summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.in1
-rw-r--r--RELNOTES20
-rw-r--r--client/Makefile.in1
-rw-r--r--client/tests/Makefile.in1
-rw-r--r--common/Makefile.in1
-rw-r--r--common/conflex.c24
-rw-r--r--common/tests/Makefile.in1
-rwxr-xr-xconfigure165
-rw-r--r--configure.ac53
-rw-r--r--contrib/ldap/README.ldap41
-rw-r--r--contrib/ldap/dhcp.schema28
-rw-r--r--contrib/ldap/dhcpd-conf-to-ldap84
-rw-r--r--dhcpctl/Makefile.in1
-rw-r--r--includes/Makefile.am1
-rw-r--r--includes/Makefile.in2
-rw-r--r--includes/config.h.in12
-rw-r--r--includes/dhcpd.h7
-rw-r--r--includes/ldap_casa.h2
-rw-r--r--includes/ldap_krb_helper.h48
-rw-r--r--omapip/Makefile.in1
-rw-r--r--relay/Makefile.in1
-rw-r--r--server/Makefile.am5
-rw-r--r--server/Makefile.in27
-rw-r--r--server/ldap.c1679
-rw-r--r--server/ldap_casa.c4
-rw-r--r--server/ldap_krb_helper.c216
-rw-r--r--server/mdb.c5
-rw-r--r--server/stables.c5
-rw-r--r--server/tests/Makefile.in1
-rw-r--r--tests/Makefile.in1
30 files changed, 2121 insertions, 317 deletions
diff --git a/Makefile.in b/Makefile.in
index 8ce8974c..e5abacec 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -253,6 +253,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/RELNOTES b/RELNOTES
index e670384a..ed310ae9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -179,6 +179,26 @@ by Eric Young (eay@cryptsoft.com).
class has been deleted.
[ISC-Bugs #39978]
+- LDAP Patches - Numerous small patches submitted by contributors have
+ been applied to the contributed code which supplies LDAP support.
+ In addition, two larger submissions have also been included. The
+ first adds support for IPv6 configuration adn the second provides
+ GSSAPI authentication.
+ [ISC-Bugs #39056]
+ [ISC-Bugs #22742]
+ [ISC-Bugs #24449]
+ [ISC-Bugs #28545]
+ [ISC-Bugs #29873]
+ [ISC-Bugs #30183]
+ [ISC-Bugs #30402]
+ [ISC-Bugs #32217]
+ [ISC-Bugs #32240]
+ [ISC-Bugs #33176]
+ [ISC-Bugs #33178]
+ [ISC-Bugs #36409]
+ [ISC-Bugs #36774]
+ [ISC-Bugs #37876]
+
Changes since 4.3.2rc2
- None
diff --git a/client/Makefile.in b/client/Makefile.in
index 72fce7c8..a5311be2 100644
--- a/client/Makefile.in
+++ b/client/Makefile.in
@@ -260,6 +260,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/client/tests/Makefile.in b/client/tests/Makefile.in
index 303eb130..f1ebbf11 100644
--- a/client/tests/Makefile.in
+++ b/client/tests/Makefile.in
@@ -233,6 +233,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/common/Makefile.in b/common/Makefile.in
index ade60f17..8f1f432d 100644
--- a/common/Makefile.in
+++ b/common/Makefile.in
@@ -267,6 +267,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/common/conflex.c b/common/conflex.c
index 39110160..f23a8c78 100644
--- a/common/conflex.c
+++ b/common/conflex.c
@@ -147,13 +147,21 @@ save_parse_state(struct parse *cfile) {
/*
* Return the parser to the previous saved state.
*
- * You must call save_parse_state() before calling
- * restore_parse_state(), but you can call restore_parse_state() any
- * number of times after that.
+ * You must call save_parse_state() every time before calling
+ * restore_parse_state().
+ *
+ * Note: When the read function callback is in use in ldap mode,
+ * a call to get_char() may reallocate the buffer and will append
+ * config data to the buffer until a state restore.
+ * Do not restore to the (freed) pointer and size, but use new one.
*/
isc_result_t
restore_parse_state(struct parse *cfile) {
struct parse *saved_state;
+#if defined(LDAP_CONFIGURATION)
+ char *inbuf = cfile->inbuf;
+ size_t size = cfile->bufsiz;
+#endif
if (cfile->saved_state == NULL) {
return DHCP_R_NOTYET;
@@ -161,7 +169,13 @@ restore_parse_state(struct parse *cfile) {
saved_state = cfile->saved_state;
memcpy(cfile, saved_state, sizeof(*cfile));
- cfile->saved_state = saved_state;
+ dfree(saved_state, MDL);
+ cfile->saved_state = NULL;
+
+#if defined(LDAP_CONFIGURATION)
+ cfile->inbuf = inbuf;
+ cfile->bufsiz = size;
+#endif
return ISC_R_SUCCESS;
}
@@ -476,6 +490,8 @@ read_whitespace(int c, struct parse *cfile) {
}
cfile->tokbuf[ofs++] = c;
c = get_char(cfile);
+ if (c == EOF)
+ return END_OF_FILE;
} while (!((c == '\n') && cfile->eol_token) &&
isascii(c) && isspace(c));
diff --git a/common/tests/Makefile.in b/common/tests/Makefile.in
index 8fdddf63..1d174d12 100644
--- a/common/tests/Makefile.in
+++ b/common/tests/Makefile.in
@@ -271,6 +271,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/configure b/configure
index f92edba5..ce2362ff 100755
--- a/configure
+++ b/configure
@@ -626,6 +626,7 @@ am__EXEEXT_TRUE
LTLIBOBJS
LIBOBJS
LDAP_CFLAGS
+LDAP_LIBS
ac_prefix_program
HAVE_ATF_FALSE
HAVE_ATF_TRUE
@@ -766,6 +767,8 @@ with_relay6_pid_file
with_libbind
with_ldap
with_ldapcrypto
+with_ldap_gssapi
+with_ldapcasa
'
ac_precious_vars='build_alias
host_alias
@@ -1463,6 +1466,10 @@ Optional Packages:
--with-ldap enable OpenLDAP support in dhcpd (default is no)
--with-ldapcrypto enable OpenLDAP crypto support in dhcpd (default is
no)
+ --with-ldap-gssapi enable krb5/gssapi authentication for OpenLDAP in
+ dhcpd (default is no)
+ --with-ldapcasa enable LDAP CASA auth support in dhcpd (default is
+ no)
Some influential environment variables:
CC C compiler command
@@ -6674,10 +6681,34 @@ else
fi
+# Gssapi to allow LDAP to authenticate with a keytab
+
+# Check whether --with-ldap-gssapi was given.
