[packages/dhcp.git] / dhcp-README.ldap

LDAP Support in DHCP
Brian Masney <masneyb@ntelos.net>
Last updated 3/23/2003

This document describes setting up the DHCP server to read it's configuration
from LDAP.  This work is based on the IETF document
draft-ietf-dhc-ldap-schema-01.txt included in the doc directory.  For the
latest version of this document, please see http://home.ntelos.net/~masneyb.

First question on most people's mind is "Why do I want to store my
configuration in LDAP?"  If you run a small DHCP server, and the configuration
on it rarely changes, then you won't need to store your configuration in LDAP.
But, if you have several DHCP servers, and you want an easy way to manage your
configuration, this can be a solution.

The first step will be to setup your LDAP server.  I am using OpenLDAP from
www.openldap.org.  Building and installing OpenLDAP is beyond the scope of
this document.  There is plenty of documentation out there about this.  Once
you have OpenLDAP installed, you will have to edit your slapd.conf file.  I
added the following 2 lines to my configuration file:

include         /etc/ldap/schema/dhcp.schema
index           dhcpHWAddress eq
index           dhcpClassData eq

The first line tells it to include the dhcp schema file.  You will find this
file under the contrib directory in this distribution.  You will need to copy
this file to where your other schema files are (maybe
/usr/local/openldap/etc/openldap/schema/).  The second line sets up an index
for the dhcpHWAddress parameter.  The third parameter is for reading subclasses
from LDAP every time a DHCP request comes in. Make sure you run the slapindex
command and restart slapd to have these changes to into effect.

Now that you have LDAP setup, you should be able to use gq
(http://biot.com/gq/) to verify that the dhcp schema file is loaded into LDAP.
Pull up gq, and click on the Schema tab.  Go under objectClasses, and you
should see at least the following object classes listed: dhcpClass, dhcpGroup,
dhcpHost, dhcpOptions, dhcpPool, dhcpServer, dhcpService, dhcpSharedNetwork,
dhcpSubClass, and dhcpSubnet.  If you do not see these, you need to check over
your LDAP configuration before you go any further.

You should now be ready to build DHCP.  If you would like to enable LDAP over
SSL, you will need to perform the following steps:

  * Edit the includes/site.h file and uncomment the USE_SSL line
    or specify "-DUSE_SSL" via CFLAGS.
  * Edit the dst/Makefile.dist file and remove md5_dgst.c and md5_dgst.o
    from the SRC= and OBJ= lines (around line 24)
  * Now run configure in the base source directory. If you chose to enable
    LDAP over SSL, you must append -lcrypto -lssl to the LIBS= line in the
    file work.os/server/Makefile (replace os with your operating system,
    linux-2.2 on my machine).  You should now be able to type make to build
    your DHCP server.

If you choose to not enable LDAP over SSL, then you only need to run configure
and make in the toplevel source directory.

Once you have DHCP installed, you will need to setup your initial plaintext
config file. In my /etc/dhcpd.conf file, I have:

ldap-server "localhost";
ldap-port 389;
ldap-username "cn=DHCP User, dc=ntelos, dc=net";
ldap-password "blah";
ldap-base-dn "dc=ntelos, dc=net";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";

If SSL has been enabled at compile time using the USE_SSL flag, the dhcp
server trys to use TLS if possible, but continues without TLS if not.

You can modify this behaviour using following option in /etc/dhcpd.conf:

ldap-ssl <off | ldaps | start_tls | on>
   off:       disables TLS/LDAPS.
   ldaps:     enables LDAPS -- don't forget to set ldap-port to 636.
   start_tls: enables TLS using START_TLS command
   on:        enables LDAPS if ldap-port is set to 636 or TLS in 
              other cases.

See also "man 5 ldap.conf" for description the following TLS related 
options:
   ldap-tls-reqcert, ldap-tls-ca-file, ldap-tls-ca-dir, ldap-tls-cert
   ldap-tls-key, ldap-tls-crlcheck, ldap-tls-ciphers, ldap-tls-randfile

All of these parameters should be self explanatory except for the ldap-method.
You can set this to static or dynamic.  If you set it to static, the
configuration is read once on startup, and LDAP isn't used anymore.  But, if
you set this to dynamic, the configuration is read once on startup, and the
hosts that are stored in LDAP are looked up every time a DHCP request comes
in.

