Isc Dhcpd Openldap on Ubuntu 16.04

Blog

  1. Home
  2. Network
isc dhcpd openldap

Isc Dhcpd Openldap on Ubuntu 16.04

In a lan ehe dhcp server is a primary network service. If your server will handle many networks, it could be easier to have a web interface for managing your dhcpd openldap.

Other times it is convenient to give the management to third parties, perhaps to the group that deals with the desktop, you had better have a web interface than give the Vi access to the configuration file to people who may not have much familiarity with the Linux environment.

In this configuration, I have planned to use the three servers; an OpenLDAP Master and two dhcp failover with ldap replicas ; 172.16.160.8, 172.16.160.9 and 172.16.160.10.
In this way, you have the maximum redundancy. For my configuration dhcp server have only one network interface, but provide IP addresses to 13 different subnets. In order to do this I use a pfSense that acts as a relay for the relative networks.
In this tutorial, I have just added only one subnet, but it is easy to add others without any problems directly on OpenLDAP using phpldapadmin.

Dhcp Openldap – dhcpldap Master

$ sudo apt install isc-dhcp-server-ldap slapd ldap-utils phpldapadmin

First, you need to remove the scheme from the dhcp package isc-dhcp-server-ldap.

$ sudo cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema /etc/ldap/schema/
$ sudo apt purge isc-dhcp-server isc-dhcp-server-ldap # remove not necessary packages

We can configure OpenLDAP as described here, using the following configuration files.

# inclusioni schema 
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/dhcp.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

loglevel        -16384

moduleload	back_hdb.la
moduleload	syncprov.la # load replicas module

#######################################################################
# ldbm and/or hdb database definitions
#######################################################################

database        hdb
suffix          "dc=oneos,c=it"
rootdn          "cn=manager,dc=oneos,c=it"
rootpw          {SSHA}Bns4pc9vnlU6MDZBDF1XLBB6fRrNkcC5 

# password nonteladico

directory /var/lib/ldap

# indici
index objectClass eq,pres
index uid eq,pres,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index default eq,sub
index dhcpHWAddress eq
index dhcpClassData eq


overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 500


# ACL, il rootdn potrà accedere ad ogni DIT in RW
# tutti gli altri no.
access to * by * read


cachesize 10000
checkpoint 128 15
dbnosync
dirtyread
searchstack 8
dn: dc=oneos,c=it
dc: oneos
o: oneos
objectclass: top
objectclass: dcObject
objectclass: organization

dn: ou=dhcpd,dc=oneos,c=it
objectclass: top
objectclass: organizationalUnit
ou: dhcpd

dn: ou=configs,ou=dhcpd,dc=oneos,c=it
objectclass: top
objectclass: organizationalUnit
ou: configs

dn: ou=servers,ou=dhcpd,o=cnr,c=it
objectclass: top
objectclass: organizationalUnit
ou: servers

dn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: dhcpd-Config
dhcpprimarydn: cn=dhcpserver1,ou=servers,ou=dhcpd,dc=oneos,c=it
dhcpsecondarydn: cn=dhcpserver2,ou=servers,ou=dhcpd,dc=oneos,c=it
dhcpstatements: ddns-update-style none
dhcpstatements: default-lease-time 1200
dhcpstatements: max-lease-time 1200
dhcpstatements: log-facility local0;
dhcpstatements: use-host-decl-names on;
dhcpstatements: authoritative;
dhcpstatements: omapi-port 7911;
objectclass: top
objectclass: dhcpService

dn: cn=DHCPServer1,ou=servers,ou=dhcpd,dc=oneos,c=it
cn: DHCPServer1
dhcpservicedn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
dhcpstatements: failover peer "dhcp-failover" { primary; address 172.16.160.9; port 520; peer address 172.16.160.10 ; peer port 520; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; mclt 300; split 128;}
objectclass: top
objectclass: dhcpServer

