Tuesday, October 21, 2014

Configure ISC DHCP Server with OpenLDAP


Configure ISC DHCP Server with OpenLDAP

This is my experience of configuring ISC (Internet System Consortium) DHCP  (Dynamic Host Configuration Protocol) with OpenLDAP. First lets go through each components which will be used here.

ISC DHCP Server

ISC DHCP Server is an open source software that implements the Dynamic Host Configuration Protocol in order to provide IPs and other configuration information (DNS Server , Gateway Address...) to the devices such as servers,desktops. Earlier BOOTP (Bootstrap Protocol) was  used to provide IP addresses to devices. BOOTP required manual  steps for adding configuration information on each client and also it does not have mechanisim to reclaim unused IP addresses.

Components of ISC DHCP server can be listed down as below.

  1.     DHCP Server :- server which handles the client request for configuration.
  2.     DHCP Client :- A agent which request configuration information from the DHCP server.
  3.     DHCP relay agent :- This component passes the DHCP request from one network to another which eliminate the need of having separate DHCP server per LAN.


OpenLDAP Server

OpenLDAP is a open source implementation of Lightweight Directory Access Protocol. Directory is a specialized database optimized for read access. In OpenLDAP informations are stored as entries, entries contains attributes. Attributes are consist of  type and value, typically types are uid(User ID) , mail (mail address). Values are depend on types, such as for uid: foo , for mail : foo@example.com.
Each entry is uniquely identified by using DN (Distinguished Name), as a example DN for foo  is dn: uid=foo,dc=example,dc=com. Information in OpenLDAP is arranged in tree-like hierarchical structure, this structure usually represent  organizational structures.

Further Readings

Install OpenLDAP on Ubuntu 14.04

For OpenLDAP  server and management utilities , respectively you need to install slapd and ldap-utils packages.
  $sudo apt-get install slapd ldap-utils  

During slapd installation you will be prompted for Administrator password , at this point provide some password because we will be configuring the slapd again. Onward OpenLDAP 2.3,  for the purpose of storing configuration  there is entry in the DIT (Directory Information Tree) known as cn=config. When you use this method you no need to restart the slapd server once you change the configurations, this method is also known as OLC (Online Configuration)

Futher Readings

Once installtion is finish , lets configure slapd.
  $sudo dpkg-reconfigure slapd  

When prompted provide answers as follows.

  1.     Omit OpenLDAP Server configuration :- no
  2.     DNS Doman name (this will be used to create base DN),if you provide example.com , base DN would be dc=example,dc=com , so provide this appropriately.
  3.     Organization name :- Example
  4.     Administrator password , this password will be used for the admin entry of the base  DN defined above.
  5.     Database Back-end :- HDB

For the remaining  questions go with defaults.

Verify the openLDAP installation by querying the DIT.
  $ldapsearch -x -H ldap://127.0.0.1 -b dc=example,dc=com  

Above command should show you entries in BaseDN.

 -x :-  Ignore SASL and use simple authentication
-H :- LDAP URI
-b :- base DN (search base)

Also you can check the LDAP server configurations in the DIT as below.
  $ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Once OpenLDAP server is working , now we need to add groups for storing people related information. (uid,name,email...etc.). We are performing the data adding and modification using LDIF (Ldap Data Interchange Format). Now lets add groups called People and Groups.  When you are adding data , you need to provide the  Administrator password defined earlier.

addPeople.ldif

 dn: ou=People,dc=example,dc=com  
 objectClass: organizationalUnit  
 ou: People  

Add  above data to the Ldap server.

 $ ldapadd -x -H ldap://127.0.0.1 -D cn=admin,dc=example,dc=com -W -f addPeople.ldif  

-D :-  Use the given bindDN value to bind the Ldap directory.
-W :- prompt for password.
-f :- Read data from the file.

Again as above, add group called Groups  for storing groups.

addGroups.ldif

 dn: ou=Groups,dc=example,dc=com  
 objectClass: organizationalUnit  
 ou: Groups  

Once DIT is defined for storing users and groups ,lets start adding group first.

addGroupData.ldif
 dn: cn=dev,ou=Groups,dc=example,dc=com  
 objectClass: posixGroup  
 cn: dev  
 gidNumber: 5000  

  ldapadd -x -H ldap://127.0.0.1 -D cn=admin,dc=example,dc=com -W -f addGroupData.ldif  


Now lets add a user.
addUserData.ldif

 dn: uid=saman,ou=People,dc=example,dc=com  
 objectClass: inetOrgPerson  
 objectClass: posixAccount  
 objectClass: shadowAccount  
 uid: saman  
 sn: Perera  
 givenName: Saman  
 cn: Saman Perera  
 displayName: Saman Perera  
 uidNumber: 10000  
 gidNumber: 5000  
 userPassword: saman  
 gecos: Saman Perera  
 loginShell: /bin/bash  
 homeDirectory: /home/saman  

  ldapadd -x -H ldap://127.0.0.1 -D cn=admin,dc=example,dc=com -W -f addUserData.ldif   

Now you have OpenLDAP server with basic DIT which is having one group for storing groups and another is for storing users. OpenLDAP is having features for providing SSL , Replication and many other. Now lets start integrating the ISC DHCP server with OpenLDAP server.

