In a lan ehe dhcp server is a primary network service. If your server will handle many networks, it could be easier to have a web interface for managing your dhcpd openldap.
Other times it is convenient to give the management to third parties, perhaps to the group that deals with the desktop, you had better have a web interface than give the Vi access to the configuration file to people who may not have much familiarity with the Linux environment.
In this configuration, I have planned to use the three servers; an OpenLDAP Master and two dhcp failover with ldap replicas ; 172.16.160.8, 172.16.160.9 and 172.16.160.10.
In this way, you have the maximum redundancy. For my configuration dhcp server have only one network interface, but provide IP addresses to 13 different subnets. In order to do this I use a pfSense that acts as a relay for the relative networks.
In this tutorial, I have just added only one subnet, but it is easy to add others without any problems directly on OpenLDAP using phpldapadmin.
Dhcp Openldap – dhcpldap Master
$ sudo apt install isc-dhcp-server-ldap slapd ldap-utils phpldapadmin
First, you need to remove the scheme from the dhcp package isc-dhcp-server-ldap.
$ sudo cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema /etc/ldap/schema/ $ sudo apt purge isc-dhcp-server isc-dhcp-server-ldap # remove not necessary packages
We can configure OpenLDAP as described here, using the following configuration files.
# inclusioni schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/dhcp.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -16384
moduleload back_hdb.la
moduleload syncprov.la # load replicas module
#######################################################################
# ldbm and/or hdb database definitions
#######################################################################
database hdb
suffix "dc=oneos,c=it"
rootdn "cn=manager,dc=oneos,c=it"
rootpw {SSHA}Bns4pc9vnlU6MDZBDF1XLBB6fRrNkcC5
# password nonteladico
directory /var/lib/ldap
# indici
index objectClass eq,pres
index uid eq,pres,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index default eq,sub
index dhcpHWAddress eq
index dhcpClassData eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 500
# ACL, il rootdn potrà accedere ad ogni DIT in RW
# tutti gli altri no.
access to * by * read
cachesize 10000
checkpoint 128 15
dbnosync
dirtyread
searchstack 8
dn: dc=oneos,c=it
dc: oneos
o: oneos
objectclass: top
objectclass: dcObject
objectclass: organization
dn: ou=dhcpd,dc=oneos,c=it
objectclass: top
objectclass: organizationalUnit
ou: dhcpd
dn: ou=configs,ou=dhcpd,dc=oneos,c=it
objectclass: top
objectclass: organizationalUnit
ou: configs
dn: ou=servers,ou=dhcpd,o=cnr,c=it
objectclass: top
objectclass: organizationalUnit
ou: servers
dn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: dhcpd-Config
dhcpprimarydn: cn=dhcpserver1,ou=servers,ou=dhcpd,dc=oneos,c=it
dhcpsecondarydn: cn=dhcpserver2,ou=servers,ou=dhcpd,dc=oneos,c=it
dhcpstatements: ddns-update-style none
dhcpstatements: default-lease-time 1200
dhcpstatements: max-lease-time 1200
dhcpstatements: log-facility local0;
dhcpstatements: use-host-decl-names on;
dhcpstatements: authoritative;
dhcpstatements: omapi-port 7911;
objectclass: top
objectclass: dhcpService
dn: cn=DHCPServer1,ou=servers,ou=dhcpd,dc=oneos,c=it
cn: DHCPServer1
dhcpservicedn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
dhcpstatements: failover peer "dhcp-failover" { primary; address 172.16.160.9; port 520; peer address 172.16.160.10 ; peer port 520; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; mclt 300; split 128;}
objectclass: top
objectclass: dhcpServer
dn: cn=DHCPServer2,ou=servers,ou=dhcpd,dc=oneos,c=it
cn: DHCPServer2
dhcpservicedn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
dhcpstatements: failover peer "dhcp-failover" { secondary; address 172.16.160.10; port 520; peer address 172.16.160.9; peer port 520; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; }
objectclass: top
objectclass: dhcpServer
dn: cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: 192.168.100.0
dhcpnetmask: 24
dhcpoption: routers 192.168.100.1
dhcpoption: subnet-mask 255.255.255.0
dhcpoption: domain-name-servers 192.168.100.1,8.8.8.8
objectclass: top
objectclass: dhcpSubnet
objectclass: dhcpOptions
dn: cn=federico.fiordoliva,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: federico.fiordoliva
dhcphwaddress: ethernet 00:90:33:06:18:d7
dhcpstatements: fixed-address 192.168.100.10
objectclass: dhcpHost
objectclass: top
dn: cn=pool,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: pool
dhcprange: 192.168.100.20 192.168.100.240
dhcpstatements: deny dynamic bootp clients
dhcpstatements: failover peer "dhcp-failover"
objectclass: top
objectclass: dhcpPool
$ sudo systemctl stop slapd $ sudo find /var/lib/ldap -type f | grep -v "DB_CONFIG" | xargs rm $ sudo cd /etc/ldap $ sudo rm -fr slapd.d/* $ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -Q slap_startup failed (test would succeed using the -u switch) $ sudo chown -R openldap:openldap /etc/ldap/slapd.d/ $ sudo chown -R openldap:openldap /var/lib/ldap/ $ sudo systemctl enable slapd $ sudo systemctl start slapd
Let’s populate the tree
$ sudo ldapadd -x -D cn=manager,dc=oneos,c=it -W -f oneos.ldif Enter LDAP Password:
if $programname == 'slapd' and $syslogseverity <= 7 then /var/log/ldap.log & stop
Restart the the demon rsyslog
$ sudo systemctl restart rsyslog.service
Dhcpd Openldap – dhcpserver1
Install the necessary packages.
