SUSE Conversations


DHCP – Manual Migration From OpenLDAP to eDirectory on SLES



By: palaniappan1

August 18, 2009 3:36 pm


This article describes how to migrate DHCP from OpenLDAP to eDirectory manually on SLES 9 or above, so that LDAP-based applications do not break. SLES offers eDirectory as an alternative to OpenLDAP, but applications already using LDAP on SLES would break unless the existing data is migrated from OpenLDAP to eDirectory.

Contents:

Topics: Migrating schema, data and applications from OpenLDAP to eDirectory
Audience: network administrators, consultants, integrators
Level: intermediate
Prerequisite Skills: Familiarity with LDAP, DHCP, SLES
Operating System: SLES 9 and above
Tools: yast2, ldapmodify, ice
Sample Code: no

Introduction

SLES ships OpenLDAP as the default directory. Novell's SLES offering also makes eDirectory available to customers, so an administrator has the option of using eDirectory as the default directory. Since some SLES applications can use an LDAP directory, the existing data in OpenLDAP needs to be migrated to eDirectory. Refer to the existing SLES documentation for eDirectory installation in the various scenarios. Once the data is migrated to eDirectory, minor configuration changes might be needed to make the directory-enabled SLES applications work with eDirectory.

Wherever there is a mention of “SLES Applications” or “targeted applications”, it refers to DHCP.

Scope of this document

This document covers the scenario where the OpenLDAP server holds data that needs to be migrated to eDirectory. The migration is needed to prevent breakage of LDAP-based applications as part of an upgrade to eDirectory/SLES.

Scenarios not covered in this scope

Scenarios in which applications other than DHCP are installed that use LDAP, and for which the OpenLDAP schema has been extended, are not covered by this document. Although not every issue arising in such scenarios is addressed here, this document can serve as a set of broader guidelines for such a migration.

Migrating from OpenLDAP to eDirectory

Migration from one directory to another usually involves two steps. First schema is migrated, and then the data conforming to that schema is migrated.

DHCP does not require LDAP; it can be configured not to use LDAP at all. Hence, this step is performed only when the OpenLDAP schema has been extended for DHCP.

The OpenLDAP schema gets extended when an application is configured for the first time to use LDAP. This extension is not reverted if the configuration for the application later changes from “Use LDAP” to “Do not use LDAP”.

Though there are multiple options to do the full migration, we do this by extending the eDirectory schema with DHCP schema.

For this approach to work, eDirectory should be running.

The default LDAP configuration for eDirectory has “Require TLS for Simple Binds with Password” set to yes. The following commands use a simple bind with a password, so this setting needs to be changed to “no” temporarily. Once the migration is complete, set it back to “yes” with the same command, because while it is disabled the admin password crosses the network in cleartext. It can be changed using the following command:

ldapconfig -w <password> -a <admin fdn in eDirectory format> -s "Require TLS for Simple Binds with Password=<yes/no>"

Example:

ldapconfig -w secret -a admin.acme -s "Require TLS for Simple Binds with Password=no"

Extending eDirectory schema with DHCP schema

To extend the eDirectory schema with the DHCP schema, creating object classes such as dhcpServer and dhcpOptions and the attributes DHCP needs such as dhcpOption and dhcpPrimaryDN, import the DHCP schema from the LDIF file by executing the following command:

ice -v -e <name of ldif file for errors> -S LDIF -f <the DHCP nds schema file> -c -D LDAP -p <destination ldap port> -d <fdn of admin for destination in LDAP format> -w <password> -L <the trusted root certificate of the eDirectory server>

Example:

ice -v -e errorlog.ldif -S LDIF -f DHCP-nds.ldif -c -D LDAP -p 389 -d cn=admin,dc=acme -w secret

Once the import completes without errors, validate DHCP against OpenLDAP itself before switching to eDirectory.

Validating DHCP against OpenLDAP

Before stopping OpenLDAP and configuring with eDirectory, it is recommended to test DHCP against OpenLDAP. For this purpose there might be a need for some generic configuration changes and some application specific ones. This section describes the generic modifications in LDAP Client.

Ensure that the machine running the DHCP server has a static IP address. This can be confirmed by checking the “Network Card” entry under the “Network Devices” option of YaST. Note also that only one DHCP server may be running at a time in a LAN.

The /etc/dhcpd.conf file has to be configured to make DHCP connect through LDAP (OpenLDAP). Remember that, by default, DHCP does not use LDAP.

This is done by setting options such as ldap-port, ldap-username, ldap-password, ldap-base-dn and ldap-server.

A sample /etc/dhcpd.conf file for a DHCP server can look like:

ldap-port 389;
ldap-username "cn=admin,dc=acme";
ldap-password secret;
ldap-base-dn "dc=acme";
ldap-server "myHost";

Now a few objects with specific attributes have to be created in the OpenLDAP server, namely dhcpservice and myHost under the root, where myHost is the name of the server. They can be added using the ldapmodify tool as follows (-x selects a simple bind, as with ldapsearch later in this document):

ldapmodify -x -f <the ldif file containing the entries to be added> -D <fdn of admin for destination in LDAP format> -w <password> -a

Example:

ldapmodify -x -f addentries.ldif -D "cn=admin,dc=acme" -w secret -a

Where the addentries.ldif file may contain:

dn: cn=dhcpservice,dc=acme
cn: dhcpservice
objectClass: top
objectClass: dhcpService
objectClass: dhcpOptions
# Specify the DNS server IP
dhcpOption: domain-name-servers <some DNS ip>
dhcpStatements: ddns-update-style none
dhcpStatements: authoritative
dhcpPrimaryDN: cn=<myHost>,dc=acme

dn: cn=<myHost>,dc=acme
cn: <myHost>
objectClass: top
objectClass: dhcpServer
# Must match the dn of the dhcpService entry above
dhcpServiceDN: cn=dhcpservice,dc=acme

# cn is the subnet's network address; dhcpNetMask is its prefix length
dn: cn=<some subnet ip>,cn=dhcpservice,dc=acme
cn: <some subnet ip>
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
# Range of IP addresses that can be leased to DHCP clients
dhcpRange: <some start ip> <some end ip>
dhcpStatements: default-lease-time 10
dhcpStatements: max-lease-time 50
dhcpStatements: authoritative
dhcpOption: domain-name "test.com"
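An added pre-flight check (example code, not part of the original article) that parses an addentries.ldif of the shape shown above and reports, before the file is handed to ldapmodify, any dhcpPrimaryDN/dhcpServiceDN reference that does not resolve to an entry in the same file (for instance a dhcpServiceDN written under a different base DN), a dhcpSubnet whose parent dhcpService entry is missing, and a dhcpRange that falls outside the subnet given by cn/dhcpNetMask. The sample LDIF and the host name dhcp1 are constructed for the example.

```python
import ipaddress
import re
def norm(dn):  # canonical DN form: no blanks around commas, lower case
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF parser (no line folding or base64): {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip(), []).append(value.strip())
        entries[norm(attrs.pop("dn")[0])] = attrs
    return entries

def check_dhcp_ldif(text):
    """Return problems found; [] means references resolve and ranges fit their subnets."""
    entries, problems = parse_ldif(text), []
    for dn, a in entries.items():
        for ref_attr in ("dhcpPrimaryDN", "dhcpServiceDN"):  # service<->server links
            for ref in a.get(ref_attr, []):
                if norm(ref) not in entries:
                    problems.append(f"{dn}: {ref_attr} -> missing entry {ref}")
        if "dhcpsubnet" in {c.lower() for c in a.get("objectClass", [])}:
            parent = dn.split(",", 1)[1]  # a subnet entry lives under its dhcpService
            if parent not in entries:
                problems.append(f"{dn}: parent entry {parent} is missing")
            net = ipaddress.ip_network(f"{a['cn'][0]}/{a['dhcpNetMask'][0]}", strict=False)
            for rng in a.get("dhcpRange", []):  # "start end" must lie inside cn/dhcpNetMask
                lo, hi = (ipaddress.ip_address(x) for x in rng.split())
                if lo not in net or hi not in net or lo > hi:
                    problems.append(f"{dn}: dhcpRange {rng} outside {net}")
    return problems

SAMPLE_LDIF = """dn: cn=dhcpservice,dc=acme
objectClass: dhcpService
dhcpPrimaryDN: cn=dhcp1,dc=acme

dn: cn=dhcp1,dc=acme
objectClass: dhcpServer
dhcpServiceDN: cn=dhcpservice,dc=acme

dn: cn=192.168.10.0,cn=dhcpservice,dc=acme
cn: 192.168.10.0
objectClass: dhcpSubnet
dhcpNetMask: 24
dhcpRange: 192.168.10.100 192.168.10.200
"""  # constructed sample mirroring the article's addentries.ldif, host name dhcp1 assumed
```

Run check_dhcp_ldif on the real file's contents before ldapmodify; an empty list means every cross-reference and range is consistent.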

Once this is done, start the DHCP server by starting the daemon ‘dhcpd’ as

/etc/init.d/dhcpd start

which should start without any error.

Now the clients connected to the LAN where the DHCP server is placed can acquire an IP address from this server (the IP issued will be within the range specified in the ldif file). Note that DHCP clients acquire an IP only if they do not have static IP addresses.

In the following sections we describe how to ensure that DHCP that was using OpenLDAP before migration, continues to work with eDirectory.

Ensuring that DHCP works properly with eDirectory

In this section we do more or less the same as we did with OpenLDAP.

Confirm that eDirectory has been extended with the DHCP schema, which can be verified by running the query:

ldapsearch -x -h <the host name> -D <fdn of admin for destination in LDAP format> -w <password> -p <port number> -b cn=schema -s base

Example:

ldapsearch -x -h  myHost -D cn=admin,dc=acme -w secret -p 389 -b cn=schema -s base

The output will contain the DHCP specific objectclasses and attributetypes.

Now do exactly the same procedures which had been done earlier in this document with OpenLDAP.

  1. Start the eDirectory server using the command
     /etc/init.d/ndsd start
  2. Configure /etc/dhcpd.conf properly by setting options such as ldap-port, ldap-username, ldap-password, ldap-base-dn and ldap-server.
  3. Add the objects dhcpservice and myHost under the root, with the attributes specified in the previous section, using the ldapmodify tool.

     The same sample ldif file used above can be used here.
  4. Start the DHCP server by starting the daemon ‘dhcpd’ as
     /etc/init.d/dhcpd start

     which should start without any error.

Now the clients connected to the LAN where the DHCP server is placed can acquire an IP address from this server (the IP issued will be within the range specified in the ldif file).

Test DHCP connectivity

This can be tested from any DHCP client connected to the same network as the DHCP server.

Restart the network on the DHCP client and check its IP address. The address acquired from the DHCP server will be within the range specified in the ldif file above.

Conclusion

In this way DHCP can be migrated from OpenLDAP to eDirectory manually, making sure that LDAP-based applications do not break. Although SLES offers eDirectory as an alternative to OpenLDAP, applications like DHCP that use LDAP on SLES would break unless the existing data is migrated from OpenLDAP to eDirectory. This document covers that case.
