~:: kalyan ::~

DHCP with LDAP support

First of all, why would I want to store my DHCP configuration in a directory? LDAP support gives you better management and possibly a fallback. If you have a very small configuration and it never changes, you may not need to store it in a directory. If you need to manage many servers, then you would consider LDAP.

The patch is available here, based on ISC's dhcp-3.0.5.

Suppose you have a file-based DHCP server, the machine has gone down, and you want to bring up another DHCP server with the same configuration: that can be difficult. If the configuration is in the directory, and the directory tree is available as well, it is very much possible to bring up another DHCP server with the same configuration. The lease files are the problem: they are not stored in LDAP, only in files. If you want your lease file covered as well, you may have to go to a cluster setup.

This article will not explain how to install dhcp with this patch; that is explained very well in the ldap.README file.

Basically there are two important objects: dhcpServer and dhcpService. The dhcpServer object is the entry point for the DHCP server. A dhcpServer may link to one or more dhcpService objects; the DHCP server reads each of them and uses it.

Your /etc/dhcpd.conf will be replaced with something like:

ldap-server "";
ldap-port 389;
ldap-base-dn "o=novell";
ldap-dhcp-server-cn "ownserver";
ldap-method static;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";

You might have several questions.

  • If I apply the patch, is it still possible for me to go back to file mode and use it?
    Yes, it works perfectly for both. It reads the /etc/dhcpd.conf file. If it finds ldap-related attributes, it goes to the specified LDAP server for the configuration details; otherwise it reads the file as-is.
  • Can I only give an IP address to the ldap-server attribute?
    No, you can give an IP address (ldap-server ""), a host name (ldap-server "test-server") or the FQDN (ldap-server "test-server.example.com").
  • How do I authenticate to the LDAP server?
    There are two attributes (ldap-username "cn=dhcp-user,o=novell"; and ldap-password "secret";). You have to keep them in the dhcpd.conf file.
  • My credentials are in clear text; I can't afford that.
    No need: you can keep them in the CASA store. First the DHCP server looks for the micasa daemon; if the daemon is not running or the credentials are not available, it looks in the dhcpd.conf file for the credentials. CASA is not enabled by default; you have to enable the CASA_AUTH flag before compilation. See the site.conf file.
  • If I use CASA, how do I store my credentials in CASA?
    You can use the CASA manager to set this up. Your application name should be dhcp-ldap. Otherwise you can compile the script (yet to upload) (with ldl) and use it. I think I would better send the script to Brian and keep it in his patch itself. Will do it later.
  • What if I have data in another replica and my LDAP server can only return referrals?
    Referrals are supported, but the same credentials used for the first server will be used. Enable them by adding the attribute ldap-referrals {on|off} to the /etc/dhcpd.conf file.
  • What is the scope for creating all kinds of objects?
    You can create host, pool, subnet, class, subclass, sharednetwork, zone and TSIG key objects. If you want some special configuration, you can add it using dhcpStatements, which are simply read, parsed and used by the DHCP server.
  • Is failover supported?
    Not yet, but the schema is ready. You can configure it using dhcpStatements.
  • Is SSL supported?
    Yes, but it is not enabled by default. Before compilation you have to enable the USE_SSL flag; see the site.conf file. You enable it with ldap-ssl {on|off|start_tls|ldaps}. If you do not mention this attribute, the DHCP server will by default try to connect using TLS. There are a few more optional certificate-related attributes: ldap-tls-reqcert, ldap-tls-cafile, ldap-tls-ca-dir, ldap-tls-cert, ldap-tls-key, ldap-tls-crlcheck, ldap-tls-ciphers and ldap-tls-randfile. Refer to the ldap.conf man page for details.
  • Is fault tolerance supported?
    No: if the LDAP server is down, the DHCP server will not be able to come up. But there is a workaround. While starting, the DHCP server reads the configuration, converts it back to dhcpd.conf format and dumps it into the file specified by the ldap-debug-file attribute (e.g. ldap-debug-file "/var/log/dhcp-ldap-startup.log"). So the next time the LDAP server is down, you can run the DHCP server with dhcpd -cf /var/log/dhcp-ldap-startup.log.
  • What are the available attributes?
    In total, 18 attributes are supported.
    ldap-server <"hostname"|"fqdn"|"IP address">
    Host name or IP address of the LDAP server to contact for configuration.
    ldap-port <portno>
    Port number. If you do not mention a port number, 389 (LDAP) is taken by default.
    ldap-username <username with context (DN)>
    The user name should be specified with its full context (cn=dhcp-user,ou=group,o=company).
    ldap-password <"password">
    Password for the user to authenticate with.
    ldap-base-dn <"LDAP base DN">
    Your dhcp server object will be searched for from the given base DN through the whole subtree.
    ldap-dhcp-server-cn <"server object name">
    The name of the dhcpServer object.
    ldap-referrals <on|off>
    Whether to follow referrals or not.
    ldap-method <static|dynamic>
    If you specify static, all the objects are read at startup and the LDAP server is never contacted again. If you specify dynamic, the class and host objects are ignored at the beginning and are read whenever there is a request for them.
    ldap-debug-file <"filename with path">
    The DHCP server reads the configuration and dumps it into the specified file in the original dhcpd.conf format.
    ldap-ssl <off|on|start_tls|ldaps>
    off: Disable SSL.
    start_tls: Enable TLS using start_tls.
    ldaps: Try to initiate an SSL connection. The port needs to be the secure one (636).
    on: Enable SSL if the port is a secure one, or TLS otherwise.
    See the dhcpd.conf man page for the configuration below.
    ldap-tls-reqcert <never|try|allow|hard>
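As an added example (not part of the patch or of this article), the following Python script pulls the ldap-* directives out of a dhcpd.conf and flags the settings discussed above that weaken the connection to the directory: a clear-text ldap-password in the file, ldap-ssl off, an ldaps/port mismatch, and a permissive ldap-tls-reqcert. The host name, CA file path and both sample configurations are constructed.

```python
import re

# Added example, not part of the dhcp-ldap patch: audit the ldap-* directives that replace dhcpd.conf.
_DIRECTIVE = re.compile(r'^\s*(ldap-[a-z-]+)\s+(.*?)\s*;\s*$', re.MULTILINE)

def parse_ldap_directives(conf_text):
    """Map each ldap-* statement to its value; surrounding double quotes are stripped."""
    return {key: raw.strip().strip('"') for key, raw in _DIRECTIVE.findall(conf_text)}

def audit_ldap_config(conf_text):
    """Return findings about credential exposure and transport settings (empty list = clean)."""
    d = parse_ldap_directives(conf_text)
    findings = []
    for required in ("ldap-server", "ldap-base-dn", "ldap-dhcp-server-cn"):
        if not d.get(required):
            findings.append(f"missing or empty {required}")
    if "ldap-password" in d:
        findings.append("ldap-password kept in clear text in dhcpd.conf; prefer the CASA store")
    ssl = d.get("ldap-ssl")          # unset: the article says the server tries TLS by default
    port = d.get("ldap-port", "389")  # article: 389 is assumed when ldap-port is absent
    if ssl == "off":
        findings.append("ldap-ssl off: bind credentials and configuration cross the wire unencrypted")
    elif ssl == "ldaps" and port != "636":
        findings.append(f"ldap-ssl ldaps but ldap-port {port} (ldaps expects 636)")
    if d.get("ldap-tls-reqcert") in ("never", "allow"):
        findings.append("ldap-tls-reqcert accepts an unverified server certificate")
    return findings

# Constructed sample: the article's layout with credentials in the file and TLS switched off.
WEAK_CONF = """
ldap-server "ldap.example.test";
ldap-port 389;
ldap-base-dn "o=novell";
ldap-dhcp-server-cn "ownserver";
ldap-username "cn=dhcp-user,o=novell";
ldap-password "secret";
ldap-ssl off;
"""

# Constructed sample: credentials left to CASA, ldaps on 636 with the server certificate verified.
HARDENED_CONF = """
ldap-server "ldap.example.test";
ldap-port 636;
ldap-base-dn "o=novell";
ldap-dhcp-server-cn "ownserver";
ldap-ssl ldaps;
ldap-tls-reqcert hard;
ldap-tls-cafile "/etc/ssl/certs/internal-ca.pem";
ldap-method static;
"""
```

Running audit_ldap_config(WEAK_CONF) yields two findings (clear-text password, ldap-ssl off) while HARDENED_CONF yields none.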


  1. […] back. These three days of holiday making me bored and pushing forward to write it down. I think the article is good […]

    Pingback by Wrote something of DHCP with LDAP « ~:: kalyan ::~ — March 17, 2007 @ 6:16 pm

  2. Is it possible to create classes of LDAP groups so that LDAP groups can be given specific IP ranges from many subnets?


    Comment by mike — August 14, 2007 @ 2:22 pm

  3. Mike, I am sorry for the delayed response. Well, I am not sure what you mean by LDAP groups. I guess you are trying to give IPs from different subnets to different clients based on their id or MAC or whatever. Whatever is possible using dhcpd.conf is also possible with this ldap patch. If dhcpd-conf-to-ldif.pl does not convert to your requirement, copy your dhcpd.conf statements and add them as dhcpStatements to your objects, and that's it.

    Comment by skalyanasundaram — October 9, 2007 @ 11:22 am

  4. […] 9, 2007 The link for the project dhcp-ldap integration which I had mentioned in my previous page (http://home.ntelos.net/~masneyb/dhcp-3.0.5-ldap-patch) is temporarily not available due to […]

    Pingback by dhcp-ldap patch temporarily not available « ~:: kalyan ::~ — October 9, 2007 @ 11:48 am

  5. Hi,

    I'm French… sorry for my English…

    What about the patch for the new release of dhcpd?

    Thank you

    Comment by Sid — February 27, 2010 @ 6:23 pm

  6. Thanks for one's marvelous posting! I really enjoyed reading it, you may be a great author. I will remember to bookmark your blog and will eventually come back in the future. I want to encourage you to continue your great job, have a nice evening!

    Comment by haios — January 25, 2013 @ 4:24 am

  7. Hello

    I am trying to build a dual DHCP setup in LDAP, but I have a problem in that the DHCP daemon requires objects to be defined before they are used in any network. E.g. the entry "failover-spec" and the tsig key entry must be parsed before they can be used in any shared-network.
    How can I ensure that these records are placed into the .conf file before other statements?


    Comment by Klaus — October 23, 2013 @ 7:41 am

  8. Hi,
    How to define two LDAP servers with ldap-server?
    Thank you

    Comment by Marilyn — June 17, 2014 @ 2:21 pm

    • Hi, I was wondering the same thing: is it possible to have multiple ldap-server directives?
      Would the daemon try them in order, if the first fails, or something similar?

      Comment by canne74 — October 23, 2014 @ 7:52 am
