MMC installation

Cédric Delfosse

Jean-Philippe Braun

Revision History
Revision $Revision: 6668 $ $Date: 2010-04-22 09:38:45 +0200 (jeu. 22 avril 2010) $ $Author: cdelfosse $

Abstract

How to install the MMC (Mandriva Management Console) on a Linux distribution


Table of Contents

1. Introduction
2. MDS packages
2.1. Packages naming conventions
2.2. Mandriva users are lucky
2.3. Debian packages
3. LDAP server configuration
3.1. OpenLDAP configuration on Mandriva
3.2. OpenLDAP configuration on Debian based distributions
3.3. OpenLDAP configuration on other distributions
4. MMC agent and plugins installation and configuration
4.1. Pre-requisite for installation
4.2. Installation from source tarball
4.3. MMC agent and Python plugins inter-dependencies
4.4. MMC agent configuration
4.5. MMC « base » plugin configuration
4.6. MMC « ppolicy » plugin configuration
4.7. MMC « SAMBA » plugin configuration
4.8. MMC « mail » plugin configuration
4.9. MMC « network » plugin configuration
4.10. Using MMC agent
4.11. How to disable a plugin
5. MMC web interface installation
5.1. Prerequisite
5.2. Description of all the MMC web modules
5.3. MMC web modules and MMC Python plugins inter-dependencies
5.4. Web interface configuration
5.5. Administrator login to the MMC web interface
5.6. About firewalling
5.7. About SE Linux
6. MMC audit framework configuration
7. MMC Password Policy configuration
7.1. Password Policy checker module
7.2. The mmc-password-helper tool
7.3. Using password policies with SAMBA
8. MDS SAMBA configuration
8.1. LDAP directory configuration
8.2. SAMBA configuration
8.3. Populating the LDAP directory for SAMBA
8.4. NSS LDAP configuration
8.5. MMC base plugin configuration for SAMBA
8.6. User password expiration
8.7. Giving privileges to SAMBA users and groups
8.8. About SE Linux
9. MDS mail service configuration
9.1. LDAP directory configuration
9.2. Postfix/LDAP configuration
9.3. NSS LDAP configuration
10. MDS network plugin configuration for integrated DNS/DHCP
10.1. Introduction
10.2. Debian packages for patched versions of BIND
10.3. DNS service configuration (ISC BIND)
10.4. DHCP service configuration (ISC DHCP)
10.5. LDAP Schemas
10.6. MMC network plugin initialization
10.7. DHCP failover configuration

1. Introduction

The MMC (Mandriva Management Console) is made of two parts:

  • An agent running on the machine to manage. We call it « MMC agent ». The agent exposes several plugins over the network that allow the machine to be managed. Of course, there can be multiple agents running on the network. The agent and its plugins are written in Python.

  • A web interface, that talks to the agent(s) using XML-RPC. The interface is written in PHP4, and uses the scriptaculous framework to provide an AJAX experience.

In this document, we will first explain how to install and configure the MMC agent and its plugins, and then how to install the web interface.

These installation instructions are generic: they should work on most Linux distributions.

If you have any installation issues, please use the MDS users mailing list.

2. MDS packages

2.1. Packages naming conventions

Here are the package naming conventions:

  • mmc-agent: the MMC agent package

  • python-mmc-PLUGIN: MMC agent plugin

  • mmc-web-PLUGIN: web interface plugin

[Note] Sample configuration files

All MMC related sample configuration files are available in the python-mmc-base package, in directory /usr/share/doc/python-mmc-base/contrib/. You will find there OpenLDAP, SAMBA and Postfix configuration files and also OpenLDAP schemas.

2.2. Mandriva users are lucky

... because Mandriva RPM packages for the MDS and the MMC are available.

Packages for Mandriva 2010.0, 2010.2 and Cooker are available on Mandriva official repositories. You will find an official mirror using the Mandriva mirror finder module. You can also add the repositories with the following command:

    urpmi.addmedia --distrib --mirrorlist '$MIRRORLIST'

To install the MDS base packages, just type:

    # urpmi mmc-agent mmc-web-base python-mmc-base

If you want to install all MDS packages (all plugins), run:

    # urpmi task-mds

2.3. Debian packages

For Debian Lenny, add this in your sources.list:

  deb http://mds.mandriva.org/pub/mds/debian lenny main

For Debian Squeeze:

  deb http://mds.mandriva.org/pub/mds/debian squeeze main

To install all the MDS related packages, just type:

  # apt-get update
  # apt-get install mmc-agent \
  mmc-web-base mmc-web-mail mmc-web-network mmc-web-proxy mmc-web-samba \
  mmc-web-sshlpk mmc-web-ppolicy mmc-web-userquota mmc-web-bulkimport \
  python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba \
  python-mmc-sshlpk python-mmc-ppolicy python-mmc-userquota python-mmc-bulkimport

3. LDAP server configuration

Since version 1.1.2, the MMC supports both OpenLDAP and Fedora Directory Server.

One LDAP schema called MMC schema is mandatory. This schema and others are available in the mmc-agent tarball, in the directory /usr/share/doc/python-mmc-base/contrib/ldap/.

3.1. OpenLDAP configuration on Mandriva

The OpenLDAP configuration can be easily done using the openldap-mandriva-dit package.

  # urpmi openldap-mandriva-dit
  ...
  # /usr/share/openldap/scripts/mandriva-dit-setup.sh
  Please enter your DNS domain name [localdomain]:
  mandriva.com

  Administrator account

  The administrator account for this directory is
  uid=LDAP Admin,ou=System Accounts,dc=mandriva,dc=com

  Please choose a password for this account:
  New password:[type password]
  Re-enter new password:[type password]


  Summary
  =======

  Domain:        mandriva.com
  LDAP suffix:   dc=mandriva,dc=com
  Administrator: uid=LDAP Admin,ou=System Accounts,dc=mandriva,dc=com

  Confirm? (Y/n)
  Y
  config file testing succeeded
  Stopping ldap service
  Finished, starting ldap service
  Running /usr/bin/db_recover on /var/lib/ldap
  remove /var/lib/ldap/alock
  Starting slapd (ldap + ldaps): [  OK  ]

And you're done, the LDAP directory has been populated and the LDAP service has been started.

Some tweaks need to be made to the LDAP configuration so that the LDAP service suits the MDS.

First, copy the MMC LDAP schema you need to the LDAP schemas directory.

  # cp /usr/share/doc/python-mmc-base/contrib/ldap/mmc.schema /etc/openldap/schema/

Then, add this line to the file /etc/openldap/schema/local.schema:

  include /etc/openldap/schema/mmc.schema

Then, to avoid LDAP schema conflicts, comment or remove these lines at the beginning of the file /etc/openldap/slapd.conf:

  #include /usr/share/openldap/schema/misc.schema
  #include /usr/share/openldap/schema/kolab.schema
  #include /usr/share/openldap/schema/dnszone.schema
  #include /usr/share/openldap/schema/dhcp.schema

Last, comment or remove these lines at the end of the file /etc/openldap/mandriva-dit-access.conf:

  #access to dn.one="ou=People,dc=mandriva,dc=com"
  #        attrs=@inetLocalMailRecipient,mail
  #        by group.exact="cn=MTA Admins,ou=System Groups,dc=mandriva,dc=com" write
  #        by * read

To check that the LDAP service configuration is right, run slaptest:

  # slaptest
  config file testing succeeded

Now you can restart the LDAP service:

  # service ldap restart
  Checking config file /etc/openldap/slapd.conf: [  OK  ]
  Stopping slapd:                                [  OK  ]
  Starting slapd (ldap + ldaps):                 [  OK  ]

3.2. OpenLDAP configuration on Debian based distributions

When installing the slapd package, debconf allows you to configure the root DN of your LDAP directory, set the LDAP manager password and populate the directory. By default debconf will not ask you to configure the root DN; run dpkg-reconfigure for this. If you choose "mandriva.com" as your domain, the LDAP DN suffix will be "dc=mandriva,dc=com".

  # dpkg-reconfigure slapd

After that you only need to include the mmc.schema in the slapd configuration and you are done.

[Note] Debian lenny

Get the file mmc.schema from /usr/share/doc/python-mmc-base/contrib/ldap, and copy it to /etc/ldap/schema/. Include this schema in the OpenLDAP configuration, in /etc/ldap/slapd.conf (the include path must match the directory you copied the file to):

  include /etc/ldap/schema/mmc.schema

This schema must be included after the inetorgperson.schema file.

[Note] Debian Squeeze

Debian Squeeze's OpenLDAP uses its own database for storing its configuration, so there is no slapd.conf any more.

You can use the mmc-add-schema script to load a new schema into the OpenLDAP configuration database:

  # apt-get install ldap-utils
  # mmc-add-schema /usr/share/doc/python-mmc-base/contrib/ldap/mmc.schema /etc/ldap/schema/

You can also write a regular slapd.conf file like before, and issue the following commands to convert the file to the new format:

  # /etc/init.d/slapd stop
  # rm -rf /etc/ldap/slapd.d/*
  # slaptest -f /path/to/slapd.conf -F /etc/ldap/slapd.d
  # chown -R openldap.openldap /etc/ldap/slapd.d
  # /etc/init.d/slapd start

3.3. OpenLDAP configuration on other distributions

[Note] OpenLDAP example configuration

You will find an example of OpenLDAP configuration in the directory agent/contrib/ldap/ of the mmc-core tarball.

[Note] Already existing directory

If you already have an OpenLDAP directory, all you need to do is to include the mmc.schema file.

Get the file mmc.schema from the /usr/share/doc/python-mmc-base/contrib/ldap directory, and copy it to /etc/openldap/schema/ (or maybe /etc/ldap/schema/).

Include this schema in the OpenLDAP configuration, in /etc/ldap/slapd.conf (or maybe /etc/openldap/slapd.conf):

  include /etc/openldap/schema/mmc.schema

This schema must be included after the inetorgperson.schema file.

In the OpenLDAP configuration file, we also define the LDAP DN suffix, the LDAP manager (rootdn) and its password (rootpw):

  suffix          "dc=mandriva,dc=com"
  rootdn          "cn=admin,dc=mandriva,dc=com"
  rootpw          {SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8

The SSHA password is computed using the slappasswd command:

  # slappasswd -s secret
  {SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8

Once the OpenLDAP server is configured, the base LDAP directory architecture must be created. Create a file called /tmp/ldap-init.ldif containing:

  dn: dc=mandriva,dc=com
  objectClass: top
  objectClass: dcObject
  objectClass: organization
  dc: mandriva
  o: mandriva

  dn: cn=admin,dc=mandriva,dc=com
  objectClass: simpleSecurityObject
  objectClass: organizationalRole
  cn: admin
  description: LDAP Administrator
  userPassword: {SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8

The userPassword field must be filled with the output of the slappasswd command, including the {SSHA} prefix (without the prefix, OpenLDAP stores the value as a cleartext password). Now we inject the LDIF file into the directory:

  # /etc/init.d/ldap stop
  # slapadd -l /tmp/ldap-init.ldif
  # chown -R ldap.ldap /var/lib/ldap (use the openldap user for your distribution)
  # /etc/init.d/ldap start
        
[Note] LDAP suffix

In this example, the LDAP suffix is dc=mandriva,dc=com. Of course, you can choose another suffix.

[Note] Changing the OpenLDAP manager password

You can't change this password using the MMC interface. You must use this command line:

  $ ldappasswd -s NewPassword -D "cn=admin,dc=mandriva,dc=com" -w OldPassword -x cn=admin,dc=mandriva,dc=com

4. MMC agent and plugins installation and configuration

4.1. Pre-requisite for installation

This part is written in Python, and uses lots of third party tools.

In this table, we give the needed packages for each distribution and each MMC component.

If you have information for other distributions, contributions are welcome :)

  Vendor / MMC component   MMC agent        Python base plugin   Python samba plugin   Python mail plugin                 Python proxy plugin
  Mandriva 2006            python-twisted   python-ldap          pylibacl samba        python-psycopg                     squid squidguard
  CentOS 4.3               python-twisted   python-ldap          python-libacl samba   python-psycopg postgresql-python   squid squidguard

[Note] CentOS DAG repository

For some packages, you will need to add the DAG repository to yum. Create a file named /etc/yum.repos.d/DAG.repo containing:

  # DAG Repository for RedHat Enterprise 4 / CentOS 4
  [dag]
  name=DAG Repository
  baseurl = http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
  gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
  gpgcheck=1
  enabled=0

4.2. Installation from source tarball

Get the current tarballs at these URLs: ftp://mds.mandriva.org/pub/mmc-core/sources/current/, ftp://mds.mandriva.org/pub/mds/sources/current/

  # tar xzvf mmc-core-x.y.z.tar.gz
  # cd mmc-core-x.y.z
  # ./configure --sysconfdir=/etc --localstatedir=/var
  # make
  # make install
  # tar xzvf mds-x.y.z.tar.gz
  # cd mds-x.y.z
  # ./configure --sysconfdir=/etc --localstatedir=/var
  # make
  # make install

The default $PREFIX for installation is /usr/local. You can change it on the ./configure line by adding the option --prefix=/usr for example. Here is how the files are installed:

  • $PREFIX/sbin/mmc-agent: the MMC agent

  • $PREFIX/lib/mmc/: helpers for some MMC plugins

  • /etc/mmc/: all MMC configuration files. These are sample files you will need to edit.

  • /etc/init.d/mmc-agent: MMC agent init script

  • $PREFIX/lib/pythonX.Y/site-packages/mmc: MMC Python libraries and plugins.

  • $PREFIX/lib/pythonX.Y/site-packages/mmc/plugins/: MMC Python plugins

  • $PREFIX/share/mmc/: all MMC web interface related files (PHP, images, ...)

  • $PREFIX/share/mmc/modules/: MMC web interface plugins

  • /etc/mmc/mmc.ini: MMC web configuration file

4.3. MMC agent and Python plugins inter-dependencies

When the MMC agent starts, it looks for all the installed plugins, and tries to activate them. Each plugin has a self-test function to check if it can be activated or not. For example, if the « base » plugin can't contact the LDAP, it won't be activated. If the SAMBA schema is not available in the LDAP, the « samba » plugin won't start.

The MMC agent always tries to enable the plugin « base » first. The MMC agent won't start if the plugin « base » can't be activated.

4.4. MMC agent configuration

You can find a full description of the MMC agent configuration file there.

With the default configuration file we provide (/etc/mmc/agent/config.ini), the MMC agent listens locally for incoming XMLRPC over HTTPS connections on port 7080.

4.5. MMC « base » plugin configuration

You can find a full description of the MMC base plugin configuration file there.

The main part of the configuration (/etc/mmc/plugins/base.ini) is to set the LDAP server to connect to, and the credentials to use to write into the LDAP.

The « defaultUserGroup » option must be set to an existing group in the LDAP. You will have to create it using the MMC web interface if this group does not exist.

To configure the MMC audit framework, see Section 6, “MMC audit framework configuration”.

4.6. MMC « ppolicy » plugin configuration

You can find a full description of the MMC ppolicy plugin configuration file there.

The only thing you'll have to modify in the configuration file is the "ppolicyDN" option. The OU parent must be an existing DN. If the OU or the default password policy object doesn't exist, the MMC agent will create them when it starts.

See Section 7, “MMC Password Policy configuration” to know how you must configure your LDAP directory for password policy support.

4.7. MMC « SAMBA » plugin configuration

You can find a full description of the MMC SAMBA plugin configuration file there.

You shouldn't need to edit the configuration file (/etc/mmc/plugins/samba.ini). This plugin won't be activated if your LDAP directory does not include the SAMBA schema and the well-known RIDs. See Section 8, “MDS SAMBA configuration”.

ACLs must be enabled on your filesystem. The SAMBA plugin needs them to set the ACLs when creating shares, so that SAMBA can map NTFS ACLs to POSIX ACLs.

If you use XFS, ACLs are enabled by default. For ext3, you need to enable ACLs in /etc/fstab.

4.8. MMC « mail » plugin configuration

You can find a full description of the MMC mail plugin configuration file there.

This plugin won't be activated if your LDAP directory does not include a special mail schema. See Section 9, “MDS mail service configuration”.

4.9. MMC « network » plugin configuration

You can find a full description of the MMC network plugin configuration file there.

This plugin won't be activated if your LDAP directory does not include special schemas. See Section 10, “MDS network plugin configuration for integrated DNS/DHCP”.

4.10. Using MMC agent

To start and stop the MMC agent, use the /etc/init.d/mmc-agent script:

  # /etc/init.d/mmc-agent stop
  # /etc/init.d/mmc-agent start
      

The MMC agent must be started to use the MMC web interface.

When the MMC agent is started, all startup log messages are written to stderr and /var/log/mmc/mmc-agent.log.

Here is what is written (for example) if there is no error:

  # /etc/init.d/mmc-agent start
  Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
  Plugin base loaded, API version: 4:0:0 build(82)
  Plugin mail loaded, API version: 3:0:1 build(78)
  Plugin samba loaded, API version: 3:0:2 build(78)
  Plugin proxy loaded, API version: 1:0:0 build(78)
  Daemon PID 13943
  done.
      

If there is an error:

  # /etc/init.d/mmc-agent start
  Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
  Can't bind to LDAP: invalid credentials.
  Plugin base not loaded.
  MMC agent can't run without the base plugin. Exiting.
  failed.
      

The base plugin can't bind to LDAP, because the credentials we used to connect to the LDAP server are wrong. As the base plugin must be activated to use the MMC agent, the MMC agent exits.

  # /etc/init.d/mmc-agent start
  Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
  Plugin base loaded, API version: 4:0:0 build(82)
  Plugin mail loaded, API version: 3:0:1 build(78)
  Samba schema are not included in LDAP directory
  Plugin samba not loaded.
  Plugin proxy loaded, API version: 1:0:0 build(78)
  Daemon PID 14010
  done.
      

In this example, the SAMBA schema has not been detected in the LDAP directory, so the SAMBA plugin is not started. But this plugin is not mandatory, so the MMC agent doesn't exit.
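The startup messages above are the only feedback the init script gives, so on a machine with many plugins it is worth checking them mechanically. The following Python 3 script is an added example, not part of the MMC agent or its tools: it parses the message format shown in the three transcripts (the « Plugin X loaded » / « Plugin X not loaded. » lines, the « Daemon PID » line and the final « done. » / « failed. » word), keeps the line printed just before a « not loaded » message as that plugin's reason, and reports which of a required set of plugins did not come up. The sample transcripts embedded in the script are copied from the examples above (prompt line omitted); the function names and the required-plugin set are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Message formats as printed by /etc/init.d/mmc-agent start in the transcripts above.
LOADED_RE = re.compile(r"^Plugin (\w+) loaded, API version: (\S+) build\((\d+)\)$")
NOT_LOADED_RE = re.compile(r"^Plugin (\w+) not loaded\.$")
PID_RE = re.compile(r"^Daemon PID (\d+)$")

# Constructed samples, copied from the transcripts above (prompt line omitted).
SAMPLE_OK = """\
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Plugin base loaded, API version: 4:0:0 build(82)
Plugin mail loaded, API version: 3:0:1 build(78)
Samba schema are not included in LDAP directory
Plugin samba not loaded.
Plugin proxy loaded, API version: 1:0:0 build(78)
Daemon PID 14010
done.
""".splitlines()

SAMPLE_FAILED = """\
Starting Mandriva Management Console XML-RPC Agent: mmc-agent starting...
Can't bind to LDAP: invalid credentials.
Plugin base not loaded.
MMC agent can't run without the base plugin. Exiting.
failed.
""".splitlines()


@dataclass
class AgentStart:
    loaded: Dict[str, str] = field(default_factory=dict)   # plugin -> API version
    skipped: Dict[str, str] = field(default_factory=dict)  # plugin -> reason printed
    pid: Optional[int] = None
    started: bool = False


def parse_agent_start(lines: Iterable[str]) -> AgentStart:
    """Turn the init script output into a structured summary."""
    result = AgentStart()
    reason: Optional[str] = None   # last free-form line, explains the next "not loaded"
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("Starting "):
            continue
        m = LOADED_RE.match(line)
        if m:
            result.loaded[m.group(1)] = m.group(2)
            reason = None
            continue
        m = NOT_LOADED_RE.match(line)
        if m:
            result.skipped[m.group(1)] = reason or "no reason printed"
            reason = None
            continue
        m = PID_RE.match(line)
        if m:
            result.pid = int(m.group(1))
            continue
        if line == "done.":
            result.started = True
        elif line == "failed.":
            result.started = False
        elif not line.startswith("MMC agent can't run"):
            reason = line   # e.g. "Can't bind to LDAP: invalid credentials."
    return result


def missing_plugins(summary: AgentStart, required: Iterable[str]) -> Dict[str, str]:
    """Required plugins that did not load, with the reason the agent printed."""
    return {
        name: summary.skipped.get(name, "no message for this plugin")
        for name in required
        if name not in summary.loaded
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAILED):
        summary = parse_agent_start(sample)
        print("started:", summary.started, "pid:", summary.pid)
        print("missing:", missing_plugins(summary, ("base", "samba", "mail")))
```

Feeding it the contents of /var/log/mmc/mmc-agent.log instead of the embedded samples gives the same summary, since the startup messages are written there too.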

4.11. How to disable a plugin

In the .ini file corresponding to the plugin, set « disable = 1 » in the main section.

5. MMC web interface installation

5.1. Prerequisite

The MMC web interface is written in PHP4. Basically, you just need to install an Apache2 server with PHP4 (or PHP5) support.

The XML-RPC module of PHP is needed too.

5.2. Description of all the MMC web modules

The mmc-web-base package contains:

  • the base infrastructure used by all the other MMC web modules

  • the MMC login page

  • the users and groups management pages

The other MMC web modules available are:

  • mmc-web-samba: SAMBA users, groups and computers management, shares management

  • mmc-web-mail: mail delivery and mail virtual domains management (with Zarafa support)

  • mmc-web-proxy: blacklist management for squidGuard

  • mmc-web-network: DNS/DHCP management

  • mmc-web-ppolicy: Password policies management

  • mmc-web-userquota: Filesystem and network quotas management

  • mmc-web-bulkimport: User mass import from CSV files

All these modules depend on the mmc-web-base module. They won't work if the mmc-web-base module is not installed.

5.3. MMC web modules and MMC Python plugins inter-dependencies

An MMC web module won't show in the web interface if the corresponding Python plugin is not loaded by the contacted MMC agent.

For example, suppose you installed the SAMBA web module, but the SAMBA Python plugin of the MMC agent the web interface is connected to has not been activated. This will be detected, and the SAMBA management module of the web interface will automatically not be displayed.

5.4. Web interface configuration

You can find a full documentation of the /etc/mmc/mmc.ini file there.

What you need to change in this file is:

  • « login » and « password »: these are the credentials to connect to the MMC agents on your network (the same credentials as in /etc/mmc/agent/config.ini)

  • « url » option of the [server_x]: the URL to connect to the MMC agent.

To connect to the MMC web interface using a URL like http://IP/mmc, we add an alias to Apache2:

  # cp /etc/mmc/apache/mmc.conf /etc/httpd/conf.d/mmc.conf
      

Then don't forget to reload the Apache service.

Now you should be able to see the MMC login screen at this URL: http://IP/mmc

[Note] PHP configuration notes

The directive magic_quotes_gpc must be enabled in the Apache PHP configuration, either in the global PHP configuration file or in the mmc.conf file with this line:

    php_flag magic_quotes_gpc on
  

The MMC web interface is not compatible with php-eaccelerator. Please uninstall it, otherwise you won't be able to connect to the MMC.

5.5. Administrator login to the MMC web interface

You can always login to the MMC web interface using the login « root » with the LDAP administrator password.

After you have installed the MMC, this is the only user you can use to log in, because the LDAP directory contains no user entries yet.

5.6. About firewalling

The MMC web interface communicates with the MMC agent using TCP port 7080 (default configuration). Please check that your firewall configuration doesn't block this port.

5.7. About SE Linux

The MMC web interface opens a socket to communicate with the MMC agent using XML-RPC.

On SE Linux enabled systems (e.g. Fedora Core 6), the default policy does not allow Apache to open sockets.

So you need to fix or disable your SE Linux configuration to make it work.

6. MMC audit framework configuration

The MMC audit framework records all user operations made through the MMC agent, and therefore through the MMC web interface. All these operations are logged: LDAP modifications, all filesystem related modifications, and service management (stop, start, ...)

The Python SQLAlchemy library version 0.5.x/0.6.x is required for the audit framework. The Python / MySQL bindings are also needed.

The audit framework is configured in the base.ini configuration file, and is disabled by default. To enable it, uncomment the audit section. It should look like:

  [audit]
  method = database
  dbhost = 127.0.0.1
  port = 3306
  dbdriver = mysql
  dbuser = audit
  dbpassword = audit
  dbname = audit
    

The mmc-helper tool will allow you to create the database and to populate it with the audit tables easily.

To create the MySQL database:

  # mmc-helper audit create
  -- Execute the following lines into the MySQL client
  CREATE DATABASE audit DEFAULT CHARSET utf8;
  GRANT ALL PRIVILEGES ON audit.* TO 'audit'@localhost IDENTIFIED BY
  'audit';
  FLUSH PRIVILEGES;
    

Just execute the printed SQL statements in a MySQL client and the database will be created. Note that base.ini is read to set the audit database name, user and password in the SQL statements.

On most Linux distributions, the "root" user has administrative access to the local MySQL server. So this one liner will often be enough:

  # mmc-helper audit create | mysql
    

Once created, the audit database tables must be initialized with this command:

  # mmc-helper audit init
  INFO:root:Creating audit tables as requested
  INFO:root:Using database schema version 2
  INFO:root:Done
    

At the next start, the MMC agent will connect to the audit database and record operations.
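As an added example (not part of the guide, and not the code of mmc-helper), this Python 3 script shows what the two helper commands rely on: it reads the [audit] section of base.ini with configparser, derives from dbname, dbuser and dbpassword the same three SQL statements printed above, and flags settings an administrator should change before enabling the framework, in particular the sample password « audit », which would otherwise be all that protects the audit records the agent writes. The embedded base.ini text is constructed for the example; the function names are this example's own, and the real helper may be implemented differently.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample of /etc/mmc/plugins/base.ini with the [audit] section
# uncommented, as shown above. Not a real file from a deployment.
SAMPLE_BASE_INI = """
[main]
disable = 0

[audit]
method = database
dbhost = 127.0.0.1
port = 3306
dbdriver = mysql
dbuser = audit
dbpassword = audit
dbname = audit
"""


def read_audit_section(ini_text: str) -> Dict[str, str]:
    """Return the [audit] options, or fail if the section is still commented out."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section("audit"):
        raise ValueError("no [audit] section: the audit framework is disabled")
    return dict(parser.items("audit"))


def _sql_string(value: str) -> str:
    """Quote a value as a MySQL string literal (doubling quotes, escaping backslashes)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def audit_create_sql(audit: Dict[str, str]) -> List[str]:
    """Statements equivalent to the `mmc-helper audit create` output above.

    The grant is made to 'user'@localhost, as in the printed output, since the
    agent and MySQL normally run on the same host. The database name is used
    as a bare identifier, so it is restricted to a safe character set.
    """
    name, user, password = audit["dbname"], audit["dbuser"], audit["dbpassword"]
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError("dbname must be a plain identifier: %r" % name)
    return [
        "CREATE DATABASE %s DEFAULT CHARSET utf8;" % name,
        "GRANT ALL PRIVILEGES ON %s.* TO %s@localhost IDENTIFIED BY %s;"
        % (name, _sql_string(user), _sql_string(password)),
        "FLUSH PRIVILEGES;",
    ]


def audit_config_warnings(audit: Dict[str, str]) -> List[str]:
    """Points an administrator should fix before enabling the audit database."""
    warnings = []
    if audit.get("method") != "database":
        warnings.append("method is not 'database': audit records will not go to MySQL")
    if audit.get("dbpassword", "") in ("", "audit", audit.get("dbuser")):
        warnings.append("dbpassword is empty or the sample value: set a dedicated password")
    if audit.get("dbhost") not in ("127.0.0.1", "localhost"):
        warnings.append("dbhost is remote: the grant to @localhost will not match, and "
                        "audit records cross the network")
    return warnings


if __name__ == "__main__":
    audit = read_audit_section(SAMPLE_BASE_INI)
    print("-- Execute the following lines into the MySQL client")
    print("\n".join(audit_create_sql(audit)))
    for warning in audit_config_warnings(audit):
        print("WARNING:", warning)
```

With the sample section the script prints the same statements as the guide, plus a warning that the password is the sample value; after changing dbpassword in base.ini the warning disappears and the GRANT carries the new password.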

7. MMC Password Policy configuration

On Mandriva, if you used the mandriva-dit setup scripts, the Password Policy configuration is already done. If not, here are some instructions:

You must add this to your OpenLDAP slapd.conf configuration file:

  # Include password policy schema
  include /path/to/openldap/schema/ppolicy.schema

  ...
  # Load the ppolicy module
  moduleload  ppolicy.la

  ...
  # Add the overlay ppolicy to your OpenLDAP database
  database  bdb
  suffix    "dc=mandriva,dc=com"
  ...
  overlay ppolicy
  ppolicy_default "cn=default,ou=Password Policies,dc=mandriva,dc=com"
    

Beware that the ppolicy_default value must match the options "ppolicyDN" and "ppolicyDefault" you set into the ppolicy.ini file.

7.1. Password Policy checker module

This module has only been built and tested on Mandriva and Debian. It is installed as /usr/lib/openldap/mmc-check-password.so.

If password quality checking is enabled on the password policy, OpenLDAP calls this module to check password quality when a user password is changed using the LDAP Password Modify Extended operation. MDS will change user passwords with this operation if you set "passwordscheme = passmod" in the base.ini configuration file.

To check a password, mmc-check-password.so will launch the command /usr/bin/mmc-password-helper. The password will pass the quality checks if it contains at least one number, one upper case character, one lower case character and one special character (like #, $, etc.). The password must not contain the same character twice. If python-cracklib is available, a cracklib check is also done.

7.2. The mmc-password-helper tool

This tool allows you to check a password from the command line. For example:

  % echo foo | mmc-password-helper -c
  % echo $?
  1
  # Exit code is set to 1 if the password fails quality checks, else 0
  # Use -v for more
  % echo foo | mmc-password-helper -c -v
  the password must be 8 or longer
  % echo $?
  1

The tool also generates good passwords:

  % mmc-password-helper -n
  1NjY0MD:
  # Use -l to change the length (default is 8)
  % mmc-password-helper -n -l 12
  2ND=3OTcwMjY
  % mmc-password-helper -n | mmc-password-helper -c
  % echo $?
  0
  # Generated password will always succeed quality checks :)
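As an added example covering both the checker module and the helper tool (it is not the code of mmc-check-password.so or mmc-password-helper, and is Python 3), the following script implements the quality rules described above: minimum length 8, at least one digit, one upper case, one lower case and one special character, and no character used twice. It also generates passwords the way « -n » and « -l » do, drawing from the secrets module so that every generated password passes the checks. The first error message is the one the tool prints with -v; the other messages, the set of special characters used by the generator and the function names are this example's own, and the optional cracklib check is not reproduced.

```python
import secrets
import string
from typing import List

MIN_LENGTH = 8
# Special characters the generator draws from (this example's own choice; the
# checker accepts any punctuation character, like the "#, $, etc." in the text).
SPECIALS = "#$%&*+-./:;=?@_"
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase + SPECIALS


def password_problems(password: str) -> List[str]:
    """Return the quality rules a password violates (empty list = accepted).

    Rules are those described for mmc-check-password.so; the first message is
    the one mmc-password-helper -v prints, the others are this example's
    wording. The optional cracklib check is not reproduced here.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("the password must be 8 or longer")
    if not any(c.isdigit() for c in password):
        problems.append("the password must contain at least one number")
    if not any(c.isupper() for c in password):
        problems.append("the password must contain at least one upper case character")
    if not any(c.islower() for c in password):
        problems.append("the password must contain at least one lower case character")
    if not any(c in string.punctuation for c in password):
        problems.append("the password must contain at least one special character")
    if len(set(password)) != len(password):
        problems.append("the password must not contain the same character twice")
    return problems


def check_password(password: str) -> int:
    """Exit status in the style of `mmc-password-helper -c`: 0 = ok, 1 = rejected."""
    return 0 if not password_problems(password) else 1


def generate_password(length: int = MIN_LENGTH) -> str:
    """Generate a password satisfying every rule, like `mmc-password-helper -n -l N`.

    One character is drawn from each required class and the rest from the
    whole alphabet, never reusing a character; the result is shuffled with
    the `secrets` CSPRNG so the class characters do not sit at fixed positions.
    """
    if length < MIN_LENGTH or length > len(ALPHABET):
        raise ValueError("length must be between %d and %d" % (MIN_LENGTH, len(ALPHABET)))
    chosen = [secrets.choice(cls) for cls in
              (string.digits, string.ascii_uppercase, string.ascii_lowercase, SPECIALS)]
    pool = [c for c in ALPHABET if c not in chosen]
    while len(chosen) < length:
        c = secrets.choice(pool)
        pool.remove(c)          # a character may appear only once
        chosen.append(c)
    for i in range(len(chosen) - 1, 0, -1):       # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        chosen[i], chosen[j] = chosen[j], chosen[i]
    return "".join(chosen)


if __name__ == "__main__":
    for candidate in ("foo", "1NjY0MD:", generate_password(12)):
        print(candidate, check_password(candidate), password_problems(candidate))
```

The two sample passwords printed by « -n » above (1NjY0MD: and 2ND=3OTcwMjY) satisfy every rule of this checker; « foo » fails on length and on three of the character classes, which is why a single « -v » line is not the whole story.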

7.3. Using password policies with SAMBA

If the samba module is installed you can benefit from the LDAP password policies when a user changes his password from any Windows machine in the domain or via the MMC web interface.

Since SAMBA can't handle multiple password policies, the MMC won't set any SAMBA password policies in the SAMBA domain LDAP entry. But when SAMBA tries to change the user password in the LDAP, the standard LDAP password policies apply.

The OpenLDAP password policies apply when the user password is changed with the "passmod" LDAP operation and when the user running the "passmod" is not the OpenLDAP rootdn.

If the MMC is bound to OpenLDAP with the rootdn as the administrator, you will be able to change passwords from the MMC interface without any password policy checks. However, the password policy is applied on the "change user password" page for normal users.

[Note] Password synchronization

Usually the password synchronisation between the SAMBA password and the LDAP password is done by SAMBA itself. When a user changes his password, SAMBA updates the sambaNTPassword attribute and runs the "passmod" LDAP operation to change the userPassword attribute. This synchronization is done when ldap sync password = yes is set in the SAMBA configuration. The problem with this method is that if the password does not pass the password policy check, the SAMBA password will be updated (as it is not changed by a "passmod" operation) but the userPassword attribute won't, so the two passwords diverge.

The second method to synchronize the password is to set ldap sync password = only in SAMBA configuration. In this case, SAMBA will only run the "passmod" LDAP operation when the user changes his password and won't update the sambaNTPassword attribute of the user. To update this attribute the OpenLDAP overlay smbk5pwd must be used. This overlay will intercept "passmod" operations and update the SAMBA password automatically.

In conclusion, in order to use LDAP password policies with SAMBA you have to make sure that:

  • SAMBA is not bound to OpenLDAP with the rootdn

  • The password scheme option is set to "passmod" in /etc/mmc/plugins/base.ini

  • You prefer the ldap sync password = only method with the smbk5pwd overlay, to make sure that passwords are always in sync (Shares -> General options -> Expert mode -> LDAP password sync)

The configuration of the smbk5pwd overlay is pretty straightforward. In your slapd.conf just add:

  moduleload    smbk5pwd.la

  [ ... ]

  overlay smbk5pwd
  smbk5pwd-enable samba

  overlay ppolicy
  ppolicy_default "cn=default,ou=Password Policies,dc=mandriva,dc=com"

  [ ... ]
[Note]

The order of the overlays is important. Overlays are called in the reverse order of the one in which they are defined.

8. MDS SAMBA configuration

This section explains how to configure SAMBA with a LDAP directory so that it works with the MMC.

Basically, you need to do a classic SAMBA/LDAP setup, SAMBA running as a PDC.

[Note] Configuration files

A slapd.conf for OpenLDAP and a smb.conf for SAMBA are included into the MMC agent tarball: contrib/ldap/slapd.conf.samba and contrib/samba/smb.conf. Please use these files as templates for your own configuration.

If you aren't familiar with SAMBA/LDAP installation, read the SAMBA LDAP HOWTO. SAMBA LDAP setup is not easy.

8.1. LDAP directory configuration

You need to import the SAMBA schema into the LDAP directory. The schema file is provided in the mmc-core tarball: agent/contrib/ldap/samba.schema. But you can also use the schema provided by the SAMBA project.

8.2. SAMBA configuration

Stop samba before modifying its configuration:

  # /etc/init.d/samba stop
  Or according to your distribution:
  # /etc/init.d/smb stop

In /etc/samba/smb.conf, you need to modify the « workgroup », « ldap admin dn » and « ldap suffix » to suit your configuration.

SAMBA also needs the credentials of the LDAP manager to write into the LDAP:

  # smbpasswd -w secret
  Setting stored password for "cn=admin,dc=mandriva,dc=com" in secrets.tdb
      

Now, SAMBA needs to create the SID for your workgroup:

  # net getlocalsid MANDRIVA
  SID for domain MANDRIVA is: S-1-5-21-128599351-419866736-2079179792
      

Use slapcat to check that the SID has really been recorded into the LDAP. You should find an entry like this:

  # slapcat | grep sambaDomainName
  dn: sambaDomainName=MANDRIVA,dc=mandriva,dc=com
  ...
      

Now you can start SAMBA:

  # /etc/init.d/samba start
      

8.3. Populating the LDAP directory for SAMBA

The LDAP directory needs to be populated so that SAMBA can use it. We use the smbldap-populate command from smbldap-tools.

This command populates the LDAP with the OUs (Organizational Unit), users and groups needed by SAMBA.

An RPM package of smbldap-tools is available there.

Now the smbldap-tools configuration files need to be edited. Put this in /etc/smbldap-tools/smbldap_bind.conf:

  slaveDN="cn=admin,dc=mandriva,dc=com"
  slavePw="secret"
  masterDN="cn=admin,dc=mandriva,dc=com"
  masterPw="secret"
      

smbldap_bind.conf defines how to connect to and write to the LDAP server.

Then edit smbldap.conf and set those fields:

  SID="S-1-5-21-128599351-419866736-2079179792"
  sambaDomain="MANDRIVA"
  ldapTLS="0"
  suffix="dc=mandriva,dc=com"
  sambaUnixIdPooldn="sambaDomainName=MANDRIVA,${suffix}"
  #defaultMaxPasswordAge="45"
  userSmbHome=""
  userProfile=""
  userHomeDrive=""
      

Now the directory can be populated. Type:

  # smbldap-populate -m 512 -a administrator
      

A user called « administrator » will be created, and a prompt will ask you to give its password. Thanks to the « -m 512 » option, this user will belong to the « Domain Admins » group.

8.4. NSS LDAP configuration

SAMBA needs the OS to use the LDAP directory to get user and group lists.

To do this, /etc/nsswitch.conf and /etc/ldap.conf (/etc/libnss-ldap.conf for Debian based distros) must be configured.

Your /etc/nsswitch.conf should look like this:

  passwd:     files ldap
  shadow:     files ldap
  group:      files ldap

  hosts:      files dns

  bootparams: files
  ethers:     files
  netmasks:   files
  networks:   files
  protocols:  files
  rpc:        files
  services:   files
  netgroup:   files
  publickey:  files
  automount:  files
  aliases:    files
      

Your /etc/ldap.conf:

  host 127.0.0.1
  base dc=mandriva,dc=com
      

8.5. MMC base plugin configuration for SAMBA

By default, you will want new users to belong to the « Domain Users » group.

You just need to set the « defaultUserGroup » option to « Domain Users » in /etc/mmc/plugins/base.ini.

8.6. User password expiration

By default, the maximum password age of a SAMBA user is 42 days. After that period the user must change his/her password.

If you don't want passwords to expire, type:

  # pdbedit -P "maximum password age" -C 0
      

If you want to check your current password expiration policy:

  # pdbedit -P "maximum password age"
      

8.7. Giving privileges to SAMBA users and groups

If « enable privileges = yes » is set in your smb.conf, you can give privileges to SAMBA users and groups.

For example, to give members of the "Domain Admins" group the right to join a machine to the domain:

  # net -U administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
  Password:
  Successfully granted rights.
      

Note that you must replace « DOMAIN » with your SAMBA domain name in the command line.

[Note] Users that can give privileges

Only users that belong to the "Domain Admins" group can use the net rpc rights grant command to assign privileges.

8.8. About SE Linux

The default SE Linux configuration may not allow SAMBA to launch the script defined in "add machine script", and so you won't be able to join a machine to the SAMBA domain.

9. MDS mail service configuration

9.1. LDAP directory configuration

You need to import our mail schema into the LDAP directory. The schema file is provided in the mmc-core tarball: agent/contrib/ldap/mail.schema.

Once this schema is imported, you will be able to manage mail delivery attributes from the MMC.

9.2. Postfix/LDAP configuration

Example Postfix configuration files are included in the mds tarball: agent/contrib/postfix/.

We provide two kinds of configuration:

  • no-virtual-domain: the mail domain is fixed by the « mydestination » option in main.cf

  • with-virtual-domains: mail is delivered to all mail domains created with the MMC

9.3. NSS LDAP configuration

NSS LDAP configuration is needed to deliver mail with the right UIDs/GIDs.

See Section 8.4, “NSS LDAP configuration”.

10. MDS network plugin configuration for integrated DNS/DHCP

10.1. Introduction

This plugin stores the following in an LDAP directory:

  • DNS zones declarations and related DNS records as needed for a standard LAN;

  • DHCP server configuration with DHCP subnet, dynamic pool and static host declarations.

The MMC web interface makes it easy to manage the DNS and DHCP services.

The network plugin relies on patched versions of ISC DHCP 3 and ISC BIND 9:

  • ISC BIND: a patch providing an LDAP sdb backend must be applied to your BIND installation. With this patch BIND is able to read DNS zone declarations from an LDAP directory. This patch is available there. The stable release of this patch (version 1.0) works fine.

  • ISC DHCP: the patch on this page allows the DHCP service configuration to be stored in an LDAP directory (instead of /etc/dhcp3/dhcpd.conf).

10.2. Debian packages for patched versions of BIND

We provide Debian Lenny packages for the LDAP patched version of BIND. These packages also work on Squeeze.

Configure your APT repository as in Section 2.3, “Debian packages”, and add the following to /etc/apt/preferences:

  Package: *
  Pin: origin mds.mandriva.org
  Pin-Priority: 1001
      

Then install the packages:

  # apt-get update
  # apt-get install bind9
      

10.3. DNS service configuration (ISC BIND)

When managing the DNS zones, the MMC agent creates files in the BIND configuration directory (located in /etc/bind/). These files must be included in the main BIND configuration file so that the corresponding zones are loaded from the LDAP directory.

All the DNS zones are defined in the file named.conf.ldap. This file must be included in the main BIND configuration file named.conf. Adding this line at the end of BIND named.conf should be sufficient:

  include "/etc/bind/named.conf.ldap";
      

An example named.conf for Debian based systems is available in the directory agent/contrib/bind/ of the mds tarball.

[Note] BIND and OpenLDAP services startup order

On most distributions, BIND is started before OpenLDAP during the boot sequence. With the LDAP backend, BIND is then unable to connect to the LDAP directory and fails to start. You may need to tweak your system boot scripts to fix this.

The following command line should work on Debian based systems:

  # update-rc.d -f slapd remove && update-rc.d slapd start 14 2 3 4 5 . stop 86 0 1 6 .


10.4. DHCP service configuration (ISC DHCP)

The DHCP server needs to know how to load its configuration from LDAP. Here is a typical /etc/dhcp3/dhcpd.conf (/etc/dhcp/dhcpd.conf in Debian Squeeze):

  ldap-server "localhost";
  ldap-port 389;
  ldap-username "cn=admin, dc=mandriva, dc=com";
  ldap-password "secret";
  ldap-base-dn "dc=mandriva, dc=com";
  ldap-method dynamic;
  ldap-debug-file "/var/log/dhcp-ldap-startup.log";

The dhcpd service looks for an LDAP entry named after the machine's hostname. If the entry has a different name, set this in dhcpd.conf:

  ldap-dhcp-server-cn "DHCP_SERVER_NAME";
      

An example dhcpd.conf is available in the directory contrib/dhcpd/ of the mds tarball.

10.5. LDAP Schemas

Two new LDAP schemas must be imported into your LDAP directory: dnszone.schema and dhcp.schema.

Both are available in the directory /usr/share/doc/python-mmc-base/contrib/ldap. Using the sources you can find them in agent/contrib/ldap of the mmc-core tarball.

To speed up LDAP searches, you can index these attributes: zoneName, relativeDomainName, dhcpHWAddress, dhcpClassData.

In the OpenLDAP slapd.conf configuration file, add:

  index zoneName,relativeDomainName eq
  index dhcpHWAddress,dhcpClassData eq
      

10.6. MMC network plugin initialization

For the DHCP service only, the MMC network plugin needs to create two objects in the LDAP directory:

  • the container called "DHCP config" (objectClass dhcpService), where all the DHCP service configuration will be stored

  • the primary server (objectClass dhcpServer) that links to the DHCP service configuration. The hostname of the machine running the MMC network plugin will be used to name this entry.

The first start of the MMC network plugin should look like:

  ...
  Created OU ou=DHCP,dc=mandriva,dc=com
  Created DHCP config object
  The server 'your_server_hostname' has been set as the primary DHCP server
  Plugin network loaded ...
  ...
      

10.7. DHCP failover configuration

The DHCP failover can be done directly from the MMC interface on the page "Network -> Network services management".

The primary DHCP server name is by default the hostname of the server where the mmc-agent is running. You can override this by setting the "hostname" option in /etc/mmc/plugins/network.ini.

To configure DHCP failover you need at least the name of your secondary DHCP server and the IP addresses of the two DHCP servers. In expert mode you can set any parameter of the failover configuration.

The secondary ISC dhcpd configuration is almost the same as the primary's:

  ldap-server "LDAP_SERVER_IP";
  ldap-port 389;
  ldap-username "cn=admin, dc=mandriva, dc=com";
  ldap-password "secret";
  ldap-base-dn "dc=mandriva, dc=com";
  ldap-dhcp-server-cn "SECONDARY_DHCP_SERVER_NAME";
  ldap-method dynamic;
  ldap-debug-file "/var/log/dhcp-ldap-startup.log";
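The primary configuration in Section 10.4 and the secondary one above differ only in the LDAP server address and the ldap-dhcp-server-cn line, and it is easy to end up with two dhcpd instances that both resolve to the same dhcpServer entry. The script below is an added example written for this page, not code from the MDS documentation or from ISC dhcpd: it extracts the ldap-* directives from two dhcpd.conf files passed as arguments and checks that they form a usable failover pair (both read the same base DN with the dynamic method, and the secondary names a dhcpServer entry that differs from the primary's, which defaults to the primary's hostname). The sample files are constructed from the fragments shown in this document; the primary hostname primary.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the MDS documentation or of ISC dhcpd: read the
# ldap-* directives from the primary and secondary dhcpd.conf and sanity-check
# that the two files describe a usable failover pair.  File paths are passed as
# arguments; the sample contents written by write_demo_dhcpd are constructed
# from the configuration fragments shown in this document.

# Print the value of directive "ldap-$2" found in dhcpd.conf $1, without the
# enclosing quotes and the trailing semicolon; prints nothing if it is absent.
dhcpd_ldap_opt() {
    awk -v key="ldap-$2" '
        $1 == key {
            v = $0
            sub(/^[ \t]*ldap-[a-z-]+[ \t]+/, "", v)   # strip the directive name
            sub(/;[ \t]*$/, "", v)                     # strip the trailing ;
            gsub(/^"|"$/, "", v)                       # strip enclosing quotes
            print v
            exit
        }' "$1"
}

# Return 0 when secondary ($2) can act as failover peer of primary ($1), whose
# hostname is $3.  The secondary must name its own dhcpServer entry with
# ldap-dhcp-server-cn, and that name must differ from the primary's (which
# defaults to the primary's hostname when ldap-dhcp-server-cn is unset); both
# must read the same LDAP base DN with the dynamic method.
check_failover_pair() {
    primary=$1
    secondary=$2
    primary_host=$3
    primary_cn=$(dhcpd_ldap_opt "$primary" dhcp-server-cn)
    [ -n "$primary_cn" ] || primary_cn=$primary_host
    secondary_cn=$(dhcpd_ldap_opt "$secondary" dhcp-server-cn)
    [ -n "$secondary_cn" ] || return 1
    [ "$secondary_cn" != "$primary_cn" ] || return 1
    [ "$(dhcpd_ldap_opt "$primary" base-dn)" = "$(dhcpd_ldap_opt "$secondary" base-dn)" ] || return 1
    [ "$(dhcpd_ldap_opt "$primary" method)" = dynamic ] || return 1
    [ "$(dhcpd_ldap_opt "$secondary" method)" = dynamic ]
}

# Write constructed sample configurations into directory $1.
write_demo_dhcpd() {
    cat > "$1/primary.conf" <<'EOF'
ldap-server "localhost";
ldap-port 389;
ldap-username "cn=admin, dc=mandriva, dc=com";
ldap-password "secret";
ldap-base-dn "dc=mandriva, dc=com";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
EOF
    cat > "$1/secondary.conf" <<'EOF'
ldap-server "LDAP_SERVER_IP";
ldap-port 389;
ldap-username "cn=admin, dc=mandriva, dc=com";
ldap-password "secret";
ldap-base-dn "dc=mandriva, dc=com";
ldap-dhcp-server-cn "SECONDARY_DHCP_SERVER_NAME";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
EOF
}

# Check the sample pair when executed directly (primary.example.com is a
# placeholder for the primary server's hostname).
demo() {
    dir=$(mktemp -d) && write_demo_dhcpd "$dir"
    if check_failover_pair "$dir/primary.conf" "$dir/secondary.conf" primary.example.com; then
        echo "primary/secondary dhcpd.conf form a consistent failover pair"
    else
        echo "failover pair is inconsistent (same server cn, base DN or method mismatch)"
    fi
    rm -rf "$dir"
}
demo
```

Both files carry the LDAP bind password in clear text (ldap-password), so on the servers they should be owned by root and not readable by other users, exactly like smbldap_bind.conf in Section 8.3. Run the script with the real /etc/dhcp3/dhcpd.conf (or /etc/dhcp/dhcpd.conf) of each server and the primary's hostname (or its "hostname" override from network.ini) as the third argument.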