I just drafted this vaporware, figured it wasn't wholly inappropriate or overlong for this list. At any rate you might find my review of the 12 packages I know about for managing dhcpd.conf entertaining. This is saved and will be updated at http://www.brandeis.edu/~rcgraves/benormal.txt

Let me know if you know of an existing solution that might work for us. Also let me know offline if you might be interested in contracting on this project for the ballpark figure mentioned.

Brandeis most Excellent Network Object Registration, Management, And LARTing Tool. Or Network Object Registration & Management for short.

Brandeis needs a system for IP, DHCP, and DNS management to replace the typo-strewn zone files and unscalable net_db scripts and DBM files. It must be secure and appropriate for our environment. It must be inexpensive and manageable by a very small staff. The scale is 1 full-time system administrator who mostly does other things, 1 full-time network guy, 0 full-time systems programmers, 0-2 qualified student programmers depending on the season (none seem to be available now), rather a lot of helpful and courteous but technically so-so Help Desk staff, and about 6000 mostly nontechnical users with 4000 hosts. There is (or will soon be) an authoritative directory and authentication infrastructure.

Here's one way we might do it.

Biases: MIPS are cheap, technical staff time is not. Web is good, provided it's SSLed. We have zero competent C/C++ programmers on staff. Mistakes will be made and should be fixed. Customization and synergy with our existing and planned LDAP, SQL, and Linux infrastructure is a Good Thing. This suggests a high-level language such as perl, python, or php and maximizing the use of off-the-(net|shelf) software.
Input: Initial parse of existing DNS tables and net_db registered hosts; web, including CSV import/export; direct SQL via web admin interface or from command line if needed.

Output: dhcpd.conf; DNS zone files *and* DNS config file (manually adding slave zones is painful and error-prone); various reports on usage and suspected trouble. Code mostly exists. Due to biases above, we shall write config files and reload servers, *not* hack our changes into the servers themselves.

Core database: MySQL, free, open source, 6 years old, developed primarily for the Swedish Twin Study (detailed demographic and survey data on *all* twins by the national health service). About 3 times faster than Oracle because it doesn't do things we don't need for this app, like transactions and triggers. Very stable, optional $200 commercial support.

Web interface: PHP with PHPLIB, http://phplib.shonline.de/ Extensively used for E-Commerce around the world; source code has been open to peer review for over a year.

Auth: Everyone authenticates to LDAP. Code exists to do this integrated with PHPLIB persistent session management, permissions, and database interface. I am *very* impressed with the security and flexibility of the PHPLIB core.

Basic Privs: Everyone in LDAP has privs to register hosts with default hostname (d-129-64-143-212.dorm), similar to existing net_db script. Additionally, authed users may register a vanity hostname without our involvement if all of the following conditions are met:

1) The vanity hostname is for an existing node they own with an existing static address and default hostname.
2) The requested subdomain name is the default for the subnet.
3) The requested hostname is either their username/mail alias or at least 6 characters. This stops ww.* and wwww.*
4) The first and last 5 characters of the requested hostname are unique across all subdomains. This stops binahcc.*
5) The soundex of the requested hostname is unique across all subdomains. This stops beena.*. This will probably get false positives, so the UI will give them an easy way to email a request for review.
6) It's not on a naughty word list.
7) It's not someone else's username or mail alias.

Extended Privs: uids may be entered into an admin table for extra rights like overriding each of points 1-5 above, setting and overriding ACLs, defining networks and subdomains, making DNS RRs other than single A/PTR pairs, and administrating admins. PHPLIB makes this pretty easy.

Proactive Management: Based on info in SQL tables, we will write config files for mon or Big Brother.

Reactive Management: ARP table, built by SNMP-polling routers, enables reports on duplicate, unregistered, and abandoned IPs. This was a promised but 0% implemented feature of net_db.

Cf:

1) Stanford's NetDB 3, http://www.stanford.edu/group/itss-ccs/project/netdb3/
   Unnecessarily complex, laden with legacy interfaces and administrative procedures we don't need, not open source.
2) UTX's Ganymede, http://www.arlut.utexas.edu/gash2/
   Does far more than we need, looks far too complex, Java means recompiling bytecode for little changes and crashing Macs. An excellent engineering project for those with the necessary resources, but not us.
3) RIT's original DHCP autoreg. Very similar to our quick net_db hack, but done by a real programmer. Doesn't do enough -- poor DNS and extended privileges support. Looks harder to integrate with LDAP. Much is compiled C, harder for me to change and maintain.
4) NameSurfer, http://www.namesurfer.com/
   Doesn't do nearly enough (DNS only), runs old version of BIND, too expensive for what you get.
5) MetaIP, http://www.metainfo.com/
   Closest match to what we need of the available alternatives. Some LDAP integration, but I'd bet it makes some bad assumptions. But too expensive, not open source, requires custom version of BIND, arp functionality not there. Personally I see dynamic DNS as a bug not a feature given our bandwidth limitations.
6) QIP. Way too expensive, way too integrated.
7) Cisco (formerly American Internet) Registrar. Halfway between MetaIP and QIP in feature bloat and feature omissions.
8) UW and other small-scale hacks. None but the 7 above seem to be portable to our environment.
9) CMU NetBar, http://www.net.cmu.edu/design/netbar.html and similar VLAN-level fiddling, e.g. Stanford CS Department. Does not work for us unless every single port is VLANable.
10) UMich Project Plan, http://www.itcom.itd.umich.edu/address/address.pp.detail.html
    These people have it together and will do it right, but on a vast scale inappropriate for us. Doesn't exist yet.
11) SQLBIND, a project to let BIND get zones more directly. http://bind.linuxos.net/
    Looks very cool, doesn't have many features but should probably be considered as a component of our system. If nothing else the code for SQL->BIND zone format may be stolen.
12) That guy who ranted on the ResNet list about redoing everything in Java because ISC sucks. All the problems of Ganymede, but fewer features and more attitude. I hope it works out for them.

Here's what I said about that on the resnet list:

> RIT has a competent programmer with the time to integrate his changes
> into the server. (And someone else on this list did the same thing to
> Microsoft's server by hacking an NDIS driver.)
>
> As a smaller, less technical school, we don't have that luxury, so it's
> important that all the bits be off-the-shelf or human-readable. We use
> three unmodified ISC 2.0 servers, one serving unregistered hosts and
> two (redundant) serving registered hosts. Cron checks for changes to the
> registration db (just dbm with sendmail-style @:@ locking; you'd want
> something better on a larger scale, but it works for our 2500-some hosts)
> every minute. A bunch of perl scripts handle the web interface, generate
> the config files and pass them around through rsync-ssh. Took about 20
> man-hours to design and implement (though I already knew a lot about the
> ISC server).
>
> The system would be an embarrassment to anyone with any formal CS
> training who values elegance in programming. We don't have any of those,
> so it suffices that it's stable, reasonably secure, and easy enough to
> understand and maintain.
>
> wustl may have more ambitious goals for integrated network management
> (similar to the amazing dynamic BootP stuff CMU built years ago) and
> fiddling with VLANs. We decided those features wouldn't be worth the
> trouble. For me, one of the lessons of all the work CMU did was that a
> too-integrated system can too easily be rendered obsolete by factors
> beyond your control, like Microsoft's decision not to support BootP in
> Win95.
>
> Keep it simple. For example, given the early state of the standards and
> uncertainty about precisely how Microsoft is going to pervert them, I
> think any attempt to support dynamic DNS is a fool's errand. Let people
> set a static vanity name in a secured session. That's enough.

Who: I would suggest budgeting $2000 for a PHP consultant. With this detailed spec, open source, and our willingness to extend, that should be plenty. I could probably implement this but don't have the estimated three weeks to dedicate. Someone with more PHP/database integration experience could do it in much less time and probably less money; specifying open source and standard libraries means our investment isn't wasted.

License: Must be GPL because of legal requirements of some components, our need for support beyond ourselves, and because it's the right thing to do.
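Worked example of the vanity-hostname rules under Basic Privs (points 3 through 7). This is added here and is not code from Rich's post or from any of the packages reviewed; the existing registrations, usernames and word list are constructed sample data standing in for the fqdn table, the LDAP directory and the naughty-word list, and points 1 and 2 (node ownership, default subdomain) are left to the caller because they need database state.

```python
# Added example, not part of the original post. Vanity-hostname policy
# checks (points 3-7) over constructed sample data.
import re

# Constructed stand-in for the fqdn table: (hostname, subdomain).
EXISTING_FQDNS = [
    ("www", "brandeis.edu"),
    ("binahcc", "cs.brandeis.edu"),
    ("beena", "dorm.brandeis.edu"),
]
# Constructed stand-ins for LDAP usernames/mail aliases and the word list.
USERNAMES = {"rcgraves", "beena", "jsmith"}
NAUGHTY_WORDS = {"badword"}

_SOUNDEX_CODES = {}
for _digit, _letters in (("1", "bfpv"), ("2", "cgjkqsxz"), ("3", "dt"),
                         ("4", "l"), ("5", "mn"), ("6", "r")):
    for _ch in _letters:
        _SOUNDEX_CODES[_ch] = _digit


def soundex(name):
    """Classic Soundex: first letter plus three digits, zero padded.
    'h' and 'w' do not separate equal codes; vowels do."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if not letters:
        return ""
    out = letters[0].upper()
    last = _SOUNDEX_CODES.get(letters[0], "")
    for ch in letters[1:]:
        code = _SOUNDEX_CODES.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":
            last = code
    return (out + "000")[:4]


def check_vanity(requested, owner_uid):
    """Return the list of reasons the request fails (empty means accepted)."""
    name = requested.lower()
    reasons = []
    # Point 3: username/mail alias, or at least 6 characters (stops ww, wwww).
    if name != owner_uid and len(name) < 6:
        reasons.append("not your username and shorter than 6 characters")
    # Point 4: first and last 5 characters unique across all subdomains.
    head, tail = name[:5], name[-5:]
    clashes = sorted(hn for hn, _dn in EXISTING_FQDNS
                     if hn[:5] == head or hn[-5:] == tail)
    if clashes:
        reasons.append("first/last 5 characters collide with " + ", ".join(clashes))
    # Point 5: soundex unique across all subdomains (may false-positive,
    # which is why the UI offers a review request instead of a flat refusal).
    sx = soundex(name)
    similar = sorted(hn for hn, _dn in EXISTING_FQDNS if soundex(hn) == sx)
    if similar:
        reasons.append("sounds like " + ", ".join(similar))
    # Point 6: naughty word list.
    if any(word in name for word in NAUGHTY_WORDS):
        reasons.append("on the word list")
    # Point 7: someone else's username or mail alias.
    if name in USERNAMES and name != owner_uid:
        reasons.append("is another user's username or mail alias")
    return reasons
```

Running check_vanity("bina", "rcgraves") rejects on both length and soundex (B500, the same code as beena), while check_vanity("rcgraves", "rcgraves") passes because the name is the requester's own username.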
Table Model:

create table node (
  ndid int unsigned auto_increment primary key,
  ndname varchar(64) not null,
  ndserial varchar(32),
  ndbuid varchar(16),
  ndos varchar(16),
  ndosdescr varchar(32),
  ndmodel varchar(16),
  ndmodelclass varchar(16),
  ndclass enum('host','reserved','avail','dyn','shost','router','other') not null,
  ndbldg varchar(32),
  ndroom varchar(16),
  ndcontact varchar(64),
  nduseruid varchar(16),
  uid varchar(16) not null,
  aclid varchar(32),
  last timestamp(14),
  first timestamp(14),
  moduid varchar(16) not null,
  index nodebyuid (uid),
  index nodebymoduid (moduid),
  unique (ndname),
  index nodebyndname (ndname)
);

create table dhcpl (
  dhcplid varchar(32) primary key,
  uid varchar(16) not null,
  aclname varchar(32),
  last timestamp(14),
  first timestamp(14),
  moduid varchar(16) not null
);

create table dhcpi (
  dhcplid varchar(32) not null,
  dhcpopt varchar(32) not null,
  dhcpvalue varchar(64) not null,
  primary key (dhcplid,dhcpopt)
);

create table acl (
  aclname varchar(32) primary key,
  last timestamp(14),
  first timestamp(14),
  moduid varchar(16) not null
);

create table aci (
  aclname varchar(32) not null,
  uid varchar(16) not null,
  priv set ('r','l','i','d','w','a'),
  index (aclname,uid)
);

create table admin (
  uid varchar(16) primary key,
  ndclass set('host','reserved','avail','dyn','shost','router','other','admin') not null
);

create table fqdn (
  fqdnid int unsigned auto_increment primary key,
  hn varchar(64) not null,
  hnsoundex varchar(8) not null,
  dn varchar(64) not null,
  rtype enum('A','CNAME','TXT','HINFO','MX','NS','RP'),
  mx tinyint unsigned,
  rval varchar(64) not null,
  ttl mediumint unsigned,
  flags set('auto','primary_ptr','manual'),
  last timestamp(14),
  first timestamp(14),
  moduid varchar(16) not null,
  uid varchar(16) not null,
  index fqdnbyfqdn (hn,dn),
  index fqdnbyrval (rval),
  index fqdnbyhnsoundex (hnsoundex)
);

create table iface (
  ifid int unsigned auto_increment primary key,
  ifrm enum('roam','noroam','special'),
  ifdescr varchar(128),
  ndid int unsigned not null,
  hw char(12) not null,
  last timestamp(14),
  first timestamp(14),
  moduid varchar(16) not null,
  dhcpopts varchar(128),
  index ifacebyndid(ndid),
  unique(hw),
  index ifacebyhw(hw)
);

create table ip (
  ip int unsigned primary key,
  ifid int unsigned not null,
  aclname varchar(32),
  netmgt set('snmp','ping','notify','server','mail','donotpurgeautomaticallybasedonarp','dhcp','bootp'),
  ipavail enum('host','reserved','avail','dyn','recycled','shost','router','other') not null,
  snmpcomm varchar(16),
  dhcpopts varchar(128),
  last timestamp(14),
  moduid varchar(16) not null,
  index ipbyifid (ifid),
  index ipbyavail (ipavail)
);

create table net (
  ip int unsigned primary key,
  ddom varchar(32),
  mdom varchar(32),
  netopts set('ten','roam'),
  dhcpopts varchar(128),
  gwip int unsigned
);

create table zone (
  dn varchar(64) primary key,
  ttl mediumint unsigned,
  refresh smallint unsigned,
  retry smallint unsigned,
  last timestamp(14),
  moduid varchar(16) not null
);

create table extrazone (
  dn varchar(64) primary key,
  masters varchar(32)
);

create table arp (
  hw char(12) not null,
  ip int unsigned not null,
  last timestamp(14),
  first timestamp(14),
  seen smallint unsigned,
  index arpbyip(ip),
  primary key arpbyarp(hw,ip)
);

-- 
Rich Graves <[EMAIL PROTECTED]>
UNet Systems Administrator
781-736-4574
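Worked example of the Output side: writing dhcpd.conf host stanzas and forward/reverse zone files from rows shaped like the node, iface, ip and fqdn tables above. This is added here and is not code from Rich's post or any of the packages reviewed; the rows, name-server names and serial are constructed sample data, the 12-hex-digit hw column and integer ip column follow the table model, and the dhcpd and zone-file syntax is the standard ISC/BIND form. It also refuses to emit a hostname that is not a valid DNS label, which is the sort of typo the generated files are meant to keep out.

```python
# Added example, not part of the original post. Generates dhcpd.conf host
# entries and BIND zone data from constructed rows that mirror the tables.
import ipaddress
import re

# Constructed rows standing in for node JOIN iface JOIN ip JOIN fqdn.
REGISTRATIONS = [
    {"ndname": "d-129-64-143-212", "dn": "dorm.brandeis.edu",
     "hw": "00A0C9123456", "ip": int(ipaddress.IPv4Address("129.64.143.212")),
     "ipavail": "host"},
    {"ndname": "rcgraves-pc", "dn": "dorm.brandeis.edu",
     "hw": "0800200c9a66", "ip": int(ipaddress.IPv4Address("129.64.143.7")),
     "ipavail": "host"},
    {"ndname": "", "dn": "dorm.brandeis.edu",       # free address, no host
     "hw": "", "ip": int(ipaddress.IPv4Address("129.64.143.8")),
     "ipavail": "avail"},
]

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def format_mac(hw):
    """Turn the stored 12-hex-digit hw field into dhcpd's colon form."""
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hw):
        raise ValueError("bad hw field: %r" % hw)
    hw = hw.lower()
    return ":".join(hw[i:i + 2] for i in range(0, 12, 2))


def checked_label(name):
    """Refuse to write a hostname that is not a valid DNS label."""
    if not LABEL_RE.match(name):
        raise ValueError("bad hostname label: %r" % name)
    return name


def static_hosts(rows):
    """Only rows with ipavail='host' become fixed-address stanzas/records."""
    return [r for r in rows if r["ipavail"] == "host"]


def dhcpd_host_entries(rows):
    out = []
    for r in static_hosts(rows):
        out.append("host %s {" % checked_label(r["ndname"]))
        out.append("  hardware ethernet %s;" % format_mac(r["hw"]))
        out.append("  fixed-address %s;" % ipaddress.IPv4Address(r["ip"]))
        out.append("}")
    return "\n".join(out) + "\n"


def soa_header(origin, serial, ns="ns1.brandeis.edu.",
               hostmaster="hostmaster.brandeis.edu."):
    # Name servers and timers are assumed values for the example.
    return ["$ORIGIN %s." % origin,
            "$TTL 86400",
            "@ IN SOA %s %s ( %d 3600 900 604800 86400 )" % (ns, hostmaster, serial),
            "@ IN NS %s" % ns]


def forward_zone(dn, rows, serial):
    out = soa_header(dn, serial)
    for r in sorted(static_hosts(rows), key=lambda r: r["ndname"]):
        if r["dn"] == dn:
            out.append("%s IN A %s" % (checked_label(r["ndname"]),
                                       ipaddress.IPv4Address(r["ip"])))
    return "\n".join(out) + "\n"


def reverse_zone(network, rows, serial):
    """PTR records for one /24, written under its in-addr.arpa origin."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen != 24:
        raise ValueError("only /24 reverse zones handled here")
    origin = net.network_address.reverse_pointer.split(".", 1)[1]
    out = soa_header(origin, serial)
    for r in sorted(static_hosts(rows), key=lambda r: r["ip"]):
        addr = ipaddress.IPv4Address(r["ip"])
        if addr in net:
            out.append("%d IN PTR %s.%s." % (int(addr) & 0xFF,
                                              checked_label(r["ndname"]), r["dn"]))
    return "\n".join(out) + "\n"
```

The 'avail' row never reaches format_mac or checked_label, so an empty hw column on a free address cannot break the build; a row that does reach them with a malformed value raises instead of producing a file dhcpd or named would reject at reload.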
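Worked example of the Reactive Management report: reconciling an ARP table of the shape defined above (hw, ip, last seen) against the registered ip/iface rows to list duplicate, unregistered and abandoned IPs. This is added here and is not code from Rich's post or any of the packages reviewed; the addresses, MACs and timestamps are constructed sample data, and the 30-day abandonment threshold is an assumed value. It honours the donotpurgeautomaticallybasedonarp flag from the netmgt column so servers that never answer ARP on the polled routers are not reported as abandoned.

```python
# Added example, not part of the original post. ARP-vs-registration
# reconciliation over constructed sample data.
from datetime import datetime, timedelta

NOW = datetime(2000, 1, 15, 12, 0)   # fixed clock keeps the example deterministic

# Constructed stand-in for ip JOIN iface: ip -> (registered hw, netmgt flags).
REGISTERED = {
    "129.64.143.212": ("00a0c9123456", set()),
    "129.64.143.7":   ("0800200c9a66", set()),
    "129.64.143.1":   ("00000c07ac01", {"server", "donotpurgeautomaticallybasedonarp"}),
    "129.64.143.9":   ("00d0b7aaaaaa", set()),
}

# Constructed stand-in for the arp table: (hw, ip, last seen).
ARP = [
    ("00a0c9123456", "129.64.143.212", NOW - timedelta(hours=1)),
    ("00e0981b2c3d", "129.64.143.212", NOW - timedelta(hours=2)),    # second MAC on .212
    ("0800200c9a66", "129.64.143.7",   NOW - timedelta(days=45)),    # quiet for 45 days
    ("00104b556677", "129.64.143.50",  NOW - timedelta(minutes=10)), # nobody registered .50
]


def reconcile(registered, arp, now, abandon_after=timedelta(days=30)):
    """Return {'duplicate': [...], 'unregistered': [...], 'abandoned': [...]}.

    duplicate    - an IP seen with more than one MAC
    unregistered - a MAC in the ARP table that no iface row knows
    abandoned    - a registered IP whose own MAC has not been seen within
                   abandon_after (or ever), unless netmgt says not to purge
    """
    known_hws = {hw for hw, _flags in registered.values()}
    seen = {}                                   # ip -> {hw: last seen}
    for hw, ip, last in arp:
        seen.setdefault(ip, {})[hw] = last

    duplicate = [(ip, sorted(hws)) for ip, hws in seen.items() if len(hws) > 1]
    unregistered = [(ip, hw) for ip, hws in seen.items()
                    for hw in hws if hw not in known_hws]

    abandoned = []
    for ip, (hw, flags) in registered.items():
        if "donotpurgeautomaticallybasedonarp" in flags:
            continue
        last = seen.get(ip, {}).get(hw)         # only the registered MAC counts
        if last is None or now - last > abandon_after:
            abandoned.append((ip, last))

    return {"duplicate": sorted(duplicate),
            "unregistered": sorted(unregistered),
            "abandoned": sorted(abandoned)}
```

On the sample data the stranger MAC on 129.64.143.212 shows up in both the duplicate and the unregistered lists, 129.64.143.7 is abandoned because its registered MAC was last seen 45 days ago, 129.64.143.9 is abandoned because it was never seen, and 129.64.143.1 is skipped because of its netmgt flag.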
