LDAP in ISC DHCP
  • 25 Sep 2018

General

In DHCP 4.2.0 we started including some contributed code for storing and retrieving your DHCP configuration in LDAP. This is useful if you have a number of DHCP servers and update their configurations frequently. The code was written by Brian Masney and S. Kalyanasundaram and maintained by David Cantrell. Since then other people have been maintaining it and contributing patches.

Please note that this code is contributed by outside authors. While we distribute it with ISC DHCP, it was not developed by ISC and is not officially supported by ISC. It is unlikely this feature will ever be officially supported in ISC DHCP; it may be implemented and supported in Kea. ISC conducted limited testing to verify that it compiles but did NOT test it against an LDAP server. As always, the code is "use at your own risk."

As we still consider this code to be "contrib", in order to use it you must enable it at build time via the following configure switches. All of these default to "no".

  • --with-ldap
  • --with-ldapcrypto
  • --with-ldap-gssapi
  • --with-ldapcasa

Updates for 4.3.3

Included in the ISC DHCP 4.3.3 release are a number of modifications to the contributed LDAP code. These modifications are all based on patches submitted to us through tickets by contributors. To make incorporating these changes easier, the work was performed under a single collection ticket, #39056.

Rather than try to describe all of the changes in the release notes, we elected to do so by means of this article. The changes are listed by their corresponding ticket numbers.

ISC_BUGS #32217

This ticket is a collection of twenty-six patches submitted to us by Marius Tomaschewski from SUSE. Of those twenty-six, we incorporated all but four which were either obsolete or otherwise not applicable. Of the patches included, those which altered visible behavior are listed below:

  • 0002-Typos-in-access-of-the-tempbv-value-in-ldap-debug-lo.patch

    • Fixed typos in access of the tempbv value in ldap debug log messages guarded by DEBUG_LDAP.
  • 0003-Fix-for-object-order-related-parse-errors.patch

    • Fixes object-order-related parsing errors that occur when one object is parsed before an object it references. The original issue stems from the arbitrary order in which objects are returned by LDAP.
  • 0004-Fix-to-support-dhcpServerDN-reference.patch

    • Added support for the dhcpServerDN reference to dhcpService object search filter.
  • 0005-Missed-host-brace-opening.patch

    • Modified parsing to include the "host ... {" block opening brace even if no hardware address is specified for the host.
  • 0006-Case-insensitive-hardware-address-search.patch

    • Changed dhcpHWAddress search logic to be case-insensitive when searching for a given MAC address.
  • 0007-Support-for-dhcpFailOverPeer-objects.patch

    • Added support for dhcpFailOverPeer objects (failover peering definition).
  • 0008-Meaningful-error-message-on-missed-dhcpServiceDN.patch

    • Fixed to provide a more meaningful error message in case of a missing dhcpServiceDN attribute in a dhcpServer object (bnc#392354).
  • 0009-Disable-external-dhcpZoneDN-and-dhcpFailOverPeerDN.patch

    • Applied S. Kalyanasundaram's patch, which disables incorrect parsing of external dhcpZoneDN and dhcpFailOverPeerDN references.
  • 0012-Allow-all-local-addresses-for-dhcpd-failover.patch

    • Fixed to allow all local addresses for dhcpd failover peering, matched by name or address, and to show the name of the affected failover peer in log/error messages.
  • 0017-Added-with-ldapcasa-configure-switch-and-checks.patch

    • Added --with-ldapcasa configure switch and checks to enable support for CASA authentication.
  • 0019-ldap-connect-retry-loop-while-initial-startup.patch

    • Implemented an optional LDAP connect retry loop during initial startup of the DHCP server, for cases where the LDAP server is not yet running. Set the ldap-init-retry option in dhcpd.conf to the number of connection attempts to make; there is a one-second pause between tries (bnc#627617).
  • 0020-Fixed-to-escape-values-used-in-ldap-filters.patch

    • Modified to use ldap_bv2escaped_filter_value() to escape all values used in constructed LDAP filters, e.g. a DN such as "o=*Test". Without escaping, characters that are special in a filter (such as "*") are interpreted as wildcards rather than matched literally.
  • 0023-dhcp-ldap-reset-bufix-in-ldap_read_function.patch

    • Fixed ldap_read_function() to reset its buffer index correctly so that the last character read (usually a newline) is no longer discarded. This was causing parsing errors.
  • 0024-Resize-ldap-buffer-to-not-truncate-bigger-objects.patch

    • Fixed parse buffer handling code to avoid truncating configurations of LDAP objects whose length exceeds the buffer size (i.e. larger than 8 KB).
  • 0025-Fixed-subclass-class-name-and-data-quoting-escaping.patch

    • Fixed subclass name and data parsing to include quoted values.
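The escaping point behind patch 0020 is worth seeing concretely. The following is an added example, not code from ISC DHCP or from the SUSE patches: a stand-alone reimplementation of RFC 4515 assertion-value escaping (the same transformation ldap_bv2escaped_filter_value() performs), used to build the dhcpService search filter once with the server DN interpolated verbatim and once escaped. The exact filter shape `(&(objectClass=dhcpService)(dhcpServerDN=...))` is an assumption made for illustration; the page only states that dhcpServerDN is used in the dhcpService search filter. The DN `cn=dhcp-1,o=*Test` is constructed from the page's "o=*Test" example.

```c
/*
 * Added example, not code from ISC DHCP or the SUSE patches: shows why
 * values interpolated into an LDAP search filter must be escaped per
 * RFC 4515, which patch 0020 achieves in ldap.c by calling
 * ldap_bv2escaped_filter_value(). Reimplemented here so it builds
 * without libldap.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4515 requires '*', '(', ')', '\' and NUL inside an assertion value
 * to be written as a backslash followed by two hex digits. Bytes >= 0x80
 * are escaped as well, which is harmless and what OpenLDAP also does. */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' ||
           c == '\0' || c >= 0x80;
}

/* Returns a malloc'd, NUL-terminated copy of the len bytes at val with
 * RFC 4515 escaping applied, or NULL on allocation failure. */
char *ldap_filter_escape(const char *val, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    char *out = malloc(len * 3 + 1);
    size_t i, o = 0;

    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (needs_escape(c)) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Builds a filter selecting dhcpService objects that reference server_dn.
 * The filter shape is an assumption for illustration. With escape == 0 the
 * value is interpolated verbatim, which is the behaviour before patch 0020. */
char *build_service_filter(const char *server_dn, int escape)
{
    const char *fmt = "(&(objectClass=dhcpService)(dhcpServerDN=%s))";
    char *escaped = NULL;
    const char *value = server_dn;
    char *filter;
    size_t n;

    if (escape) {
        escaped = ldap_filter_escape(server_dn, strlen(server_dn));
        if (escaped == NULL)
            return NULL;
        value = escaped;
    }
    n = strlen(fmt) + strlen(value) + 1;   /* slightly over-sized; fine */
    filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, fmt, value);
    free(escaped);
    return filter;
}

/* Counts '*' characters in a filter that are not part of a \XX escape.
 * Each one is a substring wildcard the LDAP server will honour. */
int unescaped_wildcards(const char *filter)
{
    int n = 0;

    for (; *filter != '\0'; filter++) {
        if (*filter == '\\' && filter[1] != '\0' && filter[2] != '\0') {
            filter += 2;            /* skip the two hex digits */
            continue;
        }
        if (*filter == '*')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed DN based on the page's "o=*Test" example. */
    const char *dn = "cn=dhcp-1,o=*Test";
    char *raw = build_service_filter(dn, 0);
    char *safe = build_service_filter(dn, 1);

    if (raw == NULL || safe == NULL)
        return 1;
    printf("verbatim: %s  wildcards=%d\n", raw, unescaped_wildcards(raw));
    printf("escaped:  %s  wildcards=%d\n", safe, unescaped_wildcards(safe));
    free(raw);
    free(safe);
    return 0;
}
```

The verbatim filter contains a live substring wildcard, so the search can match dhcpService objects other than the one that actually references this DN; the escaped filter matches the literal value only. In dhcpd the interpolated values come from the directory itself (DNs, hardware addresses), so the patch is as much a correctness fix as an injection fix, but the same escaping applies to any externally supplied value placed into a filter.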

ISC_BUGS #33176

Modified LDAP host searching to support multiple hosts for a given hardware address. The function find_haddr_in_ldap() was modified to return all of the hosts found for a given hardware address; prior to this, it returned only the first matching entry. Thanks to Stéphane Gaubert for submitting this patch.

ISC_BUGS #29873

Modified searches for dhcpServer to only use the nodename when nodename and fqdn are the same value. Thanks to Lestyn C. Elfick for submitting this patch.

ISC_BUGS #37876

Modified the dhcpd-conf-to-ldap script to add all global options and option definitions to the dhcpService object. Thanks to Alex Novak from SUSE for this patch.

ISC_BUGS #36409

Modified the dhcpd-conf-to-ldap script to accept a subclass without a following "{ ... }" block. Thanks to Alex Novak from SUSE for this patch.

ISC_BUGS #32240

Added missing strdup() failure checks, and the corresponding memory frees on the error paths, to ldap.c. Thanks to Bill Parker for this submission.

ISC_BUGS #37721

Added support for GSSAPI authentication when accessing the LDAP server. This feature is enabled via a new configure switch, --with-ldap-gssapi. Using it requires values for two additional dhcpd.conf parameters, "ldap-gssapi-principal" and "ldap-gssapi-keytab".

ISC_BUGS #29787

Added support for DHCPv6 to LDAP parsing. Thanks to Jiri Popelka and Gémes Géza for this patch.