Chapter 10. Network Client Management (210)

This topic has a total weight of 11 points and contains the following 4 objectives:

Objective 210.1: DHCP Configuration (2 points)

Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.

Objective 210.2: PAM authentication (3 points)

The candidate should be able to configure PAM to support authentication using various available methods.

Objective 210.3: LDAP client usage (2 points)

Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.

Objective 210.4: Configuring an OpenLDAP server (4 points)

Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls. An understanding of the role of SSSD in authentication and identity management is included.

DHCP Configuration (210.1)

Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.

Key Knowledge Areas

DHCP configuration files, terms and utilities

Subnet and dynamically-allocated range setup

Key files, terms and utilities include:

dhcpd.conf
dhcpd.leases
/var/log/daemon.log and /var/log/messages
arp
dhcpd

What is DHCP?

DHCP stands for Dynamic Host Configuration Protocol. DHCP consists of two components: a protocol for delivering client-specific configuration parameters from a DHCP server to a DHCP client and a mechanism for the allocation of network addresses to clients.

Amongst the most commonly used configuration items are: ip-address, host-name, domain-name, subnet-mask, broadcast-address, routers and domain-name-servers.

The information is requested by a DHCP client and provided by a DHCP server. By default, the server listens for requests on UDP port 67 and answers on UDP port 68, but it can be told to listen on another port instead with the -p option. The DHCP server will then answer on the UDP port whose number is one higher than the port it listens on.

The web-site Resources for DHCP contains a lot of (pointers to) information on the DHCP protocol, including RFCs.

How is the server configured?

The configuration of the DHCP server, dhcpd, is done by means of its configuration file /etc/dhcpd.conf.

The elements that can be used in a configuration file are: (global) parameters, shared networks, subnets, groups and hosts.

What are (global) parameters?

Parameters can be seen as variables that get assigned a value and are passed from the server to the client. Some parameters start with the option keyword and some do not. Parameters that do not start with the option keyword are either parameters that control the behaviour of the DHCP server or are parameters that are optional in the DHCP protocol.

The difference between normal parameters and global parameters lies purely in the scope of the parameters. If, for instance, the DNS is always the same, it is pointless to add a domain-name-servers parameter-definition statement to every network-definition statement. By assigning the domain-name-servers parameter a value at the beginning of the configuration file, the parameter becomes a global parameter and its value becomes the default value for that parameter.

The value of a global parameter can be overridden by assigning it another value in subsequent sections.

What is a shared-network declaration?

A shared-network declaration is used if there are multiple subnets on the same physical network. Parameters that are the same for all the subnets belonging to the shared-network can be defined once above the subnet-declarations within the shared-network declaration that encompasses those subnet-declarations.

What is a subnet declaration?

A subnet-declaration is used to define a network segment. Parameters that only apply to the subnet in question are defined within the subnet-declaration.

A subnet-declaration must contain a range statement that defines the IP-addresses the DHCP-server can give to clients on that subnet.

What is a group declaration?

A group-declaration is used to group other declarations, including group-declarations, that have a number of properties in common, so that the common properties only have to be specified once instead of for every declaration.

What is a host declaration?

A host declaration is used to set properties for a specific client. The client identifies itself to the DHCP server by one of its unique properties such as its NIC address or its client-identifier.

An example

Consider a firm which has four departments: Sales, Administration, Engineering and Management. All departments are located in the same building and each department has three floors at its disposal.

On each floor, there are up to 200 workstations and one laser printer (LPRT-xx). Furthermore each department has its own colour laser-printer (CLPRT-xx) located on the middle floor. The printers can only be used by users of the department the printers belong to.

All users obtain an IP-address from the company's DHCP-server and must be able to reach the company's DNS-server and NTP-server. All users get their mail using the POP3 protocol, send their mail using the SMTP protocol and read their news using the NNTP protocol.

A graphical representation of the company's network is shown below:

[Figure: Network layout of the company network.]

The network architecture

Assuming that the IP range 21.31.x.x has been assigned to the company and that each department has its own network (determined by the highest four bits of the third octet; in other words: the netmask used is /20 or 255.255.240.0), the subnets could be set up as follows:

Table 10.1.  The first two octets are 21.31

Dept. bits | Floor bits | IP range                  | Router     | Description
-----------+------------+---------------------------+------------+----------------------
0001       | 0001       | 21.31.17.0 - 21.31.17.255 |            | Sales floor #1
0001       | 0010       | 21.31.18.0 - 21.31.18.255 | 21.31.17.1 | Sales floor #2
0001       | 0011       | 21.31.19.0 - 21.31.19.255 |            | Sales floor #3
0010       | 0100       | 21.31.36.0 - 21.31.36.255 |            | Administration #4
0010       | 0101       | 21.31.37.0 - 21.31.37.255 | 21.31.36.1 | Administration #5
0010       | 0110       | 21.31.38.0 - 21.31.38.255 |            | Administration #6
0011       | 0111       | 21.31.55.0 - 21.31.55.255 |            | Engineering floor #7
0011       | 1000       | 21.31.56.0 - 21.31.56.255 | 21.31.55.1 | Engineering floor #8
0011       | 1001       | 21.31.57.0 - 21.31.57.255 |            | Engineering floor #9
0100       | 1010       | 21.31.74.0 - 21.31.74.255 |            | Management floor #10
0100       | 1011       | 21.31.75.0 - 21.31.75.255 | 21.31.74.1 | Management floor #11
0100       | 1100       | 21.31.76.0 - 21.31.76.255 |            | Management floor #12


The network services available to workstations

The workstations on the company's network obtain their IP-address and the IP-addresses of the available network services from the company's DHCP-server via the department's DHCP-relay which also functions as a router.

Subnet-independent Services

Subnet-independent services are the services that are available to all workstations on the company's network regardless of the subnet they are on. The table below shows those services and their fixed IP-addresses.

Table 10.2.  Company-wide services

Service | Description               | IP-address | Host name
--------+---------------------------+------------+------------------
DHCP    | The company's DHCP-server | 21.31.0.1  | dhcp.company.com
DNS     | The company's DNS         | 21.31.0.2  | dns.company.com
SMTP    | The company's SMTP-server | 21.31.0.3  | smtp.company.com
POP3    | The company's POP3-server | 21.31.0.4  | pop3.company.com
NEWS    | The company's NNTP-server | 21.31.0.5  | news.company.com
NTP     | The company's NTP-server  | 21.31.0.6  | ntp.company.com


Subnet dependent services

Subnet-dependent services are the services that are only available to the workstations on the same subnet as the service. The table below shows those services and their fixed IP-addresses.

Table 10.3.  Subnet-dependent Services

Department     | Service | Description                     | IP-address | Name
---------------+---------+---------------------------------+------------+----------------------
Sales          | Router  | Sales Router floor #2           | 21.31.17.1 | rtr-02.company.com
Sales          | Printer | Laser Printer floor #1          | 21.31.17.2 | lprt-01.company.com
Sales          | Printer | Laser Printer floor #2          | 21.31.18.2 | lprt-02.company.com
Sales          | Printer | Laser Printer floor #3          | 21.31.19.2 | lprt-03.company.com
Sales          | Printer | Color Laser Printer floor #2    | 21.31.18.3 | clprt-02.company.com
Administration | Router  | Administration Router floor #5  | 21.31.36.1 | rtr-05.company.com
Administration | Printer | Laser Printer floor #4          | 21.31.36.2 | lprt-04.company.com
Administration | Printer | Laser Printer floor #5          | 21.31.37.2 | lprt-05.company.com
Administration | Printer | Laser Printer floor #6          | 21.31.38.2 | lprt-06.company.com
Administration | Printer | Color Laser Printer floor #5    | 21.31.37.3 | clprt-05.company.com
Engineering    | Router  | Engineering Router floor #8     | 21.31.55.1 | rtr-08.company.com
Engineering    | Printer | Laser Printer floor #7          | 21.31.55.2 | lprt-07.company.com
Engineering    | Printer | Laser Printer floor #8          | 21.31.56.2 | lprt-08.company.com
Engineering    | Printer | Laser Printer floor #9          | 21.31.57.2 | lprt-09.company.com
Engineering    | Printer | Color Laser Printer floor #8    | 21.31.56.3 | clprt-08.company.com
Management     | Router  | Management Router floor #11     | 21.31.74.1 | rtr-11.company.com
Management     | Printer | Laser Printer floor #10         | 21.31.74.2 | lprt-10.company.com
Management     | Printer | Laser Printer floor #11         | 21.31.75.2 | lprt-11.company.com
Management     | Printer | Laser Printer floor #12         | 21.31.76.2 | lprt-12.company.com
Management     | Printer | Color Laser Printer floor #11   | 21.31.75.3 | clprt-11.company.com


Building the DHCP-server's configuration file

The information needed to be able to build a configuration file has already been gathered in the previous sections when the network topology was devised.

In this section the actual configuration file /etc/dhcpd.conf will be filled with the necessary information.

The global parameters for services

Global parameters are put at the top of the configuration file:

# DNS
option domain-name-servers 21.31.0.2;
# SMTP
option smtp-server 21.31.0.3;
# POP3
option pop-server 21.31.0.4;
# NEWS
option nntp-server 21.31.0.5;
# NTP
option time-servers 21.31.0.6;

Another way to do this is by using domain names. A single domain name must resolve to a single IP-address. Using domain names, you would put the following entries in the configuration file:

# DNS
option domain-name-servers dns.company.com;
# SMTP
option smtp-server smtp.company.com;
# POP3
option pop-server pop3.company.com;
# NEWS
option nntp-server news.company.com;
# NTP
option time-servers ntp.company.com;

The company's shared-networks and subnets

As has been discussed in the previous sections, there are four different networks, one for each department and there are twelve different IP-address ranges, one for each floor. Furthermore, each network has its own router and printers.

This translates into four shared-networks each having their own netmask and broadcast-address and encompassing three IP-address ranges.

The netmask is an IP-address used to determine the network a workstation, or some other network device that uses an IP-address, is on. A netmask has 1's in the bit-positions that are the same for all network devices in that network and 0's in the other positions. Since all the subnets on a department's shared-network are on the same physical network, the distinction is made on the shared-network level, not on the floor level. The floor level has been coded into the IP-address (low nibble of the third octet) to prepare for the planned installation next year of one router per floor instead of one router per department. The netmask is calculated as follows:

21.31.16.0 - : | 0001 0101 | 0001 1111 | 0001 0000 | 0000 0000 | SALES
21.31.31.255 : | 0001 0101 | 0001 1111 | 0001 1111 | 1111 1111 | NETWORK

21.31.32.0 - : | 0001 0101 | 0001 1111 | 0010 0000 | 0000 0000 | ADMINISTRATION
21.31.47.255 : | 0001 0101 | 0001 1111 | 0010 1111 | 1111 1111 | NETWORK 

21.31.48.0 - : | 0001 0101 | 0001 1111 | 0011 0000 | 0000 0000 | ENGINEERING
21.31.63.255 : | 0001 0101 | 0001 1111 | 0011 1111 | 1111 1111 | NETWORK

21.31.64.0 - : | 0001 0101 | 0001 1111 | 0100 0000 | 0000 0000 | MANAGEMENT 
21.31.79.255 : | 0001 0101 | 0001 1111 | 0100 1111 | 1111 1111 | NETWORK

fixed-bits   : | 1111 1111 | 1111 1111 | 1111 0000 | 0000 0000 | NETMASK
                    255         255         240          0

Using a netmask of 255.255.240.0, the network an IP-address is on can be determined. This is done by AND-ing the IP-address with the netmask. To determine on which of the four networks a workstation with IP-address 21.31.57.105 is, the following calculation is performed:

21.31.57.105 : | 0001 0101 | 0001 1111 | 0011 1001 | 0110 1001 | IP-ADDRESS
255.255.240.0: | 1111 1111 | 1111 1111 | 1111 0000 | 0000 0000 | AND NETMASK
21.31.48.0:    | 0001 0101 | 0001 1111 | 0011 0000 | 0000 0000 | GIVES NETWORK

The IP-address 21.31.57.105 is on the 21.31.48.0 network, which is the Engineering-network.

The broadcast-address is used to send packets to every workstation on a network. A broadcast-address differs per network and can be determined by replacing all bits reserved/used for the host address (as denoted by the subnet mask) with 1's.

Another way of determining the broadcast-address is to take the inverse of the netmask, in this case 0.0.15.255, and then OR the result with the network address:

21.31.16.0 - : | 0001 0101 | 0001 1111 | 0001 0000 | 0000 0000 | SALES
0.0.15.255   : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.31.255 : | 0001 0101 | 0001 1111 | 0001 1111 | 1111 1111 | GIVES BCAST

21.31.32.0 - : | 0001 0101 | 0001 1111 | 0010 0000 | 0000 0000 | ADMINISTRATION
0.0.15.255   : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.47.255 : | 0001 0101 | 0001 1111 | 0010 1111 | 1111 1111 | GIVES BCAST

21.31.48.0 - : | 0001 0101 | 0001 1111 | 0011 0000 | 0000 0000 | ENGINEERING
0.0.15.255   : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.63.255 : | 0001 0101 | 0001 1111 | 0011 1111 | 1111 1111 | GIVES BCAST

21.31.64.0 - : | 0001 0101 | 0001 1111 | 0100 0000 | 0000 0000 | MANAGEMENT 
0.0.15.255   : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.79.255 : | 0001 0101 | 0001 1111 | 0100 1111 | 1111 1111 | GIVES BCAST

The broadcast-address for the network an IP-address is on can be determined by OR-ing the IP-address with the inverse-netmask. For a workstation with IP-address 21.31.57.105, the broadcast-address can be calculated as follows:

21.31.57.105 : | 0001 0101 | 0001 1111 | 0011 1001 | 0110 1001 | IP-ADDRESS
0.0.15.255   : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.63.255 : | 0001 0101 | 0001 1111 | 0011 1111 | 1111 1111 | GIVES BCAST

The IP-address 21.31.57.105 belongs to a network that has broadcast-address 21.31.63.255, which is correct since the IP-address is on the Engineering-network.

To tell the DHCP-server what IP-addresses to give out per subnet, a range statement must be added to the subnet. In this example the IP-addresses 21.31.x.0 to 21.31.x.10 and 21.31.x.211 to 21.31.x.255 on every floor are reserved for printers and routers. This means that for every subnet the range statement is:

range 21.31.x.11 21.31.x.210;

Where x depends on the department and the floor.
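The AND and OR calculations above, and the rule for the range statement, as an added Python example (it is not part of the chapter and not code from the ISC DHCP distribution). The function names and the DEPARTMENT_NETWORKS table are my own, built from Table 10.1; for 21.31.57.105 the code produces the network, inverse netmask and broadcast-address derived above, and range_is_valid checks that a range statement stays within one floor of one department network and leaves the reserved host numbers 0-10 and 211-255 alone.

```python
import ipaddress

# Department networks from Table 10.1 (one /20 per department); constructed
# here as a lookup table for this example.
DEPARTMENT_NETWORKS = {
    "Sales": "21.31.16.0",
    "Administration": "21.31.32.0",
    "Engineering": "21.31.48.0",
    "Management": "21.31.64.0",
}
NETMASK = "255.255.240.0"


def to_int(dotted):
    """Dotted quad -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip, netmask):
    """AND the address with the netmask (the chapter's first calculation)."""
    return to_dotted(to_int(ip) & to_int(netmask))


def inverse_netmask(netmask):
    """Flip every bit of the netmask: 255.255.240.0 -> 0.0.15.255."""
    return to_dotted(~to_int(netmask) & 0xFFFFFFFF)


def broadcast_address(ip, netmask):
    """OR the address with the inverse netmask (the chapter's second calculation)."""
    return to_dotted(to_int(ip) | to_int(inverse_netmask(netmask)))


def department_for(ip):
    """Name of the department network an address belongs to, or None."""
    net = network_address(ip, NETMASK)
    for dept, dept_net in DEPARTMENT_NETWORKS.items():
        if dept_net == net:
            return dept
    return None


def range_is_valid(range_lo, range_hi, netmask=NETMASK):
    """Check a range statement against the chapter's rules: both ends in the
    same /20 network and on the same floor (third octet), and the host
    numbers 0-10 and 211-255 left free for printers and routers."""
    if network_address(range_lo, netmask) != network_address(range_hi, netmask):
        return False
    lo, hi = to_int(range_lo), to_int(range_hi)
    if (lo >> 8) != (hi >> 8):          # third octet differs: another floor
        return False
    return lo <= hi and 11 <= (lo & 0xFF) and (hi & 0xFF) <= 210


def binary_view(dotted):
    """Render an address the way the chapter's tables do: | 0001 0101 | ... |"""
    parts = []
    for octet in dotted.split("."):
        bits = format(int(octet), "08b")
        parts.append(f"{bits[:4]} {bits[4:]}")
    return "| " + " | ".join(parts) + " |"


if __name__ == "__main__":
    ip = "21.31.57.105"
    print(binary_view(ip), "IP-ADDRESS")
    print(binary_view(NETMASK), "AND NETMASK")
    print(binary_view(network_address(ip, NETMASK)), "GIVES NETWORK", department_for(ip))
    print(binary_view(inverse_netmask(NETMASK)), "OR INV NETMASK")
    print(binary_view(broadcast_address(ip, NETMASK)), "GIVES BCAST")
    # Cross-check the hand calculation against the standard library.
    std = ipaddress.ip_network(f"{ip}/{NETMASK}", strict=False)
    assert str(std.broadcast_address) == broadcast_address(ip, NETMASK)
    for floor in ("21.31.55", "21.31.56", "21.31.57"):
        print(floor, range_is_valid(f"{floor}.11", f"{floor}.210"))
```

The bit operations are written out by hand so that they mirror the tables above; the cross-check against the ipaddress module at the end is there to confirm the arithmetic, and range_is_valid is the kind of check worth running over every range statement before the configuration file is put into service.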

To implement this structure, the following lines are added to the configuration-file:

# The Sales network, floors 1-3
shared-network sales-net {
  # Sales-net specific parameters
  option routers 21.31.17.1;
  option lpr-servers 21.31.17.2, 21.31.18.2, 21.31.19.2, 21.31.18.3;
  option broadcast-address 21.31.31.255;
  subnet 21.31.17.0 netmask 255.255.240.0 {
    # Floor #1 specific parameters
    range 21.31.17.11 21.31.17.210;
  }
  subnet 21.31.18.0 netmask 255.255.240.0 {
    # Floor #2 specific parameters
    range 21.31.18.11 21.31.18.210;
  }
  subnet 21.31.19.0 netmask 255.255.240.0 {
    # Floor #3 specific parameters
    range 21.31.19.11 21.31.19.210;
  }
}

# The Administration network, floors 4-6
shared-network administration-net {
  # Administration-net specific parameters
  option routers 21.31.36.1;
  option lpr-servers 21.31.36.2, 21.31.37.2, 21.31.38.2, 21.31.37.3;
  option broadcast-address 21.31.47.255;
  subnet 21.31.36.0 netmask 255.255.240.0 {
    # Floor #4 specific parameters
    range 21.31.36.11 21.31.36.210;
  }
  subnet 21.31.37.0 netmask 255.255.240.0 {
    # Floor #5 specific parameters
    range 21.31.37.11 21.31.37.210;
  }
  subnet 21.31.38.0 netmask 255.255.240.0 {
    # Floor #6 specific parameters
    range 21.31.38.11 21.31.38.210;
  }
}

# The Engineering network, floors 7-9
shared-network engineering-net {
  # Engineering-net specific parameters
  option routers 21.31.55.1;
  option lpr-servers 21.31.55.2, 21.31.56.2, 21.31.57.2, 21.31.56.3;
  option broadcast-address 21.31.63.255;
  subnet 21.31.55.0 netmask 255.255.240.0 {
    # Floor #7 specific parameters
    range 21.31.55.11 21.31.55.210;
  }
  subnet 21.31.56.0 netmask 255.255.240.0 {
    # Floor #8 specific parameters
    range 21.31.56.11 21.31.56.210;
  }
  subnet 21.31.57.0 netmask 255.255.240.0 {
    # Floor #9 specific parameters
    range 21.31.57.11 21.31.57.210;
  }
}

# The Management network, floors 10-12
shared-network management-net {
  # Management-net specific parameters
  option routers 21.31.74.1;
  option lpr-servers 21.31.74.2, 21.31.75.2, 21.31.76.2, 21.31.75.3;
  option broadcast-address 21.31.79.255;
  subnet 21.31.74.0 netmask 255.255.240.0 {
    # Floor #10 specific parameters
    range 21.31.74.11 21.31.74.210;
  }
  subnet 21.31.75.0 netmask 255.255.240.0 {
    # Floor #11 specific parameters
    range 21.31.75.11 21.31.75.210;
  }
  subnet 21.31.76.0 netmask 255.255.240.0 {
    # Floor #12 specific parameters
    range 21.31.76.11 21.31.76.210;
  }
}

Static hosts

A static host is a host that always gets the same IP-address from the DHCP-server, as opposed to dynamic hosts, which get their IP-address from a range of IP-addresses.

Obviously, the DHCP-server must be able to recognize the host to be able to conclude that the host has been defined as a static one in the DHCP-server's configuration file. This can be done by using the dhcp-client-identifier option or by using the hardware ethernet option.

The dhcp-client-identifier is sent to the server by the client (host) and must uniquely identify that client. This is not safe because there is no way to be sure that there isn't a second client that uses the same identifier.

The hardware ethernet option causes the match to be done on the client's NIC-address which is world-wide unique.

If the client does not send a dhcp-client-identifier, then the NIC-address is used to identify the client.

There are two designers, working for the Engineering department, that come to the office sometimes to get a hardcopy of their designs in colour. These designers are called luke and leah and they bring their laptops and connect them to the Engineering-network. The host names of their machines will be luke and leah.

To make this so, the administrator has added the following lines to the DHCP-server's configuration file:

group {
  # options that apply to all the static hosts
  option routers 21.31.55.1;
  option lpr-servers 21.31.56.3;
  option broadcast-address 21.31.63.255;
  # the subnet mask is sent to the clients as an option; the bare
  # "netmask" keyword is only valid in a subnet declaration
  option subnet-mask 255.255.240.0;
  host luke {
    # specific for luke
    hardware ethernet AA:88:54:72:7F:92;
    fixed-address 21.31.55.211;
    option host-name "luke";
  }

  host leah {
    # specific for leah
    hardware ethernet CC:88:54:72:84:4F;
    fixed-address 21.31.55.212;
    option host-name "leah";
  }
}

Static BOOTP hosts

This is a special static host. If luke and leah's laptops were BOOTP-clients, the administrator could have added the following lines to the DHCP-server's configuration file:

group {
  # options that apply to all the static hosts
  option routers 21.31.55.1;
  option lpr-servers 21.31.56.3;
  option broadcast-address 21.31.63.255;
  # the subnet mask is sent to the clients as an option; the bare
  # "netmask" keyword is only valid in a subnet declaration
  option subnet-mask 255.255.240.0;
  host luke {
    # specific for luke
    filename "lukes-boot-file";
    server-name "server name to send to luke";
    next-server <address of server to load boot-file from>;
    hardware ethernet AA:88:54:72:7F:92;
    fixed-address 21.31.55.211;
    option host-name "luke";
  }

  host leah {
    # specific for leah
    filename "leahs-boot-file";
    server-name "server name to send to leah";
    next-server <address of server to load boot-file from>;
    hardware ethernet CC:88:54:72:84:4F;
    fixed-address 21.31.55.212;
    option host-name "leah";
  }
}

The filename option states the name of the file to get from the server defined in the next-server option. If the next-server is omitted, the server to get the file from is the DHCP-server. The server-name can be used to send the name of the server the client is booting from to the client.

For information on the valid options, consult the dhcp-options man page (man dhcp-options) and the dhcpd.conf man page (man dhcpd.conf).

Controlling the DHCP-server's behaviour

Leases

A lease is the amount of time a client may use the IP-address it got from the DHCP-server. The client must refresh the lease periodically because the IP-address can be given to another client once the lease has expired. Normally, a client will be given the same IP-address if the lease is refreshed before it expires.

The max-lease-time statement specifies the maximum amount of time in seconds that will be assigned to a lease if the client asks for a specific expiration time.

The default-lease-time statement specifies the amount of time in seconds that will be assigned to a lease if a client does not ask for a specific expiration time.

The DHCP-server keeps a database of the leases it has issued in the file /var/dhcp/dhcpd.leases. If this file is empty, this is probably caused by the fact that you have only defined static hosts in the DHCP-server's configuration file and you haven't used any range statements.
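As an added example (not from the chapter and not from the ISC DHCP distribution), the following Python reads a leases file of the kind described above and checks two things the sections on static hosts and leases raise: which leases are active at a given moment, and whether one hardware address holds more than one active lease or a dynamic lease has been handed out on an address reserved for a static host (luke and leah's fixed-addresses from the group declaration above; a range statement overlapping those addresses is the usual cause). The sample lease text is constructed in the layout dhcpd writes; the hardware addresses and host names in it, and all function names, are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout ISC dhcpd uses for its leases file: one
# "lease <ip> { ... }" block per binding, times in UTC prefixed with a weekday
# number. The addresses lie in the chapter's Engineering network; the
# hardware addresses and host names are made up.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 21.31.55.42 {
  starts 3 2024/01/10 08:00:00;
  ends 3 2024/01/10 20:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws-042";
}
lease 21.31.55.43 {
  starts 3 2024/01/10 08:05:00;
  ends 3 2024/01/10 20:05:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws-043";
}
lease 21.31.55.44 {
  starts 2 2024/01/09 08:00:00;
  ends 2 2024/01/09 20:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 21.31.55.211 {
  starts 3 2024/01/10 09:00:00;
  ends 3 2024/01/10 21:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 02:00:00:00:00:99;
}
"""

# Fixed-addresses of the static hosts in the chapter's group declaration;
# a dynamic lease on one of these means a range overlaps the reserved addresses.
STATIC_HOSTS = {"21.31.55.211": "aa:88:54:72:7f:92", "21.31.55.212": "cc:88:54:72:84:4f"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_time(field):
    """'3 2024/01/10 08:00:00' -> aware UTC datetime; 'never' -> None."""
    field = field.strip()
    if field == "never":
        return None
    date_part = field.split(None, 1)[1]          # drop the weekday digit
    return datetime.strptime(date_part, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """One dict per address. dhcpd appends to the file rather than rewriting
    it, so a later block for the same address supersedes an earlier one."""
    by_ip = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        entry = {"ip": ip, "state": None, "hardware": None, "hostname": None,
                 "starts": None, "ends": None}
        for stmt in (s.strip() for s in body.split(";")):
            for prefix, key in (("starts ", "starts"), ("ends ", "ends"),
                                ("binding state ", "state"),
                                ("hardware ethernet ", "hardware"),
                                ("client-hostname ", "hostname")):
                if stmt.startswith(prefix):
                    value = stmt[len(prefix):]
                    if key in ("starts", "ends"):
                        value = parse_time(value)
                    elif key == "hardware":
                        value = value.lower()
                    elif key == "hostname":
                        value = value.strip('"')
                    entry[key] = value
        by_ip[ip] = entry
    return list(by_ip.values())


def active_leases(leases, now):
    return [l for l in leases
            if l["state"] == "active" and (l["ends"] is None or l["ends"] > now)]


def duplicate_hardware(leases, now):
    """Hardware addresses holding more than one active lease: either one
    machine that changed its client-identifier, or two clients presenting
    the same identity (the chapter's warning about dhcp-client-identifier)."""
    seen = {}
    for lease in active_leases(leases, now):
        if lease["hardware"]:
            seen.setdefault(lease["hardware"], []).append(lease["ip"])
    return {hw: ips for hw, ips in seen.items() if len(ips) > 1}


def static_conflicts(leases):
    """Leases (active or not) on addresses reserved for static hosts."""
    return sorted(l["ip"] for l in leases if l["ip"] in STATIC_HOSTS)


def audit(text, now_iso):
    """Summarise a leases file as seen at the given UTC moment (ISO 8601)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    leases = parse_leases(text)
    return {"active": [l["ip"] for l in active_leases(leases, now)],
            "duplicates": duplicate_hardware(leases, now),
            "static_conflicts": static_conflicts(leases)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LEASES, "2024-01-10T12:00:00").items():
        print(f"{key}: {value}")
```

To run it against a real server, read the leases file named in this section into audit() together with the current UTC time; an empty result for "active" is expected when, as noted above, only static hosts and no range statements have been configured.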

Interfaces the DHCP-server listens on

Unless you specify otherwise, dhcpd will listen on all interfaces for DHCP requests. If you only want to serve requests on eth0, for instance, you can tell this to the daemon by naming that interface on the command line that starts the daemon.

Reloading the DHCP-server after making changes

This is done as follows:

# /etc/init.d/dhcp restart

This will stop the running daemon, wait two seconds, then start a new daemon which causes /etc/dhcpd.conf to be read again.

Logging

By default the DHCP server logs using syslogd. Logging is configured in the dhcpd.conf file using the log-facility keyword. This statement causes the DHCP server to do all of its logging on the specified log facility once the dhcpd.conf file has been read. By default the DHCP server logs to the daemon facility. Possible log facilities include auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, ntp, security, syslog, user, uucp, and local0 through local7. Not all of these facilities are available on all systems, and there may be other facilities available on other systems. In addition to setting the log-facility value, you may need to modify your syslog.conf file to configure logging of the DHCP server. For example, you might add a line like this:

local7.debug /var/log/dhcpd.log

The syntax of the syslog.conf file may be different on some operating systems - consult the syslog.conf manual page to be sure. To get syslog to start logging to the new file, you must first create the file with correct ownership and permissions (usually, the same owner and permissions of your /var/log/messages or /usr/adm/messages file should be fine) and send a SIGHUP to syslogd.
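Once dhcpd's messages are in a syslog file, reading them back is the quickest way to see whether the server is behaving. The Python below is an added example (not from the chapter and not from the ISC DHCP distribution) that parses the DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK and DHCPNAK lines dhcpd writes, reports which addresses each hardware address was acknowledged, counts how many distinct hardware addresses asked for an address through each relay or interface, and lists NAKs and "no free leases" refusals. The sample lines are constructed: timestamps, hardware addresses and host names are made up, the message shapes are assumed to be those of ISC dhcpd, and "via 21.31.55.1" is the Engineering relay from Table 10.3.

```python
import re
from collections import defaultdict

# Constructed sample of dhcpd syslog lines (daemon facility by default, so
# typically /var/log/daemon.log or /var/log/messages). The last line is from
# another daemon and shows that unrelated lines are skipped.
SAMPLE_LOG = """\
Jan 10 08:00:01 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 21.31.55.1
Jan 10 08:00:01 dhcp dhcpd: DHCPOFFER on 21.31.55.42 to 00:11:22:33:44:55 (ws-042) via 21.31.55.1
Jan 10 08:00:02 dhcp dhcpd: DHCPREQUEST for 21.31.55.42 (21.31.0.1) from 00:11:22:33:44:55 (ws-042) via 21.31.55.1
Jan 10 08:00:02 dhcp dhcpd: DHCPACK on 21.31.55.42 to 00:11:22:33:44:55 (ws-042) via 21.31.55.1
Jan 10 08:01:00 dhcp dhcpd: DHCPDISCOVER from 02:de:ad:be:ef:01 via 21.31.55.1
Jan 10 08:01:00 dhcp dhcpd: DHCPOFFER on 21.31.55.43 to 02:de:ad:be:ef:01 via 21.31.55.1
Jan 10 08:01:01 dhcp dhcpd: DHCPREQUEST for 21.31.55.43 (21.31.0.1) from 02:de:ad:be:ef:01 via 21.31.55.1
Jan 10 08:01:01 dhcp dhcpd: DHCPACK on 21.31.55.43 to 02:de:ad:be:ef:01 via 21.31.55.1
Jan 10 08:01:05 dhcp dhcpd: DHCPDISCOVER from 02:de:ad:be:ef:02 via 21.31.55.1
Jan 10 08:01:05 dhcp dhcpd: DHCPACK on 21.31.55.44 to 02:de:ad:be:ef:02 via 21.31.55.1
Jan 10 08:01:10 dhcp dhcpd: DHCPDISCOVER from 02:de:ad:be:ef:03 via 21.31.55.1: network 21.31.48.0/20: no free leases
Jan 10 08:02:00 dhcp dhcpd: DHCPNAK on 21.31.17.50 to 00:11:22:33:44:55 via 21.31.55.1
Jan 10 08:02:00 dhcp sshd[812]: Accepted publickey for admin from 21.31.0.9 port 50000 ssh2
"""

# syslog prefix: timestamp, host, program (optionally with [pid]), message
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: (?P<msg>.*)$")
# "DHCPDISCOVER from <mac>", "DHCPOFFER/DHCPACK/DHCPNAK on <ip> to <mac>",
# "DHCPREQUEST for <ip> (<server>) from <mac>"
MSG_RE = re.compile(
    r"^(?P<type>DHCP[A-Z]+) "
    r"(?:on (?P<ip>\S+) to |for (?P<req>\S+)(?: \(\S+\))? from |from )"
    r"(?P<mac>[0-9a-fA-F:]{17})"
)


def parse_log(text):
    """One event dict per dhcpd message that names a hardware address."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a dhcpd line
        msg = m.group("msg")
        mm = MSG_RE.match(msg)
        if not mm:
            continue                      # informational dhcpd message
        via = re.search(r" via ([^\s:]+)", msg)
        events.append({
            "ts": m.group("ts"),
            "type": mm.group("type"),
            "mac": mm.group("mac").lower(),
            "ip": mm.group("ip") or mm.group("req"),
            "via": via.group(1) if via else None,
            "no_free_leases": msg.endswith("no free leases"),
        })
    return events


def acks_by_mac(events):
    """Distinct addresses each hardware address has been acknowledged."""
    out = defaultdict(set)
    for e in events:
        if e["type"] == "DHCPACK":
            out[e["mac"]].add(e["ip"])
    return {mac: sorted(ips) for mac, ips in out.items()}


def discover_fanout(events, threshold):
    """Relays/interfaces from which at least `threshold` distinct hardware
    addresses sent DHCPDISCOVER. A burst of new addresses on one segment is
    the footprint of pool exhaustion and worth correlating with the leases file."""
    macs = defaultdict(set)
    for e in events:
        if e["type"] == "DHCPDISCOVER":
            macs[e["via"]].add(e["mac"])
    return {via: len(s) for via, s in macs.items() if len(s) >= threshold}


def problems(events):
    """NAKs and 'no free leases' refusals, in log order."""
    return [(e["ts"], e["type"], e["mac"], e["via"])
            for e in events if e["type"] == "DHCPNAK" or e["no_free_leases"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("acks:", acks_by_mac(evs))
    print("fanout:", discover_fanout(evs, 3))
    for p in problems(evs):
        print("problem:", *p)
```

The threshold for discover_fanout depends on the segment: for a floor with up to 200 workstations and a range of 200 addresses, a count close to the size of the range within a short window means the pool is about to run out, which is exactly when the "no free leases" lines start appearing.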

DHCP-relaying

What is DHCP-relaying?

In our earlier example there is one DHCP-server for the whole network and there are routers between the clients and that server.

If a client could only reach the DHCP-server through a router, the DHCP-server would not see the NIC-address of the client but the NIC-address of the router. This would mean that a static host, for instance, could not be recognized by its hardware address.

A DHCP-relay agent, such as dhcrelay, provides a means for relaying DHCP and BOOTP requests from one of the subnets to the company's DHCP-server.

If you need more information, consult The Internet Consortium DHCP Homepage.

The DHCP Relay Agent listens for DHCP and BOOTP queries and responses. When a query is received from a client, dhcrelay forwards it to the list of DHCP servers specified on the command line. When a reply is received from a server, it is broadcast or unicast (according to the relay agent's ability or the client's request) on the network from which the original request came. If no interface names are specified on the command line, dhcrelay will identify all network interfaces, eliminating non-broadcast interfaces if possible, and attempt to configure each interface.

Please consult the man page (man dhcrelay) for further details.

Copyright Snow B.V. The Netherlands