+if test "${with_ldap_gssapi+set}" = set; then :
+ withval=$with_ldap_gssapi; ldap_gssapi=$withval
+else
+ ldap_gssapi=no
+fi
+
+
+
+# LDAP CASA auth support.
+
+# Check whether --with-ldapcasa was given.
+if test "${with_ldapcasa+set}" = set; then :
+ withval=$with_ldapcasa; ldapcasa=$withval
+else
+ ldapcasa=no
+fi
+
+
# OpenLDAP support is disabled by default, if enabled then SSL support is an
# extra optional that is also disabled by default. Enabling LDAP SSL support
-# implies enabling LDAP support.
-if test x$ldap = xyes || test x$ldapcrypto = xyes ; then
+# implies enabling LDAP support. Similarly, KRB5 support implies LDAP support,
+# but doesn't include SSL. The two are not dependant.
+if test x$ldap = xyes || test x$ldapcrypto = xyes || test x$ldap_gssapi = xyes; then
+ saved_LIBS="$LIBS"
+ LIBS=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing ldap_initialize" >&5
$as_echo_n "checking for library containing ldap_initialize... " >&6; }
if ${ac_cv_search_ldap_initialize+:} false; then :
@@ -6800,14 +6831,136 @@ as_fn_error $? "*** Cannot find ber_pvt_opt_on with -llber - do you need to inst
See \`config.log' for more details" "$LINENO" 5; }
fi
+ if test x$ldap_gssapi = xyes ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing krb5_init_context" >&5
+$as_echo_n "checking for library containing krb5_init_context... " >&6; }
+if ${ac_cv_search_krb5_init_context+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char krb5_init_context ();
+int
+main ()
+{
+return krb5_init_context ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' krb5; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_krb5_init_context=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search_krb5_init_context+:} false; then :
+ break
+fi
+done
+if ${ac_cv_search_krb5_init_context+:} false; then :
+
+else
+ ac_cv_search_krb5_init_context=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_krb5_init_context" >&5
+$as_echo "$ac_cv_search_krb5_init_context" >&6; }
+ac_res=$ac_cv_search_krb5_init_context
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "*** Cannot find krb5_init_context with -lkrb5 - do you need to install a Kerberos Devel package?
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+
+ fi
+
+ # Create LDAP_LIBS which we specify them explicitly rather than lumping them in with LIBS
+ LDAP_LIBS=$LIBS
+
+ LIBS="$saved_LIBS"
+
+
+ for ac_header in ldap.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "ldap.h" "ac_cv_header_ldap_h" "$ac_includes_default"
+if test "x$ac_cv_header_ldap_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LDAP_H 1
+_ACEOF
+
+fi
+
+done
+
+ for ac_func in inet_pton inet_ntop
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
- if test x$ldapcrypto = xyes ; then
- LDAP_CFLAGS="-DLDAP_CONFIGURATION -DLDAP_USE_SSL"
- else
- LDAP_CFLAGS="-DLDAP_CONFIGURATION"
+ LDAP_CFLAGS="-DLDAP_CONFIGURATION"
+
+ if test x$ldapcasa = xyes ; then
+ for ac_header in micasa_mgmd.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "micasa_mgmd.h" "ac_cv_header_micasa_mgmd_h" "$ac_includes_default"
+if test "x$ac_cv_header_micasa_mgmd_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_MICASA_MGMD_H 1
+_ACEOF
+
+ LDAP_CFLAGS="$LDAP_CFLAGS -DLDAP_CASA_AUTH"
+
+else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "*** Cannot find micasa_mgmd.h for ldap casa auth support
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+
+done
+
+ fi
+
+ if test x$ldapcrypto = xyes ; then
+ LDAP_CFLAGS="$LDAP_CFLAGS -DLDAP_USE_SSL"
+ fi
+
+ if test x$ldap_gssapi = xyes; then
+ LDAP_CFLAGS="$LDAP_CFLAGS -DLDAP_USE_GSSAPI"
fi
+
+ LDAP_CFLAGS=$LDAP_CFLAGS
+
fi
# Append selected warning levels to CFLAGS before substitution (but after
diff --git a/configure.ac b/configure.ac
index 6200d812..a9c3b8f4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -636,20 +636,63 @@ AC_ARG_WITH(ldapcrypto,
[ldapcrypto=$withval],
[ldapcrypto=no])
+# Gssapi to allow LDAP to authenticate with a keytab
+AC_ARG_WITH(ldap-gssapi,
+ AC_HELP_STRING([--with-ldap-gssapi],
+ [enable krb5/gssapi authentication for OpenLDAP in dhcpd (default is no)]),
+ [ldap_gssapi=$withval],
+ [ldap_gssapi=no])
+
+
+# LDAP CASA auth support.
