Re: Drafting a new LDAP structure for Squeeze

To: debian-edu@lists.debian.org
Subject: Re: Drafting a new LDAP structure for Squeeze
From: Petter Reinholdtsen <pere@hungry.com>
Date: Wed, 14 Jul 2010 23:45:05 +0200
Message-id: <[🔎] 20100714214505.GD2499@login1.uio.no>
In-reply-to: <[🔎] 20100709141605.GF23533@login1.uio.no>
References: <2flfx0ann7g.fsf@login2.uio.no> <[🔎] 20100707194552.GA15459@login2.uio.no> <[🔎] 20100708105518.GF15459@login2.uio.no> <[🔎] 201007090933.57996.benoit.mortier@opensides.be> <[🔎] 20100709141605.GF23533@login1.uio.no>

For a while now, I have wanted to find a way to change our DNS and
DHCP services to use the same LDAP objects for a given computer, to
avoid the possibility of having a inconsistent state for a computer in
LDAP (as in DHCP but no DNS entry or the other way around) and make it
easier to add computers to LDAP.

I've looked at how powerdns and dhcpd is using LDAP, and using this
information finally found a solution that seem to work.

The old setup required three LDAP objects for a given computer.  One
forward DNS entry, one reverse DNS entry and one DHCP entry.  If we
switch powerdns to use its strict LDAP method (ldap-method=strict in
pdns-debian-edu.conf), the forward and reverse DNS entries are merged
into one while making it impossible to transfer the reverse map to a
slave DNS server.

If we also replace the object class used to get the DNS related
attributes to one allowing these attributes to be combined with the
dhcpHost object class, we can merge the DNS and DHCP entries into one.
I've written such object class in the dnsdomainaux.schema file (need
proper OIDs, but that is a minor issue), and tested the setup.  It
seem to work.

With this test setup in place, we can get away with one LDAP object
for both DNS and DHCP, and even the LTSP configuration I suggested in
an earlier email.  The combined LDAP object will look something like
this:

  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
  cn: hostname
  objectClass: dhcpHost
  objectclass: domainrelatedobject
  objectclass: dnsDomainAux
  associateddomain: hostname.intern
  arecord: 10.11.12.13
  dhcpHWAddress: ethernet 00:00:00:00:00:00
  dhcpStatements: fixed-address hostname
  ldapConfigSound: Y

The DNS server uses the associateddomain and arecord entries, while
the DHCP server uses the dhcpHWAddress and dhcpStatements entries
before asking DNS to resolve the fixed-adddress.  LTSP will use
dhcpHWAddress or associateddomain and the ldapConfig* attributes.

I am not yet sure if I can get the DHCP server to look for its
dhcpHost in a different location, to allow us to put the objects
outside the "DHCP Config" subtree, but hope to figure out a way to do
that.  If I can't figure out a way to do that, we can still get rid of
the hosts subtree and move all its content into the DHCP Config tree
(which probably should be renamed to be more related to the new
content.  I suspect cn=dnsdhcp,ou=services or something like that
might be a good place to put it.

Happy hacking,
-- 
Petter Reinholdtsen

Reply to:

References:
- Re: Time for a alpha0 release of squeeze-test images?
  - From: Petter Reinholdtsen <pere@hungry.com>
- Drafting a new LDAP structure for Squeeze (Was: Time for a alpha0 release of squeeze-test images?)
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: Drafting a new LDAP structure for Squeeze (Was: Time for a alpha0 release of squeeze-test images?)
  - From: Benoit Mortier <benoit.mortier@opensides.be>
- Re: Drafting a new LDAP structure for Squeeze
  - From: Petter Reinholdtsen <pere@hungry.com>

Prev by Date: debian-edu_0.848~svn66358_amd64.changes ACCEPTED
Next by Date: debian-edu-config_1.443~svn66426_i386.changes ACCEPTED
Previous by thread: Re: Drafting a new LDAP structure for Squeeze
Next by thread: Re: Time for a alpha0 release of squeeze-test images?
Index(es):
- Date
- Thread