DHCP failover with LDAP support

Making important services as redundant as possible is always a good idea. Providing a fail-over and load-balancing setup for DHCP when most of your DHCP configuration is stored in an LDAP database is a bit tricky, but once you know how it works it is easy again…

As I need to learn LDAP for my LPI-3 exam, I think this is also a good learning example, but I did not manage it without some workarounds yet.

I started with YaST, set up the LDAP server and used the YaST2 dhcp-server module to configure the DHCP server. As a result, the dhcpd.conf file on the master server already gets the needed data from LDAP. It looks like this:

ldap-debug-file "/var/log/dhcp-ldap-startup.log";
ldap-port 389;
ldap-base-dn "ou=DHCP,dc=example,dc=com";
ldap-method static;
ldap-server "localhost";

Normally, it should of course be possible to store all needed additional values in the LDAP tree, too, but I did not manage this yet, and therefore kept the failover settings in my /etc/dhcpd.conf as additional config options (please have a look at the dhcpd.conf manpage) until I have learned more about LDAP. Having the failover settings in dhcpd.conf for now also makes it easier to adapt the options during testing. So I added the following lines (for the designated primary server) below the lines listed above:

failover peer "dhcp-failover" {
  primary;
  address 192.168.1.9;
  port 647;
  peer address 192.168.1.7;
  peer port 647;
  max-response-delay 30;
  max-unacked-updates 10;
  load balance max seconds 3;
  mclt 1800;
  split 128;
}

As you can see, the primary DHCP server has the IP 192.168.1.9 and the secondary will have 192.168.1.7. The ports are the same on both servers; using different ports is not needed, so take the opportunity to keep both configs as similar as possible.

Update: you can also set the failover definition directly via YaST. For this, open the YaST dhcp-server module and open the “Global Options” declaration by clicking on the “Edit” button. There, click on the “Add” button and insert a new “Selected Option” by removing the default “allow” and typing “failover” (without the double quotes) into the field instead. After clicking on “OK”, you need to enter the rest of the definition above on one line, which looks like this:

peer "dhcp-failover" { primary;
 address 192.168.1.9;
 port 647;
 peer address 192.168.1.7;
 peer port 647;
 max-response-delay 30;
 max-unacked-updates 10;
 load balance max seconds 3;
 mclt 1800;
 split 128; }

Before the settings take effect, please make sure you have a pool definition containing the dhcp-failover option in your configuration (otherwise the server will not start any more). I did the first pool definition via YaST by simply adding a new option called “failover” with the value

peer "dhcp-failover"

inside the pool definition.

If you like, you can also use an LDIF file to import the needed statement manually on the command line. The simplest way to find out where to place the statement is to create an LDAP dump via slapcat.

Here I searched for the pool definition and used the DN there as the base for a small add_dhcp-failover.ldif file:

dn: cn=anonymous,cn=192.168.1.0,cn=config1,cn=master,ou=DHCP,dc=testpool,dc=example,dc=com
changetype: modify
add: dhcpStatements
dhcpStatements: failover peer "dhcp-failover"

But please note that this LDIF is not needed if you have already added the statement via YaST.
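An added example (not from the original post) that automates the slapcat step above: it parses a constructed slapcat excerpt, finds every dhcpPool entry and emits the "changetype: modify" record only for pools that do not yet carry the failover statement, so re-running it never adds a duplicate value. The objectClass name dhcpPool comes from the ISC dhcp LDAP schema; the DN and attribute values in the sample are taken from the post.

```python
# Constructed slapcat excerpt: the subnet and pool from the post's DN, before the failover statement exists.
SLAPCAT_DUMP = """dn: cn=192.168.1.0,cn=config1,cn=master,ou=DHCP,dc=testpool,dc=example,dc=com
objectClass: dhcpSubnet
cn: 192.168.1.0
dhcpNetMask: 24

dn: cn=anonymous,cn=192.168.1.0,cn=config1,cn=master,ou=DHCP,dc=testpool,dc=example,dc=com
objectClass: dhcpPool
cn: anonymous
dhcpRange: 192.168.1.100 192.168.1.200
dhcpStatements: deny unknown-clients
"""

def parse_ldif_entries(text):
    """Split LDIF text into a list of (dn, {attr: [values]}); folded lines (leading space) are joined."""
    entries, current = [], None
    lines = text.replace("\n ", "").splitlines()  # undo slapcat's line folding
    for line in lines + [""]:
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()  # the "::" base64 form is not needed for these entries
        if attr == "dn":
            current = (value, {})
        elif current:
            current[1].setdefault(attr, []).append(value)
    return entries

def failover_ldif(dump, peer_name):
    """Emit one 'changetype: modify' record per dhcpPool that does not yet carry the failover statement."""
    statement = 'failover peer "%s"' % peer_name
    records = []
    for dn, attrs in parse_ldif_entries(dump):
        if "dhcpPool" not in attrs.get("objectClass", []):
            continue
        if statement in attrs.get("dhcpStatements", []):
            continue  # idempotent: an existing statement is never added twice
        records.append("dn: %s\nchangetype: modify\nadd: dhcpStatements\ndhcpStatements: %s\n" % (dn, statement))
    return "\n".join(records)
```

Feed the output to ldapmodify exactly as the hand-written file above; an empty result means every pool already has the statement.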

As the master LDAP server here runs on the local machine, I used the simple bind method to add the statement to the LDAP server via the command line:
ldapmodify -W -D cn=Administrator,dc=example,dc=com -f add_dhcp-failover.ldif

After entering the admin password, the new statement is in the LDAP tree. The next command activates DHCP failover on the master server:
rcdhcpd restart

The only thing left is the configuration on the slave DHCP server. Here is my /etc/dhcpd.conf for this machine:

ldap-debug-file "/var/log/dhcp-ldap-startup.log";
ldap-port 389;
ldap-base-dn "ou=DHCP,dc=build,dc=opensuse,dc=org";
ldap-method static;
ldap-server "192.168.1.9";
ldap-dhcp-server-cn "master";

failover peer "dhcp-failover" {
  secondary;
  address 192.168.1.7;
  port 647;
  peer address 192.168.1.9;
  peer port 647;
  max-response-delay 30;
  max-unacked-updates 10;
  load balance max seconds 3;
  mclt 1800;
}

Please note: as I have NO separate definitions inside the LDAP database for the “master” and the “slave” DHCP server at the moment, I need to add the cn entry of the master to the slave's dhcpd.conf via the line ldap-dhcp-server-cn "master";. Otherwise the DHCP server would not start, as there is no LDAP subtree like cn=config1,cn=slave,ou=DHCP,dc=testpool,dc=example,dc=com.
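A cross-check of the two dhcpd.conf failover blocks above, as an added example that is not part of the original post: it parses the failover peer block from each server's config, confirms that address/peer address and port/peer port are mirrored, that mclt matches and that split stays on the primary, and flags a slave that binds to a remote LDAP server without ldap-ssl. The sample configs are constructed from the post, and the ldap-ssl check assumes a dhcpd build that understands that statement.

```python
import re

# Constructed sample input: the post's two failover blocks (trimmed) plus each server's ldap-server line.
PRIMARY_CONF = """ldap-server "localhost";
failover peer "dhcp-failover" { primary; address 192.168.1.9; port 647;
  peer address 192.168.1.7; peer port 647; mclt 1800; split 128; }"""
SECONDARY_CONF = """ldap-server "192.168.1.9";
failover peer "dhcp-failover" { secondary; address 192.168.1.7; port 647;
  peer address 192.168.1.9; peer port 647; mclt 1800; }"""

def parse_failover(conf):
    """Return (peer name, {statement: value}) for the first failover peer block."""
    m = re.search(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', conf, re.S)
    if not m:
        return None, {}
    stmts = {}
    for parts in (stmt.split() for stmt in m.group(2).split(";")):
        if not parts:
            continue
        # "peer address 192.168.1.7" -> key "peer address"; bare "primary" -> True
        key, val = (" ".join(parts[:-1]), parts[-1]) if len(parts) > 1 else (parts[0], True)
        stmts[key] = val
    return m.group(1), stmts

def check_pair(primary_conf, secondary_conf):
    """List every way the two failover blocks fail to mirror each other."""
    pname, p = parse_failover(primary_conf)
    sname, s = parse_failover(secondary_conf)
    problems = []
    if pname is None or pname != sname:
        problems.append("failover peer block missing or names differ")
    if "primary" not in p or "secondary" not in s:
        problems.append("role statements missing or swapped")
    if p.get("address") != s.get("peer address") or s.get("address") != p.get("peer address"):
        problems.append("address / peer address are not mirrored")
    if p.get("port") != s.get("peer port") or s.get("port") != p.get("peer port"):
        problems.append("port / peer port are not mirrored")
    if p.get("mclt") != s.get("mclt"):
        problems.append("mclt must be identical on both peers")
    if "split" in s or "hba" in s:
        problems.append("split/hba belong only on the primary")
    return problems

def check_ldap_transport(conf):
    """Flag a remote LDAP server reached over a plain bind (assumes dhcpd knows ldap-ssl)."""
    m = re.search(r'ldap-server\s+"([^"]+)"', conf)
    if m and m.group(1) not in ("localhost", "127.0.0.1") and \
            not re.search(r'ldap-ssl\s+(ldaps|start_tls|on)\s*;', conf):
        return ["ldap-server %s is reached without ldap-ssl" % m.group(1)]
    return []
```

Run check_pair on the real primary and slave files before each rcdhcpd restart; an empty list for both checks means the pair is consistent.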

Once I have learned more about LDAP, I hope to get all the values stored in the LDAP tree correctly, so that none of the workarounds above are needed. But until then, the above setup works for me.

Please note: the file /var/log/dhcp-ldap-startup.log contains the configuration of the DHCP server after a successful start. Errors are logged to /var/log/messages and /var/log/rc.dhcpd.log instead.


About lvogdt

This is the private blog space of Lars Vogdt, the topics will be in first place work related.
This entry was posted in network, openSUSE, SUSE Linux Enterprise.
