ldap


Author: Shawn Routhier
Reference Number: AA-01284
Views: 1052
Created: 2015-07-31 01:20
Last Updated: 2015-08-04 20:30


General

In 4.2.0 we started including some contributed code for storing and retrieving your DHCP configuration in LDAP. This is useful if you have a number of DHCP servers and update their configurations frequently. This code was written by Brian Masney and S. Kalyanasundraram and maintained by David Cantrell. Since then other people have been maintaining it and contributing patches.

Please note that this code is contributed by outside authors and while we distribute it with ISC_DHCP it was not developed by nor is it officially supported by ISC. In the future we may choose to make it more official but until then we do limited testing to verify that it compiles but do NOT do testing with an LDAP server. As always the code is "use at your own risk".

As we still consider this code to be "contrib", in order to use it you must enable it via configuration switches. All of these default to "no".

--with-ldap

--with-ldapcrypto

--with-ldap-gssapi

--with-ldapcasa

Updates for 4.3.3

Included in the ISC_DHCP 4.3.3 release are a number of modifications to the contributed LDAP code. These modifications are all based on patches submitted to us through tickets by contributors. In order to facilitate the effort of incorporating these changes, the work was performed under a single collection ticket, #39056.

Rather than try to describe all of the changes included in the release notes, we elected to do so by means of this article. The changes are listed by their corresponding ticket numbers.

ISC_BUGS #32217:

This ticket is a collection of twenty-six patches submitted to us by Marius Tomaschewski from SUSE. Of those twenty-six, we incorporated all but four which were either obsolete or otherwise not applicable. Of the patches included, those which altered visible behavior are listed below:

0002-Typos-in-access-of-the-tempbv-value-in-ldap-debug-lo.patch

Fixed typos in access of the tempbv value in ldap debug log messages guarded by DEBUG_LDAP.

0003-Fix-for-object-order-related-parse-errors.patch

Fixes object-order related parsing errors that occur when one object is parsed before an object it references. The original issue stems from the somewhat random order of objects as they are returned by LDAP.

0004-Fix-to-support-dhcpServerDN-reference.patch

Added support for the dhcpServerDN reference to the dhcpService object search filter.

0005-Missed-host-brace-opening.patch


Modified parsing to include the "host ... {" block opening brace even if no hardware address is specified for the host.

0006-Case-insensitive-hardware-address-search.patch

Changed dhcpHWAddress search logic to be case-insensitive when searching for a given MAC address.

0007-Support-for-dhcpFailOverPeer-objects.patch

Added support for dhcpFailOverPeer objects (failover peering definition)

0008-Meaningful-error-message-on-missed-dhcpServiceDN.patch

Fixed to provide a more meaningful error message in case of a missed dhcpServiceDN attribute in a dhcpServer object (bnc#392354).

0009-Disable-external-dhcpZoneDN-and-dhcpFailOverPeerDN.patch

Applied S Kalyanasundaram's patch which disables incorrect parsing of external dhcpZoneDN and dhcpFailOverPeerDN references.

0012-Allow-all-local-addresses-for-dhcpd-failover.patch

Fixed to allow all local addresses for dhcpd failover peering by name or address and show the name of the affected failover peering in log/error messages.

0017-Added-with-ldapcasa-configure-switch-and-checks.patch

Added --with-ldapcasa configure switch and checks to enable support for CASA authentication.

0019-ldap-connect-retry-loop-while-initial-startup.patch

Implemented an optional LDAP connect retry loop during the initial startup of the dhcp server for cases where the ldap server is not yet started. Set the ldap-init-retry <num> option in dhcpd.conf to retry to connect <num> times with one second between each try (bnc#627617).

0020-Fixed-to-escape-values-used-in-ldap-filters.patch

Modified to use ldap_bv2escaped_filter_value to escape all values used in constructed LDAP filters, e.g. "o=*Test" in DN.

0023-dhcp-ldap-reset-bufix-in-ldap_read_function.patch

Fixed ldap_read_function() to not discard the last character (usually \n). This was causing parsing errors.

0024-Resize-ldap-buffer-to-not-truncate-bigger-objects.patch

Fixed parse buffer handling code to avoid truncating configurations of LDAP objects whose length exceeds the buffer size (i.e. larger than 8k).

0025-Fixed-subclass-class-name-and-data-quoting-escaping.patch

Fixed subclass name and data parsing to include quoted values.


ISC_BUGS #33176:

Modified LDAP host searching to support multiple hosts for a given hardware address. The function, find_haddr_in_ldap(), was modified to return all of the hosts found for a given hardware address. Prior to this it returned only the first matching entry. Thanks to Stéphane Gaubert for submitting this patch.

ISC_BUGS #29873

Modified searches for dhcpServer to only use the nodename when nodename and fqdn are the same value. Thanks to Lestyn C. Elfick for submitting this patch.

ISC_BUGS #37876

Modified the dhcpd-conf-to-ldap script to add all global options and option definitions to the dhcpService object. Thanks to Alex Novak from Suse for this patch.

ISC_BUGS #36409

Modified the dhcpd-conf-to-ldap script to accept a subclass without a following "{}" block. Thanks to Alex Novak from Suse for this patch.

ISC_BUGS #32240.

Added missing strdup failure checks and subsequent memory frees to ldap.c. Thanks to Bill Parker for this submission.

ISC_BUGS #37721

Added support for GSSAPI authentication for accessing the LDAP server. This feature is enabled via a new configuration switch, --with-ldap-gssapi. Use of this feature requires values for two additional configuration parameters, "ldap-gssapi-principal" and "ldap-gssapi-keytab".

ISC_BUGS #29787

Added support for DHCPv6 to LDAP parsing. Thanks to Jiri Popelka and Gémes Géza for this patch.

© 2001-2015 Internet Systems Consortium