+AC_ARG_WITH(ldapcasa,
+ AC_HELP_STRING([--with-ldapcasa],
+ [enable LDAP CASA auth support in dhcpd (default is no)]),
+ [ldapcasa=$withval],
+ [ldapcasa=no])
+
# OpenLDAP support is disabled by default, if enabled then SSL support is an
# extra optional that is also disabled by default. Enabling LDAP SSL support
-# implies enabling LDAP support.
-if test x$ldap = xyes || test x$ldapcrypto = xyes ; then
+# implies enabling LDAP support. Similarly, KRB5 support implies LDAP support,
+# but doesn't include SSL. The two are not dependant.
+if test x$ldap = xyes || test x$ldapcrypto = xyes || test x$ldap_gssapi = xyes; then
+ saved_LIBS="$LIBS"
+ LIBS=""
AC_SEARCH_LIBS(ldap_initialize, [ldap], ,
AC_MSG_FAILURE([*** Cannot find ldap_initialize with -lldap - do you need to install an OpenLDAP2 Devel package?]))
AC_SEARCH_LIBS(ber_pvt_opt_on, [lber], ,
AC_MSG_FAILURE([*** Cannot find ber_pvt_opt_on with -llber - do you need to install an OpenLDAP2 Devel package?]))
+ if test x$ldap_gssapi = xyes ; then
+ AC_SEARCH_LIBS(krb5_init_context, [krb5], ,
+ AC_MSG_FAILURE([*** Cannot find krb5_init_context with -lkrb5 - do you need to install a Kerberos Devel package?]))
+ fi
+
+ # Create LDAP_LIBS which we specify them explicitly rather than lumping them in with LIBS
+ AC_SUBST(LDAP_LIBS, [$LIBS])
+ LIBS="$saved_LIBS"
+
+
+ AC_CHECK_HEADERS([ldap.h])
+ AC_CHECK_FUNCS([inet_pton inet_ntop])
+
+
+ LDAP_CFLAGS="-DLDAP_CONFIGURATION"
+
+ if test x$ldapcasa = xyes ; then
+ AC_CHECK_HEADERS([micasa_mgmd.h],[
+ LDAP_CFLAGS="$LDAP_CFLAGS -DLDAP_CASA_AUTH"
+ ], AC_MSG_FAILURE([*** Cannot find micasa_mgmd.h for ldap casa auth support]))
+ fi
if test x$ldapcrypto = xyes ; then
- AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION -DLDAP_USE_SSL"])
- else
- AC_SUBST(LDAP_CFLAGS, ["-DLDAP_CONFIGURATION"])
+ LDAP_CFLAGS="$LDAP_CFLAGS -DLDAP_USE_SSL"
fi
+
+ if test x$ldap_gssapi = xyes; then
+ LDAP_CFLAGS="$LDAP_CFLAGS -DLDAP_USE_GSSAPI"
+ fi
+
+ AC_SUBST(LDAP_CFLAGS, [$LDAP_CFLAGS])
fi
# Append selected warning levels to CFLAGS before substitution (but after
diff --git a/contrib/ldap/README.ldap b/contrib/ldap/README.ldap
index c4137907..5e4691e8 100644
--- a/contrib/ldap/README.ldap
+++ b/contrib/ldap/README.ldap
@@ -83,6 +83,12 @@ options:
ldap-tls-reqcert, ldap-tls-ca-file, ldap-tls-ca-dir, ldap-tls-cert
ldap-tls-key, ldap-tls-crlcheck, ldap-tls-ciphers, ldap-tls-randfile
+The ldap-init-retry <num> enables an optional ldap connect retry loop with
+the specified number of retries with a one second sleep between each try
+during the initial startup of the dhcp server.
+It allows to catch the condition, that the (remote) ldap server is not yet
+started at the start time of the dhcp server.
+
All of these parameters should be self explanatory except for the ldap-method.
You can set this to static or dynamic. If you set it to static, the
configuration is read once on startup, and LDAP isn't used anymore. But, if
@@ -189,3 +195,38 @@ into problems reading the configuration, try running dhcpd with the -d flag.
If you still have problems, edit the site.conf file in the DHCP source and
add the line: COPTS= -DDEBUG_LDAP and recompile DHCP. (make sure you run make
clean and rerun configure before you rebuild).
+
+DHCPv6 requires a separate instance of the dhcpd server from the
+DHCPv4 server.
+
+It is convenient to use distinct LDAP login DNs for the two servers,
+and setup LDAP access restrictions in the LDAP server, so that each
+DHCP server only has access to its own data.