When the optional statement ldap-debug-file is specified, on startup the DHCP
server will write out the configuration that it generated from LDAP.  If you
are getting errors about your LDAP configuration, this is a good place to
start looking.

The next step is to set up your LDAP tree. Here is an example config that will
give a 10.100.0.x address to machines that have a host entry in LDAP.
Otherwise, it will give a 10.200.0.x address to them.  (NOTE: replace
dc=ntelos, dc=net with your base dn). If you would like to convert your
existing dhcpd.conf file to LDIF format, there is a script
contrib/dhcpd-conf-to-ldap.pl that will convert it for you.  Type
dhcpd-conf-to-ldap.pl --help to see the usage information for this script.

# You must specify the server's host name in LDAP that you are going to run
# DHCP on and point it to which config tree you want to use.  Whenever DHCP
# first starts up, it will do a search for this entry to find out which
# config to use
dn: cn=brian.ntelos.net, dc=ntelos, dc=net
objectClass: top
objectClass: dhcpServer
cn: brian.ntelos.net
dhcpServiceDN: cn=DHCP Service Config, dc=ntelos, dc=net

# Here is the config tree that brian.ntelos.net points to.
dn: cn=DHCP Service Config, dc=ntelos, dc=net
cn: DHCP Service Config
objectClass: top
objectClass: dhcpService
dhcpPrimaryDN: dc=ntelos, dc=net
dhcpStatements: ddns-update-style none
dhcpStatements: default-lease-time 600
dhcpStatements: max-lease-time 7200

# Set up a shared network segment
dn: cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: WV
objectClass: top
objectClass: dhcpSharedNetwork

# Set up a subnet declaration with a pool statement.  Also note that we have
# a dhcpOptions object with this entry
dn: cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: 10.100.0.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpOption: domain-name-servers 10.100.0.2
dhcpOption: routers 10.100.0.1
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: broadcast-address 10.100.0.255
dhcpNetMask: 24

# Set up a pool for this subnet.  Only known hosts will get these IPs
dn: cn=Known Pool, cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: Known Pool
objectClass: top
objectClass: dhcpPool
dhcpRange: 10.100.0.3 10.100.0.254
dhcpPermitList: deny unknown-clients

# Set up another subnet declaration with a pool statement
dn: cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: 10.200.0.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpOption: domain-name-servers 10.200.0.2
dhcpOption: routers 10.200.0.1
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: broadcast-address 10.200.0.255
dhcpNetMask: 24

# Set up a pool for this subnet. Only unknown hosts will get these IPs
dn: cn=Known Pool, cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
cn: Known Pool
objectClass: top
objectClass: dhcpPool
dhcpRange: 10.200.0.3 10.200.0.254
dhcpPermitList: deny known clients

# Set aside a group for all of our known MAC addresses
dn: cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
objectClass: top
objectClass: dhcpGroup
cn: Customers

# Host entry for my laptop
dn: cn=brianlaptop, cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
objectClass: top
objectClass: dhcpHost
cn: brianlaptop
dhcpHWAddress: ethernet 00:00:00:00:00:00

