dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere kristof.vandoorsselaere at hogent.be
Fri May 8 12:01:48 UTC 2015


Michael,

After configuring: TLS_REQCERT allow in /etc/openldap/ldap.conf


I don’t have issues using ldapsearch on my new server:

[root@ new_server ~]# uname -a
Linux new_server.example.com 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


[root at new_server ~]# ldapsearch -LLL -b "dc=example,dc=com" -H ldaps://ldap1.example.com:636 -D "uid=admin,dc=example,dc=com" -W "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet 0c:4d:e9:ab:64:a6))"
Enter LDAP Password: 
dn: cn=0c4de9ab64a6,cn=admin,cn=DHCP Service Config,dc=example,dc=com
objectClass: top
objectClass: dhcpHost
dhcpStatements: fixed-address 10.100.172.240
dhcpHWAddress: ethernet 0c:4d:e9:ab:64:a6
cn: 0c4de9ab64a6

But still dhcp 4.3.2 refuses to start because of configuration file errors, while the same config works perfectly with dhcp 4.2.8:

May  8 13:55:44 fulaga systemd: Starting IPv4 DHCP server on ...
May  8 13:55:44 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May  8 13:55:44 fulaga dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636
May  8 13:55:44 fulaga dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
May  8 13:55:44 fulaga dhcpd: Configuration file errors encountered -- exiting

I also don't see any connection towards my ldap server, so it looks like a bug to me.

Kristof
On 08/05/15 11:27, "Michael Ströder" <michael at stroeder.com> wrote:

>Kristof Van Doorsselaere wrote:
>> Thanks for your reply.
>>
>> Our current dhcp server is a centos 5.5, the new server I’m setting up is a centos 7
>>
>> On this centos 7:
>>
>> - dhcp 4.2.8 with ldap backend = OK
>> - dhcp 4.3.2 with ldap backend = NOK
>
>IIRC libldap was linked against OpenSSL in CentOS/RHEL 5. In more recent 
>versions it's linked against libnss because of Red Hat's 
>PKCS#11-everywhere-plans. This is a significant change regarding TLS 
>configuration.
>
>=> first try to get your ldaps://ldaptest.example.com working with ldapsearch 
>command-line tool
>
>Also note that libldap reads a system-wide LDAP client configuration file 
>which might falsely set additional TLS related parameters. See ldap.conf(5) 
>for details, especially env var LDAPNOINIT and sections TLS OPTIONS and FILES.
>
>Ciao, Michael.
>
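The thread works around the failure with TLS_REQCERT allow, and Michael's reply points at the system-wide ldap.conf that libldap reads. As an added example (not code from the thread or from ISC dhcp), here is a small Python audit of that file that flags the directive silencing certificate verification and shows a constructed hardened variant; the hostnames and CA path are assumptions.

```python
"""Audit the TLS directives libldap picks up from ldap.conf(5)."""
import re

# Constructed sample mirroring the thread: verification relaxed to get past the error.
WEAK_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed example)
URI ldaps://ldaptest.example.com:636
BASE dc=example,dc=com
TLS_REQCERT allow
"""

# Constructed hardened variant: verify the server against an explicit trust anchor.
# (On an NSS-linked libldap, TLS_CACERTDIR would name a cert database instead.)
HARDENED_LDAP_CONF = """\
URI ldaps://ldaptest.example.com:636
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/certs/example-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; later occurrences override earlier ones.

    ldap.conf(5) directives are case-insensitive, so keys are upper-cased.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def audit_tls(conf):
    """Return a list of findings; an empty list means peer verification is enforced."""
    findings = []
    # libldap's documented default for TLS_REQCERT is "demand".
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow", "try"):
        findings.append(f"TLS_REQCERT {reqcert}: bad or missing server certificate accepted")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor configured")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_tls(parse_ldap_conf(text)) or ["ok"])
```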