+
+You will need to create a separate configuration file,
+call it /etc/dhcpd6.conf. For example:
+
+ldap-server "localhost";
+ldap-port 389;
+ldap-username "cn=DHCPv6 User, dc=ntelos, dc=net";
+ldap-password "blahblah";
+ldap-base-dn "dc=ntelos, dc=net";
+ldap-method dynamic;
+ldap-debug-file "/var/log/dhcp-ldap-startup.log";
+
+And use these command line arguments to dhcpd:
+
+dhcpd eth... -6 -cf /etc/dhcpd6.conf -pf /var/run/dhcpd6.pid -lf /var/lib/dhcpd6/dhcpd.leases
+
+For DHCPv6, the client configuration is the same, but substitute the
+Client ID for the Ethernet hardware address. Here is an example of a
+host definition for a DHCPv6 client:
+
+dn: cn=examplehost,cn=XXXX:XXXX:XXXX:XXXX::/64,cn=Network-eth1,cn=DHCPv6,dc=example,dc=com
+objectClass: top
+objectClass: dhcpHost
+cn: examplehost
+dhcpClientId: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
+dhcpStatements: fixed-address6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
+option host-name "examplehost.ipv6.example.com"
+option domain-name "ipv6.example.com"
diff --git a/contrib/ldap/dhcp.schema b/contrib/ldap/dhcp.schema
index c5ed6c72..0c24a7a2 100644
--- a/contrib/ldap/dhcp.schema
+++ b/contrib/ldap/dhcp.schema
@@ -334,6 +334,18 @@ attributetype ( 2.16.840.1.113719.1.203.4.56
DESC 'Generic attribute that allows coments within any DHCP object'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributetype ( 2.16.840.1.113719.1.203.4.57
+ NAME 'dhcpClientId'
+ EQUALITY caseIgnoreIA5Match
+ DESC 'client Identifier.'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 2.16.840.1.113719.1.203.4.58
+ NAME 'dhcpRange6'
+ EQUALITY caseIgnoreIA5Match
+ DESC 'The starting & ending IP Addresses in the range (inclusive), separated by a hyphen; if the range only contains one address, then just the address can be specified with no hyphen. Each range is defined as a separate value.'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
# Classes
objectclass ( 2.16.840.1.113719.1.203.6.1
@@ -378,7 +390,7 @@ objectclass ( 2.16.840.1.113719.1.203.6.6
DESC 'This represents information about a particular client'
SUP top
MUST cn
- MAY (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+ MAY (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption $ dhcpClientId)
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
objectclass ( 2.16.840.1.113719.1.203.6.7
@@ -459,4 +471,18 @@ objectclass ( 2.16.840.1.113719.1.203.6.16
MAY ( dhcpServiceDN $dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpKeyDN $ dhcpZoneDN $ dhcpFailOverPeerDN $ dhcpOption $ dhcpComments)
X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )
+objectclass ( 2.16.840.1.113719.1.203.6.17
+ NAME 'dhcpSubnet6'
+ DESC 'This class defines an IPv6 subnet. This is a container object.'
+ SUP top
+ MUST ( cn )
+ MAY ( dhcpRange6 $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption $ dhcpPermitList ) X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork') )
+
+objectclass ( 2.16.840.1.113719.1.203.6.18
+ NAME 'dhcpPool6'
+ DESC 'This stores configuration information about an IPv6 pool.'
+ SUP top
+ MUST ( cn $ dhcpRange6 )
+ MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $dhcpKeyDN $ dhcpStatements $ dhcpComments $ dhcpOption )
+ X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpSharedNetwork') )
diff --git a/contrib/ldap/dhcpd-conf-to-ldap b/contrib/ldap/dhcpd-conf-to-ldap
index aee6c979..95064c6f 100644
--- a/contrib/ldap/dhcpd-conf-to-ldap
+++ b/contrib/ldap/dhcpd-conf-to-ldap
@@ -137,6 +137,7 @@ add_dn_to_stack
local ($dn) = @_;
$current_dn = "$dn, $current_dn";
+ $curentry{'current_dn'} = $current_dn;
}
@@ -154,6 +155,26 @@ parse_error
exit (1);
}
+sub
+new_entry
+{
+ if (%curentry) {
+ $curentry{'current_dn'} = $current_dn;
+ push(@entrystack, {%curentry});
+ undef(%curentry);
+ }
+}
+
+sub
+pop_entry
+{
+ if (%curentry) {
+ push(@outputlist, {%curentry});
+ }
+ $rentry = pop(@entrystack);
+ %curentry = %$rentry if $rentry;
+}
+
sub
print_entry
@@ -167,7 +188,7 @@ print_entry
print "cn: $server\n";
print "objectClass: top\n";
print "objectClass: dhcpServer\n";
- print "dhcpServiceDN: $current_dn\n";
+ print "dhcpServiceDN: $curentry{'current_dn'}\n";
if(grep(/FaIlOvEr/i, @use))
{
foreach my $fo_peer (keys %failover)
@@ -179,7 +200,7 @@ print_entry
}
print "\n";
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: $dhcpcn\n";
print "objectClass: top\n";
print "objectClass: dhcpService\n";
@@ -195,7 +216,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'subnet')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'ip'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpSubnet\n";