Install ISC DHCP Server

Now let's install ISC DHCP server which can be used it's backend as LDAP.

 sudo apt-get install dhcp3-server-ldap
After DHCP package is installed , let's setup LDAP for storing DHCP configurations. First copy the LDAP schema for DHCP as below.
cd /usr/share/doc/isc-dhcp-server-ldap/;
gunzip dhcp.schema.gz
cp dhcp.schema  /etc/ldap/schema/ 
Now we need to add the above schema to the DIT, before that we need to convert it to LDIF format. For old LDAP versions which used slapd.conf instead of dynamic configuration (cn=config) copying schema file and restarting the slapd server is enough, But for newer versions (which I am using here) , we need to add the configurations to the DIT through the LDIF.

Using slaptest utility we can convert the schema file to LDIF format. First create a file called dhcp.conf  which contains following.
include /etc/ldap/schema/dhcp.schema
There after execute below commands.
mkdir /tmp/dhcp
slaptest  -f /tmp/dhcp.conf  -F /tmp/dhcp
Once LDIF file is created at /tmp/dhcp/cn\=config/cn\=schema/cn\=\{0\}dhcp.ldif , remove below unwanted lines at the bottom.
structuralObjectClass: olcSchemaConfig
entryUUID: 9bcf5d1c-ee67-1033-8cfe-8d23f897bb77
creatorsName: cn=config
createTimestamp: 20141022184725Z
entryCSN: 20141022184725.031859Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20141022184725Z
Also change below configuration at the top of LDIF
dn: cn={0}dhcp
objectClass: olcSchemaConfig
cn: {0}dhcp
To
dn: cn=dhcp,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: dhcp

Now add the LDIF to DIT.

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/dhcp/cn\=config/cn\=schema/cn\=\{0\}dhcp.ldif
Once LDIF for DHCP is added , now we need to add data to DIT. There are 4 main components we should add to LDAP in order to have working DHCP server.
  1. DHCP Server itself need to define in top level, below the base DN (dc=example,d=com).
  2. DHCP Service
  3. DHCP Subnet definition.
  4. DHCP Host definition
Before adding  DHCP server  entries to the DIT, let's create separate tree for storing DHCP configuration as below under the baseDN.

dhcp.ldif

dn: ou=dhcp,dc=example,dc=com
ou: dhcp
objectClass: top
objectClass: organizationalUnit
description: DHCP Servers

ldapadd  -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcp.ldif 
Now let's add DHCP server entries.

dhcpserver.ldif
dn: cn=server,ou=dhcp,dc=example,dc=com
cn: server
objectClass: top
objectClass: dhcpServer
dhcpServiceDN: cn=config,ou=dhcp,dc=example,dc=com

ldapadd  -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcpserver.ldif

Now  Lets add DHCP service entries.

dhcpservice.ldif
dn: cn=config, ou=dhcp,dc=example,dc=com
cn: config
objectClass: top
objectClass: dhcpService
dhcpPrimaryDN:  cn=server,ou=dhcp,dc=example,dc=com
dhcpStatements: ddns-update-style none
dhcpStatements: get-lease-hostnames true
dhcpStatements: use-host-decl-names true

 ldapadd  -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcpservice.ldif 
Let's add DHCP subnet information now.

dhcpsubnet.ldif
dn: cn=192.168.1.0, cn=config, ou=dhcp,dc=example,dc=com
cn: 192.168.1.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
dhcpRange: 192.168.1.150 192.168.1.200
dhcpStatements: default-lease-time 600
dhcpStatements: max-lease-time 7200
dhcpOption: netbios-name-servers 192.168.1.16
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: routers 192.168.1.1
dhcpOption: domain-name-servers 192.168.1.11
dhcpOption: domain-name "example.com"

 ldapadd  -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f dhcpsubnet.ldif
Now lets add a Host entry which bind Mac to Ip.

host.ldif
dn: cn=client01, cn=config, ou=dhcp,dc=example,dc=com
cn: client01
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:16:3e:3d:eb:87
dhcpStatements: fixed-address 192.168.1.111

ldapadd  -x -H ldap://localhost/ -D cn=admin,dc=example,dc=com -W -f host.ldif



Finally you need to configure DHCP server to communicate OpenLDAP for getting configuration
/etc/dhcp/dhcpd.conf
ldap-server                 "localhost";
ldap-port                   389;
# We do an anonymous bind
# ldap-username             "cn=directorymanagerloginname";
# ldap-password             "mypassword";
ldap-base-dn                "ou=dhcp,dc=example,dc=com";
ldap-method                 static;
ldap-debug-file             "/var/log/dhcp-ldap-startup.log";
ldap-dhcp-server-cn         "server"

Before starting DHCP server follow below steps too. Make sure to shut down slapd daemon.
/etc/init.d/slapd stop

vim /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif , add below lines after the line with "olcDbIndex: objectClass eq"  for missing indexes. After that run the "slapindex" for reindexing and start the slapd daemon.
(http://muzso.hu/2010/04/26/fixing-bdb_equality_candidates-errors-on-your-openldap-server)

olcDbIndex: cn eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
sudo -u openldap slapindex -F /etc/ldap/slapd.d/
etc/init.d/slapd start
Finally restart the DHCP server and now it should be ready to server with basic configurations.
 /etc/init.d/isc-dhcp-server restart

Current dynamic leases are stored in below file.
 /var/lib/dhcp/dhcpd.leases
Steps need to follow in order to configure ISC DHCP server with secured OpenLDAP can be find at http://mageconfig.blogspot.com/2014/11/enable-ssl-in-openldap.html


References 

  • https://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00
  • http://wiki.herzbube.ch/index.php/ISCDHCP#Converting_dhcpd.conf_to_LDIF