dhcp 4.3.2 with ldap backend

Michael Ströder michael at stroeder.com
Fri May 8 12:17:15 UTC 2015

Kristof Van Doorsselaere wrote:
> After configuring: TLS_REQCERT allow in /etc/openldap/ldap.conf

Hmm, you should really let libnss validate the server's cert by setting the 
TLS_CACERT or TLS_CACERTDIR. Otherwise MITM attacks are possible.

> May  8 13:55:44 fulaga systemd: Starting IPv4 DHCP server on ...
> May  8 13:55:44 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server

I suspect there is something in your system-wide ldap.conf which tries to set 
a TLS option related to CRLs which is unknown when using libnss.

Please read the man page ldap.conf(5) again and possibly try using the env var 
LDAPNOINIT=1 when starting dhcpd.

Ciao, Michael.
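The two points Michael raises above (TLS_REQCERT allow disables server certificate checking, and validation needs a trust anchor via TLS_CACERT or TLS_CACERTDIR) can be checked mechanically. The script below is an added example, not something posted in this thread or shipped with ISC dhcpd or OpenLDAP: it lints an OpenLDAP client ldap.conf(5) for those two settings and runs against three constructed sample files. The hostnames, base DN and CA bundle path in the samples are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client ldap.conf(5)
# for the TLS settings discussed above.
#   - TLS_REQCERT never|allow   -> any server certificate is accepted (MITM possible)
#   - TLS_REQCERT demand|hard|try, or unset (the default is demand), only works
#     if a trust anchor is named with TLS_CACERT or TLS_CACERTDIR.
# Keywords are case-insensitive and '#' starts a comment, as in the real format.

# Usage: ldap_conf_tls_check FILE
# Prints OK:/FAIL: with the reason and returns 0 (validation enforced) or 1.
ldap_conf_tls_check() {
    f="$1"
    # Last occurrence wins, matching how libldap reads the file top to bottom.
    reqcert=$(awk '{ sub(/#.*/, "") }
                   toupper($1) == "TLS_REQCERT" { v = tolower($2) }
                   END { print v }' "$f")
    anchor=$(awk '{ sub(/#.*/, "") }
                  toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { v = $2 }
                  END { print v }' "$f")
    rc="${reqcert:-demand}"   # unset TLS_REQCERT means demand
    case "$rc" in
        never|allow)
            echo "FAIL: $f: TLS_REQCERT $rc accepts any server certificate (MITM possible)"
            return 1 ;;
        demand|hard|try)
            if [ -z "$anchor" ]; then
                echo "FAIL: $f: TLS_REQCERT $rc but no TLS_CACERT/TLS_CACERTDIR trust anchor"
                return 1
            fi
            echo "OK: $f: TLS_REQCERT $rc, trust anchor $anchor"
            return 0 ;;
        *)
            echo "FAIL: $f: unknown TLS_REQCERT value '$reqcert'"
            return 1 ;;
    esac
}

# Constructed sample configs (hostnames, DN and CA path are made up).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
weak="$tmp/ldap.conf.weak"
noanchor="$tmp/ldap.conf.noanchor"
hardened="$tmp/ldap.conf.hardened"

cat > "$weak" <<'EOF'
# constructed sample: the setting from the original report
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT allow
EOF

cat > "$noanchor" <<'EOF'
# constructed sample: validation requested but nothing to validate against
URI ldaps://ldap.example.com
BASE dc=example,dc=com
tls_reqcert demand
EOF

cat > "$hardened" <<'EOF'
# constructed sample: validate the server cert against a named CA bundle
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/example-ca.pem
TLS_REQCERT demand
EOF

ldap_conf_tls_check "$weak" || true
ldap_conf_tls_check "$noanchor" || true
ldap_conf_tls_check "$hardened" || true
```

Run it on the real /etc/openldap/ldap.conf to see which of the three cases a host is in. Note that the check only covers the system-wide file: a per-user ldaprc or LDAPCONF/LDAPRC environment variable can override it, and starting dhcpd with LDAPNOINIT=1, as suggested above, makes libldap skip all of those files, so the TLS options then have to come from dhcpd's own configuration.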

