Mac Authentication
Markus Schabel
markus.schabel at tgm.ac.at
Mon Sep 8 15:50:30 UTC 2003
Keith Patton wrote:
> All,
> I have a need to have a distributed database for DHCP MAC addresses.
> The dhcp.conf file will have
> logistical problems keeping it in sync with 40+ servers with 20+ different
> people managing it from all parts of the world and languages. The reason
> for the sync is that many people travel between sites, and we have
> numerous visitors. This would permit DHCP to give out addresses to our
> employees since the MAC would be registered, yet deny visitors who have
> been known to possess viruses and that freely distribute them to us by
> plugging in.
>
>
> I was thinking about having dhcp query our corp wide ldap database for
> valid mac addresses. The ldap would contain a branch that would be
> equivalent to the host statement in the dhcp.conf file.
That seems like a good solution. Take a look at the dhcp-ldap-patch:
http://home.ntelos.net/~masneyb/ - it is documented that it queries the
directory for each DHCP request, but here it doesn't seem to do this;
instead it reads LDAP at startup and that's it. (You can
configure this; maybe I've just done it wrong.) - It works fine (but the
patched dhcp version here is a few months old, so I'm not sure whether it
applies to the current release candidate).
> Now, realizing that querying LDAP for each DHCP request would be
> insanely slow... therefore
That depends on the number of requests... Since LDAP is optimized for
read/search access it should not be a big problem. If you really have
a high load you can replicate the DHCP parts of the directory to another
LDAP server which is only used by your DHCP servers.
> Ideally it would hit LDAP every 15 min and bulk-load all the MACs into its
> internal db.
That should work with the patch specified above. Just set up a cron job that
reloads dhcpd every x minutes...
> My questions for all,
>
> first of all, coding this is not a problem for me, with that said..
Just take a look at the patch mentioned above. I'd really like to see it
in the mainstream code... It has been working here for at least a year without
problems (in dhcp-reads-ldap-only-at-start mode).
> My first choice...
>
> Can this be done with the OMAPI interface? And where is the best place for
> the most extensive docs on this?
>
> Else...
> If not, does anyone know where in the code this could be inserted the
> easiest?
regards, Markus
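The cron-job approach discussed in this thread (bulk-load the registered MACs from LDAP every x minutes, regenerate the host statements, reload dhcpd) as an added example. This is not code from the thread, from the dhcp-ldap patch or from ISC; it sidesteps the patch entirely by generating a dhcpd.conf include file from ldapsearch output. The LDAP attribute names (cn, dhcpHWAddress with an "ethernet <mac>" value, objectClass dhcpHost), the base DN, the output path, and the ldapsearch / dhcpd / service command lines are all assumptions made for the example. Two points worth having in a script like this: anyone who can write to that LDAP branch can otherwise write into dhcpd.conf, so every MAC is validated and every host name sanitized before it is rendered; and a bad generated file must not take the DHCP service down, so the script runs dhcpd -t and rolls back before restarting (ISC dhcpd does not re-read its configuration on SIGHUP, so "reload" means restart, and the restart is skipped when nothing changed).

```python
"""Added example (not from the thread or the dhcp-ldap patch): a cron job that
bulk-loads registered MACs from LDAP into a dhcpd.conf include file. Assumed,
not stated in the thread: one LDAP entry per host with cn and dhcpHWAddress
("ethernet <mac>", as in the dhcp LDAP schema), the include line in dhcpd.conf,
and the local command names and paths below."""
import base64, os, re, shutil, subprocess, sys

ATTR_RE = re.compile(r'^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$')
MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$')
BASE_DN, OUT_PATH = 'ou=dhcp,dc=example,dc=com', '/etc/dhcpd-ldap-hosts.conf'  # assumed

def parse_ldif(text):
    """ldapsearch LDIF -> list of {attr: [values]}: joins folded lines, decodes
    base64 ('::') values, lower-cases attribute names (LDAP ignores their case)."""
    entries = []
    for block in re.split(r'\n\s*\n', re.sub(r'\r?\n ', '', text).strip()):
        entry = {}
        for m in filter(None, map(ATTR_RE.match, block.splitlines())):
            attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == '::':
                value = base64.b64decode(value).decode('utf-8', 'replace')
            entry.setdefault(attr, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def normalize_mac(value):
    """Lower-case aa:bb:cc:dd:ee:ff, or None if the value is not an Ethernet address."""
    v = value.strip().lower().replace('-', ':')
    if v.startswith('ethernet'):
        v = v[len('ethernet'):].strip()
    return v if MAC_RE.match(v) else None

def hosts_from_ldif(text):
    """[(name, mac)] for entries with a cn and a valid MAC; a MAC registered twice
    keeps its first entry so each address yields exactly one host statement."""
    seen, hosts = set(), []
    for entry in parse_ldif(text):
        if not entry.get('cn'):
            continue
        for raw in entry.get('dhcphwaddress', []):
            mac = normalize_mac(raw)
            if mac and mac not in seen:
                seen.add(mac)
                hosts.append((entry['cn'][0], mac))
    return hosts

def render_dhcpd_hosts(hosts):
    """One host statement per MAC. The name comes from the directory, so it is
    restricted to [A-Za-z0-9_-] and made unique: a cn like 'x; option routers
    10.0.0.1 }' would otherwise be spliced into dhcpd.conf as directives."""
    used, out = {}, []
    for name, mac in hosts:
        safe = re.sub(r'[^A-Za-z0-9_-]', '_', name) or 'host'
        used[safe] = used.get(safe, 0) + 1
        if used[safe] > 1:
            safe = f'{safe}_{used[safe]}'
        out.append(f'host {safe} {{ hardware ethernet {mac}; }}')
    return '\n'.join(out) + '\n'

def main(argv):
    """Cron entry point: ldapsearch -> render -> dhcpd -t -> restart (ISC dhcpd
    does not re-read its config on SIGHUP). --demo only renders the sample."""
    if '--demo' in argv:
        sys.stdout.write(render_dhcpd_hosts(hosts_from_ldif(SAMPLE_LDIF)))
        return 0
    ldif = subprocess.run(['ldapsearch', '-x', '-LLL', '-b', BASE_DN, '(objectClass=dhcpHost)',
                           'cn', 'dhcpHWAddress'], check=True, capture_output=True, text=True).stdout
    rendered = render_dhcpd_hosts(hosts_from_ldif(ldif))
    if os.path.exists(OUT_PATH):
        with open(OUT_PATH) as f:
            if f.read() == rendered:
                return 0                        # unchanged: don't bounce dhcpd
        shutil.copy2(OUT_PATH, OUT_PATH + '.bak')
    with open(OUT_PATH + '.tmp', 'w') as f:
        f.write(rendered)
    os.replace(OUT_PATH + '.tmp', OUT_PATH)
    if subprocess.run(['dhcpd', '-t']).returncode != 0:    # syntax-check the whole config
        if os.path.exists(OUT_PATH + '.bak'):
            os.replace(OUT_PATH + '.bak', OUT_PATH)        # keep the previous allow-list
        return 1
    subprocess.run(['service', 'dhcpd', 'restart'], check=True)
    return 0

# Constructed sample ldapsearch output for --demo (not real data).
SAMPLE_LDIF = """\
dn: cn=laptop-keith,ou=dhcp,dc=example,dc=com
cn: laptop-keith
dhcpHWAddress: ethernet 00:11:22:33:44:55

dn: cn=Jane Doe,ou=dhcp,dc=example,dc=com
cn:: SmFuZSBEb2U=
dhcpHWAddress: ethernet AA-BB-CC-DD-EE-FF

dn: cn=evil,ou=dhcp,dc=example,dc=com
cn: evil; option routers 10.0.0.1 }
dhcpHWAddress: ethernet 02:00:00:00:00:01
"""

if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))
```

Run it with --demo to see the three statements rendered from the constructed sample (note the sanitized name of the third one); from cron every 15 minutes it would be something like "*/15 * * * * /usr/local/sbin/dhcp-ldap-sync.py" (path assumed), with dhcpd.conf carrying include "/etc/dhcpd-ldap-hosts.conf"; so that the generated host statements are read at startup.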