dhcp 4.3.2 with ldap backend

Michael Ströder michael at stroeder.com
Fri May 8 12:17:15 UTC 2015


Kristof Van Doorsselaere wrote:
> After configuring: TLS_REQCERT allow in /etc/openldap/ldap.conf

Hmm, you should really let libnss validate the server's cert by setting the 
TLS_CACERT or TLS_CACERTDIR. Otherwise MITM attacks are possible.

> May  8 13:55:44 fulaga systemd: Starting IPv4 DHCP server on ...
> May  8 13:55:44 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server

I suspect there is something in your system-wide ldap.conf which tries to set 
a TLS option related to CRLs which is unknown when using libnss.

Please read the man-page ldap.conf(5) again and eventually try to use env var 
LDAPNOINIT=1 when starting dhcpd.

Ciao, Michael.
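As an added illustration of the point in the reply above (not code from the thread or from ISC dhcp or OpenLDAP), here is a small audit script that parses an ldap.conf body and reports the settings Michael warns about: a TLS_REQCERT value that skips server-certificate verification, a missing TLS_CACERT/TLS_CACERTDIR trust anchor, and a CRL-related option. The sample configs are constructed; the script assumes TLS_CRLCHECK (the OpenSSL-only CRL option documented in ldap.conf(5)) is the kind of CRL option the reply suspects an NSS-built libldap cannot set.

```python
"""Audit the client-side TLS settings of an OpenLDAP-style ldap.conf.

Added example: flags a non-enforcing TLS_REQCERT, a missing trust anchor,
and an OpenSSL-only CRL option. Both sample configurations below are
constructed for this example.
"""
import re

# TLS_REQCERT values that do not require a valid server certificate
# (ldap.conf(5) levels: never, allow, try, demand/hard; default is demand).
NON_ENFORCING_REQCERT = {"never", "allow"}

WEAK_CONF = """\
# constructed sample resembling what the thread's poster describes
URI ldaps://ldap.example.org
BASE dc=example,dc=org
TLS_REQCERT allow
TLS_CRLCHECK all
"""

FIXED_CONF = """\
# constructed sample: trust anchor configured, verification enforced
URI ldaps://ldap.example.org
BASE dc=example,dc=org
TLS_CACERT /etc/openldap/certs/ca.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} for an ldap.conf body.

    Blank lines and '#' comments are skipped; option names are
    case-insensitive and normalised to upper case. A repeated option keeps
    its last value (a simplification: the multi-file lookup order of
    ldap.conf(5) is not modelled here).
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            options[parts[0].upper()] = parts[1].strip()
    return options


def audit_tls(options):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    reqcert = options.get("TLS_REQCERT", "demand").lower()
    if reqcert in NON_ENFORCING_REQCERT:
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified, "
            "so an active attacker on the path can impersonate the LDAP server"
        )
    elif reqcert == "try":
        findings.append(
            "TLS_REQCERT try: a server that presents no certificate is accepted"
        )
    if "TLS_CACERT" not in options and "TLS_CACERTDIR" not in options:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: there is no trust anchor, so "
            "TLS_REQCERT demand would fail instead of verifying"
        )
    # Assumption for this example: TLS_CRLCHECK (OpenSSL-only per ldap.conf(5))
    # is the CRL-related option the reply suspects an NSS-built libldap
    # cannot set, matching the "Cannot set LDAP TLS crl check option" log line.
    crl = options.get("TLS_CRLCHECK", "none").lower()
    if crl != "none":
        findings.append(
            f"TLS_CRLCHECK {crl}: OpenSSL-only option; an NSS-built libldap "
            "may refuse to set it"
        )
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit_tls(parse_ldap_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {audit_text(conf) or ['OK']}")
```

Run it against a real /etc/openldap/ldap.conf by passing the file contents to audit_text(); an empty result means the server certificate will be validated against a configured CA and no OpenSSL-only CRL option is in play.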