@@ -215,7 +236,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'shared-network')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'descr'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpSharedNetwork\n";
@@ -226,7 +247,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'group')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: group", $curentry{'idx'}, "\n";
print "objectClass: top\n";
print "objectClass: dhcpGroup\n";
@@ -237,7 +258,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'host')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'host'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpHost\n";
@@ -254,7 +275,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'pool')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: pool", $curentry{'idx'}, "\n";
print "objectClass: top\n";
print "objectClass: dhcpPool\n";
@@ -273,7 +294,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'class')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'class'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpClass\n";
@@ -284,7 +305,7 @@ print_entry
}
elsif ($curentry{'type'} eq 'subclass')
{
- print "dn: $current_dn\n";
+ print "dn: $curentry{'current_dn'}\n";
print "cn: " . $curentry{'subclass'} . "\n";
print "objectClass: top\n";
print "objectClass: dhcpSubClass\n";
@@ -344,7 +365,7 @@ sub parse_subnet
{
local ($ip, $tmp, $netmask);
- print_entry () if %curentry;
+ new_entry ();
$ip = next_token (0);
parse_error () if !defined ($ip);
@@ -374,7 +395,7 @@ sub parse_shared_network
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$descr = next_token (0);
parse_error () if !defined ($descr);
@@ -393,7 +414,7 @@ sub parse_host
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$host = next_token (0);
parse_error () if !defined ($host);
@@ -412,7 +433,7 @@ sub parse_group
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$tmp = next_token (0);
parse_error () if !defined ($tmp);
@@ -435,7 +456,7 @@ sub parse_pool
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$tmp = next_token (0);
parse_error () if !defined ($tmp);
@@ -458,7 +479,7 @@ sub parse_class
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$class = next_token (0);
parse_error () if !defined ($class);
@@ -478,7 +499,7 @@ sub parse_subclass
{
local ($descr, $tmp);
- print_entry () if %curentry;
+ new_entry ();
$class = next_token (0);
parse_error () if !defined ($class);
@@ -486,14 +507,23 @@ sub parse_subclass
$subclass = next_token (0);
parse_error () if !defined ($subclass);
- $tmp = next_token (0);
- parse_error () if !defined ($tmp);
- parse_error () if !($tmp eq '{');
-
+ if (substr($subclass,-1) eq ';') {
+ $tmp = ";";
+ $subclass = substr($subclass,0,-1);
+ } else {
+ $tmp = next_token (0);
+ parse_error () if !defined ($tmp);
+ }
+ parse_error () if !($tmp eq '{' or $tmp eq ';');
add_dn_to_stack ("cn=$subclass");
$curentry{'type'} = 'subclass';
$curentry{'class'} = $class;
$curentry{'subclass'} = $subclass;
+
+ if ($tmp eq ';') {
+ pop_entry ();
+ remove_dn_from_stack ();
+ }
}
@@ -682,11 +712,11 @@ print STDERR "\n";
my $token;
my $token_number = 0;
my $line_number = 0;
-my %curentry;
my $cursubnet = '';
my %curcounter = ( '' => { pool => 0, group => 0 } );
$current_dn = "$dhcpdn";
+$curentry{'current_dn'} = $current_dn;
$curentry{'descr'} = $dhcpcn;
$line = '';
%failover = ();
@@ -695,7 +725,7 @@ while (($token = next_token (1)))
{
if ($token eq '}')
{
- print_entry () if %curentry;
+ pop_entry ();
if($current_dn =~ /.+?,\s*${dhcpdn}$/) {
# don't go below dhcpdn ...
remove_dn_from_stack ();
@@ -753,6 +783,16 @@ while (($token = next_token (1)))
}
}
+pop_entry ();
+
+while ($#outputlist >= 0) {
+ $rentry = pop(@outputlist);
+ if ($rentry) {
+ %curentry = %$rentry;
+ print_entry ();
+ }
+}
+
close(STDIN) if($i_conf);
close(STDOUT) if($o_ldif);
diff --git a/dhcpctl/Makefile.in b/dhcpctl/Makefile.in
index 0141b748..70f2d907 100644
--- a/dhcpctl/Makefile.in
+++ b/dhcpctl/Makefile.in
@@ -235,6 +235,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/includes/Makefile.am b/includes/Makefile.am
index 4a462d5b..185b397a 100644
--- a/includes/Makefile.am
+++ b/includes/Makefile.am
@@ -6,6 +6,7 @@ nobase_include_HEADERS = omapip/alloc.h omapip/buffer.h omapip/convert.h \
EXTRA_DIST = cdefs.h ctrace.h dhcp.h dhcp6.h dhcpd.h dhctoken.h failover.h \
heap.h inet.h minires.h osdep.h site.h statement.h tree.h \
t_api.h \
+ ldap_casa.h ldap_krb_helper.h \
arpa/nameser.h arpa/nameser_compat.h \
netinet/if_ether.h netinet/ip.h netinet/ip_icmp.h netinet/udp.h
diff --git a/includes/Makefile.in b/includes/Makefile.in
index 45c31889..4d8d4a5c 100644
