dhcp 4.3.2 with ldap backend

Kristof Van Doorsselaere kristof.vandoorsselaere at hogent.be
Mon May 11 06:46:31 UTC 2015


Michael,

I had a "plain" ldap.conf without any special SSL/TLS-related settings, which I then modified:

[root@new_server ~]# grep -v ^# /etc/openldap/ldap.conf | grep -v ^$
URI	ldaps://ldaptest.example.com:636
SASL_NOCANON	on

Then I added: (to get ldapsearch working)
TLS_REQCERT allow

-> same error during dhcp start

then I replaced TLS_REQCERT allow, by 

[root@new_server ~]# grep -v ^# /etc/openldap/ldap.conf | grep -v ^$
URI	ldaps://ldaptest.example.com:636
SASL_NOCANON	on
TLS_CACERT "/etc/ssl/certs/ca/chain-new_server.example.com.pem"
TLS_CACERTDIR "/etc/ssl/certs/ca"
TLS_CERT "/etc/ssl/certs/new_server.example.com.pem"
[root@new_server ~]#




So now I’m using official certs, but still, all I got is:

May  8 14:41:40 new_server dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May  8 14:41:40 new_server dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636
May  8 14:41:40 new_server dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
May  8 14:41:41 new_server dhcpd: Configuration file errors encountered -- exiting


I just tested ldapsearch on this new dhcp server, and so far this seems to work for me, for example:

[root@new_server ~]# ldapsearch -Z -LLL -b "dc=example,dc=com" -H ldap://ldaptest.example.com -D "uid=admin,dc=example,dc=com" -W "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet 00:02:b3:d0:2a:ca))"
Enter LDAP Password: 
dn: cn=0002b3d02aca,cn=CA-NET,cn=DHCP Service Config,dc=example,dc=com
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:02:b3:d0:2a:ca
dhcpStatements: fixed-address 192.168.112.1
cn: 0002b3d02aca



Setting the env variable LDAPNOINIT=1 does not change the dhcp startup behavior.


[root@new_server ~]# env | grep LDAPNOINIT
LDAPNOINIT=1
[root@new_server ~]#


When using "ldap-ssl start_tls" in my dhcp.config, I get:

May 11 08:34:14 new_server systemd: Starting IPv4 DHCP server on ...
May 11 08:34:14 new_server dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May 11 08:34:14 new_server dhcpd: Error: Cannot start TLS session to ldaptest.example.com:389: Can't contact LDAP server
May 11 08:34:14 new_server dhcpd: Configuration file errors encountered -- exiting


When using "ldap-ssl ldaps" I get:

May 11 08:37:58 new_server systemd: Starting IPv4 DHCP server on ...
May 11 08:37:58 new_server dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
May 11 08:37:58 new_server dhcpd: LDAPS session successfully enabled to ldaptest.example.com:636
May 11 08:37:58 new_server dhcpd: Error: Cannot login into ldap server ldaptest.example.com:636: Can't contact LDAP server
May 11 08:37:58 new_server dhcpd: Configuration file errors encountered -- exiting
May 11 08:37:58 new_server dhcpd:


Also when I disable ldap-ssl (-> ldap-ssl off), it refuses to start:

May 11 08:43:13 new_server systemd: Starting IPv4 DHCP server on ...
May 11 08:43:13 new_server dhcpd: Error: Cannot login into ldap server ldaptest.example.com:389: Can't contact LDAP server
May 11 08:43:13 new_server dhcpd: Configuration file errors encountered -- exiting



And in all cases, I don’t see any connections towards my ldap server.

Kristof




On 08/05/15 14:17, "Michael Ströder" <michael at stroeder.com> wrote:

>Kristof Van Doorsselaere wrote:
>> After configuring: TLS_REQCERT allow in /etc/openldap/ldap.conf
>
>Hmm, you should really let libnss validate the server's cert by setting the 
>TLS_CACERT or TLS_CACERTDIR. Otherwise MITM attacks are possible.
>
>> May  8 13:55:44 fulaga systemd: Starting IPv4 DHCP server on ...
>> May  8 13:55:44 fulaga dhcpd: Cannot set LDAP TLS crl check option: Can't contact LDAP server
>
>I suspect there is something in your system-wide ldap.conf which tries to set 
>a TLS option related to CRLs which is unknown when using libnss.
>
>Please read the man-page ldap.conf(5) again and eventually try to use env var 
>LDAPNOINIT=1 when starting dhcpd.
>
>Ciao, Michael.
>
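The quoted reply makes the security point of this thread: TLS_REQCERT allow makes the LDAP client accept any server certificate, so the dhcpd-to-LDAP session can be intercepted; the fix is a trust anchor (TLS_CACERT or TLS_CACERTDIR) with the default TLS_REQCERT demand. The following is an added example, not code from the thread, ISC dhcp or OpenLDAP: a small Python linter that reads an ldap.conf and reports the TLS settings that weaken or break server validation. The sample configuration is constructed to resemble the one posted above (first attempt plus the later certificate paths); the severities, the check for quoted values (ldap.conf(5) examples are unquoted, so a quoted path deserves a second look) and the TLS_CERT-without-TLS_KEY check are this example's own choices.

```python
"""Lint the TLS-related settings of an OpenLDAP client ldap.conf (added example)."""

# Constructed sample, modelled on the ldap.conf quoted in the thread; not a real file.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client settings
URI\tldaps://ldaptest.example.com:636
SASL_NOCANON\ton
TLS_REQCERT allow
TLS_CACERT "/etc/ssl/certs/ca/chain-new_server.example.com.pem"
TLS_CACERTDIR "/etc/ssl/certs/ca"
TLS_CERT "/etc/ssl/certs/new_server.example.com.pem"
"""

# Constructed hardened variant: explicit trust anchor, default (demand) verification,
# unquoted path, no half-configured client certificate.
HARDENED_LDAP_CONF = """\
URI\tldaps://ldaptest.example.com:636
SASL_NOCANON\ton
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/ca/chain-new_server.example.com.pem
"""


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for every non-blank, non-comment line.

    ldap.conf lines are 'keyword value...' with the value running to the end of
    the line; keywords are upper-cased here so lookups are uniform.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[keyword] = value
    return settings


def _is_quoted(value):
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"


def lint_tls_settings(settings):
    """Return a list of (severity, keyword, message) findings; empty means nothing flagged."""
    findings = []

    # ldap.conf(5): TLS_REQCERT defaults to 'demand'; never/allow accept a bad or missing cert.
    reqcert = settings.get("TLS_REQCERT", "demand").strip("\"'").lower()
    if reqcert in ("never", "allow"):
        findings.append(("error", "TLS_REQCERT",
                         f"'{reqcert}' accepts any server certificate (or none); "
                         "an on-path attacker can impersonate the LDAP server"))
    elif reqcert == "try":
        findings.append(("warning", "TLS_REQCERT",
                         "'try' still proceeds when the server presents no certificate"))

    # Without a trust anchor, 'demand' has nothing to validate against.
    if not (settings.get("TLS_CACERT") or settings.get("TLS_CACERTDIR")):
        findings.append(("warning", "TLS_CACERT",
                         "no TLS_CACERT/TLS_CACERTDIR; validation depends on the "
                         "library's default store, if it has one"))

    # A client certificate is only usable together with its private key.
    if "TLS_CERT" in settings and "TLS_KEY" not in settings:
        findings.append(("warning", "TLS_CERT",
                         "TLS_CERT set without TLS_KEY; a client-certificate handshake cannot complete"))

    # Heuristic: ldap.conf(5) examples are unquoted; quotes may end up inside the path.
    for keyword, value in settings.items():
        if keyword.startswith("TLS_") and _is_quoted(value):
            findings.append(("warning", keyword,
                             "value is quoted; ldap.conf(5) examples are unquoted, "
                             "verify the path is read as intended"))

    # A plain ldap:// URI is cleartext unless the application asks for STARTTLS.
    if "ldap://" in settings.get("URI", "").lower():
        findings.append(("info", "URI",
                         "ldap:// is cleartext unless STARTTLS is requested "
                         "(ldapsearch -Z, dhcpd 'ldap-ssl start_tls')"))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"== {name} ==")
        for severity, keyword, message in lint_tls_settings(parse_ldap_conf(text)) or [("ok", "-", "nothing flagged")]:
            print(f"{severity:8} {keyword:14} {message}")
```

Run it against a copy of the real file with `lint_tls_settings(parse_ldap_conf(open("/etc/openldap/ldap.conf").read()))`; the hardened sample produces no findings, the thread-like sample flags the allow setting as an error and each quoted path as a warning.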

