LDAP

The Lightweight Directory Access Protocol (LDAP) lets you use directory services to integrate Network Registrar client and lease information. By building on your existing standard schema for objects stored in LDAP directories, you can handle information about DHCP client entries. Thus, instead of maintaining client information in the DHCP server's database, you can ask the Network Registrar DHCP server to issue queries to one or more LDAP servers for information in response to DHCP client requests.

After the Network Registrar DHCP server has given a client a lease, you can have that lease-state data written back to your LDAP server. Thus, you can store information such as the client's host name, the machine's MAC address, the state of the lease, and when the lease expires. Since a copy of this information is in a central place (your LDAP server), you can run queries to monitor your IP address usage or the state of your leases.

You can configure multiple independent LDAP servers that the Network Registrar DHCP server can use in preference order (for failover protection), or in round-robin fashion (for load balancing).

Note Network Registrar ships with the LDAP version 1.0 libraries.

LDAP Attributes

LDAP directory servers provide a way to name, manage, and access collections of attribute-value pairs. LDAP servers consist of entries that hold information about some thing or concept, such as a person or organization. Every entry in an LDAP server belongs to one or more object classes. The object class defines the attributes and their associated valid values. For example, the person object class might have an attribute to hold a person's Social Security number, which would be single-valued; or an attribute to hold a telephone number, which would ignore spaces and dashes. The schema defines an entry's valid attributes and their values. You can turn off schema checking if you want to use the attributes to hold other values. Or, you can change the schema by adding new object classes to an entry.

Network Registrar Client Attributes

To use your LDAP server for DHCP queries, enter the MAC addresses of all your clients. You can optionally enter any other information on a per-client basis, such as a unique host name or if you are using client-class---exceptions to the client's client-class definition.

Any of the DHCP client-entry attributes that you can configure through Network Registrar can be stored in the LDAP server. All these attributes are of the type string.

action---The action to take for this client, which is either exclude, one-shot, or use-release-grace-period.
authenticate-until---Controls whether to limit the authentication time to the duration you have specified.
client-class-name---The client-class to which this client belongs.
domain-name---The domain name to use when performing DNS updates.
environment-dictionary---Contains a series of name-value pairs that are available to DHCP user-written extensions.
host-name---The name of the host that replaces any host name DHCP option sent by the DHCP client.
policy-name---The policy to add to Network Registrar's DHCP policy search list for this client.
selection-criteria---The scope selection tags to use to build the scope's inclusion list.
s election-criteria-excluded---The scope selection tags to use to build the scope's exclusion list.
unauthenticated-client-class-name---The name of the client-class to use if this client is no longer authenticated.
user-defined---A user-defined string that can be retrieved with the other client data.

For more information about these attributes, see the Network Registrar CLI Reference Guide.

Note Network Registrar is only able to read individual client-entries using LDAP. Create client-classes and the `default' client-entry in the server's local database using the Network Registrar graphical user interface (GUI) or the command line interface (CLI).

LDAP Directories

The Network Registrar DHCP server can write lease-related data to pre-existing entries in LDAP-based directories. The data items written include:

IP address
Client DNS name
Client host name, client ID
Client MAC address
Expiration date/time
Lease state (available, leased, expired, unavailable)
Date/time state changed

Using the ldap command, you can map these attributes to any LDAP attributes with compatible data types.

The Network Registrar DHCP server can also read data from LDAP to control the address-leasing process. For example, a directory could contain a list of authorized devices, identified by MAC addresses. The DHCP server could then either deny addresses to other devices, or grant an address from a special pool of provisional addresses. Or, the clients listed in the directory could be given some type of special handling, with other clients given default treatment.

For more information about using Network Registrar with LDAP directories, see the Network Registrar User's Guide.

Table of Contents

LDAP

LDAP

LDAP Attributes

Network Registrar Client Attributes

LDAP Directories