--- a/includes/Makefile.in
+++ b/includes/Makefile.in
@@ -189,6 +189,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
@@ -270,6 +271,7 @@ nobase_include_HEADERS = omapip/alloc.h omapip/buffer.h omapip/convert.h \
EXTRA_DIST = cdefs.h ctrace.h dhcp.h dhcp6.h dhcpd.h dhctoken.h failover.h \
heap.h inet.h minires.h osdep.h site.h statement.h tree.h \
t_api.h \
+ ldap_casa.h ldap_krb_helper.h \
arpa/nameser.h arpa/nameser_compat.h \
netinet/if_ether.h netinet/ip.h netinet/ip_icmp.h netinet/udp.h
diff --git a/includes/config.h.in b/includes/config.h.in
index 4eaee831..1730b8ec 100644
--- a/includes/config.h.in
+++ b/includes/config.h.in
@@ -52,9 +52,18 @@
/* Define to 1 if you have the <ifaddrs.h> header file. */
#undef HAVE_IFADDRS_H
+/* Define to 1 if you have the `inet_ntop' function. */
+#undef HAVE_INET_NTOP
+
+/* Define to 1 if you have the `inet_pton' function. */
+#undef HAVE_INET_PTON
+
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
+/* Define to 1 if you have the <ldap.h> header file. */
+#undef HAVE_LDAP_H
+
/* Define to 1 if you have the <linux/types.h> header file. */
#undef HAVE_LINUX_TYPES_H
@@ -64,6 +73,9 @@
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
+/* Define to 1 if you have the <micasa_mgmd.h> header file. */
+#undef HAVE_MICASA_MGMD_H
+
/* Define to 1 if you have the <net/if6.h> header file. */
#undef HAVE_NET_IF6_H
diff --git a/includes/dhcpd.h b/includes/dhcpd.h
index 20bf30e9..1fd12dbb 100644
--- a/includes/dhcpd.h
+++ b/includes/dhcpd.h
@@ -774,6 +774,11 @@ struct lease_state {
# define SV_LDAP_TLS_CIPHERS 76
# define SV_LDAP_TLS_RANDFILE 77
#endif
+# define SV_LDAP_INIT_RETRY 178
+#if defined (LDAP_USE_GSSAPI)
+# define SV_LDAP_GSSAPI_KEYTAB 179
+# define SV_LDAP_GSSAPI_PRINCIPAL 180
+#endif
#endif
#define SV_CACHE_THRESHOLD 78
#define SV_DONT_USE_FSYNC 79
@@ -3648,6 +3653,8 @@ int find_haddr_in_ldap (struct host_decl **, int, unsigned,
const unsigned char *, const char *, int);
int find_subclass_in_ldap (struct class *, struct class **,
struct data_string *);
+int find_client_in_ldap (struct host_decl **, struct packet*,
+ struct option_state *, const char *, int);
#endif
/* mdb6.c */
diff --git a/includes/ldap_casa.h b/includes/ldap_casa.h
index 1437e414..f17690f7 100644
--- a/includes/ldap_casa.h
+++ b/includes/ldap_casa.h
@@ -59,8 +59,6 @@
#define __LDAP_CASA_H__
#include <micasa_mgmd.h>
-#include <dlfcn.h>
-#include <string.h>
#define MICASA_LIB "libmicasa.so.1"
diff --git a/includes/ldap_krb_helper.h b/includes/ldap_krb_helper.h
new file mode 100644
index 00000000..879bc447
--- /dev/null
+++ b/includes/ldap_krb_helper.h
@@ -0,0 +1,48 @@
+/* ldap_krb_helper.h
+
+ Helper routings for allowing LDAP to read configuration with GSSAPI/krb auth */
+
+/*
+ * Copyright (c) 2014 William B.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of The Internet Software Consortium nor the names
+ * of its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
+ * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This helper was written by William Brown <william@adelaide.edu.au>,
+ * inspired by krb5_helper.c from bind-dyndb-ldap by Simo Sorce (Redhat)
+ */
+#ifndef LDAP_KRB5_HELPER
+#define LDAP_KRB5_HELPER
+
+#if defined(LDAP_USE_GSSAPI)
+#include <krb5.h>
+
+extern isc_result_t krb5_get_tgt(const char *, const char *);
+#endif
+
+#endif /* LDAP_KRB5_HELPER */
diff --git a/omapip/Makefile.in b/omapip/Makefile.in
index 6086e9f0..fb8d3a4f 100644
--- a/omapip/Makefile.in
+++ b/omapip/Makefile.in
@@ -232,6 +232,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/relay/Makefile.in b/relay/Makefile.in
index 5d9f9859..13c992f4 100644
--- a/relay/Makefile.in
+++ b/relay/Makefile.in
@@ -213,6 +213,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/server/Makefile.am b/server/Makefile.am
index 614b4082..2d7cba43 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -10,12 +10,13 @@ dist_sysconf_DATA = dhcpd.conf.example
sbin_PROGRAMS = dhcpd
dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c confpars.c db.c class.c failover.c \
omapi.c mdb.c stables.c salloc.c ddns.c dhcpleasequery.c \
- dhcpv6.c mdb6.c ldap.c ldap_casa.c leasechain.c
+ dhcpv6.c mdb6.c ldap.c ldap_casa.c leasechain.c ldap_krb_helper.c
dhcpd_CFLAGS = $(LDAP_CFLAGS)
dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
../dhcpctl/libdhcpctl.a ../bind/lib/libirs.a \
- ../bind/lib/libdns.a ../bind/lib/libisccfg.a ../bind/lib/libisc.a
+ ../bind/lib/libdns.a ../bind/lib/libisccfg.a ../bind/lib/libisc.a \
+ $(LDAP_LIBS)
man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5
EXTRA_DIST = $(man_MANS)
