ISC DHCPD with LDAP Config Part 1

The average environment with one or two admins can probably do just fine with the /etc/dhcp/dhcpd.conf flat file.  Syntax isn't the challenge.  As soon as you get into access control and many devices/subnets, the flat file gets long, and that's when mistakes happen.  An LDAP backend makes that easier to manage.

It's important to note at the outset that I'm running Debian Testing (February 2016) from Debian's repositories.  Maybe by the time you read this, things have changed.  If you are new to LDAP, it's a learning curve.  This first part might take a while.  I'm rushing through setup.

Get Ready

I like using an LDAP browser.  I like jxplorer because it supports editing the modern cn=config tree.  On Windows, the popular (and useful) ldapadmin is good, but it does not support cn=config editing.

Get Packages
apt-get install slapd isc-dhcp-server-ldap isc-dhcp-server

Debian's packages set up slapd (the OpenLDAP server) for you, prompting you for an admin password.  That password belongs to the rootdn of the data database (cn=admin,dc=...), not to cn=config; out of the box, cn=config is reachable only by the local root user over the ldapi:/// socket using SASL EXTERNAL.  It seems they want you to use the command-line tools ldapsearch and ldapmodify to edit cn=config.  Check what's configured with this:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"


This is probably bad advice: I set a cn=config password.  A little later on, I can use jxplorer to change the config.

To start: use ldapsearch to find the config database.  Look for the olcDatabase entries in the output; the config database is normally olcDatabase={0}config.

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Then write an LDIF file (pwd.ldif below) that adds the password to the config database.  Comments in LDIF must sit on their own line starting with #; a # after a value is part of the value, so keep them separate:

# Be sure config is database 0.  You looked carefully at the output of ldapsearch, right?
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# The hash was made with slappasswd
olcRootPW: {SSHA}some_hashed_password

Then run ldapmodify to add the password attribute:

ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /home/thatsme/pwd.ldif

If you aren't familiar with LDIF syntax, expect to spend some time learning it.
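As an added example (not code from the original post), here is what the {SSHA} value slappasswd emits by default actually contains, written in Python so you can generate an olcRootPW value and check a hash against a password without a running slapd.  It is base64 of SHA-1(password || salt) followed by the salt; the salt length, password and salt bytes below are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 4  # assumed default salt size for {SSHA}; any length works for verification


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value in slappasswd's default form:
    "{SSHA}" + base64( SHA1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value.
    The salt is recovered from the stored value itself: everything after
    the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= 20:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare so a verifier does not leak digest prefixes
    return hmac.compare_digest(candidate, digest)


def pwd_ldif(hashed, db="{0}config"):
    """LDIF change record that adds olcRootPW to the given olcDatabase entry
    (comments are deliberately left out: a '#' after a value is data, not a comment)."""
    return "\n".join([
        f"dn: olcDatabase={db},cn=config",
        "changetype: modify",
        "add: olcRootPW",
        f"olcRootPW: {hashed}",
        "",
    ])


if __name__ == "__main__":
    # constructed demo password; use your own and a random salt in practice
    h = ssha_hash("correct horse battery staple")
    print(pwd_ldif(h))
    print("verify ok:", ssha_verify("correct horse battery staple", h))
```

Note that {SSHA} is a single SHA-1 round with a short salt, so it offers little resistance to offline guessing if the config database is ever dumped; a long password matters more than the scheme here.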

Add the DHCP LDIF

Debian's package includes the schema file, but in the old slapd.conf-style .schema format, and that is not something you can ldapadd into cn=config.  You either convert it yourself (slaptest can do it from a throwaway slapd.conf that includes the schema, after which you fix up the generated dn and strip the instance-specific attributes) or you find someone who has already converted it.

https://github.com/markllama/dhcp-ldap-example/blob/master/LDIF/dhcp.ldif

Save the converted file (as /etc/ldap/schema/dhcp.ldif here) and load it:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/dhcp.ldif
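To show what the conversion from .schema to cn=config LDIF actually involves, here is an added example converter in Python; it is not part of the original post or of the ISC or Debian packages.  The embedded schema is a constructed sample under a placeholder OID arc (1.3.6.1.4.1.99999), not the real dhcp.schema, and the converter assumes the file uses only attributetype/objectclass definitions with no objectidentifier macros.

```python
import re

# Constructed sample in slapd.conf schema syntax (NOT the real dhcp.schema;
# the OIDs under 1.3.6.1.4.1.99999 are placeholders for the demonstration).
SAMPLE_SCHEMA = """\
# example schema; in this format a line starting with '#' is a comment
attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME 'exPrimaryDN'
    DESC 'Primary server DN (see RFC 4512)'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'exStatements'
    DESC 'Free-form statements'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.99999.2.1
    NAME 'exService'
    DESC 'Service container'
    SUP top STRUCTURAL
    MUST ( cn $ exPrimaryDN )
    MAY ( exStatements ) )
"""

# .schema keyword -> cn=config attribute that carries the same definition
KEYWORDS = {"attributetype": "olcAttributeTypes", "objectclass": "olcObjectClasses"}
_HEAD = re.compile(r"^\s*(attributetype|objectclass)\s*\(", re.IGNORECASE | re.MULTILINE)


def parse_schema(text):
    """Return (olc attribute, definition) pairs in file order.
    Order is kept on purpose: slapd rejects an objectClass that references
    an attribute type it has not loaded yet."""
    # '#' only starts a comment at the beginning of a line in this format
    cleaned = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if re.search(r"^\s*objectidentifier\b", cleaned, re.IGNORECASE | re.MULTILINE):
        raise ValueError("objectidentifier macros are not expanded by this converter")
    out, pos = [], 0
    while True:
        m = _HEAD.search(cleaned, pos)
        if not m:
            break
        start = i = m.end() - 1  # index of the opening '('
        depth, in_quote = 0, False
        while i < len(cleaned):
            c = cleaned[i]
            if c == "'":
                in_quote = not in_quote  # parentheses inside DESC '...' are text
            elif not in_quote:
                if c == "(":
                    depth += 1
                elif c == ")":
                    depth -= 1
                    if depth == 0:
                        break
            i += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses in schema definition")
        body = " ".join(cleaned[start:i + 1].split())  # collapse continuation lines
        out.append((KEYWORDS[m.group(1).lower()], body))
        pos = i + 1
    return out


def to_config_ldif(text, name):
    """Wrap the definitions in an entry that ldapadd can load under
    cn=schema,cn=config.  slapd assigns the {N} ordering prefix itself on
    load, so the dn is written without it."""
    lines = [f"dn: cn={name},cn=schema,cn=config",
             "objectClass: olcSchemaConfig",
             f"cn: {name}"]
    lines += [f"{attr}: {body}" for attr, body in parse_schema(text)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # usage: python convert.py /path/to/some.schema > some.ldif
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    sys.stdout.write(to_config_ldif(src, "example"))
```

The output lines are long, but OpenLDAP's tools accept unfolded LDIF values, so no line wrapping is needed before feeding the result to ldapadd -Y EXTERNAL -H ldapi:///.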

This is a good stopping place.  Next article, the ISC DHCP server setup.