This article describes how to migrate DHCP data from OpenLDAP to eDirectory manually on SLES 9 or later, so that LDAP based applications keep working. SLES offers eDirectory as an alternative to OpenLDAP, but applications that already use LDAP on SLES would break unless the existing data is migrated from OpenLDAP to eDirectory.
- Migrating from OpenLDAP to eDirectory
- Ensuring that DHCP works properly with eDirectory
Topics: Migrating schema, data and applications from OpenLDAP to eDirectory
Audience: network administrators, consultants, integrators
Prerequisite Skills: Familiarity with LDAP, DHCP, SLES
Operating System: SLES 9 and above
Tools: yast2, ldapmodify, ice
SLES ships OpenLDAP as its default directory. The SLES offering from Novell also makes eDirectory available, so an administrator has the option of using eDirectory as the default directory instead. Because some SLES applications keep their configuration in an LDAP directory, the data already held in OpenLDAP then has to be migrated to eDirectory. Refer to the SLES documentation for eDirectory installation in the various scenarios. Once the data is migrated, minor configuration changes may be needed before the directory enabled SLES applications work with eDirectory.
Wherever there is a mention of “SLES Applications” or “targeted applications”, it refers to DHCP.
Scope of this document
This document covers the scenario where the OpenLDAP server holds data that needs to be migrated to eDirectory, so that LDAP based applications do not break as part of the upgrade to eDirectory/SLES.
Scenarios not covered in this scope
Scenarios where applications other than DHCP use LDAP, and the OpenLDAP schema has been extended for them, are not covered. This document does not address all the issues that arise in such cases, but it can serve as a set of broader guidelines for such a migration.
Migration from one directory to another usually involves two steps. First schema is migrated, and then the data conforming to that schema is migrated.
DHCP does not require LDAP; it can be configured not to use LDAP at all. The schema step is therefore needed only when the OpenLDAP schema has been extended for DHCP.
The OpenLDAP schema is extended when an application is configured for the first time to use LDAP. The extension is not reverted if the application's configuration later changes from "Use LDAP" to "Do not use LDAP".
Of the several ways to do the full migration, this document extends the eDirectory schema with the DHCP schema.
For this approach to work, eDirectory should be running.
The default LDAP configuration for eDirectory includes "Require TLS for Simple Binds with Password=yes". For the following commands to succeed over a plain (non-TLS) connection, this setting has to be changed to "no" temporarily. While it is "no", the admin password of a simple bind crosses the network in cleartext, so do this on a trusted network only and set it back to "yes" with the same command as soon as the schema import and validation are done. Alternatively, leave the setting at "yes" and let ice connect over SSL using the server's trusted root certificate (the -L option of ice below). The setting is changed with:
ldapconfig -w <password> -a <admin fdn in eDirectory format> -s "Require TLS for Simple Binds with Password=<yes/no>"
ldapconfig -w secret -a admin.acme -s "Require TLS for Simple Binds with Password=no"
Passwords passed with -w on the command line are visible in the shell history and in the process list while the command runs.
Extending eDirectory schema with DHCP schema
To extend the eDirectory schema with the DHCP schema, that is, to create object classes such as dhcpServer and dhcpOptions and the attributes DHCP needs such as dhcpOption and dhcpPrimaryDN, import the DHCP schema from its LDIF file with the following command:
ice -v -e <name of ldif file for errors> -S LDIF -f <the DHCP nds schema file> -c -D LDAP -p <destination ldap port> -d <fdn of admin for destination in LDAP format> -w <password> -L <the trusted root certificate of the eDirectory server>
ice -v -e errorlog.ldif -S LDIF -f DHCP-nds.ldif -c -D LDAP -p 389 -d cn=admin,dc=acme -w secret
Check the error file named with -e after the import; an empty file means every schema definition was accepted. Once the import completes without errors, validate DHCP against OpenLDAP first.
Validating DHCP against OpenLDAP
Before stopping OpenLDAP and configuring DHCP for eDirectory, it is recommended to test DHCP against OpenLDAP. This may need some generic configuration changes and some application specific ones. This section describes the generic modifications to the LDAP client.
Ensure that the machine running the DHCP server has a static IP address. This can be confirmed under "Network Card" in the "Network Devices" section of YaST. Also keep in mind that for this test only one DHCP server should be running on the LAN at a time.
The /etc/dhcpd.conf file has to be configured to make DHCP connect to LDAP (here OpenLDAP). Remember that DHCP does not use LDAP by default.
This is done by setting options such as ldap-server, ldap-port, ldap-username, ldap-password and ldap-base-dn.
