authorThomas Markwalder <tmark@isc.org>2015-07-29 13:32:16 -0400
committerThomas Markwalder <tmark@isc.org>2015-07-29 13:32:16 -0400
commit743d69375c0e46ebb343cb3c6fa768103b7080d0 (patch)
tree4bea0683ffe2fb7c6428acc0740659f6ca4ae3b6 /contrib
parent6a39bcf0be695fa2e0b62312ea8bdc830a08f7bc (diff)
downloadisc-dhcp-743d69375c0e46ebb343cb3c6fa768103b7080d0.tar.gz
[master] LDAP: Patches, IPv6 support, GSSAPI support
Merges in 39056.
Diffstat (limited to 'contrib')
-rw-r--r--contrib/ldap/README.ldap41
-rw-r--r--contrib/ldap/dhcp.schema28
-rw-r--r--contrib/ldap/dhcpd-conf-to-ldap84
3 files changed, 130 insertions, 23 deletions
diff --git a/contrib/ldap/README.ldap b/contrib/ldap/README.ldap
index c4137907..5e4691e8 100644
--- a/contrib/ldap/README.ldap
+++ b/contrib/ldap/README.ldap
@@ -83,6 +83,12 @@ options:
ldap-tls-reqcert, ldap-tls-ca-file, ldap-tls-ca-dir, ldap-tls-cert
ldap-tls-key, ldap-tls-crlcheck, ldap-tls-ciphers, ldap-tls-randfile
+The ldap-init-retry <num> enables an optional ldap connect retry loop with
+the specified number of retries with a one second sleep between each try
+during the initial startup of the dhcp server.
+It allows to catch the condition, that the (remote) ldap server is not yet
+started at the start time of the dhcp server.
+
All of these parameters should be self explanatory except for the ldap-method.
You can set this to static or dynamic. If you set it to static, the
configuration is read once on startup, and LDAP isn't used anymore. But, if
@@ -189,3 +195,38 @@ into problems reading the configuration, try running dhcpd with the -d flag.
If you still have problems, edit the site.conf file in the DHCP source and
add the line: COPTS= -DDEBUG_LDAP and recompile DHCP. (make sure you run make
clean and rerun configure before you rebuild).
+
+DHCPv6 requires a separate instance of the dhcpd server from the
+DHCPv4 server.
+
+It is convenient to use distinct LDAP login DNs for the two servers,
+and setup LDAP access restrictions in the LDAP server, so that each
+DHCP server only has access to its own data.
+
+You will need to create a separate configuration file,
+call it /etc/dhcpd6.conf. For example:
+
+ldap-server "localhost";
+ldap-port 389;
+ldap-username "cn=DHCPv6 User, dc=ntelos, dc=net";
+ldap-password "blahblah";
+ldap-base-dn "dc=ntelos, dc=net";
+ldap-method dynamic;
+ldap-debug-file "/var/log/dhcp-ldap-startup.log";
+
+And use these command line arguments to dhcpd:
+
+dhcpd eth... -6 -cf /etc/dhcpd6.conf -pf /var/run/dhcpd6.pid -lf /var/lib/dhcpd6/dhcpd.leases
+
+For DHCPv6, the client configuration is the same, but substitute the
+Client ID for the Ethernet hardware address. Here is an example of a
+host definition for a DHCPv6 client:
+
+dn: cn=examplehost,cn=XXXX:XXXX:XXXX:XXXX::/64,cn=Network-eth1,cn=DHCPv6,dc=example,dc=com
+objectClass: top
+objectClass: dhcpHost
+cn: examplehost
+dhcpClientId: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
+dhcpStatements: fixed-address6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
+option host-name "examplehost.ipv6.example.com"
+option domain-name "ipv6.example.com"
diff --git a/contrib/ldap/dhcp.schema b/contrib/ldap/dhcp.schema
index c5ed6c72..0c24a7a2 100644
--- a/contrib/ldap/dhcp.schema
+++ b/contrib/ldap/dhcp.schema
@@ -334,6 +334,18 @@ attributetype ( 2.16.840.1.113719.1.203.4.56
DESC 'Generic attribute that allows coments within any DHCP object'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributetype ( 2.16.840.1.113719.1.203.4.57
+ NAME 'dhcpClientId'
+ EQUALITY caseIgnoreIA5Match
+ DESC 'client Identifier.'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 2.16.840.1.113719.1.203.4.58
+ NAME 'dhcpRange6'
+ EQUALITY caseIgnoreIA5Match
+ DESC 'The starting & ending IP Addresses in the range (inclusive), separated by a hyphen; if the range only contains one address, then just the address can be specified with no hyphen. Each range is defined as a separate value.'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
# Classes
objectclass ( 2.16.840.1.113719.1.203.6.1
@@ -378,7 +390,7 @@ objectclass ( 2.16.840.1.113719.1.203.6.6
DESC 'This represents information about a particular client'
SUP top
MUST cn
- MAY (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+ MAY (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption $ dhcpClientId)
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
objectclass ( 2.16.840.1.113719.1.203.6.7
@@ -459,4 +471,18 @@ objectclass ( 2.16.840.1.113719.1.203.6.16
MAY ( dhcpServiceDN $dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpKeyDN $ dhcpZoneDN $ dhcpFailOverPeerDN $ dhcpOption $ dhcpComments)
X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )
+objectclass ( 2.16.840.1.113719.1.203.6.17
+ NAME 'dhcpSubnet6'
+ DESC 'This class defines an IPv6 subnet. This is a container object.'
+ SUP top
+ MUST ( cn )
+ MAY ( dhcpRange6 $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption $ dhcpPermitList ) X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork') )
+
+objectclass ( 2.16.840.1.113719.1.203.6.18
+ NAME 'dhcpPool6'
+ DESC 'This stores configuration information about an IPv6 pool.'
+ SUP top
+ MUST ( cn $ dhcpRange6 )
+ MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $dhcpKeyDN $ dhcpStatements $ dhcpComments $ dhcpOption )
+ X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpSharedNetwork') )
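Review bot: The new dhcpPool6 class (last hunk, line `X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpSharedNetwork') )`) names the IPv4 container 'dhcpSubnet' rather than the 'dhcpSubnet6' class added just above it, so on a directory that enforces containment an IPv6 pool could not be created under an IPv6 subnet; if that is the intended layout, the line should read `X-NDS_CONTAINMENT ('dhcpSubnet6' 'dhcpSharedNetwork') )`. In the same hunk dhcpSubnet6 puts its X-NDS_CONTAINMENT on the same line as the MAY list, while every other class in the file gives it its own line. The DESC for dhcpClientId in the first hunk, `'client Identifier.'`, says nothing about the expected encoding; the README change in this same commit shows colon-separated hexadecimal octets, so `DESC 'Client identifier as colon-separated hexadecimal octets.'` would let a reader populate it without consulting the README.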
diff --git a/contrib/ldap/dhcpd-conf-to-ldap b/contrib/ldap/dhcpd-conf-to-ldap
index aee6c979..95064c6f 100644
--- a/contrib/ldap/dhcpd-conf-to-ldap
+++ b/contrib/ldap/dhcpd-conf-to-ldap
@@ -137,6 +137,7 @@ add_dn_to_stack
local ($dn) = @_;
$current_dn = "$dn, $current_dn";
+ $curentry{'current_dn'} = $current_dn;
}
@@ -154,6 +155,26 @@ parse_error
exit (1);
}
+sub
+new_entry
+{
+ if (%curentry) {
+ $curentry{'current_dn'} = $current_dn;
+ push(@entrystack, {%curentry});
+ undef(%curentry);
+ }
+}
+
+sub
+pop_entry
+{
+ if (%curentry) {
+ push(@outputlist, {%curentry});
+ }
+ $rentry = pop(@entrystack);
+ %curentry = %$rentry if $rentry;
+}
+
sub
print_entry
@@ -167,7 +188,7 @@ print_entry
print "cn: $server\n";
print "objectClass: top\n";
print "objectClass: dhcpServer\n";
- print "dhcpServiceDN: $current_dn\n";
+ print "dhcpServiceDN: $curentry{'current_dn'}\n";
if(grep(/FaIlOvEr/i, @use))
{
foreach my $fo_peer (keys %failover)
@@ -179,7 +200,7 @@ print_entry
}
print "\n";
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: $dhcpcn\n";
print "objectClass: top\n";
print "objectClass: dhcpService\n";
@@ -195,7 +216,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'subnet')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'ip'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpSubnet\n";
@@ -215,7 +236,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'shared-network')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'descr'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpSharedNetwork\n";
@@ -226,7 +247,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'group')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: group", $curentry{'idx'}, "\n";
print "objectClass: top\n";
print "objectClass: dhcpGroup\n";
@@ -237,7 +258,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'host')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'host'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpHost\n";
@@ -254,7 +275,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'pool')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: pool", $curentry{'idx'}, "\n";
print "objectClass: top\n";
print "objectClass: dhcpPool\n";
@@ -273,7 +294,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'class')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'class'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpClass\n";
@@ -284,7 +305,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'subclass')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'subclass'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpSubClass\n";
@@ -344,7 +365,7 @@ sub parse_subnet
{
local ($ip, $tmp, $netmask);
- print_entry () if %curentry;
+ new_entry ();
$ip = next_token (0);
parse_error () if !defined ($ip);
@@ -374,7 +395,7 @@ sub parse_shared_network
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$descr = next_token (0);
parse_error () if !defined ($descr);
@@ -393,7 +414,7 @@ sub parse_host
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$host = next_token (0);
parse_error () if !defined ($host);
@@ -412,7 +433,7 @@ sub parse_group
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$tmp = next_token (0);
parse_error () if !defined ($tmp);
@@ -435,7 +456,7 @@ sub parse_pool
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$tmp = next_token (0);
parse_error () if !defined ($tmp);
@@ -458,7 +479,7 @@ sub parse_class
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$class = next_token (0);
parse_error () if !defined ($class);
@@ -478,7 +499,7 @@ sub parse_subclass
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$class = next_token (0);
parse_error () if !defined ($class);
@@ -486,14 +507,23 @@ sub parse_subclass
$subclass = next_token (0);
parse_error () if !defined ($subclass);
- $tmp = next_token (0);
- parse_error () if !defined ($tmp);
- parse_error () if !($tmp eq '{');
-
+ if (substr($subclass,-1) eq ';') {
+ $tmp = ";";
+ $subclass = substr($subclass,0,-1);
+ } else {
+ $tmp = next_token (0);
+ parse_error () if !defined ($tmp);
+ }
+ parse_error () if !($tmp eq '{' or $tmp eq ';');
add_dn_to_stack ("cn=$subclass");
$curentry{'type'} = 'subclass';
$curentry{'class'} = $class;
$curentry{'subclass'} = $subclass;
+
+ if ($tmp eq ';') {
+ pop_entry ();
+ remove_dn_from_stack ();
+ }
}
@@ -682,11 +712,11 @@ print STDERR "\n";
my $token;
my $token_number = 0;
my $line_number = 0;
-my %curentry;
my $cursubnet = '';
my %curcounter = ( '' => { pool => 0, group => 0 } );
$current_dn = "$dhcpdn";
+$curentry{'current_dn'} = $current_dn;
$curentry{'descr'} = $dhcpcn;
$line = '';
%failover = ();
@@ -695,7 +725,7 @@ while (($token = next_token (1)))
{
if ($token eq '}')
{
- print_entry () if %curentry;
+ pop_entry ();
if($current_dn =~ /.+?,\s*${dhcpdn}$/) {
# don't go below dhcpdn ...
remove_dn_from_stack ();
@@ -753,6 +783,16 @@ while (($token = next_token (1)))
}
}
+pop_entry ();
+
+while ($#outputlist >= 0) {
+ $rentry = pop(@outputlist);
+ if ($rentry) {
+ %curentry = %$rentry;
+ print_entry ();
+ }
+}
+
close(STDIN) if($i_conf);
close(STDOUT) if($o_ldif);
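Review bot: pop_entry (hunk at @@ -154,6 +155,26) leaves %curentry populated when @entrystack is empty, because the reassignment is guarded by `if $rentry`; the entry just pushed to @outputlist therefore survives into the next pop_entry call and is pushed a second time, so an unbalanced `}` or the final `pop_entry ();` after an already-drained stack emits a duplicate LDIF entry. Replacing its last two lines with `my $rentry = pop(@entrystack);` and `%curentry = $rentry ? %$rentry : ();` clears the current entry in that case and also stops $rentry from being a file-wide global that the output loop at the end of the file reassigns as well. In parse_subclass (hunk at @@ -486,14 +507,23), stripping a trailing `;` from $subclass can leave an empty name if the tokenizer ever returns `;` as its own token, which would push `cn=` onto the DN stack; a `parse_error () if $subclass eq '';` after the substr would catch that, though next_token is outside this diff so whether that token shape occurs is unverified.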