
0f9f19c |
ldap-port 389;
|
|
|
0f9f19c |
ldap-username "cn=DHCP User, dc=ntelos, dc=net";
|
|
|
0f9f19c |
ldap-password "blah";
|
|
|
0f9f19c |
ldap-base-dn "dc=ntelos, dc=net";
|
|
|
0f9f19c |
ldap-method dynamic;
|
|
|
0f9f19c |
|
|
|
0f9f19c |
All of these parameters should be self explanatory except for the ldap-method.
|
|
|
0f9f19c |
You can set this to static or dynamic. If you set it to static, the
|
|
|
0f9f19c |
configuration is read once on startup, and LDAP isn't used anymore. But, if you
|
|
|
0f9f19c |
set this to dynamic, the configuration is read once on startup, and the
|
|
|
0f9f19c |
hosts that are stored in LDAP are looked up every time a DHCP request comes in.
|
|
|
0f9f19c |
|
|
|
0f9f19c |
The next step is to set up your LDAP tree. Here is an example config that will
|
|
|
0f9f19c |
give a 10.100.0.x address to machines that have a host entry in LDAP.
|
|
|
0f9f19c |
Otherwise, it will give a 10.200.0.x address to them. (NOTE: replace
|
|
|
0f9f19c |
dc=ntelos, dc=net with your base dn). If you would like to convert your
|
|
|
0f9f19c |
existing dhcpd.conf file to LDIF format, there is a script
|
|
|
0f9f19c |
contrib/dhcpd-conf-to-ldap.pl that will convert it for you.
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# You must specify the server's host name in LDAP that you are going to run
|
|
|
0f9f19c |
# DHCP on and point it to which config tree you want to use. Whenever DHCP
|
|
|
0f9f19c |
# first starts up, it will do a search for this entry to find out which
|
|
|
0f9f19c |
# config to use
|
|
|
0f9f19c |
dn: cn=brian.ntelos.net, dc=ntelos, dc=net
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpServer
|
|
|
0f9f19c |
cn: brian.ntelos.net
|
|
|
0f9f19c |
dhcpServiceDN: cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Here is the config tree that brian.ntelos.net points to.
|
|
|
0f9f19c |
dn: cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
cn: DHCP Service Config
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpService
|
|
|
0f9f19c |
dhcpPrimaryDN: dc=ntelos, dc=net
|
|
|
0f9f19c |
dhcpStatements: ddns-update-style ad-hoc
|
|
|
0f9f19c |
dhcpStatements: default-lease-time 600
|
|
|
0f9f19c |
dhcpStatements: max-lease-time 7200
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Set up a shared network segment
|
|
|
0f9f19c |
dn: cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
cn: WV
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpSharedNetwork
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Set up a subnet declaration with a pool statement. Also note that we have
|
|
|
0f9f19c |
# a dhcpOptions object with this entry
|
|
|
0f9f19c |
dn: cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
cn: 10.100.0.0
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpSubnet
|
|
|
0f9f19c |
objectClass: dhcpOptions
|
|
|
0f9f19c |
dhcpOption: domain-name-servers 10.100.0.2
|
|
|
0f9f19c |
dhcpOption: routers 10.100.0.1
|
|
|
0f9f19c |
dhcpOption: subnet-mask 255.255.255.0
|
|
|
0f9f19c |
dhcpOption: broadcast-address 10.100.0.255
|
|
|
0f9f19c |
dhcpNetMask: 24
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Set up a pool for this subnet. Only known hosts will get these IPs
|
|
|
0f9f19c |
dn: cn=Known Pool, cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
cn: Known Pool
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpPool
|
|
|
0f9f19c |
dhcpRange: 10.100.0.3 10.100.0.254
|
|
|
0f9f19c |
dhcpPermitList: deny unknown-clients
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Set up another subnet declaration with a pool statement
|
|
|
0f9f19c |
dn: cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
cn: 10.200.0.0
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpSubnet
|
|
|
0f9f19c |
objectClass: dhcpOptions
|
|
|
0f9f19c |
dhcpOption: domain-name-servers 10.200.0.2
|
|
|
0f9f19c |
dhcpOption: routers 10.200.0.1
|
|
|
0f9f19c |
dhcpOption: subnet-mask 255.255.255.0
|
|
|
0f9f19c |
dhcpOption: broadcast-address 10.200.0.255
|
|
|
0f9f19c |
dhcpNetMask: 24
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Set up a pool for this subnet. Only unknown hosts will get these IPs
|
|
|
0f9f19c |
dn: cn=Known Pool, cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
cn: Known Pool
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpPool
|
|
|
0f9f19c |
dhcpRange: 10.200.0.3 10.200.0.254
|
|
|
0f9f19c |
dhcpPermitList: deny known clients
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Set aside a group for all of our known MAC addresses
|
|
|
0f9f19c |
dn: cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpGroup
|
|
|
0f9f19c |
cn: Customers
|
|
|
0f9f19c |
|
|
|
0f9f19c |
# Host entry for my laptop
|
|
|
0f9f19c |
dn: cn=brianlaptop, cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
|
|
|
0f9f19c |
objectClass: top
|
|
|
0f9f19c |
objectClass: dhcpHost
|
|
|
0f9f19c |
cn: brianlaptop
|
|
|
0f9f19c |
dhcpHWAddress: ethernet 00:00:00:00:00:00
|
|
|
0f9f19c |
|
|
|
0f9f19c |
You can use the command slapadd to load all of these entries into your LDAP
|
|
|
0f9f19c |
server. After you load this, you should be able to start up DHCP. If you run
|
|
|
0f9f19c |
into problems reading the configuration, try running dhcpd with the -d flag.
|
|
|
0f9f19c |
If you still have problems, edit the site.conf file in the DHCP source and
|
|
|
0f9f19c |
add the line: COPTS= -DDEBUG_LDAP and recompile DHCP. (make sure you run make
|
|
|
0f9f19c |
clean and rerun configure before you rebuild).
|
|
|
0f9f19c |
|