
LDAP

Author: Shawn Routhier Reference Number: AA-01284 Views: 1052


Created: 2015-07-31 01:20 Last Updated: 2015-08-04 20:30


General
In 4.2.0 we started including some contributed code for storing and retrieving your DHCP configuration in LDAP. This
is useful if you have a number of DHCP servers and update their configurations frequently. This code was written by
Brian Masney and S. Kalyanasundraram and maintained by David Cantrell. Since then other people have been
maintaining it and contributing patches.
Please note that this code is contributed by outside authors and while we distribute it with ISC_DHCP it was not
developed by nor is it officially supported by ISC. In the future we may choose to make it more official but until then we
do limited testing to verify that it compiles but do NOT do testing with an LDAP server. As always the code is "use at
your own risk".
As we still consider this code to be "contrib", in order to use it you must enable it via configuration switches. All of
these default to "no".
--with-ldap
--with-ldapcrypto
--with-ldap-gssapi
--with-ldapcasa

Updates for 4.3.3


Included in the ISC_DHCP 4.3.3 release are a number of modifications to the contributed LDAP code. These
modifications are all based on patches submitted to us through tickets by contributors. In order to facilitate the effort
of incorporating these changes, the work was performed under a single collection ticket, #39056.
Rather than try to describe all of the changes included in the release notes, we elected to do so by means of this article.
The changes are listed by their corresponding ticket numbers.

ISC_BUGS #32217:
This ticket is a collection of twenty-six patches submitted to us by Marius Tomaschewski from SUSE. Of those twenty-six, we incorporated all but four, which were either obsolete or otherwise not applicable. Of the patches included, those
which altered visible behavior are listed below:

0002-Typos-in-access-of-the-tempbv-value-in-ldap-debug-lo.patch
Fixed typos in access of the tempbv value in ldap debug log messages guarded by DEBUG_LDAP.

0003-Fix-for-object-order-related-parse-errors.patch
Fixes object-order related parsing errors that occur when one object is parsed before an object it
references. The original issue stems from the somewhat random order of objects as they are returned
by LDAP.

0004-Fix-to-support-dhcpServerDN-reference.patch
Added support for the dhcpServerDN reference to the dhcpService object search filter.

0005-Missed-host-brace-opening.patch
Modified parsing to include the "host ... {" block opening brace even if no hardware address is specified
for the host.

0006-Case-insensitive-hardware-address-search.patch
Changed dhcpHWAddress search logic to be case-insensitive when searching for a given MAC address.

0007-Support-for-dhcpFailOverPeer-objects.patch
Added support for dhcpFailOverPeer objects (failover peering definition).

0008-Meaningful-error-message-on-missed-dhcpServiceDN.patch
Fixed to provide a more meaningful error message in case of a missed dhcpServiceDN attribute in a
dhcpServer object (bnc#392354).

0009-Disable-external-dhcpZoneDN-and-dhcpFailOverPeerDN.patch
Applied S Kalyanasundaram's patch which disables incorrect parsing of external dhcpZoneDN and
dhcpFailOverPeerDN references.

0012-Allow-all-local-addresses-for-dhcpd-failover.patch
Fixed to allow all local addresses for dhcpd failover peering by name or address and show the name of
the affected failover peering in log/error messages.

0017-Added-with-ldapcasa-configure-switch-and-checks.patch
Added --with-ldapcasa configure switch and checks to enable support for CASA authentication.

0019-ldap-connect-retry-loop-while-initial-startup.patch
Implemented an optional LDAP connect retry loop during the initial startup of the dhcp server for cases
where the ldap server is not yet started. Set the ldap-init-retry <num> option in dhcpd.conf to retry to
connect <num> times with one second between each try (bnc#627617).

0020-Fixed-to-escape-values-used-in-ldap-filters.patch
Modified to use ldap_bv2escaped_filter_value to escape all values used in constructed LDAP filters, e.g.
"o=*Test" in DN.

0023-dhcp-ldap-reset-bufix-in-ldap_read_function.patch
Fixed ldap_read_function() to not discard the last character (usually \n). This was causing parsing
errors.

0024-Resize-ldap-buffer-to-not-truncate-bigger-objects.patch
Fixed parse buffer handling code to avoid truncating configurations of LDAP objects whose length
exceeds the buffer size (i.e. larger than 8k).

0025-Fixed-subclass-class-name-and-data-quoting-escaping.patch
Fixed subclass name and data parsing to include quoted values.


ISC_BUGS #33176:
Modified LDAP host searching to support multiple hosts for a given hardware address. The function,
find_haddr_in_ldap(), was modified to return all of the hosts found for a given hardware address. Prior to this it
returned only the first matching entry. Thanks to Stéphane Gaubert for submitting this patch.

ISC_BUGS #29873
Modified searches for dhcpServer to only use the nodename when nodename and fqdn are the same value. Thanks to
Lestyn C. Elfick for submitting this patch.

ISC_BUGS #37876
Modified the dhcpd-conf-to-ldap script to add all global options and option definitions to the dhcpService object.
Thanks to Alex Novak from Suse for this patch.

ISC_BUGS #36409
Modified the dhcpd-conf-to-ldap script to accept a subclass without a following "{}" block. Thanks to Alex Novak from
Suse for this patch.

ISC_BUGS #32240
Added missing strdup failure checks and subsequent memory frees to ldap.c. Thanks to Bill Parker for this submission.

ISC_BUGS #37721
Added support for GSSAPI authentication for accessing the LDAP server. This feature is enabled via a new
configuration switch, --with-ldap-gssapi. Use of this feature requires values for two additional
configuration parameters, "ldap-gssapi-principal" and "ldap-gssapi-keytab".

ISC_BUGS #29787
Added support for DHCPv6 to LDAP parsing. Thanks to Jiri Popelka and Gémes Géza for this patch.

Copyright 2001-2015 Internet Systems Consortium