You can use the command slapadd to load all of these entries into your LDAP 
server. After you load this, you should be able to start up DHCP. If you run
into problems reading the configuration, try running dhcpd with the -d flag. 
If you still have problems, edit the site.conf file in the DHCP source and
add the line: COPTS= -DDEBUG_LDAP and recompile DHCP. (make sure you run make 
clean and rerun configure before you rebuild).
Commit	Line	Data
8c878a4c ER	1	LDAP Support in DHCP
	2	Brian Masney <masneyb@ntelos.net>
	3	Last updated 3/23/2003
	4
	5	This document describes setting up the DHCP server to read it's configuration
	6	from LDAP. This work is based on the IETF document
	7	draft-ietf-dhc-ldap-schema-01.txt included in the doc directory. For the
	8	latest version of this document, please see http://home.ntelos.net/~masneyb.
	9
	10	First question on most people's mind is "Why do I want to store my
	11	configuration in LDAP?" If you run a small DHCP server, and the configuration
	12	on it rarely changes, then you won't need to store your configuration in LDAP.
	13	But, if you have several DHCP servers, and you want an easy way to manage your
	14	configuration, this can be a solution.
	15
	16	The first step will be to setup your LDAP server. I am using OpenLDAP from
	17	www.openldap.org. Building and installing OpenLDAP is beyond the scope of
	18	this document. There is plenty of documentation out there about this. Once
	19	you have OpenLDAP installed, you will have to edit your slapd.conf file. I
	20	added the following 2 lines to my configuration file:
	21
	22	include /etc/ldap/schema/dhcp.schema
	23	index dhcpHWAddress eq
	24	index dhcpClassData eq
	25
	26	The first line tells it to include the dhcp schema file. You will find this
	27	file under the contrib directory in this distribution. You will need to copy
	28	this file to where your other schema files are (maybe
	29	/usr/local/openldap/etc/openldap/schema/). The second line sets up an index
	30	for the dhcpHWAddress parameter. The third parameter is for reading subclasses
	31	from LDAP every time a DHCP request comes in. Make sure you run the slapindex
	32	command and restart slapd to have these changes to into effect.
	33
	34	Now that you have LDAP setup, you should be able to use gq
	35	(http://biot.com/gq/) to verify that the dhcp schema file is loaded into LDAP.
	36	Pull up gq, and click on the Schema tab. Go under objectClasses, and you
	37	should see at least the following object classes listed: dhcpClass, dhcpGroup,
	38	dhcpHost, dhcpOptions, dhcpPool, dhcpServer, dhcpService, dhcpSharedNetwork,
	39	dhcpSubClass, and dhcpSubnet. If you do not see these, you need to check over
	40	your LDAP configuration before you go any further.
	41
	42	You should now be ready to build DHCP. If you would like to enable LDAP over
	43	SSL, you will need to perform the following steps:
	44
	45	* Edit the includes/site.h file and uncomment the USE_SSL line
	46	or specify "-DUSE_SSL" via CFLAGS.
	47	* Edit the dst/Makefile.dist file and remove md5_dgst.c and md5_dgst.o
	48	from the SRC= and OBJ= lines (around line 24)
	49	* Now run configure in the base source directory. If you chose to enable
	50	LDAP over SSL, you must append -lcrypto -lssl to the LIBS= line in the
	51	file work.os/server/Makefile (replace os with your operating system,
	52	linux-2.2 on my machine). You should now be able to type make to build
	53	your DHCP server.
	54
	55	If you choose to not enable LDAP over SSL, then you only need to run configure
	56	and make in the toplevel source directory.
	57
	58	Once you have DHCP installed, you will need to setup your initial plaintext
	59	config file. In my /etc/dhcpd.conf file, I have:
	60
	61	ldap-server "localhost";
	62	ldap-port 389;
	63	ldap-username "cn=DHCP User, dc=ntelos, dc=net";
	64	ldap-password "blah";
65	ldap-base-dn "dc=ntelos, dc=net";
66	ldap-method dynamic;
67	ldap-debug-file "/var/log/dhcp-ldap-startup.log";
68
69	If SSL has been enabled at compile time using the USE_SSL flag, the dhcp
70	server trys to use TLS if possible, but continues without TLS if not.
71
72	You can modify this behaviour using following option in /etc/dhcpd.conf:
73
74	ldap-ssl <off \| ldaps \| start_tls \| on>
75	off: disables TLS/LDAPS.
76	ldaps: enables LDAPS -- don't forget to set ldap-port to 636.
77	start_tls: enables TLS using START_TLS command
78	on: enables LDAPS if ldap-port is set to 636 or TLS in
79	other cases.
80
81	See also "man 5 ldap.conf" for description the following TLS related
82	options:
83	ldap-tls-reqcert, ldap-tls-ca-file, ldap-tls-ca-dir, ldap-tls-cert