diff --git a/server/Makefile.in b/server/Makefile.in
index ae1bee87..5507cfde 100644
--- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -102,12 +102,14 @@ am_dhcpd_OBJECTS = dhcpd-dhcpd.$(OBJEXT) dhcpd-dhcp.$(OBJEXT) \
dhcpd-salloc.$(OBJEXT) dhcpd-ddns.$(OBJEXT) \
dhcpd-dhcpleasequery.$(OBJEXT) dhcpd-dhcpv6.$(OBJEXT) \
dhcpd-mdb6.$(OBJEXT) dhcpd-ldap.$(OBJEXT) \
- dhcpd-ldap_casa.$(OBJEXT) dhcpd-leasechain.$(OBJEXT)
+ dhcpd-ldap_casa.$(OBJEXT) dhcpd-leasechain.$(OBJEXT) \
+ dhcpd-ldap_krb_helper.$(OBJEXT)
dhcpd_OBJECTS = $(am_dhcpd_OBJECTS)
+am__DEPENDENCIES_1 =
dhcpd_DEPENDENCIES = ../common/libdhcp.a ../omapip/libomapi.a \
../dhcpctl/libdhcpctl.a ../bind/lib/libirs.a \
../bind/lib/libdns.a ../bind/lib/libisccfg.a \
- ../bind/lib/libisc.a
+ ../bind/lib/libisc.a $(am__DEPENDENCIES_1)
dhcpd_LINK = $(CCLD) $(dhcpd_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
AM_V_P = $(am__v_P_@AM_V@)
@@ -274,6 +276,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
@@ -357,12 +360,13 @@ AM_CPPFLAGS = -I.. -DLOCALSTATEDIR='"@localstatedir@"'
dist_sysconf_DATA = dhcpd.conf.example
dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c confpars.c db.c class.c failover.c \
omapi.c mdb.c stables.c salloc.c ddns.c dhcpleasequery.c \
- dhcpv6.c mdb6.c ldap.c ldap_casa.c leasechain.c
+ dhcpv6.c mdb6.c ldap.c ldap_casa.c leasechain.c ldap_krb_helper.c
dhcpd_CFLAGS = $(LDAP_CFLAGS)
dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
../dhcpctl/libdhcpctl.a ../bind/lib/libirs.a \
- ../bind/lib/libdns.a ../bind/lib/libisccfg.a ../bind/lib/libisc.a
+ ../bind/lib/libdns.a ../bind/lib/libisccfg.a ../bind/lib/libisc.a \
+ $(LDAP_LIBS)
man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5
EXTRA_DIST = $(man_MANS)
@@ -465,6 +469,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcpd-failover.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcpd-ldap.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcpd-ldap_casa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcpd-ldap_krb_helper.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcpd-leasechain.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcpd-mdb.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcpd-mdb6.Po@am__quote@
@@ -737,6 +742,20 @@ dhcpd-leasechain.obj: leasechain.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='leasechain.c' object='dhcpd-leasechain.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dhcpd_CFLAGS) $(CFLAGS) -c -o dhcpd-leasechain.obj `if test -f 'leasechain.c'; then $(CYGPATH_W) 'leasechain.c'; else $(CYGPATH_W) '$(srcdir)/leasechain.c'; fi`
+
+dhcpd-ldap_krb_helper.o: ldap_krb_helper.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dhcpd_CFLAGS) $(CFLAGS) -MT dhcpd-ldap_krb_helper.o -MD -MP -MF $(DEPDIR)/dhcpd-ldap_krb_helper.Tpo -c -o dhcpd-ldap_krb_helper.o `test -f 'ldap_krb_helper.c' || echo '$(srcdir)/'`ldap_krb_helper.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/dhcpd-ldap_krb_helper.Tpo $(DEPDIR)/dhcpd-ldap_krb_helper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ldap_krb_helper.c' object='dhcpd-ldap_krb_helper.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dhcpd_CFLAGS) $(CFLAGS) -c -o dhcpd-ldap_krb_helper.o `test -f 'ldap_krb_helper.c' || echo '$(srcdir)/'`ldap_krb_helper.c
+
+dhcpd-ldap_krb_helper.obj: ldap_krb_helper.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dhcpd_CFLAGS) $(CFLAGS) -MT dhcpd-ldap_krb_helper.obj -MD -MP -MF $(DEPDIR)/dhcpd-ldap_krb_helper.Tpo -c -o dhcpd-ldap_krb_helper.obj `if test -f 'ldap_krb_helper.c'; then $(CYGPATH_W) 'ldap_krb_helper.c'; else $(CYGPATH_W) '$(srcdir)/ldap_krb_helper.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/dhcpd-ldap_krb_helper.Tpo $(DEPDIR)/dhcpd-ldap_krb_helper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ldap_krb_helper.c' object='dhcpd-ldap_krb_helper.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dhcpd_CFLAGS) $(CFLAGS) -c -o dhcpd-ldap_krb_helper.obj `if test -f 'ldap_krb_helper.c'; then $(CYGPATH_W) 'ldap_krb_helper.c'; else $(CYGPATH_W) '$(srcdir)/ldap_krb_helper.c'; fi`
install-man5: $(man_MANS)
@$(NORMAL_INSTALL)
@list1=''; \
diff --git a/server/ldap.c b/server/ldap.c
index 2994106a..b5f0bc0d 100644
--- a/server/ldap.c
+++ b/server/ldap.c
@@ -40,6 +40,11 @@
#include "dhcpd.h"
#include <signal.h>
#include <errno.h>
+#include <ctype.h>
+#include <netdb.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <string.h>
#if defined(LDAP_CONFIGURATION)
@@ -47,6 +52,11 @@
#include "ldap_casa.h"
#endif
+#if defined(LDAP_USE_GSSAPI)
+#include <sasl/sasl.h>
+#include "ldap_krb_helper.h"
+#endif
+
static LDAP * ld = NULL;
static char *ldap_server = NULL,
