dhcp 4.3.2 with ldap backend


dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
Dear DHCP user list,

I'm trying to set up a new dual-stack (IPv4/IPv6) DHCP server for my company.

We are using an LDAP backend (for fixed IPs and MAC address verification).

Up till now we used an old 4.1.1 DHCP server, but for the new server I prefer to use the latest 4.3.2 source. Using this source I'm unable to start the DHCP server; the same config works fine with 4.2.8. So it seems LDAP is broken in 4.3.2, or other/extra config is required.

The reason I require 4.3 is IPv6: IPv6 support in 4.2.8 is limited, for example I'm missing options like pool6, so I'm unable to set up a failover cluster.

I found a bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723773 but it's unclear to me what the status of this bug is.

My dhcp ldap config:

ldap-server "ldaptest.example.com";
ldap-port 636;
ldap-username "uid=admin dc=example, dc=com";
ldap-password "secret";
ldap-base-dn "dc=example, dc=com";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
ldap-ssl ldaps;


The error I’m getting:

May  6 08:49:38 fulaga systemd: Starting IPv4 DHCP server on ...

May  6 08:49:39 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server

May  6 08:49:39 fulaga dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636

May  6 08:49:39 fulaga dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server

May  6 08:49:39 fulaga dhcpd: Configuration file errors encountered -- exiting


Thanks in advance for your replies.


Kristof


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: dhcp 4.3.2 with ldap backend

Michael Ströder
Kristof Van Doorsselaere wrote:
> I’m trying to setup a new dual stack (ipv4/ipv6) dhcp server for my company.
>
> We are using an ldap backend (for fixed ip’s and mac address verification).
>
> Up till now we used a old 4.1.1 dhcp server, but for the new server I prefer to use the latest 4.3.2 source.

Did you also change the OS or its version or at least libldap?

> May  6 08:49:39 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
> May  6 08:49:39 fulaga dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636
> May  6 08:49:39 fulaga dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
> May  6 08:49:39 fulaga dhcpd: Configuration file errors encountered -- exiting

This looks like a TLS misconfiguration to me.

Are you sure your local libldap installation works as is with LDAPS or StartTLS?

Sometimes OpenLDAP's libldap gets linked against GnuTLS (e.g. on Debian) or
libnss (on Red Hat) causing misconfiguration or even triggering serious bugs.

Ciao, Michael.


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
Thanks for your reply.

Our current DHCP server is CentOS 5.5; the new server I'm setting up is CentOS 7.

On this centos 7:

- dhcp 4.2.8 with ldap backend = OK
- dhcp 4.3.2 with ldap backend = NOK

The installed openldap packages are:

Name        : openldap-devel
Arch        : x86_64
Version     : 2.4.39
Release     : 6.el7
Size        : 3.7 M
Repo        : installed
From repo   : base
Summary     : LDAP development libraries and header files
URL         : http://www.openldap.org/
License     : OpenLDAP
Description : The openldap-devel package includes the development libraries and
            : header files needed for compiling applications that use LDAP
            : (Lightweight Directory Access Protocol) internals. LDAP is a set of
            : protocols for enabling directory services over the Internet. Install
            : this package only if you plan to develop or will need to compile
            : customized LDAP clients.

Kristof





On 08/05/15 11:12, "Michael Ströder" <[hidden email]> wrote:


Re: dhcp 4.3.2 with ldap backend

Michael Ströder
Kristof Van Doorsselaere wrote:
> Thanks for your reply.
>
> Our current dhcp server is a centos 5.5, the new server I’m setting up is a centos 7
>
> On this centos 7:
>
> - dhcp 4.2.8 with ldap backend = OK
> - dhcp 4.3.2 with ldap backend = NOK

IIRC libldap was linked against OpenSSL in CentOS/RHEL 5. In more recent
versions it's linked against libnss because of Red Hat's
PKCS#11-everywhere-plans. This is a significant change regarding TLS
configuration.

=> first try to get your ldaps://ldaptest.example.com working with ldapsearch
command-line tool

Also note that libldap reads a system-wide LDAP client configuration file
which might falsely set additional TLS related parameters. See ldap.conf(5)
for details, especially env var LDAPNOINIT and sections TLS OPTIONS and FILES.

Ciao, Michael.



Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
Michael,

After configuring: TLS_REQCERT allow in /etc/openldap/ldap.conf


I don’t have issues using ldapsearch on my new server:

[root@new_server ~]# uname -a
Linux new_server.example.com 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


[root@new_server ~]# ldapsearch -LLL -b "dc=example,dc=com" -H ldaps://ldap1.example.com:636 -D "uid=admin,dc=example,dc=com" -W "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet 0c:4d:e9:ab:64:a6))"
Enter LDAP Password:
dn: cn=0c4de9ab64a6,cn=admin,cn=DHCP Service Config,dc=example,dc=com
objectClass: top
objectClass: dhcpHost
dhcpStatements: fixed-address 10.100.172.240
dhcpHWAddress: ethernet 0c:4d:e9:ab:64:a6
cn: 0c4de9ab64a6

But still dhcp 4.3.2 refuses to start because of "Configuration file errors", while the same config works perfectly with dhcp 4.2.8:

May  8 13:55:44 fulaga systemd: Starting IPv4 DHCP server on ...
May  8 13:55:44 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May  8 13:55:44 fulaga dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636
May  8 13:55:44 fulaga dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
May  8 13:55:44 fulaga dhcpd: Configuration file errors encountered -- exiting




I also don't see any connection towards my LDAP server, so it looks like a bug to me.

Kristof





On 08/05/15 11:27, "Michael Ströder" <[hidden email]> wrote:


Re: dhcp 4.3.2 with ldap backend

Michael Ströder
Kristof Van Doorsselaere wrote:
> After configuring: TLS_REQCERT allow in /etc/openldap/ldap.conf

Hmm, you should really let libnss validate the server's cert by setting the
TLS_CACERT or TLS_CACERTDIR. Otherwise MITM attacks are possible.

> May  8 13:55:44 fulaga systemd: Starting IPv4 DHCP server on ...
> May  8 13:55:44 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server

I suspect there is something in your system-wide ldap.conf which tries to set
a TLS option related to CRLs which is unknown when using libnss.

Please read the man-page ldap.conf(5) again and eventually try to use env var
LDAPNOINIT=1 when starting dhcpd.

Ciao, Michael.


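An added example, not code from the thread, from ISC DHCP or from OpenLDAP, that ties together the two points made above: libldap reads the system-wide ldap.conf on behalf of every program linked against it, dhcpd included, and "TLS_REQCERT allow" silences certificate errors at the price of making a man-in-the-middle undetectable. The script lints an ldap.conf for exactly that class of setting (a weak file beside a hardened one) and carries the ldapsearch invocations that exercise the same libldap TLS path dhcpd uses. Host names, DNs and file paths in it are assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread, from ISC DHCP or from OpenLDAP.
# dhcpd talks to the directory through libldap, and libldap reads the
# system-wide /etc/openldap/ldap.conf (see ldap.conf(5)), so the TLS
# directives there apply to dhcpd exactly as they apply to ldapsearch.
# Part 1 lints such a file for settings that switch off server-certificate
# validation; part 2 is the manual ldapsearch smoke test through the same
# TLS path. Host names, DNs and file paths are assumptions for illustration.

# Print the effective directives of an ldap.conf: per ldap.conf(5) only
# whole-line "#" comments and blank lines are ignored.
ldap_conf_directives() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"
}

# Exit 0 if the file pins a trust anchor (TLS_CACERT or TLS_CACERTDIR) and
# leaves TLS_REQCERT at a value that rejects an invalid server certificate;
# otherwise print each finding and exit 1.
ldap_conf_tls_check() {
    conf="$1"
    reqcert=$(ldap_conf_directives "$conf" |
        awk 'toupper($1) == "TLS_REQCERT" { r = tolower($2) } END { print r }')
    cacert=$(ldap_conf_directives "$conf" |
        awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { print $2; exit }')
    ok=0
    case "$reqcert" in
        never|allow)
            echo "WEAK: TLS_REQCERT $reqcert accepts an unverifiable server certificate (MITM possible)"
            ok=1 ;;
        try)
            echo "WEAK: TLS_REQCERT try accepts a server that presents no certificate at all"
            ok=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "WEAK: no TLS_CACERT or TLS_CACERTDIR, so libldap has no trust anchor to validate against"
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "OK: $conf pins a CA and requires a valid server certificate"
    fi
    return "$ok"
}

# Write a weak and a hardened ldap.conf (constructed samples) into $1 and
# run the check on both; returns 0 when the weak one is flagged and the
# hardened one passes.
demo() {
    cat > "$1/ldap.conf.weak" <<'EOF'
# "TLS_REQCERT allow" makes ldapsearch succeed against any certificate,
# including one presented by a man-in-the-middle.
URI ldaps://ldaptest.example.com:636
SASL_NOCANON on
TLS_REQCERT allow
EOF
    cat > "$1/ldap.conf.hardened" <<'EOF'
# Trust anchor (assumed path) plus the default, strict TLS_REQCERT.
URI ldaps://ldaptest.example.com:636
SASL_NOCANON on
TLS_CACERT /etc/ssl/certs/ca/chain.pem
TLS_REQCERT demand
EOF
    if ldap_conf_tls_check "$1/ldap.conf.weak"; then return 1; fi
    ldap_conf_tls_check "$1/ldap.conf.hardened"
}

# Part 2 (manual, needs network access and openldap-clients; not run here):
# exercise libldap's TLS path the way dhcpd does. ldaps:// must be used
# without -Z (the thread shows "TLS already started" otherwise); -ZZ on
# ldap:// makes StartTLS mandatory instead of best-effort. Prefixing either
# command with LDAPNOINIT=1 makes libldap skip ldap.conf entirely, which
# isolates whether a directive in that file is what breaks the session.
ldap_tls_smoke_test() {
    ldapsearch -LLL -H "ldaps://$1:636" -D "$2" -W -b "$3" -s base '(objectClass=*)' 1.1
    ldapsearch -LLL -ZZ -H "ldap://$1:389" -D "$2" -W -b "$3" -s base '(objectClass=*)' 1.1
}

workdir=$(mktemp -d) && demo "$workdir"
rm -rf "$workdir"
```

After sourcing the script, `ldap_conf_tls_check /etc/openldap/ldap.conf` gives the verdict on the real file; a WEAK result on the file that made ldapsearch "work" is the expected outcome of the TLS_REQCERT allow workaround discussed above, and the fix is the trust anchor, not the relaxed check.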

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
Michael,

I had a "plain" ldap.conf without any special SSL/TLS-related settings, which I then modified:

[root@new_server ~]# grep -v ^# /etc/openldap/ldap.conf | grep -v ^$
URI ldaps://ldaptest.example.com:636
SASL_NOCANON on

Then I added: (to get ldapsearch working)
TLS_REQCERT allow

-> same error during dhcpd start

Then I replaced TLS_REQCERT allow by:

[root@new_server ~]# grep -v ^# /etc/openldap/ldap.conf | grep -v ^$
URI ldaps://ldaptest.example.com:636
SASL_NOCANON on
TLS_CACERT "/etc/ssl/certs/ca/chain-new_server.example.com.pem"
TLS_CACERTDIR "/etc/ssl/certs/ca"
TLS_CERT "/etc/ssl/certs/new_server.example.com.pem"
[root@new_server ~]#




So now I'm using official certs, but still all I get is:

May  8 14:41:40 new_server dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May  8 14:41:40 new_server dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636
May  8 14:41:40 new_server dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
May  8 14:41:41 new_server dhcpd: Configuration file errors encountered -- exiting


I just tested ldapsearch on this new DHCP server, and so far this seems to work for me, for example:

[root@new_server ~]# ldapsearch -Z -LLL -b "dc=example,dc=com" -H ldap://ldaptest.example.com -D "uid=admin,dc=example,dc=com" -W "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet 00:02:b3:d0:2a:ca))"
Enter LDAP Password:
dn: cn=0002b3d02aca,cn=CA-NET,cn=DHCP Service Config,dc=example,dc=com
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:02:b3:d0:2a:ca
dhcpStatements: fixed-address 192.168.112.1
cn: 0002b3d02aca



Setting env variable LDAPNOINIT=1 does not change the dhcp startup behavior


[root@new_server ~]# env | grep LDAPNOINIT
LDAPNOINIT=1
[root@new_server ~]#


When using "ldap-ssl start_tls" in my dhcpd config, I get:

May 11 08:34:14 new_server systemd: Starting IPv4 DHCP server on ...
May 11 08:34:14 new_server dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May 11 08:34:14 new_server dhcpd: Error: Cannot start TLS session to ldaptest.example.com:389: Can't contact LDAP server
May 11 08:34:14 new_server dhcpd: Configuration file errors encountered -- exiting


When using "ldap-ssl ldaps" I get:

May 11 08:37:58 new_server systemd: Starting IPv4 DHCP server on ...
May 11 08:37:58 new_server dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May 11 08:37:58 new_server dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636
May 11 08:37:58 new_server dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
May 11 08:37:58 new_server dhcpd: Configuration file errors encountered -- exiting
May 11 08:37:58 new_server dhcpd:


Also when I disable ldap-ssl (ldap-ssl off), it refuses to start:

May 11 08:43:13 new_server systemd: Starting IPv4 DHCP server on ...
May 11 08:43:13 new_server dhcpd: Error: Cannot login into ldap server ldaptest.example.com:389: Can't contact LDAP server
May 11 08:43:13 new_server dhcpd: Configuration file errors encountered -- exiting



And in all cases, I don’t see any connections towards my ldap server.

Kristof




On 08/05/15 14:17, "Michael Ströder" <[hidden email]> wrote:


Re: dhcp 4.3.2 with ldap backend

Peter Rathlev
On Mon, 2015-05-11 at 06:46 +0000, Kristof Van Doorsselaere wrote:
> I just tested ldapsearch on this new dhcp server, and so far, this
> seems to work for me,  example:
>
> [root@ new_server ~]#  ldapsearch -Z -LLL -b “dc=example,dc=com" \
>   -H ldap://ldaptest.example.com -D “uid=admin,dc=example,dc=com" \
>   -W  "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet 00:02:b3:d0:2a:ca))"
> Enter LDAP Password:
> dn: cn=0002b3d02aca,cn=CA-NET,cn=DHCP Service Config,dc=example,dc=com
...

Does this also work if you use "-H ldaps://..."?

> Also when I disable ldap-ssl: —> ldap-ssl off , it refuses to start:
>
> May 11 08:43:13 new_server systemd: Starting IPv4 DHCP server on ...
> May 11 08:43:13 new_server dhcpd: Error: Cannot login into ldap server \
>   ldaptest.example.com:389: Can't contact LDAP server
> May 11 08:43:13 new_server dhcpd: Configuration file errors encountered \
>   -- exiting
>  
> And in all cases, I don’t see any connections towards my ldap server.

Just a shot in the dark, but could it be related to SELinux? Does it
give you the same errors if you try "setenforce 0" first?

--
Peter


Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere

> Does this also work if you use "-H ldaps://..."?

Yes, but only if I remove the -Z option, else I get:

 additional info: TLS already started

Kristof








On 11/05/15 10:53, "Peter Rathlev" <[hidden email]> wrote:


Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
In reply to this post by Peter Rathlev
> Just a shot in the dark, but could it be related to SELinux? Does it
> give you the same errors if you try "setenforce 0" first?


Selinux was already disabled, so:

setenforce 0
setenforce: SELinux is disabled
[root@new_server dhcp-4.3.2]# /usr/sbin/dhcpd -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcpd4.conf -lf /var/db/dhcpd/dhcpd4.leases
Internet Systems Consortium DHCP Server 4.3.2
Copyright 2004-2015 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Cannot set LDAP TLS crl check option: Can't contact LDAP server
LDAPS session successfully enabled to ldaptest.example.com:636
Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
Configuration file errors encountered -- exiting


The fact that I'm always getting "Configuration file errors encountered" makes me think this is a new bug, isn't it?


Kristof



On 11/05/15 10:53, "Peter Rathlev" <[hidden email]> wrote:


Re: dhcp 4.3.2 with ldap backend

A.L.M.Buxey
In reply to this post by Kristof Van Doorsselaere
Hi,

> The installed openldap packages are:
>
> Name        : openldap-devel

Hmm, I'm sure you need more than that installed - that package just gives you the stuff allowing you to compile
applications so they can use OpenLDAP. Do you have e.g. the openldap and compat-openldap packages installed?

alan

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
These are installed:

[root@new_server dhcp-4.3.2]# yum list installed | grep ldap
openldap.x86_64                 2.4.39-6.el7                           @base    
openldap-clients.x86_64         2.4.39-6.el7                           @base    
openldap-devel.x86_64           2.4.39-6.el7                           @base    
[root@new_server dhcp-4.3.2]#


I suppose I don’t need: openldap-servers.x86_64 if my ldap runs on another machine?

Kristof





On 11/05/15 15:55, "[hidden email]" <[hidden email]> wrote:


Re: dhcp 4.3.2 with ldap backend

A.L.M.Buxey
Hi,

> These are installed:
>
> [root@new_server dhcp-4.3.2]# yum list installed | grep ldap
> openldap.x86_64                 2.4.39-6.el7                           @base    
> openldap-clients.x86_64         2.4.39-6.el7                           @base    
> openldap-devel.x86_64           2.4.39-6.el7                           @base    
> [root@ new_server dhcp-4.3.2]#

in your previous email you said only openldap-devel was present

> I suppose I don’t need: openldap-servers.x86_64 if my ldap runs on another machine?

correct.


Try running dhcpd with more debugging on, and run e.g. tcpdump to see if the server
is even talking to the remote server. I've got a feeling it's either the system ldap.conf
missing a setting or having an incorrect setting, as already stated, OR that 4.3.x
has new options/config for this; can't recall off the top of my head. Are you running the
older 4.2.x version on the same server for side-by-side testing/validation of
the system/OS and config?

alan

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere


> On 11 May 2015 at 16:17, "[hidden email]" <[hidden email]> wrote:
>
> Hi,
>
>> These are installed:
>>
>> [root@new_server dhcp-4.3.2]# yum list installed | grep ldap
>> openldap.x86_64                 2.4.39-6.el7                           @base    
>> openldap-clients.x86_64         2.4.39-6.el7                           @base    
>> openldap-devel.x86_64           2.4.39-6.el7                           @base    
>> [root@ new_server dhcp-4.3.2]#
>
> in your previous email you said only openldap-devel was present
>

Sorry, I thought only the openldap-devel package was relevant for my question.

>> I suppose I don’t need: openldap-servers.x86_64 if my ldap runs on another machine?
>
> correct.
>
>
> try running dhcpd with more debugging on an run eg tcpdump to see if the server
> is even talking to the remote server

I have run tcpdump on the LDAP server, but I never see inbound traffic from my DHCP server when testing 4.3.2, while with 4.2.8 I do see the ldapsearch requests.

>  I've got a feeling its either system ldap.conf
> missing a setting or having an incorrect setting - as already stated  

I can't believe that, since 4.2.8 runs fine on this server.

> OR its that 4.3.x
> has new options/config for this - cant recall off top of head.

Can't find any special LDAP-related docs for dhcpd 4.3.2 :-(
>   you running the
> older 4.2.x version on the same server for side-by-side testing/validation of
> the system/OS and config?

Yes


It would be nice if someone else can validate 4.3.2 with ldap enabled on centos 7 or another Linux flavor

Kristof

Re: dhcp 4.3.2 with ldap backend

Peter Rathlev
In reply to this post by Kristof Van Doorsselaere
On Mon, 2015-05-11 at 13:07 +0000, Kristof Van Doorsselaere wrote:
> The fact I’m always getting: configuration file errors encountered, make me think this is a new bug, isn’t it?

It sure does sound something like that. A few other possible ideas:

You mentioned that tcpdump on the LDAP server shows nothing. What about
a local tcpdump on the DHCP server, using the "any" interface?

Does the daemon start and release the PTY, just logging the errors to
syslog? Or does it not release the PTY and dump the syntax error to
STDERR? I would expect the latter for an actual configuration syntax
error. I'm not sure how systemd's systemctl starts a daemon and if you
would actually see the STDERR output.

You could also try starting the daemon in the foreground (-f) in an
"strace" session and look at what actually happens. Like if the daemon
actually creates a socket ("socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)")
and what the "connect" returns.

I'm afraid we don't use the LDAP backend and I try to avoid Windows RHEL
2007 like the plague. Not a fan of systemd on servers. :-)

--
Peter


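An added example, not code from the thread or from ISC DHCP, that turns the strace suggestion above into something repeatable: a wrapper that records only the network system calls of a foreground dhcpd start, and a classifier that answers the question Peter raises, whether a TCP socket towards the LDAP server is created at all and what connect() returns. The traces it classifies are constructed samples; addresses and PIDs in them are not from this thread, and the dhcpd paths mirror the command line used earlier in the thread.

```shell
#!/bin/sh
# Added example; not code from the thread or from ISC DHCP. It follows the
# suggestion above: run dhcpd in the foreground under strace and look at
# whether a TCP socket towards the LDAP server is created and what connect()
# returns. Part 1 is the wrapper (needs root, strace and a real dhcpd; not run
# automatically). Part 2 classifies a saved trace so that "libldap never
# tried to connect" (no traffic on the wire, as in this thread) can be told
# apart from "connect() was attempted and failed". Addresses, PIDs and the
# sample traces below are constructed for illustration.

# -f follows child processes, -e trace=network limits the trace to
# socket-related calls, -o keeps strace's output out of dhcpd's own stderr.
# A successful start keeps dhcpd running in the foreground; stop it with
# Ctrl-C before classifying the trace.
trace_dhcpd() {
    strace -f -e trace=network -o "${2:-/tmp/dhcpd.strace}" \
        /usr/sbin/dhcpd -4 -f -d -cf "${1:-/etc/dhcp/dhcpd4.conf}" \
        -lf /var/db/dhcpd/dhcpd4.leases -pf /run/dhcpd4.pid
}

# Print one of: no-connect | connect-ok | connect-pending |
# connect-failed <ERRNO> for connect() calls to port $2 in trace file $1.
# Unix-socket connects (nscd, sssd) carry no port and are ignored, and a
# non-blocking connect() returning EINPROGRESS (libldap does this when a
# network timeout is set) counts as attempted, not failed.
classify_trace() {
    awk -v want="$2" '
        /connect\(/ && /port=htons\(/ {
            port = $0
            sub(/.*port=htons\(/, "", port); sub(/\).*/, "", port)
            if (port != want) next
            seen++
            if ($0 ~ /<unfinished \.\.\.>/) { pending++; next }
            res = $0
            sub(/.*\) = /, "", res)
            if (res ~ /^0/)                 ok++
            else if (res ~ /EINPROGRESS/)   pending++
            else { fail = res; sub(/^-1 /, "", fail); sub(/ .*/, "", fail) }
        }
        END {
            if (!seen)        print "no-connect"
            else if (ok)      print "connect-ok"
            else if (pending) print "connect-pending"
            else              print "connect-failed " fail
        }' "$1"
}

# Constructed traces in "strace -f" format, written into directory $1.
write_sample_traces() {
    # Only name resolution and nscd traffic: the client library gave up before
    # opening a socket to the directory, which is what this thread's symptoms look like.
    cat > "$1/no-connect.strace" <<'EOF'
4893  socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
4893  connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4893  socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
4893  connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
4893  +++ exited with 1 +++
EOF
    cat > "$1/refused.strace" <<'EOF'
4901  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
4901  connect(5, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
4901  +++ exited with 1 +++
EOF
    cat > "$1/pending.strace" <<'EOF'
4905  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
4905  connect(5, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
4905  getsockopt(5, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
EOF
    cat > "$1/ok.strace" <<'EOF'
4910  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
4910  connect(5, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
EOF
}

workdir=$(mktemp -d) && write_sample_traces "$workdir"
for t in no-connect refused pending ok; do
    printf '%-12s %s\n' "$t" "$(classify_trace "$workdir/$t.strace" 636)"
done
rm -rf "$workdir"
```

A "no-connect" verdict for port 636 (or 389 with start_tls/off) says the failure happens inside the client library before any packet is sent, which is consistent with the empty tcpdump on both ends reported in this thread; "connect-failed" points at the network, a firewall or the server instead, and "connect-pending" means the trace has to be read on to the following poll()/getsockopt() to see the real outcome.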

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
Peter

On 12/05/15 09:08, "Peter Rathlev" <[hidden email]> wrote:

>On Mon, 2015-05-11 at 13:07 +0000, Kristof Van Doorsselaere wrote:
>> The fact I’m always getting: configuration file errors encountered, make me think this is a new bug, isn’t it?
>
>It sure does sound something like that. A few other possible ideas:
>
>You mentioned that tcpdump on the LDAP server shows nothing. What about
>a local tcpdump on the DHCP server, using the "any" interface?

I ran tcpdump locally today on the DHCP server, and again I don't see any outgoing data during the dhcpd startup attempt.

>
>Does the daemon start and release the PTY, just logging the errors to
>syslog? Or does it not release the PTY and dump the syntax error to
>STDERR? I would expect the latter for an actual configuration syntax
>error. I'm not sure how systemd's systemctl starts a daemon and if you
>would actually see the STDERR output.

I’m currently testing manually (so avoiding systemd), and output looks like this:

[root@new_server dhcp-4.3.2]# dhcpd  -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -d -tf /tmp/debug
Internet Systems Consortium DHCP Server 4.3.2
Copyright 2004-2015 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
WARNING: Overwriting trace file "/tmp/debug"
Cannot set LDAP TLS crl check option: Can't contact LDAP server
Cannot init ldap session to ldap://ldaptest.example.com:389
Configuration file errors encountered -- exiting


If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug.  These pages explain the proper
process and the information we find helpful for debugging..


exiting.
[root@new_server dhcp-4.3.2]# echo $?
1
[root@new_server dhcp-4.3.2]# ps aux | grep dhcp | grep -v grep
[root@new_server dhcp-4.3.2]#
[root@new_server dhcp-4.3.2]#

In the dhcp_test.conf I have: log-facility local4;

Rsyslog redirects local4 to:


local4.*                                                /var/log/dhcpd4.log

During startup nothing is logged to this file (while trying to start 4.3.2), so I think it's not releasing the PTY and is dumping the syntax error to
STDERR.



>
>You could also try starting the daemon in the foreground (-f) in an
>"strace" session and look at what actually happens. Like if the daemon
>actually creates a socket ("socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)")
>and what the "connect" returns.

I tried, but I don't see a different behavior while using -f to run in the foreground:

[root@new_server dhcp-4.3.2]# dhcpd  -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -f
Internet Systems Consortium DHCP Server 4.3.2
Copyright 2004-2015 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Cannot set LDAP TLS crl check option: Can't contact LDAP server
Cannot init ldap session to ldap://ldaptest.example.com:389
Configuration file errors encountered -- exiting


If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug.  These pages explain the proper
process and the information we find helpful for debugging..


exiting.
[root@new_server dhcp-4.3.2]#


For extra debugging I started with strace; the output is attached as strace_output.txt.

I also tried to start with gdb, to see some more debug output, but it’s hard for me to tell where it goes wrong as I’m not a developer

Gdb output is attached as gdb_output.txt

Kristof





Attachments: strace_putput.txt (45K), gdb_output.txt (6K)

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere
Below is some extra debugging info; maybe it helps someone to further analyse this issue:

1. Break on ldap_read_config

[root@new_server dhcp-4.3.2]# gdb --args dhcpd  -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -f -d
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-64.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/dhcpd...done.
(gdb)  break ldap_read_config
Breakpoint 1 at 0x45cbf3: file ldap.c, line 1356.
(gdb) run
Starting program: /usr/sbin/dhcpd -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -f -d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Internet Systems Consortium DHCP Server 4.3.2
Copyright 2004-2015 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/


Breakpoint 1, ldap_read_config () at ldap.c:1356
1356  ldap_dn_node *curr = NULL;
(gdb) n
1362  struct berval **tempbv = NULL;
(gdb) n
1364  if (ld == NULL)
(gdb) n
1365    ldap_start ();
(gdb) n
Cannot set LDAP TLS crl check option: Can't contact LDAP server
Cannot init ldap session to ldap://ldaptest.example.com:389
1366  if (ld == NULL)
(gdb) n
1367    return (ldap_server == NULL ? ISC_R_SUCCESS : ISC_R_FAILURE);
(gdb) n
1580 }
(gdb) n
readconf () at confpars.c:70
70 }
(gdb) n
main (argc=10, argv=0x7fffffffe458) at dhcpd.c:614
614 log_fatal ("Configuration file errors encountered -- exiting");
(gdb) n
Configuration file errors encountered -- exiting


If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug.  These pages explain the proper
process and the information we find helpful for debugging..


exiting.
[Inferior 1 (process 4893) exited with code 01]
(gdb) n
The program is not being run.
(gdb) q
[root@new_server dhcp-4.3.2]#




2. Break on ldap_start

[root@new_server dhcp-4.3.2]# gdb --args dhcpd  -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -f -d
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-64.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/dhcpd...done.
(gdb) break ldap_start
Breakpoint 1 at 0x45b320: file ldap.c, line 620.
(gdb) run
Starting program: /usr/sbin/dhcpd -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -f -d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Internet Systems Consortium DHCP Server 4.3.2
Copyright 2004-2015 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/


Breakpoint 1, ldap_start () at ldap.c:620
620  char *uri = NULL;
(gdb) n
623  if (ld != NULL)
(gdb) n
626  if (ldap_server == NULL)
(gdb) n
628      options = NULL;
(gdb) n
629      option_state_allocate (&options, MDL);
(gdb) n
631      execute_statements_in_scope (NULL, NULL, NULL, NULL, NULL,
(gdb) n
635      ldap_server = _do_lookup_dhcp_string_option (options, SV_LDAP_SERVER);
(gdb) n
636      ldap_dhcp_server_cn = _do_lookup_dhcp_string_option (options,
(gdb) n
638      ldap_port = _do_lookup_dhcp_int_option (options, SV_LDAP_PORT);
(gdb) n
639      ldap_base_dn = _do_lookup_dhcp_string_option (options, SV_LDAP_BASE_DN);
(gdb) n
640      ldap_method = _do_lookup_dhcp_enum_option (options, SV_LDAP_METHOD);
(gdb) n
641      ldap_debug_file = _do_lookup_dhcp_string_option (options,
(gdb) n
643      ldap_referrals = _do_lookup_dhcp_enum_option (options, SV_LDAP_REFERRALS);
(gdb) n
646      ldap_use_ssl = _do_lookup_dhcp_enum_option (options, SV_LDAP_SSL);
(gdb) n
647      if( ldap_use_ssl != LDAP_SSL_OFF)
(gdb) n
649          ldap_tls_reqcert = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_REQCERT);
(gdb) n
650          ldap_tls_ca_file = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CA_FILE);
(gdb) n
651          ldap_tls_ca_dir = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CA_DIR);
(gdb) n
652          ldap_tls_cert = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CERT);
(gdb) n
653          ldap_tls_key = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_KEY);
(gdb) n
654          ldap_tls_crlcheck = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_CRLCHECK);
(gdb) n
655          ldap_tls_ciphers = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CIPHERS);
(gdb) n
656          ldap_tls_randfile = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_RANDFILE);
(gdb) n
668      ldap_username = _do_lookup_dhcp_string_option (options, SV_LDAP_USERNAME);
(gdb) n
669      ldap_password = _do_lookup_dhcp_string_option (options, SV_LDAP_PASSWORD);
(gdb) n
675      option_state_dereference (&options, MDL);
(gdb) n
678  if (ldap_server == NULL || ldap_base_dn == NULL)
(gdb) n
685  if (ldap_debug_file != NULL && ldap_debug_fd == -1)
(gdb) n
687      if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY,
(gdb) n
698  if (ldap_use_ssl == -1)
(gdb) n
714  if (ldap_use_ssl != LDAP_SSL_OFF)
(gdb) n
716      if (ldap_tls_reqcert != -1)
(gdb) n
718          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
(gdb) n
726      if( ldap_tls_ca_file != NULL)
(gdb) n
735      if( ldap_tls_ca_dir != NULL)
(gdb) n
737          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
(gdb) n
744      if( ldap_tls_cert != NULL)
(gdb) n
746          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
(gdb) n
753      if( ldap_tls_key != NULL)
(gdb) n
755          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
(gdb) n
762      if( ldap_tls_crlcheck != -1)
(gdb) n
764          int opt = ldap_tls_crlcheck;
(gdb) n
765          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CRLCHECK,
(gdb) n
768              log_error ("Cannot set LDAP TLS crl check option: %s",
(gdb) n
Cannot set LDAP TLS crl check option: Can't contact LDAP server
772      if( ldap_tls_ciphers != NULL)
(gdb) n
774          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
(gdb) n
781      if( ldap_tls_randfile != NULL)
(gdb) n
794  uri = malloc(strlen(ldap_server) + 16);
(gdb) n
795  if (uri == NULL)
(gdb) n
801  sprintf(uri, "ldap://%s:%d", ldap_server, ldap_port);
(gdb) n
802  ldap_initialize(&ld, uri);
(gdb) n
804  if (ld == NULL)
(gdb) n
806      log_error ("Cannot init ldap session to %s:%d", ldap_server, ldap_port);
(gdb) n
Cannot init ldap session to ldap://ldaptest.example.com:389
807      return;
(gdb) n
889 }
(gdb) n
ldap_read_config () at ldap.c:1366
1366  if (ld == NULL)
(gdb) n
1367    return (ldap_server == NULL ? ISC_R_SUCCESS : ISC_R_FAILURE);
(gdb) n
1580 }
(gdb) n
readconf () at confpars.c:70
70 }
(gdb) n
main (argc=10, argv=0x7fffffffe458) at dhcpd.c:614
614 log_fatal ("Configuration file errors encountered -- exiting");
(gdb) n
Configuration file errors encountered -- exiting


If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug.  These pages explain the proper
process and the information we find helpful for debugging..


exiting.
[Inferior 1 (process 7927) exited with code 01]
(gdb) q
[root@new_server dhcp-4.3.2]#


Kristof




On 12/05/15 10:06, "Kristof Van Doorsselaere" <[hidden email]> wrote:

>Peter
>
>On 12/05/15 09:08, "Peter Rathlev" <[hidden email]> wrote:
>
>>On Mon, 2015-05-11 at 13:07 +0000, Kristof Van Doorsselaere wrote:
>>> The fact I’m always getting: configuration file errors encountered, make me think this is a new bug, isn’t it?
>>
>>It sure does sound something like that. A few other possible ideas:
>>
>>You mentioned that tcpdump on the LDAP server shows nothing. What about
>>a local tcpdump on the DHCP server, using the "any" interface?
>
>I ran tcpdump locally today on the dhcp server, and again I don’t see any outgoing data during the dhcpd startup attempt
>
>>
>>Does the daemon start and release the PTY, just logging the errors to
>>syslog? Or does it not release the PTY and dump the syntax error to
>>STDERR? I would expect the latter for an actual configuration syntax
>>error. I'm not sure how systemd's systemctl starts a daemon and if you
>>would actually see the STDERR output.
>
>I’m currently testing manually (so avoiding systemd), and output looks like this:
>
>[root@new_server dhcp-4.3.2]# dhcpd  -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -d -tf /tmp/debug
>Internet Systems Consortium DHCP Server 4.3.2
>Copyright 2004-2015 Internet Systems Consortium.
>All rights reserved.
>For info, please visit https://www.isc.org/software/dhcp/
>WARNING: Overwriting trace file "/tmp/debug"
>Cannot set LDAP TLS crl check option: Can't contact LDAP server
>Cannot init ldap session to ldap://ldaptest.example.com:389
>Configuration file errors encountered -- exiting
>
>
>If you think you have received this message due to a bug rather
>than a configuration issue please read the section on submitting
>bugs on either our web page at www.isc.org or in the README file
>before submitting a bug.  These pages explain the proper
>process and the information we find helpful for debugging..
>
>
>exiting.
>[root@new_server dhcp-4.3.2]# echo $?
>1
>[root@new_server dhcp-4.3.2]# ps aux | grep dhcp | grep -v grep
>[root@new_server dhcp-4.3.2]#
>[root@new_server dhcp-4.3.2]#
>
>In the dhcp_test.conf I have: log-facility local4;
>
>Rsyslog redirects local4 to:
>
>
>local4.*                                                /var/log/dhcpd4.log
>
>During startup nothing is logged to this file (while trying to start 4.3.2), so I think it’s not releasing the PTY and is dumping the syntax error to STDERR
>
>
>
>>
>>You could also try starting the daemon in the foreground (-f) in an
>>"strace" session and look at what actually happens. Like if the daemon
>>actually creates a socket ("socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)")
>>and what the "connect" returns.
>
>I tried but I don’t see a different behavior while using -f to run in foreground
>
>[root@new_server dhcp-4.3.2]# dhcpd  -4 -pf /run/dhcpd4.pid -cf /etc/dhcp/dhcp_test.conf -lf /var/db/dhcpd/dhcpd4.leases -f
>Internet Systems Consortium DHCP Server 4.3.2
>Copyright 2004-2015 Internet Systems Consortium.
>All rights reserved.
>For info, please visit https://www.isc.org/software/dhcp/
>Cannot set LDAP TLS crl check option: Can't contact LDAP server
>Cannot init ldap session to ldap://ldaptest.example.com:389
>Configuration file errors encountered -- exiting
>
>
>If you think you have received this message due to a bug rather
>than a configuration issue please read the section on submitting
>bugs on either our web page at www.isc.org or in the README file
>before submitting a bug.  These pages explain the proper
>process and the information we find helpful for debugging..
>
>
>exiting.
>[root@new_server dhcp-4.3.2]#
>
>
>For extra debugging, I started with strace, output is attached as file: strace_output.txt
>
>I also tried to start with gdb, to see some more debug output, but it’s hard for me to tell where it goes wrong as I’m not a developer
>
>Gdb output is attached as gdb_output.txt
>
>Kristof
>
>
>
>>
>>I'm afraid we don't use the LDAP backend and I try to avoid Windows RHEL
>>2007 like the plague. Not a fan of systemd on servers. :-)
>>
>>--
>>Peter
>>
>>

Re: dhcp 4.3.2 with ldap backend

Peter Rathlev
In reply to this post by Kristof Van Doorsselaere
On Tue, 2015-05-12 at 08:06 +0000, Kristof Van Doorsselaere wrote:
> For extra debugging, I started with strace, output is attached as
> file: strace_output.txt

I took a look, and the process never tries to connect to any LDAP
server. It opens /etc/openldap/ldap.conf and then tries /root/ldaprc
and /root/.ldaprc (both of which do not exist, not an error) and then
fails. Maybe ltrace or more detailed gdb could point at the error, but
that's beyond my skill set. :-)

When googling for the error message I can see a hit related to GnuTLS
and OpenSSL:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723773

But since the error turned out to be something different (haven't read
the whole thread) it's maybe not the same. And it's against 4.2.2, where
you see something that looks like a regression error.

--
Peter

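Peter's reading of the attached strace (libldap opens ldap.conf and the two ldaprc files, then the process exits without ever creating a socket or calling connect) is exactly the kind of check that is worth automating when comparing a working and a failing build. The script below is an added example, not code from this thread or from ISC DHCP. It scans strace output for the open/socket/connect calls Peter suggested looking for, ignores non-IP connects such as the syslog socket, and reports whether a connection to an LDAP port (389 or 636) was ever attempted. The two embedded traces are constructed for the example; the server addresses in them are placeholders.

```python
"""Scan strace output for evidence that a daemon ever tried to reach an LDAP server.

Added example (not ISC DHCP code). It automates the check made by hand on the
attached strace_output.txt. The sample traces at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

LDAP_PORTS = {389, 636}                        # ldap:// and ldaps:// defaults
LDAP_CONFIG_HINTS = ("ldap.conf", "ldaprc")    # libldap client config files

# Optional "[pid N]", "N" or timestamp prefixes that strace -f / -t emit.
PREFIX_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?:\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?")
OPEN_RE = re.compile(
    r'^open(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^=]*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?')
SOCKET_RE = re.compile(r"^socket\((?P<args>[^)]*)\)\s*=\s*(?P<ret>-?\d+)")
CONNECT_RE = re.compile(
    r"^connect\((?P<fd>\d+),\s*\{(?P<addr>[^}]*)\}[^=]*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?")
PORT_RE = re.compile(r"sin6?_port=htons\((\d+)\)")
HOST_RE = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6,\s*"([^"]+)"')


@dataclass
class ConnectAttempt:
    fd: int
    host: str
    port: int
    ret: int                # 0 on success, -1 on failure
    err: Optional[str]      # errno name on failure, e.g. ECONNREFUSED


@dataclass
class TraceReport:
    config_files: List[Tuple[str, bool]] = field(default_factory=list)  # (path, was readable)
    tcp_sockets: int = 0                                                 # AF_INET/AF_INET6 stream sockets
    connects: List[ConnectAttempt] = field(default_factory=list)         # IP connects only

    @property
    def ldap_connect_attempted(self) -> bool:
        return any(c.port in LDAP_PORTS for c in self.connects)

    def summary(self) -> str:
        out = [f"config {p}: {'read' if ok else 'absent (not an error)'}" for p, ok in self.config_files]
        out.append(f"TCP sockets created: {self.tcp_sockets}")
        for c in self.connects:
            outcome = "ok" if c.ret == 0 else (c.err or f"ret={c.ret}")
            out.append(f"connect fd {c.fd} -> [{c.host}]:{c.port}: {outcome}")
        out.append("LDAP connection attempted" if self.ldap_connect_attempted
                   else "no connection attempt to an LDAP port: the failure happens before the network")
        return "\n".join(out)


def analyze_strace(lines: Iterable[str]) -> TraceReport:
    """Walk strace lines and collect the LDAP-relevant syscalls."""
    report = TraceReport()
    for raw in lines:
        line = PREFIX_RE.sub("", raw.strip(), count=1)
        m = OPEN_RE.match(line)
        if m:
            path = m.group("path")
            if any(hint in path for hint in LDAP_CONFIG_HINTS):
                report.config_files.append((path, int(m.group("ret")) >= 0))
            continue
        m = SOCKET_RE.match(line)
        if m:
            args = m.group("args")
            if "SOCK_STREAM" in args and "INET" in args:   # PF_INET/AF_INET/AF_INET6 + TCP
                report.tcp_sockets += 1
            continue
        m = CONNECT_RE.match(line)
        if m:
            addr = m.group("addr")
            port_m = PORT_RE.search(addr)
            if not port_m:          # AF_UNIX (e.g. syslog's /dev/log) or other non-IP connect
                continue
            host_m = HOST_RE.search(addr)
            host = next((g for g in host_m.groups() if g), "?") if host_m else "?"
            report.connects.append(ConnectAttempt(int(m.group("fd")), host, int(port_m.group(1)),
                                                  int(m.group("ret")), m.group("err")))
    return report


# Constructed excerpt modelled on the failure in the thread: libldap reads its
# client config, the daemon only talks to syslog, and no TCP socket is ever opened.
FAILING_TRACE = r"""
open("/etc/dhcp/dhcp_test.conf", O_RDONLY) = 3
open("/etc/openldap/ldap.conf", O_RDONLY) = 4
open("/root/ldaprc", O_RDONLY)           = -1 ENOENT (No such file or directory)
open("/root/.ldaprc", O_RDONLY)          = -1 ENOENT (No such file or directory)
socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
connect(5, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
write(2, "Cannot set LDAP TLS crl check option: Can't contact LDAP server\n", 64) = 64
exit_group(1)                            = ?
""".strip("\n").splitlines()

# Constructed excerpt for a build that does reach a directory server (placeholder addresses).
CONNECTING_TRACE = r"""
open("/etc/openldap/ldap.conf", O_RDONLY) = 4
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 6
connect(6, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ECONNREFUSED (Connection refused)
""".strip("\n").splitlines()

if __name__ == "__main__":
    print(analyze_strace(FAILING_TRACE).summary())
```

Run it against a real capture with `strace -f -o strace_output.txt dhcpd -f -d ...` and feed the file's lines to `analyze_strace`; a report with zero TCP sockets and no LDAP connect, as in the failing trace, means the error text is produced locally by libldap before any network activity, which is what the gdb session in this thread also shows.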

Re: dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere





On 12/05/15 13:43, "Peter Rathlev" <[hidden email]> wrote:

>On Tue, 2015-05-12 at 08:06 +0000, Kristof Van Doorsselaere wrote:
>> For extra debugging, I started with strace, output is attached as
>> file: strace_output.txt
>
>I took a look, and the process never tries to connect to any LDAP
>server. It opens /etc/openldap/ldap.conf and then tries /root/ldaprc
>and /root/.ldaprc (both of which do not exist, not an error) and then
>fails. Maybe ltrace or more detailed gdb could point at the error, but
>that's beyond my skill set. :-)

Thanks for taking the time to have a look; advanced debugging via gdb is also beyond my skill set :-5

>
>When googling for the error message I can see a hit related to GnuTLS
>and OpenSSL:
>
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723773


Yes, that’s the bug I was pointing to in my first message, but I’m confused about the last message in this bug:

>> After all that it wasn't a bug.


I already sent a mail to Mark, asking if and how his issue was solved, but so far no response. It would be nice if someone could share a working dhcpd 4.3.2 config (with ldap and start_tls enabled) and the corresponding ldap.conf.

>
>But since the error turned out to be something different (haven't read
>the whole thread) it's maybe not the same. And it's against 4.2.2, where
>you see something that looks like a regression error.

That’s exactly what I’m thinking too

>
>--
>Peter
>

Re: dhcp 4.3.2 with ldap backend

Michael Ströder
In reply to this post by Kristof Van Doorsselaere
Kristof Van Doorsselaere wrote:
> 654          ldap_tls_crlcheck = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_CRLCHECK);
> [..]
> 765          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CRLCHECK,
> 768              log_error ("Cannot set LDAP TLS crl check option: %s",
> Cannot set LDAP TLS crl check option: Can't contact LDAP server

I suspect that libldap does not provide setting option LDAP_OPT_X_TLS_CRLCHECK
on your platform.

From ldap_set_option(3):

   LDAP_OPT_X_TLS_CRLCHECK
     Sets/gets the CRL evaluation strategy, [..]
     Requires OpenSSL.

That's clearly a dhcpd bug because if libldap is linked against libnss (on
RedHat systems) or GnuTLS (e.g. Debian) the option LDAP_OPT_X_TLS_CRLCHECK is
not usable. dhcpd has to check that and at least ignore this error during startup.

Ciao, Michael.