84	ldap-tls-key, ldap-tls-crlcheck, ldap-tls-ciphers, ldap-tls-randfile
85
86	All of these parameters should be self explanatory except for the ldap-method.
87	You can set this to static or dynamic. If you set it to static, the
88	configuration is read once on startup, and LDAP isn't used anymore. But, if
89	you set this to dynamic, the configuration is read once on startup, and the
90	hosts that are stored in LDAP are looked up every time a DHCP request comes
91	in.
92
93	When the optional statement ldap-debug-file is specified, on startup the DHCP
94	server will write out the configuration that it generated from LDAP. If you
95	are getting errors about your LDAP configuration, this is a good place to
96	start looking.
97
98	The next step is to set up your LDAP tree. Here is an example config that will
99	give a 10.100.0.x address to machines that have a host entry in LDAP.
100	Otherwise, it will give a 10.200.0.x address to them. (NOTE: replace
101	dc=ntelos, dc=net with your base dn). If you would like to convert your
102	existing dhcpd.conf file to LDIF format, there is a script
103	contrib/dhcpd-conf-to-ldap.pl that will convert it for you. Type
104	dhcpd-conf-to-ldap.pl --help to see the usage information for this script.
105
106	# You must specify the server's host name in LDAP that you are going to run
107	# DHCP on and point it to which config tree you want to use. Whenever DHCP
108	# first starts up, it will do a search for this entry to find out which
109	# config to use
110	dn: cn=brian.ntelos.net, dc=ntelos, dc=net
111	objectClass: top
112	objectClass: dhcpServer
113	cn: brian.ntelos.net
114	dhcpServiceDN: cn=DHCP Service Config, dc=ntelos, dc=net
115
116	# Here is the config tree that brian.ntelos.net points to.
117	dn: cn=DHCP Service Config, dc=ntelos, dc=net
118	cn: DHCP Service Config
119	objectClass: top
120	objectClass: dhcpService
121	dhcpPrimaryDN: dc=ntelos, dc=net
122	dhcpStatements: ddns-update-style none
123	dhcpStatements: default-lease-time 600
124	dhcpStatements: max-lease-time 7200
125
126	# Set up a shared network segment
127	dn: cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
128	cn: WV
129	objectClass: top
130	objectClass: dhcpSharedNetwork
131
132	# Set up a subnet declaration with a pool statement. Also note that we have
133	# a dhcpOptions object with this entry
134	dn: cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
135	cn: 10.100.0.0
136	objectClass: top
137	objectClass: dhcpSubnet
138	objectClass: dhcpOptions
139	dhcpOption: domain-name-servers 10.100.0.2
140	dhcpOption: routers 10.100.0.1
141	dhcpOption: subnet-mask 255.255.255.0
142	dhcpOption: broadcast-address 10.100.0.255
143	dhcpNetMask: 24
144
145	# Set up a pool for this subnet. Only known hosts will get these IPs
146	dn: cn=Known Pool, cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
147	cn: Known Pool
148	objectClass: top
149	objectClass: dhcpPool
150	dhcpRange: 10.100.0.3 10.100.0.254
151	dhcpPermitList: deny unknown-clients
152
153	# Set up another subnet declaration with a pool statement
154	dn: cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
155	cn: 10.200.0.0
156	objectClass: top
157	objectClass: dhcpSubnet
158	objectClass: dhcpOptions
159	dhcpOption: domain-name-servers 10.200.0.2
160	dhcpOption: routers 10.200.0.1
161	dhcpOption: subnet-mask 255.255.255.0
162	dhcpOption: broadcast-address 10.200.0.255
163	dhcpNetMask: 24
164
165	# Set up a pool for this subnet. Only unknown hosts will get these IPs
166	dn: cn=Known Pool, cn=10.200.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
167	cn: Known Pool
168	objectClass: top
169	objectClass: dhcpPool
170	dhcpRange: 10.200.0.3 10.200.0.254
171	dhcpPermitList: deny known clients
172
173	# Set aside a group for all of our known MAC addresses
174	dn: cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
175	objectClass: top
176	objectClass: dhcpGroup
177	cn: Customers
178
179	# Host entry for my laptop
180	dn: cn=brianlaptop, cn=Customers, cn=DHCP Service Config, dc=ntelos, dc=net
181	objectClass: top
182	objectClass: dhcpHost
183	cn: brianlaptop
184	dhcpHWAddress: ethernet 00:00:00:00:00:00
185
186	You can use the command slapadd to load all of these entries into your LDAP
187	server. After you load this, you should be able to start up DHCP. If you run
188	into problems reading the configuration, try running dhcpd with the -d flag.
189	If you still have problems, edit the site.conf file in the DHCP source and
190	add the line: COPTS= -DDEBUG_LDAP and recompile DHCP. (make sure you run make
191	clean and rerun configure before you rebuild).
192