$ sudo apt install isc-dhcp-server isc-dhcp-server-ldap slapd ldap-utils
To create the openldap reply use this configuration, but before make the usual cleaning of the DB
$ sudo systemctl stop slapd $ sudo find /var/lib/ldap -type f | grep -v "DB_CONFIG" | xargs rm $ sudo cd /etc/ldap $ sudo rm -fr slapd.d/* $ sudo cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema /etc/ldap/schema/
# inclusioni schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/dhcp.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -16384
moduleload back_hdb.la
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database hdb
suffix "dc=oneos,c=it"
rootdn "cn=manager,dc=oneos,c=it"
rootpw {SSHA}Bns4pc9vnlU6MDZBDF1XLBB6fRrNkcC5
# password nonteladico
directory /var/lib/ldap
# indici
index objectClass eq,pres
index uid eq,pres,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index default eq,sub
index dhcpHWAddress eq
index dhcpClassData eq
access to * by * read
cachesize 5000
syncrepl rid="133"
provider="ldap://172.16.160.8:389"
type="refreshAndPersist"
retry="60 10 300 +"
searchbase="dc=oneos,c=it"
filter="(objectClass=*)"
scope="sub"
attrs="*,+"
schemachecking="off"
bindmethod="simple"
binddn="cn=manager,dc=oneos,c=it"
credentials="nonteladico"
As you can see, the type of ldap reply, is refreshAndPersist, this is the best method if you want to use the dhcp reservation because once inserted in the ldap master you will receive immediately a notification of the tree changes to the replies. Furthermore, there is no need to restart the service for the reservation but only for subnet change or pool range.
In the same way, set all the openldap server logs in a separate file, and it is the same thing for the dhcp server.
Change the /etc/rsyslog.d/50-default.conf file and add on top of the file this command:
if $programname == 'slapd' and $syslogseverity <= 7 then /var/log/ldap.log & stop if $programname == 'dhcpd' and $syslogseverity <= 7 then /var/log/dhcpd.log & stop
Restart the demon rsyslog.
Now we set the ldap reply.
$ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -Q slap_startup failed (test would succeed using the -u switch) $ sudo chown -R openldap:openldap /etc/ldap/slapd.d/ $ sudo chown -R openldap:openldap /var/lib/ldap/ $ sudo systemctl enable slapd $ sudo systemctl start slapd
In order to verify that replication is successful you should have something similar.
root@dhcpserver1:~$ ls -la /var/lib/ldap/ total 14956 drwxr-xr-x 2 openldap openldap 4096 lug 8 14:07 . drwxr-xr-x 43 root root 4096 lug 7 15:50 .. -rw-r--r-- 1 openldap openldap 2048 lug 8 14:07 alock -rw------- 1 openldap openldap 733184 lug 7 16:41 cn.bdb -rw------- 1 openldap openldap 532479 lug 8 14:07 __db.001 -rw------- 1 openldap openldap 139263 lug 8 14:07 __db.002 -rw------- 1 openldap openldap 2629631 lug 8 14:07 __db.003 -rw-r--r-- 1 openldap openldap 97 mag 25 11:58 DB_CONFIG -rw------- 1 openldap openldap 69632 lug 8 14:07 dhcpHWAddress.bdb -rw------- 1 openldap openldap 331776 lug 7 16:41 dn2id.bdb -rw------- 1 openldap openldap 1310720 lug 8 14:07 id2entry.bdb -rw------- 1 openldap openldap 10485759 lug 8 14:07 log.0000000001 -rw------- 1 openldap openldap 10485759 lug 7 16:35 log.0000000002 -rw------- 1 openldap openldap 106496 lug 7 16:41 objectClass.bdb -rw------- 1 openldap openldap 8192 lug 7 16:41 ou.bdb
You just have to configure the DHCP server to use openldap , we edit the file /etc/dhcp/dhcpd.conf
ldap-server "127.0.0.1"; ldap-port 389; ldap-username "cn=manager, dc=oneos, c=it"; ldap-password "nonteladico"; ldap-dhcp-server-cn "dhcpserver1"; ldap-init-retry 10; ldap-base-dn "ou=dhcpd, dc=oneos, c=it"; ldap-method dynamic; ldap-debug-file "/var/log/dhcp-ldap-startup.log";
Start the server dhcp
$ sudo systemctl start isc-dhcp-server
Dhcpd Openldap – dhcpserver2
To create the second server just follow the same steps as the first by changing only the syncrepl parameters (slapd.conf) and dhcp-server-ldap-cn (dhcpd.conf) respectively rid=”134″ and dhcpserver2 .
Now we can check the operation of the system, what to see?
- Obtaining of the pool ip address
- Obtaining of the IP address from the reservation
- Modification of the reservation, and verification of the synchronization in the logs of both ldap replies
- Obtaining of the address after the change
- Brutal shutdown of the master dhcp server
- Functionality testing, looking at the dhcp log
- Restore master dhcp
- Always verify the dhcp log
If everything goes well you have your server Isc Dhcpd OpenLDAP on Ubuntu 16.04.
Enjoy!
- SSH Keys pair, how to generate it and use. - Aug 18,2019
- Let’s Encrypt on pfSense – webConfigurator - Apr 04,2017
- Isc Dhcpd Openldap on Ubuntu 16.04 - Oct 03,2016
Federico
Leave a Comment