dhcp 4.3.2 with ldap backend

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
Is this something easy to patch? I'm willing to validate a patch if someone can come up with a patch, or should I file a bug report?

Thanks in advance,

Kristof  




On 12/05/15 14:45, "Michael Ströder" <[hidden email]> wrote:

>Kristof Van Doorsselaere wrote:
>> 654          ldap_tls_crlcheck = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_CRLCHECK);
> > [..]
>> 765          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CRLCHECK,
>> 768              log_error ("Cannot set LDAP TLS crl check option: %s",
>> Cannot set LDAP TLS crl check option: Can't contact LDAP server
>
>I suspect that libldap does not provide setting option LDAP_OPT_X_TLS_CRLCHECK
>on your platform.
>
> From ldap_set_option(3):
>
>   LDAP_OPT_X_TLS_CRLCHECK
>     Sets/gets the CRL evaluation strategy, [..]
>     Requires OpenSSL.
>
>That's clearly a dhcpd bug because if libldap is linked against libnss (on
>RedHat systems) or GnuTLS (e.g. Debian) the option LDAP_OPT_X_TLS_CRLCHECK is
>not usable. dhcpd has to check that and at least ignore this error during startup.
>
>Ciao, Michael.
>
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: dhcp 4.3.2 with ldap backend

Michael Ströder
Kristof Van Doorsselaere wrote:
> Is this something easy to patch?

You could just comment out lines 762-771 and compile yourself.
If it works my theory is right.

Note that CRL checking works completely differently with libnss.

Ciao, Michael.


Re: dhcp 4.3.2 with ldap backend

Michael Ströder
Michael Ströder wrote:
> Kristof Van Doorsselaere wrote:
>> Is this something easy to patch?
>
> You could just comment the lines 762-771

...in file dhcp-4.3.2/server/ldap.c

Ciao, Michael.

Re: dhcp 4.3.2 with ldap backend

glenn.satchell
In reply to this post by Kristof Van Doorsselaere
On Tue, May 12, 2015 10:22 pm, Kristof Van Doorsselaere wrote:

>
> On 12/05/15 13:43, "Peter Rathlev" <[hidden email]> wrote:
>
>>On Tue, 2015-05-12 at 08:06 +0000, Kristof Van Doorsselaere wrote:
>>When googling for the error message I can see a hit related to GnuTLS
>>and OpenSSL:
>>
>>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723773
>
>
> Yes, that's the bug I was pointing to in my first message, but I'm
> confused about the last message in this bug:
>
>>> After all that it wasn't a bug.
>
>
> I already sent a mail to Mark, asking if and how his issue was solved, but
> so far no response, it would be nice if someone could share a working
> dhcpd 4.3.2 config (with ldap and start_tls enabled) + the corresponding
> ldap.conf
>

In the cipher list "my existing config SECURE256 became 256SECURE", i.e. the
setting:

# GnuTLS specific
#ldap-tls-crlfile "/etc/ssl/crl/ssl-cert-local-ca.crl";
ldap-tls-cert "/root/.pki/dhcpd.pem";
ldap-tls-key "/root/.pki/dhcpd.key";
ldap-tls-ciphers "TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH";
# GnuTLS specific
#ldap-tls-ciphers "256SECURE";

There was also a comment in that bug about openssl specific calls which
fail when dhcpd is linked against libnss (the gnutls library).

As mentioned by others in this email thread it looks like dhcpd needs to
be smarter about which functions are available in the shared library. So
that's a dhcpd bug, but not a straight forward one to fix.

regards,
-glenn



Re: dhcp 4.3.2 with ldap backend

Michael Ströder
Glenn Satchell wrote:
> There was also a comment in that bug about openssl specific calls which
> fail when dhcpd is linked against libnss (the gnutls library).

Just to be clear:

libnss != GnuTLS

But in this case it's the same problem with LDAP_OPT_X_TLS_CRLCHECK only
available in libldap when linked against OpenSSL.

Ciao, Michael.


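The check Michael is describing, namely which TLS library the libldap on the dhcpd host is linked against, can be read straight off ldd(1). The script below is an added example, not code from this thread or from ISC dhcpd. The library file names it matches on are assumptions based on common Linux packaging (libgnutls.so for GnuTLS, libssl3.so/libnss3.so for Mozilla NSS, libssl.so/libcrypto.so for OpenSSL), and the verdict it prints only restates the ldap_set_option(3) note quoted above: LDAP_OPT_X_TLS_CRLCHECK, which is what dhcpd's ldap-tls-crlcheck maps to, requires OpenSSL. The three ldd outputs in the script are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the dhcp-users thread or from ISC dhcpd.
# Determines which TLS library libldap is linked against, because
# LDAP_OPT_X_TLS_CRLCHECK (dhcpd's ldap-tls-crlcheck) is only usable when
# libldap was built with OpenSSL. Library names below are assumptions based
# on common Linux packaging.

# Read ldd(1) output on stdin and print one of: gnutls, nss, openssl, unknown.
classify_tls_backend() {
    awk '
        /libgnutls\.so/            { gnutls = 1 }
        /libssl3\.so|libnss3\.so/  { nss = 1 }      # Mozilla NSS, not OpenSSL
        /libssl\.so|libcrypto\.so/ { openssl = 1 }  # "libssl.so", no trailing 3
        END {
            if (gnutls)       print "gnutls"
            else if (nss)     print "nss"
            else if (openssl) print "openssl"
            else              print "unknown"
        }'
}

# Exit status 0 only when ldap-tls-crlcheck can be expected to work.
crlcheck_usable() {
    [ "$1" = "openssl" ]
}

# Locate the installed libldap via ldconfig and classify it (Linux only).
libldap_tls_backend() {
    lib=$("${LDCONFIG:-/sbin/ldconfig}" -p 2>/dev/null |
          awk '/libldap[-_0-9.]*\.so/ { print $NF; exit }')
    [ -n "$lib" ] || { echo unknown; return 1; }
    ldd "$lib" 2>/dev/null | classify_tls_backend
}

# Constructed ldd output for three libldap builds (not from a real host).
SAMPLE_GNUTLS='    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f00)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f01)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'
SAMPLE_NSS='    libssl3.so => /lib64/libssl3.so (0x00007f00)
    libnss3.so => /lib64/libnss3.so (0x00007f01)
    libc.so.6 => /lib64/libc.so.6 (0x00007f02)'
SAMPLE_OPENSSL='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f00)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f01)
    libc.so.6 => /lib64/libc.so.6 (0x00007f02)'

for s in "$SAMPLE_GNUTLS" "$SAMPLE_NSS" "$SAMPLE_OPENSSL"; do
    backend=$(printf '%s\n' "$s" | classify_tls_backend)
    if crlcheck_usable "$backend"; then
        verdict="ldap-tls-crlcheck usable"
    else
        verdict="leave ldap-tls-crlcheck unset in dhcpd.conf"
    fi
    printf '%-8s %s\n' "$backend" "$verdict"
done
printf 'this host: %s\n' "$(libldap_tls_backend || true)"
```

On the dhcpd host, a result of gnutls or nss means the "Cannot set LDAP TLS crl check option" message is exactly the failure described in this thread and ldap-tls-crlcheck should not be set; it says nothing about the separate "Cannot start TLS session" error reported further down, which has to be chased through the ldap.conf CA and cipher settings.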

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
In reply to this post by Michael Ströder
I can confirm that only commenting out lines 762-771 does not solve my problem. The CRL error message is gone, but I still get "Configuration file errors encountered":

Starting program: /usr/sbin/dhcpd -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Internet Systems Consortium DHCP Server 4.3.2
Copyright 2004-2015 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Error: Cannot start TLS session to ldaptest.example.com:389: Can't contact LDAP server
Configuration file errors encountered -- exiting


Kristof





On 12/05/15 15:11, "Michael Ströder" <[hidden email]> wrote:

>Kristof Van Doorsselaere wrote:
>> Is this something easy to patch?
>
>You could just comment the lines 762-771 and compile yourself.
>If it works my theory is right.
>
>Note that CRL checking works completely differently with libnss.
>
>Ciao, Michael.
>

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
In reply to this post by Michael Ströder
Can someone tell me if the issue below is/should be resolved in 4.3.3?


Kristof Van Doorsselaere
senior staff member, server and network administration
----------------------------------


Hogeschool Gent
Finance and ICT Directorate
Valentin Vaerwijckweg 1
BE-9000 Gent
T +32 9 243 35 20
HoGent.be






On 12/05/15 14:45, "Michael Ströder" <[hidden email]> wrote:

>Kristof Van Doorsselaere wrote:
>> 654          ldap_tls_crlcheck = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_CRLCHECK);
> > [..]
>> 765          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CRLCHECK,
>> 768              log_error ("Cannot set LDAP TLS crl check option: %s",
>> Cannot set LDAP TLS crl check option: Can't contact LDAP server
>
>I suspect that libldap does not provide setting option LDAP_OPT_X_TLS_CRLCHECK
>on your platform.
>
> From ldap_set_option(3):
>
>   LDAP_OPT_X_TLS_CRLCHECK
>     Sets/gets the CRL evaluation strategy, [..]
>     Requires OpenSSL.
>
>That's clearly a dhcpd bug because if libldap is linked against libnss (on
>RedHat systems) or GnuTLS (e.g. Debian) the option LDAP_OPT_X_TLS_CRLCHECK is
>not usable. dhcpd has to check that and at least ignore this error during startup.
>
>Ciao, Michael.
>