ISC DHCP with ldap in AD?
Gémes Géza
geza at kzsdabas.hu
Tue Mar 12 12:41:48 MDT 2013
Hi,
> On 12/03/13 15:33, Alexis wrote:
>> Hello,
>>
>> Here some reports on what I have done:
>>
>> I converted the dhcp.schema to dhcp.ldiff using the script here:
>> http://stuckinadoloop.wordpress.com/2011/04/14/script-to-convert-openldap-schema-files-to-ldif-format/
>>
>>
>> It gave me a dhcp.ldif file which I can inject
>> (after a small edit to add the base DC):
>> ldbmodify -H CN\=CONFIGURATION\,DC\=x.ldb dhcp.ldif --option "dsdb:schema update allowed"=true
>
> The ldif you got is an OpenLDAP ldif, not a Samba4 ldif; if you are
> trying to convert an OpenLDAP schema to a Samba4 ldif, you need to use
> oLschema2ldif.
> What you are trying to do has been tried; there is quite a series of
> postings about it, if you care to search the mailing list archives.
> From what I can remember it failed due to attributes clashing, same
> names or something similar.
>
> Rowland
>
>> after that I can retrieve the entry like that:
>> ldbsearch -H CN\=CONFIGURATION\,DC\=x.ldb cn=dhcp
>>
>> But I can't add a dhcp entry:
>> ldbmodify -H /usr/local/samba/private/sam.ldb /root/dhcptest.ldif
>> gives me
>> ERR: (No such attribute) "objectclass dhcpService is not a valid objectClass in schema"
>>
>> or if I try in this ldb file:
>> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=x.ldb /root/dhcptest.ldif
>> I lose access to my AD and samba outputs this message till I remove those
>> entries:
>> ldb: acl_read: cannot get descriptor of ou=dhcp,dc=x
>>
>>
>> I don't know what to do from here.
>>
>> I attach the dhcp.ldif file, and here is the small ldap entry test:
>>
>> dn: ou=dhcp,dc=x
>> changetype: add
>> objectClass: organizationalUnit
>> ou: dhcp
>>
>> dn: cn=dhcpserveur,ou=dhcp,dc=x
>> changetype: add
>> objectClass: top
>> objectClass: dhcpService
>> cn: dhcpserveur
>>
>>
>
>
As someone who has tried it in the past I can tell you that converting
the schema is the easy part. The problem is that the schema used by ISC
DHCPD conflicts with the AD schema, so if you forcibly load it you can
end up with a destroyed domain. In the past (during the alphas) I had a test
domain where I was able to run ISC DHCPD (after loading its schema), by
renaming two attributes in the default AD schema, but that is highly
hackish. That renaming was allowed against a Samba AD DC (at an alpha
version at least) but not with a Win2k8 server, where it complained
about renaming a basic schema object, whose rename is impossible.
I've decided to postpone the integration of our ISC DHCP database into
AD for now:
1. Short term: use OpenLDAP
2. Long term: rename all the dhcp... attributes and objectClasses to
isc-dhcp... and load that schema into AD, patch isc-dhcpd to run with
the modified schema (at least if you specify ldap-type=ad in the config
file)
Regards
Geza Gemes
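A pre-flight clash check for the attribute-name conflict described in this thread, plus the isc-dhcp... prefix rename from the long-term plan above, as an added example that is not code from the thread or from Samba. The LDIF fragment and the list of existing AD names are constructed stand-ins for the converted dhcp.ldif and for an ldbsearch dump of the schema partition; the check is meant to run before any ldbmodify against the domain, since a forced load is what breaks it.

```python
import re

# Constructed stand-in for the converted ISC DHCP schema in AD LDIF form
# (not the thread's dhcp.ldif; trimmed to a few entries and attributes).
SCHEMA_LDIF = """\
dn: CN=dhcpOptions,CN=Schema,CN=Configuration,DC=x
objectClass: classSchema
lDAPDisplayName: dhcpOptions
mayContain: dhcpOption

dn: CN=dhcpService,CN=Schema,CN=Configuration,DC=x
objectClass: classSchema
lDAPDisplayName: dhcpService
mustContain: dhcpPrimaryDN

dn: CN=dhcpClass,CN=Schema,CN=Configuration,DC=x
objectClass: classSchema
lDAPDisplayName: dhcpClass
"""
# Constructed stand-in for lDAPDisplayName values already in the domain's
# schema partition (in practice dump them with ldbsearch and feed them in).
EXISTING_AD_NAMES = ["dhcpOptions", "dhcpType", "dHCPClass", "dhcpServers"]

def ldif_entries(text):
    """Split LDIF into entries, each a dict of attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), []).append(value.strip())
    return entries

def proposed_names(text):
    return [e["lDAPDisplayName"][0] for e in ldif_entries(text) if "lDAPDisplayName" in e]

def find_clashes(text, existing):
    """Names AD already has. LDAP names compare case-insensitively, so a
    proposed dhcpClass clashes with an existing dHCPClass."""
    taken = {n.lower() for n in existing}
    return sorted(n for n in proposed_names(text) if n.lower() in taken)

# dhcpFoo -> isc-dhcpFoo in DNs, lDAPDisplayName, mayContain and mustContain
# alike; the lookbehind leaves an already prefixed name alone (idempotent).
_DHCP_NAME = re.compile(r"(?<![\w-])dhcp(?=[A-Z])")

def rename_with_prefix(text, prefix="isc-"):
    return _DHCP_NAME.sub(prefix + "dhcp", text)
```

Renaming the schema this way only removes the AD-side clash; as the post notes, isc-dhcpd itself still has to be patched to use the prefixed names.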