Configure ISC DHCP Server with OpenLDAP
This post describes my experience of configuring ISC (Internet Systems Consortium) DHCP (Dynamic Host Configuration Protocol) with OpenLDAP as its configuration back end. First, let's go through each of the components used here.
ISC DHCP Server
ISC DHCP Server is open source software that implements the Dynamic Host Configuration Protocol in order to hand out IP addresses and other configuration information (DNS servers, gateway address, ...) to devices such as servers and desktops. Earlier, BOOTP (Bootstrap Protocol) was used to provide IP addresses to devices; BOOTP required manual steps to add configuration information for each client and had no mechanism to reclaim unused IP addresses.
Components of ISC DHCP server can be listed down as below.
- DHCP server :- the server that handles client requests for configuration.
- DHCP client :- an agent that requests configuration information from the DHCP server.
- DHCP relay agent :- forwards DHCP requests from one network to another, which eliminates the need for a separate DHCP server per LAN.
OpenLDAP Server
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. A directory is a specialized database optimized for read access. In OpenLDAP, information is stored as entries, and entries contain attributes. An attribute consists of a type and a value; typical types are uid (user ID) and mail (mail address), and the value depends on the type, for example uid: foo and mail: foo@example.com.
Each entry is uniquely identified by its DN (Distinguished Name); as an example, the DN for foo is dn: uid=foo,dc=example,dc=com. Information in OpenLDAP is arranged in a tree-like hierarchical structure, which usually mirrors the organizational structure.
Install OpenLDAP on Ubuntu 14.04
For the OpenLDAP server and the management utilities you need to install the slapd and ldap-utils packages respectively.
$sudo apt-get install slapd ldap-utils
During slapd installation you will be prompted for an administrator password; provide any password at this point, because we will reconfigure slapd shortly. From OpenLDAP 2.3 onward the server configuration is itself stored in the DIT (Directory Information Tree), under an entry known as cn=config. With this method you do not need to restart slapd after changing the configuration; it is also known as OLC (on-line configuration).
Once the installation has finished, let's configure slapd.
$sudo dpkg-reconfigure slapd
When prompted, answer as follows.
- Omit OpenLDAP server configuration :- no
- DNS domain name :- this is used to build the base DN; if you provide example.com the base DN will be dc=example,dc=com, so choose it appropriately.
- Organization name :- Example
- Administrator password :- this password is used for the admin entry (cn=admin) under the base DN defined above.
- Database back-end :- HDB
For the remaining questions go with the defaults.
Verify the OpenLDAP installation by querying the DIT.
$ldapsearch -x -H ldap://127.0.0.1 -b dc=example,dc=com
The command above should show the entries under the base DN.
-x :- skip SASL and use simple authentication (here an anonymous bind)
-H :- LDAP URI
-b :- base DN (search base)
You can also inspect the server configuration stored in the DIT. The cn=config tree is only readable by root over the local ldapi:/// socket (SASL EXTERNAL maps the connecting uid 0 to the config administrator), so run it with sudo:
$sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
Once the OpenLDAP server is working, we need to add containers for people-related information (uid, name, email, etc.) and for groups. Data is added and modified using LDIF (LDAP Data Interchange Format). Let's add two organizational units called People and Groups. When adding data you need to provide the administrator password defined earlier.
addPeople.ldif
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
Add the above data to the LDAP server.
$ ldapadd -x -H ldap://127.0.0.1 -D cn=admin,dc=example,dc=com -W -f addPeople.ldif
-D :- bind to the directory as the given bind DN.
-W :- prompt for the bind password.
-f :- read the data from the given file.
In the same way, add the organizational unit Groups for storing groups.
addGroups.ldif
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
Once the DIT has containers for users and groups, let's start by adding a group.
addGroupData.ldif
dn: cn=dev,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: dev
gidNumber: 5000
ldapadd -x -H ldap://127.0.0.1 -D cn=admin,dc=example,dc=com -W -f addGroupData.ldif
Now lets add a user.
addUserData.ldif
dn: uid=saman,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: saman
sn: Perera
givenName: Saman
cn: Saman Perera
displayName: Saman Perera
uidNumber: 10000
gidNumber: 5000
userPassword: saman
gecos: Saman Perera
loginShell: /bin/bash
homeDirectory: /home/saman
ldapadd -x -H ldap://127.0.0.1 -D cn=admin,dc=example,dc=com -W -f addUserData.ldif
Now you have an OpenLDAP server with a basic DIT: one organizational unit for groups and another for users. Two caveats before moving on. First, userPassword: saman in addUserData.ldif stores the password in cleartext in the directory; anyone who can read that attribute (the admin, a copy of /var/lib/ldap from a backup, or a misconfigured ACL) gets the password itself. Generate a salted hash with slappasswd -s instead and put the {SSHA}... value it prints in userPassword. Second, ldapadd -x over ldap:// sends the admin password in cleartext; that is acceptable against 127.0.0.1 as done here, but for a remote server use ldaps:// or STARTTLS. OpenLDAP also provides TLS, replication and many other features. Now let's start integrating the ISC DHCP server with the OpenLDAP server.
Install ISC DHCP Server
Now let's install the ISC DHCP server build that can use LDAP as its back end. On Ubuntu 14.04 the package is isc-dhcp-server-ldap (the older name dhcp3-server-ldap is a transitional package that pulls in the same thing).
sudo apt-get install isc-dhcp-server-ldap
After the DHCP package is installed, let's set up LDAP for storing the DHCP configuration. First copy the LDAP schema for DHCP, which ships gzipped with the package, into the slapd schema directory:
sudo sh -c 'zcat /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema.gz > /etc/ldap/schema/dhcp.schema'
Now we need to load this schema into the DIT, and before that we need to convert it to LDIF format. With old LDAP versions that used slapd.conf instead of dynamic configuration (cn=config), copying the schema file, adding an include line and restarting slapd was enough; with newer versions (which I am using here) the schema has to be added to the DIT as LDIF. The slaptest utility can do the conversion. First create a file /tmp/dhcp.conf containing only the following line.
include /etc/ldap/schema/dhcp.schema
Then execute the commands below.
mkdir /tmp/dhcp
slaptest -f /tmp/dhcp.conf -F /tmp/dhcp
slaptest writes the converted schema to /tmp/dhcp/cn\=config/cn\=schema/cn\=\{0\}dhcp.ldif. Open that file and remove the operational attributes at the bottom (they were generated for the temporary config and slapd creates fresh ones when the entry is added; the exact values will differ on your system):
structuralObjectClass: olcSchemaConfig
entryUUID: 9bcf5d1c-ee67-1033-8cfe-8d23f897bb77
creatorsName: cn=config
createTimestamp: 20141022184725Z
entryCSN: 20141022184725.031859Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20141022184725Z
Also change the three lines at the top of the LDIF from
dn: cn={0}dhcp
objectClass: olcSchemaConfig
cn: {0}dhcp
to
dn: cn=dhcp,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: dhcp
The {0} index prefix came from the temporary config; slapd assigns the next free index itself when the entry is added under cn=schema,cn=config. Now add the LDIF to the DIT (again as root over ldapi:///).
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/dhcp/cn\=config/cn\=schema/cn\=\{0\}dhcp.ldif
Once the DHCP schema is loaded we need to add the DHCP data to the DIT. Besides a container (ou=dhcp) directly below the base DN (dc=example,dc=com), a working DHCP server needs four kinds of entries:
- DHCP server (dhcpServer) :- the entry dhcpd looks up for itself; it points to the service through dhcpServiceDN.
- DHCP service (dhcpService) :- global statements, and the parent of the subnet and host entries.
- DHCP subnet definition (dhcpSubnet).
- DHCP host definition (dhcpHost).
dhcp.ldif
dn: ou=dhcp,dc=example,dc=com
ou: dhcp
objectClass: top
objectClass: organizationalUnit
description: DHCP Servers
ldapadd -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcp.ldif
Now let's add the DHCP server entry.
dhcpserver.ldif
dn: cn=server,ou=dhcp,dc=example,dc=com
cn: server
objectClass: top
objectClass: dhcpServer
dhcpServiceDN: cn=config,ou=dhcp,dc=example,dc=com
ldapadd -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcpserver.ldif
Now let's add the DHCP service entry.
dhcpservice.ldif
dn: cn=config,ou=dhcp,dc=example,dc=com
cn: config
objectClass: top
objectClass: dhcpService
dhcpPrimaryDN: cn=server,ou=dhcp,dc=example,dc=com
dhcpStatements: ddns-update-style none
dhcpStatements: get-lease-hostnames true
dhcpStatements: use-host-decl-names true
ldapadd -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcpservice.ldif
Let's add the DHCP subnet information now.
dhcpsubnet.ldif
dn: cn=192.168.1.0,cn=config,ou=dhcp,dc=example,dc=com
cn: 192.168.1.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
dhcpRange: 192.168.1.150 192.168.1.200
dhcpStatements: default-lease-time 600
dhcpStatements: max-lease-time 7200
dhcpOption: netbios-name-servers 192.168.1.16
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: routers 192.168.1.1
dhcpOption: domain-name-servers 192.168.1.11
dhcpOption: domain-name "example.com"
ldapadd -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcpsubnet.ldif
Now let's add a host entry, which binds a MAC address to a fixed IP address.
host.ldif
dn: cn=client01,cn=config,ou=dhcp,dc=example,dc=com
cn: client01
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:16:3e:3d:eb:87
dhcpStatements: fixed-address 192.168.1.111
ldapadd -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f host.ldif
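Typing the five LDIF files above by hand is error-prone, and slapd will happily accept a host whose fixed-address sits inside the dynamic range or a MAC that is already bound to another address. As an added example (not code from the original post or from ISC DHCP), the script below generates the whole ou=dhcp subtree as one LDIF file and refuses to emit it until those checks pass. It assumes the tutorial's DNs (ou=dhcp,dc=example,dc=com with cn=server and cn=config) and the tutorial's subnet; the host list is constructed, with a second host added to exercise the MAC normalisation.

```python
"""Generate the ou=dhcp subtree (container, server, service, subnet, hosts)
as one LDIF file, with sanity checks before anything reaches ldapadd.

Added example; it is not part of the original post or of ISC DHCP. It assumes
the tutorial's DNs (ou=dhcp,dc=example,dc=com with cn=server and cn=config)
and a constructed host list. Checks: MAC addresses are well formed, the
dhcpRange lies inside the subnet, every fixed-address lies inside the subnet
but outside the dynamic range, and no MAC or address is used twice.
"""
import ipaddress
import re

BASE = "ou=dhcp,dc=example,dc=com"
SERVICE_DN = f"cn=config,{BASE}"
SERVER_DN = f"cn=server,{BASE}"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed input: the tutorial's subnet, range and host, plus one more host
SUBNET = "192.168.1.0/24"
DYN_RANGE = ("192.168.1.150", "192.168.1.200")
OPTIONS = {
    "subnet-mask": "255.255.255.0",
    "routers": "192.168.1.1",
    "domain-name-servers": "192.168.1.11",
    "netbios-name-servers": "192.168.1.16",
    "domain-name": '"example.com"',
}
HOSTS = [
    ("client01", "00:16:3e:3d:eb:87", "192.168.1.111"),
    ("printer01", "00-16-3E-00-00-01", "192.168.1.112"),
]


def normalize_mac(mac):
    """Return the MAC as lower-case colon form, or None if it is malformed."""
    mac = mac.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def host_problems(subnet, dyn_range, hosts):
    """List every configuration error found; an empty list means all is well."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=True)
    lo, hi = (ipaddress.ip_address(a) for a in dyn_range)
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"dhcpRange {dyn_range} is not a valid range inside {subnet}")
    seen_macs, seen_ips = set(), set()
    for cn, mac, ip in hosts:
        norm = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        if norm is None:
            problems.append(f"{cn}: malformed MAC {mac!r}")
        elif norm in seen_macs:
            problems.append(f"{cn}: MAC {norm} already used")
        if addr not in net:
            problems.append(f"{cn}: {ip} is outside {subnet}")
        elif lo <= addr <= hi:
            problems.append(f"{cn}: {ip} lies inside the dynamic range")
        if addr in seen_ips:
            problems.append(f"{cn}: address {ip} already used")
        seen_macs.add(norm)
        seen_ips.add(addr)
    return problems


def _entry(dn, attrs):
    """Render one LDIF entry; attrs is a list of (name, value) pairs."""
    return "\n".join([f"dn: {dn}"] + [f"{k}: {v}" for k, v in attrs]) + "\n"


def build_ldif(subnet, dyn_range, options, hosts):
    """Return the LDIF for the whole subtree, or raise ValueError on errors."""
    problems = host_problems(subnet, dyn_range, hosts)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(subnet)
    entries = [
        _entry(BASE, [("ou", "dhcp"), ("objectClass", "top"),
                      ("objectClass", "organizationalUnit"),
                      ("description", "DHCP Servers")]),
        _entry(SERVER_DN, [("cn", "server"), ("objectClass", "top"),
                           ("objectClass", "dhcpServer"),
                           ("dhcpServiceDN", SERVICE_DN)]),
        _entry(SERVICE_DN, [("cn", "config"), ("objectClass", "top"),
                            ("objectClass", "dhcpService"),
                            ("dhcpPrimaryDN", SERVER_DN),
                            ("dhcpStatements", "ddns-update-style none"),
                            ("dhcpStatements", "get-lease-hostnames true"),
                            ("dhcpStatements", "use-host-decl-names true")]),
        _entry(f"cn={net.network_address},{SERVICE_DN}",
               [("cn", str(net.network_address)), ("objectClass", "top"),
                ("objectClass", "dhcpSubnet"), ("objectClass", "dhcpOptions"),
                ("dhcpNetMask", str(net.prefixlen)),
                ("dhcpRange", f"{dyn_range[0]} {dyn_range[1]}"),
                ("dhcpStatements", "default-lease-time 600"),
                ("dhcpStatements", "max-lease-time 7200")]
               + [("dhcpOption", f"{k} {v}") for k, v in options.items()]),
    ]
    for cn, mac, ip in hosts:
        entries.append(_entry(f"cn={cn},{SERVICE_DN}",
                              [("cn", cn), ("objectClass", "top"),
                               ("objectClass", "dhcpHost"),
                               ("dhcpHWAddress", f"ethernet {normalize_mac(mac)}"),
                               ("dhcpStatements", f"fixed-address {ip}")]))
    return "\n".join(entries)   # blank line between entries, as ldapadd expects


if __name__ == "__main__":
    print(build_ldif(SUBNET, DYN_RANGE, OPTIONS, HOSTS))
```

Feed the output to the same ldapadd command used above (one run adds all six entries, since ldapadd accepts several entries separated by blank lines). Keeping static and dynamic allocations disjoint is the check that matters most operationally: an address that is both a fixed-address and inside dhcpRange is the classic cause of two clients fighting over one IP.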
Finally you need to configure the DHCP server to fetch its configuration from OpenLDAP.
/etc/dhcp/dhcpd.conf
ldap-server "localhost";
ldap-port 389;
# We do an anonymous bind
# ldap-username "cn=directorymanagerloginname";
# ldap-password "mypassword";
ldap-base-dn "ou=dhcp,dc=example,dc=com";
ldap-method static;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
ldap-dhcp-server-cn "server";
A few notes on these settings. ldap-dhcp-server-cn names the dhcpServer entry that dhcpd looks up (cn=server); without it dhcpd searches for an entry matching its own hostname. With ldap-method static, dhcpd reads the whole subtree once at startup and builds its configuration in memory, so host entries added to LDAP later only take effect after a restart; with ldap-method dynamic the service and subnets are still read at startup, but host entries are looked up in LDAP on every request. ldap-debug-file receives the dhcpd.conf text that dhcpd generates from LDAP, which is the first place to look when the server refuses to start. The anonymous bind only works because the default Ubuntu ACL (to * by * read) lets anyone read ou=dhcp, which also means anyone who can reach port 389 can enumerate your MAC-to-IP mappings; outside a lab, create a read-only bind DN, restrict access to ou=dhcp to it with olcAccess, set ldap-username and ldap-password here, and keep dhcpd.conf from being world-readable since it then contains that password.
Before starting the DHCP server, add the indexes slapd is missing; without them every lookup logs "bdb_equality_candidates: (cn) not indexed" warnings and is answered by a full scan (see http://muzso.hu/2010/04/26/fixing-bdb_equality_candidates-errors-on-your-openldap-server). Make sure slapd is stopped first.
sudo /etc/init.d/slapd stop
Edit /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif and add the lines below right after the line "olcDbIndex: objectClass eq".
olcDbIndex: cn eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
Then rebuild the indexes as the openldap user (so the files under /var/lib/ldap keep the right owner) and start slapd again.
sudo -u openldap slapindex -F /etc/ldap/slapd.d/
sudo /etc/init.d/slapd start
slapd will log a checksum warning for the hand-edited file; it is harmless. The alternative that avoids both the warning and the stop/start is to add the same olcDbIndex values to olcDatabase={1}hdb,cn=config with ldapmodify over ldapi:///, after which slapd builds the indexes itself.
Finally restart the DHCP server; it should now be ready to serve with this basic configuration.
/etc/init.d/isc-dhcp-server restart
Current dynamic leases are stored in the file below (fixed-address hosts are served from their host entry and get no lease record).
/var/lib/dhcp/dhcpd.leases
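dhcpd.leases is append-only: dhcpd writes a new record every time a lease changes state, so the same address appears several times and only the last record counts. As an added example (not part of the original post or of ISC DHCP), the parser below keeps the last record per address, reports the active leases, and flags a MAC that should have been served from a dhcpHost entry but instead got a dynamic lease, which usually means dhcpd never saw the host entry (for instance because it was added to LDAP after dhcpd started with ldap-method static). The lease text is constructed in the real dhcpd.leases(5) syntax and reuses the tutorial's client01 MAC.

```python
"""Parse dhcpd.leases and report what is actually leased right now.

Added example; it is not part of the original post or of ISC DHCP.
SAMPLE_LEASES is constructed in the real dhcpd.leases(5) syntax. The file is
append-only, so the parser keeps only the last record per address before
looking at 'binding state'.
"""
import re

SAMPLE_LEASES = """\
# Constructed sample in dhcpd.leases syntax (not a real capture)
lease 192.168.1.150 {
  starts 3 2014/10/22 18:47:25;
  ends 3 2014/10/22 18:57:25;
  cltt 3 2014/10/22 18:47:25;
  binding state active;
  next binding state free;
  hardware ethernet 00:16:3e:aa:bb:cc;
  uid "\\001\\000\\026>\\252\\273\\314";
  client-hostname "laptop01";
}
lease 192.168.1.151 {
  starts 3 2014/10/22 18:40:00;
  ends 3 2014/10/22 18:50:00;
  binding state active;
  hardware ethernet 00:16:3e:11:22:33;
}
lease 192.168.1.151 {
  starts 3 2014/10/22 18:40:00;
  ends 3 2014/10/22 18:50:00;
  binding state free;
  hardware ethernet 00:16:3e:11:22:33;
}
lease 192.168.1.152 {
  starts 3 2014/10/22 18:55:00;
  ends 3 2014/10/22 19:05:00;
  binding state active;
  hardware ethernet 00:16:3e:3d:eb:87;
  client-hostname "client01";
}
"""

LEASE_BLOCK = re.compile(r"^lease\s+(\S+)\s*\{([^}]*)\}", re.M)
TIME_KEYS = {"starts", "ends", "tstp", "tsfp", "atsfp", "cltt"}


def _parse_statement(stmt):
    """Split one 'key value' statement; keys may be several words."""
    if '"' in stmt:                           # uid "..." / client-hostname "..."
        key, value = stmt.split('"', 1)
        return key.strip(), value.rstrip('"')
    first, _, rest = stmt.partition(" ")
    if first in TIME_KEYS:                    # 'ends 3 2014/10/22 18:57:25'
        return first, rest
    key, _, value = stmt.rpartition(" ")      # 'binding state active'
    return key, value


def parse_leases(text):
    """Return {ip: {statement-key: value}}, keeping the LAST record per IP."""
    leases = {}
    for m in LEASE_BLOCK.finditer(text):
        ip, body = m.group(1), m.group(2)
        rec = {}
        for line in body.splitlines():
            stmt = line.strip().rstrip(";").strip()
            if not stmt or stmt.startswith("#"):
                continue
            key, value = _parse_statement(stmt)
            rec[key] = value
        leases[ip] = rec                      # later records supersede earlier
    return leases


def active_leases(text):
    """Only the addresses whose latest record is in binding state active."""
    return {ip: rec for ip, rec in parse_leases(text).items()
            if rec.get("binding state") == "active"}


def dynamic_leases_for_static_hosts(text, static_macs):
    """Addresses leased dynamically to MACs that have a fixed-address host entry.

    A host matched by its dhcpHost entry gets its fixed address and no lease
    record, so such a MAC in the leases file means the host entry was not
    applied (e.g. added to LDAP after dhcpd started with ldap-method static).
    """
    wanted = {m.lower() for m in static_macs}
    return sorted(ip for ip, rec in active_leases(text).items()
                  if rec.get("hardware ethernet", "").lower() in wanted)


if __name__ == "__main__":
    for ip, rec in active_leases(SAMPLE_LEASES).items():
        print(ip, rec.get("hardware ethernet"), rec.get("client-hostname", "-"),
              "until", rec.get("ends"))
    print("static hosts served dynamically:",
          dynamic_leases_for_static_hosts(SAMPLE_LEASES, {"00:16:3E:3D:EB:87"}))
```

Run it against /var/lib/dhcp/dhcpd.leases by reading the file into parse_leases; the set of static MACs can be pulled from LDAP with ldapsearch -b cn=config,ou=dhcp,dc=example,dc=com objectClass=dhcpHost dhcpHWAddress.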
The steps needed to make ISC DHCP talk to OpenLDAP over TLS can be found at http://mageconfig.blogspot.com/2014/11/enable-ssl-in-openldap.html
References
- https://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00
- http://wiki.herzbube.ch/index.php/ISCDHCP#Converting_dhcpd.conf_to_LDIF