LDAP Support in DHCP
Original Author: Brian Masney <masneyb@gftp.org>
Current Maintainer: David Cantrell <dcantrell@redhat.com>
Last updated 07-Jul-2009

This document describes setting up the DHCP server to read its configuration
from LDAP. This work is based on the IETF document
draft-ietf-dhc-ldap-schema-01.txt included in the doc directory. For the
latest version of this document, please see
http://dcantrel.fedorapeople.org/dhcp/ldap-patch/

The first question on most people's minds is "Why do I want to store my
configuration in LDAP?" If you run a small DHCP server whose configuration
rarely changes, you do not need to store your configuration in LDAP. But if
you have several DHCP servers and want a single place to manage their
configuration, this can be a solution. Bear in mind that it also makes the
LDAP server part of your DHCP trust boundary: whoever can write to the DHCP
subtree decides which addresses, routers and name servers your clients get.

The first step is to set up your LDAP server. I am using OpenLDAP from
www.openldap.org. Building and installing OpenLDAP is beyond the scope of
this document; there is plenty of documentation out there about it. Once
you have OpenLDAP installed, you will have to edit your slapd.conf file. I
added the following three lines to my configuration file:

include /etc/ldap/schema/dhcp.schema
index dhcpHWAddress eq
index dhcpClassData eq

The first line includes the dhcp schema file. You will find this file under
the contrib directory in this distribution. Copy it to where your other
schema files are (maybe /etc/openldap/schema/) and make the include path
match. The second line sets up an equality index on dhcpHWAddress: with
ldap-method dynamic (see below) dhcpd looks hosts up by this attribute on
every DHCP request, so without the index every request becomes an unindexed
search of the subtree. The third line does the same for dhcpClassData, which
is used when subclasses are read from LDAP on every request. Run the
slapindex command and restart slapd for these changes to take effect.

Now that LDAP is set up, verify that the dhcp schema is actually loaded. You
can use gq (http://biot.com/gq/): pull up gq and click on the Schema tab.
Go under objectClasses, and you should see at least the following object
classes listed: dhcpClass, dhcpGroup, dhcpHost, dhcpOptions, dhcpPool,
dhcpServer, dhcpService, dhcpSharedNetwork, dhcpSubClass, and dhcpSubnet.
(Any LDAP client will do; the same list is the objectClasses attribute of
the cn=Subschema subentry, which ldapsearch can read.) If you do not see
these, check over your LDAP configuration before you go any further.

You should now be ready to build DHCP. To enable LDAP in dhcpd, perform the
following steps:

 * Apply the patch here to the unpacked ISC dhcp source tree.
 * Regenerate the configure script (requires GNU autoconf and automake):
     aclocal
     libtoolize --copy --force
     autoconf
     autoheader
     automake --foreign --add-missing --copy
 * Run ./configure with the '--with-ldap' argument to enable OpenLDAP.
   If you want LDAP over SSL, also use the '--with-ldapcrypto' argument.
 * Run 'make' to build ISC dhcp.

Once you have DHCP installed, you will need to set up your initial plaintext
config file. In my /etc/dhcpd.conf file, I have:

ldap-server "localhost";
ldap-port 389;
ldap-username "cn=DHCP User, dc=ntelos, dc=net";
ldap-password "blah";
ldap-base-dn "dc=ntelos, dc=net";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";

Note that ldap-password is stored in the clear in dhcpd.conf, so keep the
file readable by root only, and give the bind DN no more than read access
to the DHCP subtree: dhcpd only needs to read its configuration from LDAP.

If SSL has been enabled at compile time, the dhcp server tries to use TLS if
possible, but continues without TLS if not. That fallback is silent, so on a
network you do not fully trust an attacker who can block the TLS negotiation
sees the bind password and can answer dhcpd's searches with a bogus
configuration. If this matters to you, set ldap-ssl to start_tls or ldaps
explicitly and verify the server certificate with the ldap-tls-* options
described below, rather than relying on the default.

You can modify this behaviour using the following option in
/etc/dhcp/dhcpd.conf:

ldap-ssl <off | ldaps | start_tls | on>
    off:       disables TLS/LDAPS.
    ldaps:     enables LDAPS -- don't forget to set ldap-port to 636.
    start_tls: enables TLS using the START_TLS command.
    on:        enables LDAPS if ldap-port is set to 636, or TLS otherwise.
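To make the difference between the opportunistic default and an enforced
setting concrete, here is a small linter for the ldap-* stanza of a
dhcpd.conf. It is an added example, not code from the ISC dhcp LDAP patch or
this README: it understands only the top-level ldap-* statements documented
here (ldap-server, ldap-port, ldap-password, ldap-ssl, ldap-tls-reqcert,
ldap-tls-ca-file, ldap-tls-ca-dir) and reports the transport weaknesses a
reviewer would look for. WEAK_CONF is the stanza shown above; HARDENED_CONF
is a constructed fix, and its CA file path is an assumption.

```python
"""Lint the ldap-* transport statements in a dhcpd.conf.

Added example, not code from the ISC dhcp LDAP patch or its README.  It only
understands the top-level ldap-* statements this README documents and flags
the transport weaknesses a reviewer looks for.  WEAK_CONF is the README's own
stanza; HARDENED_CONF is a constructed fix whose CA path is an assumption.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, explanation)

# A '#' starts a comment only when it is outside double quotes on that line.
_COMMENT = re.compile(r'#(?=(?:[^"\n]*"[^"\n]*")*[^"\n]*$).*', re.M)
# One statement: keyword, one quoted or bare argument, terminating semicolon.
_STMT = re.compile(r'(?<![\w-])(ldap-[a-z-]+)\s*(?:"([^"]*)"|([^;"\n]*?))\s*;')


def parse_ldap_statements(conf: str) -> Dict[str, str]:
    """Return {statement: argument}; a repeated statement keeps its last value."""
    found: Dict[str, str] = {}
    for m in _STMT.finditer(_COMMENT.sub('', conf)):
        found[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return found


def audit_ldap_transport(conf: str) -> List[Finding]:
    """Return the findings for the LDAP stanza in conf (empty if LDAP is unused)."""
    s = parse_ldap_statements(conf)
    out: List[Finding] = []
    if 'ldap-server' not in s:
        return out  # no LDAP backend configured, nothing to check
    port = s.get('ldap-port', '389')
    ssl = s.get('ldap-ssl')  # None when the statement is absent
    if ssl is None:
        out.append(('TLS-OPPORTUNISTIC',
                    'ldap-ssl not set: dhcpd tries TLS and silently continues in '
                    'cleartext if it fails; set "ldap-ssl start_tls;" or "ldap-ssl ldaps;"'))
    elif ssl == 'off':
        out.append(('TLS-OFF',
                    'ldap-ssl off: the simple bind sends ldap-password in cleartext'))
    elif ssl == 'ldaps' and port != '636':
        out.append(('PORT-MISMATCH',
                    f'ldap-ssl ldaps with ldap-port {port}: LDAPS listens on 636'))
    elif ssl == 'start_tls' and port == '636':
        out.append(('PORT-MISMATCH',
                    'ldap-ssl start_tls with ldap-port 636: StartTLS runs on the '
                    'plain LDAP port (389); 636 expects LDAPS'))
    if ssl != 'off':
        # Encryption without certificate verification still lets an interposed
        # "LDAP server" hand dhcpd a bogus configuration.
        reqcert = s.get('ldap-tls-reqcert')
        if reqcert is None:
            out.append(('REQCERT-INHERITED',
                        'ldap-tls-reqcert not set: verification depends on TLS_REQCERT '
                        'in the system ldap.conf; set "ldap-tls-reqcert demand;"'))
        elif reqcert in ('never', 'allow', 'try'):
            out.append(('REQCERT-WEAK',
                        f'ldap-tls-reqcert {reqcert}: a missing server certificate is '
                        'tolerated (never/allow tolerate a bad one too)'))
        if 'ldap-tls-ca-file' not in s and 'ldap-tls-ca-dir' not in s:
            out.append(('NO-CA',
                        'no ldap-tls-ca-file or ldap-tls-ca-dir: trust anchors come '
                        'from the system ldap.conf; pin the CA that issued the server cert'))
    if 'ldap-password' in s:
        out.append(('PASSWORD-IN-CONF',
                    'ldap-password is stored in cleartext: keep dhcpd.conf root-only '
                    'and give the bind DN read-only access to the DHCP subtree'))
    return out


# Constructed sample: the stanza shown in this README, which never sets ldap-ssl.
WEAK_CONF = '''
ldap-server "localhost";
ldap-port 389;
ldap-username "cn=DHCP User, dc=ntelos, dc=net";
ldap-password "blah";
ldap-base-dn "dc=ntelos, dc=net";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
'''

# Constructed sample: the same stanza with TLS required and the server
# certificate verified against an assumed CA file.
HARDENED_CONF = '''
ldap-server "localhost";
ldap-port 389;
ldap-ssl start_tls;                          # require TLS, no cleartext fallback
ldap-tls-reqcert demand;                     # refuse an unverifiable certificate
ldap-tls-ca-file "/etc/dhcp/ldap-ca.pem";    # assumed path of the issuing CA
ldap-username "cn=DHCP User, dc=ntelos, dc=net";
ldap-password "blah";
ldap-base-dn "dc=ntelos, dc=net";
ldap-method dynamic;
'''

if __name__ == '__main__':
    for name, conf in (('README stanza', WEAK_CONF), ('hardened stanza', HARDENED_CONF)):
        print(f'== {name}')
        for code, why in audit_ldap_transport(conf):
            print(f'  [{code}] {why}')
```

Run against the README stanza it reports the opportunistic TLS, the
inherited certificate policy, the missing CA and the cleartext password; the
hardened stanza is left with only the password finding, which no transport
setting can remove.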
See also "man 5 ldap.conf" for a description of the following TLS related
options (each dhcpd statement corresponds to an ldap.conf TLS_* option):
    ldap-tls-reqcert, ldap-tls-ca-file, ldap-tls-ca-dir, ldap-tls-cert,
    ldap-tls-key, ldap-tls-crlcheck, ldap-tls-ciphers, ldap-tls-randfile

Of these, ldap-tls-reqcert and ldap-tls-ca-file matter most: without
ldap-tls-reqcert demand and a CA file that issued the LDAP server's
certificate, TLS encrypts the session but does not prove who is on the
other end.

All of these parameters should be self explanatory except for ldap-method.
You can set it to static or dynamic. If you set it to static, the
configuration is read once on startup and LDAP is not used again. If you set
it to dynamic, the configuration is read once on startup, and the hosts that
are stored in LDAP are looked up every time a DHCP request comes in. Dynamic
mode means host changes take effect without restarting dhcpd, but it also
puts the LDAP server in the path of every request: while LDAP is unreachable,
hosts that exist only in LDAP cannot be matched. This is also why the
dhcpHWAddress index described above matters.

When the optional statement ldap-debug-file is specified, on startup the DHCP
server will write out the configuration that it generated from LDAP. If you
are getting errors about your LDAP configuration, this is a good place to
start looking.

The next step is to set up your LDAP tree. Here is an example config that
gives a 10.100.0.x address to machines that have a host entry in LDAP, and a
10.200.0.x address to everything else. (NOTE: replace dc=ntelos, dc=net with
your base DN.) If you would like to convert your existing dhcpd.conf file to
LDIF format, the script dhcpd-conf-to-ldap will do it for you. Type
dhcpd-conf-to-ldap --help to see the usage information for this script.

# You must create an entry in LDAP for the host name of the server you are
# going to run DHCP on, and point it to the config tree you want to use.
# Whenever DHCP first starts up, it searches for this entry to find out
# which config to use.
dn: cn=brian.ntelos.net, dc=ntelos, dc=net
objectClass: top
objectClass: dhcpServer
cn: brian.ntelos.net
dhcpServiceDN: cn=DHCP Service Config, dc=ntelos, dc=net

# Here is the config tree that brian.ntelos.net points to.
# dhcpPrimaryDN names the dhcpServer entry that owns this configuration.
dn: cn=DHCP Service Config, dc=ntelos, dc=net
cn: DHCP Service Config
objectClass: top
objectClass: dhcpService
dhcpPrimaryDN: cn=brian.ntelos.net, dc=ntelos, dc=net
dhcpStatements: ddns-update-style none
dhcpStatements: default-lease-time 600
dhcpStatements: max-lease-time 7200

# Set up a shared network segment. The cn attribute must carry the same
# value as the RDN, or slapd will reject the entry.
dn: cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: WV Test
objectClass: top
objectClass: dhcpSharedNetwork

# Set up a subnet declaration with a pool statement. Also note that we have
# a dhcpOptions object with this entry
dn: cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: 10.100.0.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpOption: domain-name-servers 10.100.0.2
dhcpOption: routers 10.100.0.1
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: broadcast-address 10.100.0.255
dhcpNetMask: 24

# Set up a pool for this subnet. Only known hosts will get these IPs
dn: cn=Known Pool, cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: Known Pool
objectClass: top
objectClass: dhcpPool
dhcpRange: 10.100.0.3 10.100.0.254
dhcpPermitList: deny unknown-clients

# Set up another subnet declaration with a pool statement
dn: cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: 10.200.0.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpOption: domain-name-servers 10.200.0.2
dhcpOption: routers 10.200.0.1
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: broadcast-address 10.200.0.255
dhcpNetMask: 24

# Set up a pool for this subnet.
# Only unknown hosts will get these IPs (the permit list uses the same
# "known-clients" keyword as dhcpd.conf)
dn: cn=Unknown Pool, cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: Unknown Pool
objectClass: top
objectClass: dhcpPool
dhcpRange: 10.200.0.3 10.200.0.254
dhcpPermitList: deny known-clients

# Set aside a group for all of our known MAC addresses
dn: cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
objectClass: top
objectClass: dhcpGroup
cn: Customers

# Host entry for my laptop
dn: cn=brianlaptop, cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
objectClass: top
objectClass: dhcpHost
cn: brianlaptop
dhcpHWAddress: ethernet 00:00:00:00:00:00

You can use the ldapadd command to load all of these entries into your LDAP
server. After you load them, you should be able to start DHCP. If you run
into problems reading the configuration, try running dhcpd with the -d flag.
If you still have problems, edit the site.conf file in the DHCP source, add
the line COPTS= -DDEBUG_LDAP, and recompile DHCP (make sure you run make
clean and rerun configure before you rebuild).
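Once the tree exists, the recurring job is adding dhcpHost entries under
cn=Customers for new known hosts. The following generator is an added example
and is not part of the ISC dhcp LDAP patch or this README (the
dhcpd-conf-to-ldap script is the tool for converting a whole dhcpd.conf). It
normalises each MAC, refuses duplicates because dhcpd matches hosts by
dhcpHWAddress in dynamic mode, escapes the RDN per RFC 4514 so a hostname
containing ',' or '=' cannot change where the entry lands in the tree, and
base64-encodes LDIF values that RFC 2849 does not allow in the clear. GROUP_DN
is the group DN from the example above; SAMPLE_HOSTS is constructed input.

```python
"""Emit dhcpHost LDIF entries for the cn=Customers group in this README.

Added example, not code from the ISC dhcp LDAP patch or its README.  GROUP_DN
is the group DN from the README's example tree; SAMPLE_HOSTS is constructed
input whose second hostname would rewrite the DN if pasted in unescaped.
"""
import base64
import re
from typing import Dict, Iterable, List, Tuple

GROUP_DN = "cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net"

SAMPLE_HOSTS: List[Tuple[str, str]] = [
    ("brianlaptop", "00:00:00:00:00:00"),
    ("printer,cn=admins", "00-11-22-33-44-55"),
]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return colon form."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:  # NUL must be hex-escaped; other controls may be
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64 ('::') when the value is not an RFC 2849 SAFE-STRING."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\0\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def dhcp_host_ldif(hostname: str, mac: str, group_dn: str = GROUP_DN) -> str:
    """One dhcpHost entry under group_dn, shaped like the README's brianlaptop entry."""
    lines = [
        ldif_line("dn", f"cn={escape_rdn_value(hostname)}, {group_dn}"),
        "objectClass: top",
        "objectClass: dhcpHost",
        ldif_line("cn", hostname),
        f"dhcpHWAddress: ethernet {normalize_mac(mac)}",
    ]
    return "\n".join(lines) + "\n"


def build_customer_ldif(hosts: Iterable[Tuple[str, str]]) -> str:
    """Entries for every (hostname, mac) pair, blank-line separated as ldapadd expects."""
    owner: Dict[str, str] = {}
    entries = []
    for hostname, mac in hosts:
        norm = normalize_mac(mac)
        if norm in owner:
            # dhcpd looks the requesting host up by dhcpHWAddress, so a MAC
            # that appears twice makes that lookup ambiguous.
            raise ValueError(f"MAC {norm} already belongs to {owner[norm]!r}")
        owner[norm] = hostname
        entries.append(dhcp_host_ldif(hostname, norm))
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_customer_ldif(SAMPLE_HOSTS), end="")
```

Pipe the output into ldapadd as you did for the tree above. The escaped DN
for the second sample host reads cn=printer\,cn\=admins, cn=Customers, ...,
while its cn attribute keeps the raw value; without the escaping the entry
would be created under a cn=admins RDN that does not exist.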