dn: cn=DHCPServer2,ou=servers,ou=dhcpd,dc=oneos,c=it
cn: DHCPServer2
dhcpservicedn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
dhcpstatements: failover peer "dhcp-failover" { secondary; address 172.16.160.10; port 520; peer address 172.16.160.9; peer port 520; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; }
objectclass: top
objectclass: dhcpServer

dn: cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: 192.168.100.0
dhcpnetmask: 24
dhcpoption: routers 192.168.100.1
dhcpoption: subnet-mask 255.255.255.0
dhcpoption: domain-name-servers 192.168.100.1,8.8.8.8
objectclass: top
objectclass: dhcpSubnet
objectclass: dhcpOptions

dn: cn=federico.fiordoliva,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: federico.fiordoliva
dhcphwaddress: ethernet 00:90:33:06:18:d7
dhcpstatements: fixed-address 192.168.100.10
objectclass: dhcpHost
objectclass: top

dn: cn=pool,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: pool
dhcprange: 192.168.100.20 192.168.100.240
dhcpstatements: deny dynamic bootp clients
dhcpstatements: failover peer "dhcp-failover"
objectclass: top
objectclass: dhcpPool
$ sudo systemctl stop slapd
$ sudo find /var/lib/ldap -type f | grep -v "DB_CONFIG" | xargs rm
$ sudo cd /etc/ldap
$ sudo rm -fr slapd.d/*
$ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -Q
slap_startup failed (test would succeed using the -u switch)
$ sudo chown -R openldap:openldap /etc/ldap/slapd.d/
$ sudo chown -R openldap:openldap /var/lib/ldap/

$ sudo systemctl enable slapd
$ sudo systemctl start slapd

Let’s populate the tree

$ sudo ldapadd -x -D cn=manager,dc=oneos,c=it -W -f oneos.ldif
Enter LDAP Password:
I suggest you set the OpenLDAP log files on a different, much more comfortable file. Change the /etc/rsyslog.d/50-default.conf file and add on top of the file this command:
if $programname == 'slapd' and $syslogseverity <= 7 then /var/log/ldap.log
& stop

Restart the the demon rsyslog

$ sudo systemctl restart rsyslog.service
 Now we check from the phpldapadmin if everything goes well. Remember to start apache2.

Dhcpd Openldap – dhcpserver1

Install the necessary packages.

$ sudo apt install isc-dhcp-server isc-dhcp-server-ldap slapd ldap-utils

To create the openldap reply use this configuration, but before make the usual cleaning of the DB

$ sudo systemctl stop slapd
$ sudo find /var/lib/ldap -type f | grep -v "DB_CONFIG" | xargs rm
$ sudo cd /etc/ldap
$ sudo rm -fr slapd.d/*
$ sudo cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema /etc/ldap/schema/
# inclusioni schema 
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
#include         /etc/ldap/schema/dyngroup.schema
include         /etc/ldap/schema/nis.schema
include		/etc/ldap/schema/dhcp.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel      -16384

moduleload    back_hdb.la

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        hdb
suffix          "dc=oneos,c=it"
rootdn          "cn=manager,dc=oneos,c=it"
rootpw          {SSHA}Bns4pc9vnlU6MDZBDF1XLBB6fRrNkcC5 
# password nonteladico

directory       /var/lib/ldap

# indici
index objectClass                       eq,pres
index uid                               eq,pres,sub
index ou,cn,mail,surname,givenname      eq,pres,sub
index default                           eq,sub
index dhcpHWAddress 			eq
index dhcpClassData 			eq

access to * by * read

cachesize 5000

syncrepl rid="133"
        provider="ldap://172.16.160.8:389"
        type="refreshAndPersist"
        retry="60 10 300 +"
        searchbase="dc=oneos,c=it"
        filter="(objectClass=*)"
        scope="sub"
        attrs="*,+"
        schemachecking="off"
        bindmethod="simple"
        binddn="cn=manager,dc=oneos,c=it"
        credentials="nonteladico"

As you can see, the type of ldap reply, is refreshAndPersist, this is the best method if you want to use the dhcp reservation because once inserted in the ldap master you will receive immediately a notification of the tree changes to the replies. Furthermore, there is no need to restart the service for the reservation but only for subnet change or pool range.