A sample /etc/dhcpd.conf for such a DHCP server can look like:
ldap-server "myHost";
ldap-port 389;
ldap-username "cn=admin,dc=acme";
ldap-password "secret";
ldap-base-dn "dc=acme";
Since this file holds the bind password in cleartext, make it readable only by root and the user dhcpd runs as. Binding as the directory admin is convenient for the test; for production, use a dedicated account that has read access to the DHCP entries only.
Now a few objects with specific attributes have to be created in the OpenLDAP server, namely dhcpservice and myHost under the root, where myHost is the name of the DHCP server. They can be added with the ldapmodify tool as follows:
ldapmodify -f <the ldif file containing the entries to be added> -D <fdn of admin for destination in LDAP format> -w <password> -a
ldapmodify -f addentries.ldif -D "cn=admin,dc=acme" -w secret -a
where the addentries.ldif file may contain the following (fill in the placeholders in angle brackets; all DNs must share the same base, dc=acme here, the subnet entry sits under the service entry, and dhcpPrimaryDN and dhcpServiceDN must point at each other's entries):
dn: cn=dhcpservice,dc=acme
cn: dhcpservice
objectClass: top
objectClass: dhcpService
objectClass: dhcpOptions
# Specify the DNS IP
dhcpOption: domain-name-servers <some DNS ip>
dhcpStatements: ddns-update-style none
dhcpStatements: authoritative
dhcpPrimaryDN: cn=<myHost>,dc=acme

dn: cn=<myHost>,dc=acme
cn: <myHost>
objectClass: top
objectClass: dhcpServer
dhcpServiceDN: cn=dhcpservice,dc=acme

dn: cn=<some subnet ip>,cn=dhcpservice,dc=acme
# cn is the subnet's network address; dhcpNetMask is the prefix length in bits
cn: <some subnet ip>
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
# Specify the range of IP addresses the DHCP clients can receive
dhcpRange: <some start ip> <some end ip>
dhcpStatements: default-lease-time 10
dhcpStatements: max-lease-time 50
dhcpStatements: authoritative
dhcpOption: domain-name "test.com"
Once this is done, start the DHCP server by starting the daemon ‘dhcpd’ as
which should start without any error.
Now the clients on the LAN where the DHCP server is placed can acquire IP addresses from this server (the addresses issued will be within the range specified in the ldif file). Note that DHCP clients acquire an address only if they are not configured with a static IP address.
The following sections describe how to ensure that DHCP, which was using OpenLDAP before the migration, continues to work with eDirectory.
The steps are more or less the same as those done with OpenLDAP.
Confirm that eDirectory has been extended with the DHCP schema by reading the subschema entry:
ldapsearch -x -h <the host name> -D <fdn of admin for destination in LDAP format> -w <password> -p <port number> -b cn=schema -s base
ldapsearch -x -h myHost -D cn=admin,dc=acme -w secret -p 389 -b cn=schema -s base
The output should contain the DHCP specific objectClasses and attributeTypes (dhcpService, dhcpServer, dhcpSubnet, dhcpOption, dhcpPrimaryDN and so on). If it does not, the ice import did not succeed and the error file named with -e should be inspected.
Now repeat the procedure that was followed earlier in this document with OpenLDAP.
- Start the eDirectory server using the command
- Configure /etc/dhcpd.conf properly by setting options such as ldap-server, ldap-port, ldap-username, ldap-password and ldap-base-dn, this time pointing at the eDirectory server.
- Add the objects, namely dhcpservice and myHost under the root with the attributes specified in the previous section, using the ldapmodify tool.
The same sample ldif file used above can be used here.
- Start the DHCP server by starting the daemon ‘dhcpd’ as
which should start without any error.
Now the clients on the LAN where the DHCP server is placed can acquire IP addresses from this server (the addresses issued will be within the range specified in the ldif file).
Test DHCP connectivity
This can be tested from any DHCP client on the same network as the DHCP server.
Restart the network on the DHCP client and check its IP address. The address acquired from the DHCP server will be within the range specified in the ldif file above.
In this way DHCP can be migrated from OpenLDAP to eDirectory manually without breaking the LDAP based application. SLES offers eDirectory as an alternative to OpenLDAP, but applications like DHCP that use LDAP on SLES would break unless the existing data is migrated from OpenLDAP to eDirectory, which is what this document has described.
- iManager Help – http://www.novell.com/documentation/imanager25/index.html?page=/documentation/imanager25/imanager_admin_25/data/bu04qdu.html
- LDAP Tools Help – http://developer.novell.com/documentation/cldap/index.html?page=/documentation/cldap/ltoolenu/data/hevgtl7k.html
- DHCP Help – http://support.novell.com/techcenter/articles/ana19981101.html