In a LAN the DHCP server is a primary network service. If your server will handle many networks, it can be easier to have a web interface for managing your dhcpd configuration stored in OpenLDAP.
At other times it is convenient to hand management over to third parties, perhaps the group that deals with the desktops; in that case a web interface is better than giving vi access to the configuration file to people who may not be very familiar with the Linux environment.
In this configuration I have planned to use three servers: an OpenLDAP master and two DHCP failover servers, each with an LDAP replica: 172.16.160.8, 172.16.160.9 and 172.16.160.10.
In this way you have maximum redundancy. In my configuration the DHCP servers have only one network interface but provide IP addresses to 13 different subnets; to do this I use a pfSense that acts as a DHCP relay for the respective networks.
In this tutorial I have added only one subnet, but it is easy to add others without any problem directly in OpenLDAP using phpldapadmin.
Dhcp Openldap – dhcpldap Master
$ sudo apt install isc-dhcp-server-ldap slapd ldap-utils phpldapadmin
First you need to take the DHCP schema out of the isc-dhcp-server-ldap package; on the LDAP master only the schema is needed, so the DHCP packages can be purged afterwards.
$ sudo cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema /etc/ldap/schema/
$ sudo apt purge isc-dhcp-server isc-dhcp-server-ldap   # remove the packages that are not needed on the master
We can configure OpenLDAP as described here, using the following configuration files: first slapd.conf, then the LDIF for the initial tree.
# schema includes
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/dhcp.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -16384

moduleload back_hdb.la
# load the syncrepl provider module (the replicas pull from this server)
moduleload syncprov.la

#######################################################################
# ldbm and/or hdb database definitions
#######################################################################
database hdb
suffix "dc=oneos,c=it"
rootdn "cn=manager,dc=oneos,c=it"
# password: nonteladico
rootpw {SSHA}Bns4pc9vnlU6MDZBDF1XLBB6fRrNkcC5
directory /var/lib/ldap

# indexes
index objectClass eq,pres
index uid eq,pres,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index default eq,sub
index dhcpHWAddress eq
index dhcpClassData eq

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 500

# ACL: the rootdn can access every DIT in RW, all the others cannot.
# Note: the rootdn bypasses ACLs anyway, and "access to * by * read" as written
# grants read access to the whole tree (MAC addresses, fixed addresses) to
# everyone, including anonymous binds. Nothing in this setup needs that: the
# replicas and dhcpd both bind as cn=manager, so the rule can be tightened.
access to * by * read

cachesize 10000
checkpoint 128 15
dbnosync
dirtyread
searchstack 8
dn: dc=oneos,c=it
dc: oneos
o: oneos
objectclass: top
objectclass: dcObject
objectclass: organization

dn: ou=dhcpd,dc=oneos,c=it
objectclass: top
objectclass: organizationalUnit
ou: dhcpd

dn: ou=configs,ou=dhcpd,dc=oneos,c=it
objectclass: top
objectclass: organizationalUnit
ou: configs

dn: ou=servers,ou=dhcpd,dc=oneos,c=it
objectclass: top
objectclass: organizationalUnit
ou: servers

# the service: global dhcpd statements plus the two failover servers
dn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: dhcpd-Config
dhcpprimarydn: cn=dhcpserver1,ou=servers,ou=dhcpd,dc=oneos,c=it
dhcpsecondarydn: cn=dhcpserver2,ou=servers,ou=dhcpd,dc=oneos,c=it
dhcpstatements: ddns-update-style none
dhcpstatements: default-lease-time 1200
dhcpstatements: max-lease-time 1200
dhcpstatements: log-facility local0;
dhcpstatements: use-host-decl-names on;
dhcpstatements: authoritative;
# NB: omapi-port without an omapi-key statement leaves OMAPI unauthenticated
dhcpstatements: omapi-port 7911;
objectclass: top
objectclass: dhcpService

# one dhcpServer entry per host; ldap-dhcp-server-cn in dhcpd.conf must match its cn
dn: cn=DHCPServer1,ou=servers,ou=dhcpd,dc=oneos,c=it
cn: DHCPServer1
dhcpservicedn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
dhcpstatements: failover peer "dhcp-failover" { primary; address 172.16.160.9; port 520; peer address 172.16.160.10; peer port 520; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; mclt 300; split 128; }
objectclass: top
objectclass: dhcpServer

dn: cn=DHCPServer2,ou=servers,ou=dhcpd,dc=oneos,c=it
cn: DHCPServer2
dhcpservicedn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
dhcpstatements: failover peer "dhcp-failover" { secondary; address 172.16.160.10; port 520; peer address 172.16.160.9; peer port 520; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; }
objectclass: top
objectclass: dhcpServer

# the subnet, with its reservation (dhcpHost) and dynamic pool (dhcpPool) as children
dn: cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: 192.168.100.0
dhcpnetmask: 24
dhcpoption: routers 192.168.100.1
dhcpoption: subnet-mask 255.255.255.0
dhcpoption: domain-name-servers 192.168.100.1,8.8.8.8
objectclass: top
objectclass: dhcpSubnet
objectclass: dhcpOptions

dn: cn=federico.fiordoliva,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: federico.fiordoliva
dhcphwaddress: ethernet 00:90:33:06:18:d7
dhcpstatements: fixed-address 192.168.100.10
objectclass: dhcpHost
objectclass: top

dn: cn=pool,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
cn: pool
dhcprange: 192.168.100.20 192.168.100.240
dhcpstatements: deny dynamic bootp clients
dhcpstatements: failover peer "dhcp-failover"
objectclass: top
objectclass: dhcpPool
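At startup the LDAP backend of isc-dhcp-server turns this tree into ordinary dhcpd.conf text (the ldap-debug-file directive set later in this tutorial writes that text out). The following Python script is added here and is not part of the tutorial: it approximates that rendering on a constructed, cut-down copy of the tree so you can eyeball what each replica will serve; the rule that a ';' is appended only to statements lacking one is an assumption about the backend.

```python
import re
# Constructed sample cut down from the tutorial's tree (not the page's own LDIF).
SAMPLE_LDIF = """\
dn: cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
objectClass: dhcpService
dhcpStatements: authoritative;

dn: cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
objectClass: dhcpSubnet
dhcpNetMask: 24
dhcpOption: routers 192.168.100.1

dn: cn=pool,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
objectClass: dhcpPool
dhcpRange: 192.168.100.20 192.168.100.240
dhcpStatements: failover peer "dhcp-failover"

dn: cn=pc1,cn=192.168.100.0,cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:90:33:06:18:d7
dhcpStatements: fixed-address 192.168.100.10
"""

def parse_ldif(text):
    # {dn: {attr_lowercase: [values]}}; assumes unfolded one-line attributes
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def render(entries, dn, indent=""):
    e, cn = entries[dn], dn.split(",")[0][3:]
    oc = {c.lower() for c in e["objectclass"]}
    head = []  # dhcpService statements stay global; other classes open a block
    if "dhcpsubnet" in oc:
        mask = ".".join(str((0xFFFFFFFF << (32 - int(e["dhcpnetmask"][0])) >> s) & 255) for s in (24, 16, 8, 0))
        head = [f"{indent}subnet {cn} netmask {mask} {{"]
    elif oc & {"dhcppool", "dhcphost"}:
        head = [indent + ("pool {" if "dhcppool" in oc else f"host {cn} {{")]
    inner = indent + "  " if head else indent
    body = [f"{inner}{kw} {v};" for kw, attr in (("range", "dhcprange"), ("hardware", "dhcphwaddress")) for v in e.get(attr, [])]
    # assumption: ';' is appended only when the stored statement lacks one
    body += [inner + s + ("" if s.endswith((";", "}")) else ";") for s in e.get("dhcpstatements", [])]
    body += [f"{inner}option {o};" for o in e.get("dhcpoption", [])]
    for child in [d for d in entries if d.endswith("," + dn) and d.count(",") == dn.count(",") + 1]:
        body += render(entries, child, inner)
    return head + body + ([indent + "}"] if head else [])
```

Run `print("\n".join(render(parse_ldif(SAMPLE_LDIF), "cn=dhcpd-Config,ou=configs,ou=dhcpd,dc=oneos,c=it")))` and compare with what dhcpd writes to its ldap-debug-file.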
$ sudo systemctl stop slapd
$ sudo find /var/lib/ldap -type f | grep -v "DB_CONFIG" | sudo xargs rm
$ cd /etc/ldap
$ sudo rm -fr slapd.d/*
$ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -Q
slap_startup failed (test would succeed using the -u switch)
$ sudo chown -R openldap:openldap /etc/ldap/slapd.d/
$ sudo chown -R openldap:openldap /var/lib/ldap/
$ sudo systemctl enable slapd
$ sudo systemctl start slapd
Let’s populate the tree
$ sudo ldapadd -x -D cn=manager,dc=oneos,c=it -W -f oneos.ldif
Enter LDAP Password:
To send the slapd logs to a separate file, add this rule at the top of /etc/rsyslog.d/50-default.conf:
if $programname == 'slapd' and $syslogseverity <= 7 then /var/log/ldap.log
& stop
Restart the rsyslog daemon.
$ sudo systemctl restart rsyslog.service
Dhcpd Openldap – dhcpserver1
Install the necessary packages.
$ sudo apt install isc-dhcp-server isc-dhcp-server-ldap slapd ldap-utils
To create the OpenLDAP replica use this configuration, but first do the usual cleanup of the DB and copy the DHCP schema:
$ sudo systemctl stop slapd
$ sudo find /var/lib/ldap -type f | grep -v "DB_CONFIG" | sudo xargs rm
$ cd /etc/ldap
$ sudo rm -fr slapd.d/*
$ sudo cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema /etc/ldap/schema/
# schema includes
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/dhcp.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -16384

moduleload back_hdb.la

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database hdb
suffix "dc=oneos,c=it"
rootdn "cn=manager,dc=oneos,c=it"
# password: nonteladico
rootpw {SSHA}Bns4pc9vnlU6MDZBDF1XLBB6fRrNkcC5
directory /var/lib/ldap

# indexes
index objectClass eq,pres
index uid eq,pres,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index default eq,sub
index dhcpHWAddress eq
index dhcpClassData eq

# grants anonymous read of the whole tree; the local dhcpd binds as cn=manager, so it does not need this
access to * by * read

cachesize 5000

# replication consumer: pulls the whole tree from the master (172.16.160.8),
# binding as the rootdn with a clear-text password over plain ldap://, so keep
# this file readable only by root/openldap and consider ldaps:// or StartTLS
syncrepl rid="133"
  provider="ldap://172.16.160.8:389"
  type="refreshAndPersist"
  retry="60 10 300 +"
  searchbase="dc=oneos,c=it"
  filter="(objectClass=*)"
  scope="sub"
  attrs="*,+"
  schemachecking="off"
  bindmethod="simple"
  binddn="cn=manager,dc=oneos,c=it"
  credentials="nonteladico"
As you can see, the replication type is refreshAndPersist. This is the best method if you want to use DHCP reservations, because as soon as a reservation is inserted in the LDAP master the replicas are notified of the tree change immediately. Furthermore, there is no need to restart the DHCP service for a reservation, only for a subnet change or a change of the pool range.
In the same way, send all the OpenLDAP server logs to a separate file, and do the same for the DHCP server.
Edit the /etc/rsyslog.d/50-default.conf file and add these rules at the top of the file:
if $programname == 'slapd' and $syslogseverity <= 7 then /var/log/ldap.log
& stop
if $programname == 'dhcpd' and $syslogseverity <= 7 then /var/log/dhcpd.log
& stop
Restart the rsyslog daemon.
Now we set up the LDAP replica.
$ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -Q
slap_startup failed (test would succeed using the -u switch)
$ sudo chown -R openldap:openldap /etc/ldap/slapd.d/
$ sudo chown -R openldap:openldap /var/lib/ldap/
$ sudo systemctl enable slapd
$ sudo systemctl start slapd
To verify that replication succeeded, you should see something similar in the database directory:
root@dhcpserver1:~$ ls -la /var/lib/ldap/
total 14956
drwxr-xr-x  2 openldap openldap     4096 lug  8 14:07 .
drwxr-xr-x 43 root     root         4096 lug  7 15:50 ..
-rw-r--r--  1 openldap openldap     2048 lug  8 14:07 alock
-rw-------  1 openldap openldap   733184 lug  7 16:41 cn.bdb
-rw-------  1 openldap openldap   532479 lug  8 14:07 __db.001
-rw-------  1 openldap openldap   139263 lug  8 14:07 __db.002
-rw-------  1 openldap openldap  2629631 lug  8 14:07 __db.003
-rw-r--r--  1 openldap openldap       97 mag 25 11:58 DB_CONFIG
-rw-------  1 openldap openldap    69632 lug  8 14:07 dhcpHWAddress.bdb
-rw-------  1 openldap openldap   331776 lug  7 16:41 dn2id.bdb
-rw-------  1 openldap openldap  1310720 lug  8 14:07 id2entry.bdb
-rw-------  1 openldap openldap 10485759 lug  8 14:07 log.0000000001
-rw-------  1 openldap openldap 10485759 lug  7 16:35 log.0000000002
-rw-------  1 openldap openldap   106496 lug  7 16:41 objectClass.bdb
-rw-------  1 openldap openldap     8192 lug  7 16:41 ou.bdb
Now you just have to configure the DHCP server to use OpenLDAP; edit the file /etc/dhcp/dhcpd.conf:
ldap-server "127.0.0.1";
ldap-port 389;
ldap-username "cn=manager, dc=oneos, c=it";
# clear-text rootdn password: keep this file readable only by root
ldap-password "nonteladico";
# must match the cn of this host's dhcpServer entry in the tree
ldap-dhcp-server-cn "dhcpserver1";
ldap-init-retry 10;
ldap-base-dn "ou=dhcpd, dc=oneos, c=it";
ldap-method dynamic;
# the dhcpd.conf text generated from LDAP at startup is written here
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
Start the DHCP server:
$ sudo systemctl start isc-dhcp-server
Dhcpd Openldap – dhcpserver2
To create the second server just follow the same steps as the first, changing only the syncrepl parameters in slapd.conf and ldap-dhcp-server-cn in dhcpd.conf, to rid="134" and dhcpserver2 respectively.
Now we can check that the system works. What should we look at?
- Obtaining an IP address from the pool
- Obtaining the IP address from the reservation
- Modifying the reservation, and verifying the synchronization in the logs of both LDAP replicas
- Obtaining the address after the change
- Brutal shutdown of the master DHCP server
- Functionality testing, looking at the DHCP log
- Restoring the master DHCP server
- Always check the DHCP log
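To make the checks above repeatable, here is an added Python script (not part of the tutorial) that walks /var/log/dhcpd.log for the failover state changes dhcpd logs ("I move from X to Y"), counts the DHCPACKs served in each state, and flags leases that contradict the tree: the reservation and the pool range are taken from this tutorial's LDIF, while the log lines are constructed.

```python
import re
from collections import Counter

# Constructed log lines in the format isc-dhcp-server writes to syslog (the tutorial
# routes them to /var/log/dhcpd.log); this is not a real capture.
SAMPLE_LOG = """\
Jul  8 14:10:01 dhcpserver1 dhcpd[1234]: failover peer dhcp-failover: I move from startup to normal
Jul  8 14:10:05 dhcpserver1 dhcpd[1234]: DHCPDISCOVER from 00:90:33:06:18:d7 via 172.16.160.1
Jul  8 14:10:05 dhcpserver1 dhcpd[1234]: DHCPOFFER on 192.168.100.10 to 00:90:33:06:18:d7 via 172.16.160.1
Jul  8 14:10:05 dhcpserver1 dhcpd[1234]: DHCPACK on 192.168.100.10 to 00:90:33:06:18:d7 via 172.16.160.1
Jul  8 14:12:30 dhcpserver1 dhcpd[1234]: DHCPACK on 192.168.100.20 to 00:11:22:33:44:55 via 172.16.160.1
Jul  8 14:20:00 dhcpserver1 dhcpd[1234]: failover peer dhcp-failover: I move from normal to communications-interrupted
Jul  8 14:25:00 dhcpserver1 dhcpd[1234]: DHCPACK on 192.168.100.21 to 00:11:22:33:44:66 via 172.16.160.1
Jul  8 14:30:00 dhcpserver1 dhcpd[1234]: failover peer dhcp-failover: I move from communications-interrupted to normal
Jul  8 14:31:00 dhcpserver1 dhcpd[1234]: DHCPACK on 192.168.100.250 to 00:11:22:33:44:77 via 172.16.160.1
"""

# From the tutorial's tree: the reservation and the pool range of 192.168.100.0/24.
RESERVATIONS = {"00:90:33:06:18:d7": "192.168.100.10"}
POOL = ("192.168.100.20", "192.168.100.240")

ACK_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f:]{17})")
FO_RE = re.compile(r"failover peer (\S+): I move from (\S+) to (\S+)")

def ip_to_int(ip):
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")

def audit(log, reservations, pool):
    """Return (failover transitions, lease problems, ACKs per failover state).
    A problem is a reserved MAC not receiving its fixed-address, or a dynamic
    lease outside the pool range: both are signs that a replica serves stale config."""
    lo, hi = (ip_to_int(p) for p in pool)
    transitions, problems, acks, state = [], [], Counter(), "unknown"
    for line in log.splitlines():
        if m := FO_RE.search(line):
            transitions.append((m.group(2), m.group(3)))
            state = m.group(3)
        elif m := ACK_RE.search(line):
            ip, mac = m.groups()
            acks[state] += 1
            if mac in reservations and reservations[mac] != ip:
                problems.append(f"{mac} got {ip}, reserved {reservations[mac]}")
            elif mac not in reservations and not lo <= ip_to_int(ip) <= hi:
                problems.append(f"{mac} got {ip}, outside pool {pool[0]}-{pool[1]}")
    return transitions, problems, dict(acks)
```

ACKs counted under communications-interrupted show the surviving peer kept serving during the brutal shutdown test; an empty problems list after the reservation change confirms both replicas picked it up.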
If everything goes well you have your ISC DHCPd OpenLDAP server on Ubuntu 16.04.
Enjoy!
- Isc Dhcpd Openldap on Ubuntu 16.04 - Oct 03,2016