ISC DHCP with ldap in AD?

Gémes Géza geza at kzsdabas.hu
Tue Mar 12 12:41:48 MDT 2013


Hi,
> On 12/03/13 15:33, Alexis wrote:
>> Hello,
>>
>> Here some reports on what I have done:
>>
>> I converted the dhcp.schema to dhcp.ldif using the script here:
>> http://stuckinadoloop.wordpress.com/2011/04/14/script-to-convert-openldap-schema-files-to-ldif-format/
>>
>>
>> It gave me a dhcp.ldif file which I can inject
>> (after a small edit to add the base DC):
>> ldbmodify -H CN\=CONFIGURATION\,DC\=x.ldb dhcp.ldif --option "dsdb:schema update allowed"=true
>
> The ldif you got is an OpenLDAP ldif, not a Samba4 ldif. If you are 
> trying to convert an OpenLDAP schema to a Samba4 ldif, you need to use 
> oLschema2ldif.
> What you are trying to do has been tried; there is quite a series of 
> postings about it, if you care to search the mailing list archives. 
> From what I can remember it failed due to attributes clashing, same 
> names or something similar.
>
> Rowland
>
>> after that I can retrieve the entry like that:
>> ldbsearch -H CN\=CONFIGURATION\,DC\=x.ldb cn=dhcp
>>
>> But I can't add a dhcp entry:
>> ldbmodify -H /usr/local/samba/private/sam.ldb /root/dhcptest.ldif
>> gives me
>> ERR: (No such attribute) "objectclass dhcpService is not a valid objectClass in schema"
>>
>> or if I try in this ldb file:
>> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=x.ldb /root/dhcptest.ldif
>> I lose access to my AD and Samba outputs this message until I remove those
>> entries:
>> ldb: acl_read: cannot get descriptor of ou=dhcp,dc=x
>>
>>
>> I don't know what to do from here.
>>
>> I attach the dhcp.ldif file, and here is the small LDAP entry test:
>>
>> dn: ou=dhcp,dc=x
>> changetype: add
>> objectClass: organizationalUnit
>> ou: dhcp
>>
>> dn: cn=dhcpserveur,ou=dhcp,dc=x
>> changetype: add
>> objectClass: top
>> objectClass: dhcpService
>> cn: dhcpserveur
>>
>
As someone who has tried it in the past, I can tell you that converting 
the schema is the easy part. The problem is that the schema used by ISC 
DHCPD conflicts with the AD schema, so if you forcibly load it you can 
end up with a destroyed domain. In the past (during the alphas) I had a test 
domain where I was able to run ISC DHCPD (after loading its schema) by 
renaming two attributes in the default AD schema, but that is highly 
hackish. That renaming was allowed against a Samba AD DC (at an alpha 
version at least) but not with a Win2k8 server, where it complained 
about it being a basic schema object, whose rename is impossible.
I've decided to postpone the integration of our ISC DHCP database into 
AD for now:
1. Short term: use OpenLDAP
2. Long term: rename all the dhcp... attributes and objectClasses to 
isc-dhcp... and load that schema into AD, then patch isc-dhcpd to run with 
the modified schema (at least if you specify ldap-type=ad in the config 
file)

Regards

Geza Gemes
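A way to look for the name clash that Rowland and Géza describe before loading anything, and to try out Géza's long-term plan of renaming the dhcp... names to isc-dhcp..., as an added example that is not part of this thread and not code from Samba or ISC DHCP: a small Python script that parses OpenLDAP-style attributetype/objectclass definitions, compares the names they define (case-insensitively, as LDAP does) against names already present in the target schema, and rewrites the schema with the new prefix. The schema excerpt, its OIDs and the set of existing AD names are all constructed for the demonstration; in a real run the existing names would come from a dump of the schema partition.

```python
import re
from typing import Iterable, List

# Constructed excerpt in the style of ISC's dhcp.schema, trimmed for the example.
# The OIDs are placeholders, not the real ones.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'dhcpPrimaryDC'
    DESC 'DN of the primary dhcpServer for this configuration'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'dhcpRange'
    DESC 'address range handed out by a subnet'
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'dhcpStatements'
    DESC 'free-form dhcpd.conf statements'
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'dhcpService' SUP top STRUCTURAL
    DESC 'service object that anchors a DHCP configuration'
    MUST ( cn ) MAY ( dhcpPrimaryDC $ dhcpStatements ) )

objectclass ( 1.3.6.1.4.1.99999.2.2 NAME 'dhcpSubnet' SUP top STRUCTURAL
    MUST ( cn ) MAY ( dhcpRange $ dhcpStatements ) )
"""

# Constructed stand-in for the names already defined in the target AD schema.
# In a real run this set is filled from a dump of the schema partition.
EXISTING_AD_NAMES = {"cn", "top", "organizationalUnit", "dhcpRange"}

# Matches NAME 'single' as well as NAME ( 'alias1' 'alias2' ).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))", re.IGNORECASE)


def _records(text: str) -> List[str]:
    """Join each definition with its indented continuation lines into one string."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    return records


def parse_schema(text: str) -> List[dict]:
    """Return one dict per attributetype/objectclass with its kind, NAME(s) and text."""
    defs: List[dict] = []
    for rec in _records(text):
        kind = rec.split(None, 1)[0].lower()
        if kind not in ("attributetype", "objectclass"):
            continue
        match = _NAME_RE.search(rec)
        if not match:
            continue
        names = [match.group(1)] if match.group(1) else re.findall(r"'([^']+)'", match.group(2))
        defs.append({"kind": kind, "names": names, "text": rec})
    return defs


def defined_names(text: str) -> List[str]:
    """Every attribute and objectClass name the schema text defines, in file order."""
    return [n for d in parse_schema(text) for n in d["names"]]


def find_clashes(text: str, existing_names: Iterable[str]) -> List[str]:
    """Names defined in `text` that already exist in the target schema.
    LDAP attribute and class names are case-insensitive, so compare lowercased."""
    existing = {n.lower() for n in existing_names}
    return [n for n in defined_names(text) if n.lower() in existing]


def rename_with_prefix(text: str, old_prefix: str = "dhcp", new_prefix: str = "isc-dhcp") -> str:
    """Rewrite every defined name starting with old_prefix so it starts with new_prefix,
    wherever it is referenced (NAME, MUST, MAY, SUP, ...). A single alternation in one
    pass means no name is prefixed twice; longest names first keeps the match unambiguous."""
    names = [n for n in defined_names(text) if n.lower().startswith(old_prefix.lower())]
    if not names:
        return text
    mapping = {n.lower(): new_prefix + n[len(old_prefix):] for n in names}
    alternation = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    pattern = re.compile(r"\b(" + alternation + r")\b", re.IGNORECASE)
    return pattern.sub(lambda m: mapping[m.group(1).lower()], text)


if __name__ == "__main__":
    print("clashes before rename:", find_clashes(SAMPLE_SCHEMA, EXISTING_AD_NAMES))
    renamed = rename_with_prefix(SAMPLE_SCHEMA)
    print("clashes after rename:", find_clashes(renamed, EXISTING_AD_NAMES))
    print(renamed)
```

The set of existing names is the part to get right: dump it from the real schema partition rather than typing it in (my assumption about the query, not something from the thread: an ldbsearch with -b pointing at CN=Schema,CN=Configuration,DC=x and lDAPDisplayName as the requested attribute). The check only catches identical names; it says nothing about OID collisions or about two definitions that differ under the same name, so even a clean result is a reason to try the load on a throwaway copy of the domain, as Géza did, not on the production DC.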