In the same way, set all the openldap server logs in a separate file, and it is the same thing for the dhcp server.

Change the /etc/rsyslog.d/50-default.conf file and add on top of the file this command:

if $programname == 'slapd' and $syslogseverity <= 7 then /var/log/ldap.log
& stop
if $programname == 'dhcpd' and $syslogseverity <= 7 then /var/log/dhcpd.log
& stop

Restart the demon rsyslog.

Now we set the ldap reply.

$ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -Q
slap_startup failed (test would succeed using the -u switch)

$ sudo chown -R openldap:openldap /etc/ldap/slapd.d/
$ sudo chown -R openldap:openldap /var/lib/ldap/

$ sudo systemctl enable slapd
$ sudo systemctl start slapd

In order to verify that replication is successful you should have something similar.

root@dhcpserver1:~$ ls -la /var/lib/ldap/
total 14956
drwxr-xr-x  2 openldap openldap     4096 lug  8 14:07 .
drwxr-xr-x 43 root     root         4096 lug  7 15:50 ..
-rw-r--r--  1 openldap openldap     2048 lug  8 14:07 alock
-rw-------  1 openldap openldap   733184 lug  7 16:41 cn.bdb
-rw-------  1 openldap openldap   532479 lug  8 14:07 __db.001
-rw-------  1 openldap openldap   139263 lug  8 14:07 __db.002
-rw-------  1 openldap openldap  2629631 lug  8 14:07 __db.003
-rw-r--r--  1 openldap openldap       97 mag 25 11:58 DB_CONFIG
-rw-------  1 openldap openldap    69632 lug  8 14:07 dhcpHWAddress.bdb
-rw-------  1 openldap openldap   331776 lug  7 16:41 dn2id.bdb
-rw-------  1 openldap openldap  1310720 lug  8 14:07 id2entry.bdb
-rw-------  1 openldap openldap 10485759 lug  8 14:07 log.0000000001
-rw-------  1 openldap openldap 10485759 lug  7 16:35 log.0000000002
-rw-------  1 openldap openldap   106496 lug  7 16:41 objectClass.bdb
-rw-------  1 openldap openldap     8192 lug  7 16:41 ou.bdb

You just have to configure the DHCP server to use openldap , we edit the file /etc/dhcp/dhcpd.conf

ldap-server "127.0.0.1";
ldap-port 389;
ldap-username "cn=manager, dc=oneos, c=it";
ldap-password "nonteladico";
ldap-dhcp-server-cn "dhcpserver1";
ldap-init-retry 10;
ldap-base-dn "ou=dhcpd, dc=oneos, c=it";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";

Start the server dhcp

$ sudo systemctl start isc-dhcp-server

Dhcpd Openldap – dhcpserver2

To create the second server just follow the same steps as the first by changing only the syncrepl parameters (slapd.conf) and dhcp-server-ldap-cn (dhcpd.conf) respectively rid=”134″ and dhcpserver2 .

Now we can check the operation of the system, what to see?

  • Obtaining of the pool ip address
  • Obtaining of the IP address from the reservation
  • Modification of the reservation, and verification of the synchronization in the logs of both ldap replies
  • Obtaining of the address after the change
  • Brutal shutdown of the master dhcp server
  • Functionality testing, looking at the dhcp log
  • Restore master dhcp
  • Always verify the dhcp log

If everything goes well you have your server Isc Dhcpd OpenLDAP on Ubuntu 16.04.

Enjoy!

Federico

Federico

Network & System Administrator at OneOs
Federico

Latest posts by Federico (see all)

, , , , , , , ,

Leave a Comment

Your email address will not be published. Required fields are marked *

©2018 OneOS P IVA 10495730581