*ldap_username = NULL,
@@ -57,7 +67,9 @@ static char *ldap_server = NULL,
static int ldap_port = LDAP_PORT,
ldap_method = LDAP_METHOD_DYNAMIC,
ldap_referrals = -1,
- ldap_debug_fd = -1;
+ ldap_debug_fd = -1,
+ ldap_enable_retry = -1,
+ ldap_init_retry = -1;
#if defined (LDAP_USE_SSL)
static int ldap_use_ssl = -1, /* try TLS if possible */
ldap_tls_reqcert = -1,
@@ -69,6 +81,25 @@ static char *ldap_tls_ca_file = NULL,
*ldap_tls_ciphers = NULL,
*ldap_tls_randfile = NULL;
#endif
+
+#if defined (LDAP_USE_GSSAPI)
+static char *ldap_gssapi_keytab = NULL,
+ *ldap_gssapi_principal = NULL;
+
+struct ldap_sasl_instance {
+ char *sasl_mech;
+ char *sasl_realm;
+ char *sasl_authz_id;
+ char *sasl_authc_id;
+ char *sasl_password;
+};
+
+static struct ldap_sasl_instance *ldap_sasl_inst = NULL;
+
+static int
+_ldap_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *sin) ;
+#endif
+
static struct ldap_config_stack *ldap_stack = NULL;
typedef struct ldap_dn_node {
@@ -80,12 +111,269 @@ typedef struct ldap_dn_node {
static ldap_dn_node *ldap_service_dn_head = NULL;
static ldap_dn_node *ldap_service_dn_tail = NULL;
+static int ldap_read_function (struct parse *cfile);
+
+static struct parse *
+x_parser_init(const char *name)
+{
+ struct parse *cfile;
+ isc_result_t res;
+ char *inbuf;
+
+ inbuf = dmalloc (LDAP_BUFFER_SIZE, MDL);
+ if (inbuf == NULL)
+ return NULL;
+
+ cfile = (struct parse *) NULL;
+ res = new_parse (&cfile, -1, inbuf, LDAP_BUFFER_SIZE, name, 0);
+ if (res != ISC_R_SUCCESS)
+ {
+ dfree(inbuf, MDL);
+ return NULL;
+ }
+ /* the buffer is still empty */
+ cfile->bufsiz = LDAP_BUFFER_SIZE;
+ cfile->buflen = cfile->bufix = 0;
+ /* attach ldap read function */
+ cfile->read_function = ldap_read_function;
+ return cfile;
+}
+
+static isc_result_t
+x_parser_free(struct parse **cfile)
+{
+ if (cfile && *cfile)
+ {
+ if ((*cfile)->inbuf)
+ dfree((*cfile)->inbuf, MDL);
+ (*cfile)->inbuf = NULL;
+ (*cfile)->bufsiz = 0;
+ return end_parse(cfile);
+ }
+ return ISC_R_SUCCESS;
+}
+
+static int
+x_parser_resize(struct parse *cfile, size_t len)
+{
+ size_t size;
+ char * temp;
+
+ /* grow by len rounded up at LDAP_BUFFER_SIZE */
+ size = cfile->bufsiz + (len | (LDAP_BUFFER_SIZE-1)) + 1;
+
+ /* realloc would be better, but there isn't any */
+ if ((temp = dmalloc (size, MDL)) != NULL)
+ {
+#if defined (DEBUG_LDAP)
+ log_info ("Reallocated %s buffer from %zu to %zu",
+ cfile->tlname, cfile->bufsiz, size);
+#endif
+ memcpy(temp, cfile->inbuf, cfile->bufsiz);
+ dfree(cfile->inbuf, MDL);
+ cfile->inbuf = temp;
+ cfile->bufsiz = size;
+ return 1;
+ }
+
+ /*
+ * Hmm... what is worser, consider it as fatal error and
+ * bail out completely or discard config data in hope it
+ * is "only" an option in dynamic host lookup?
+ */
+ log_error("Unable to reallocated %s buffer from %zu to %zu",
+ cfile->tlname, cfile->bufsiz, size);
+ return 0;
+}
static char *
-x_strncat(char *dst, const char *src, size_t dst_size)
+x_parser_strcat(struct parse *cfile, const char *str)
+{
+ size_t cur = strlen(cfile->inbuf);
+ size_t len = strlen(str);
+ size_t cnt;
+
+ if (cur + len >= cfile->bufsiz && !x_parser_resize(cfile, len))
+ return NULL;
+
+ cnt = cfile->bufsiz > cur ? cfile->bufsiz - cur - 1 : 0;
+ return strncat(cfile->inbuf, str, cnt);
+}
+
+static inline void
+x_parser_reset(struct parse *cfile)
+{
+ cfile->inbuf[0] = '\0';
+ cfile->bufix = cfile->buflen = 0;
+}
+
+static inline size_t
+x_parser_length(struct parse *cfile)
+{
+ cfile->buflen = strlen(cfile->inbuf);
+ return cfile->buflen;
+}
+
+static char *
+x_strxform(char *dst, const char *src, size_t dst_size,
+ int (*xform)(int))
+{
+ if(dst && src && dst_size)
+ {
+ size_t len, pos;
+
+ len = strlen(src);
+ for(pos=0; pos < len && pos + 1 < dst_size; pos++)
+ dst[pos] = xform((int)src[pos]);
+ dst[pos] = '\0';
+
+ return dst;
+ }
+ return NULL;
+}
+
+static int
+get_host_entry(char *fqdnname, size_t fqdnname_size,
+ char *hostaddr, size_t hostaddr_size)
+{
+#if defined(MAXHOSTNAMELEN)
+ char hname[MAXHOSTNAMELEN+1];
+#else
+ char hname[65];
+#endif
+ struct hostent *hp;
+
+ if (NULL == fqdnname || 1 >= fqdnname_size)
+ return -1;
+
+ memset(hname, 0, sizeof(hname));
+ if (gethostname(hname, sizeof(hname)-1))
+ return -1;
+
+ if (NULL == (hp = gethostbyname(hname)))
+ return -1;
+
+ strncpy(fqdnname, hp->h_name, fqdnname_size-1);
+ fqdnname[fqdnname_size-1] = '\0';
+
+ if (hostaddr != NULL)
+ {
+ if (hp->h_addr != NULL)
+ {
+ struct in_addr *aptr = (struct in_addr *)hp->h_addr;
+#if defined(HAVE_INET_NTOP)
+ if (hostaddr_size >= INET_ADDRSTRLEN &&
+ inet_ntop(AF_INET, aptr, hostaddr, hostaddr_size) != NULL)
+ {
+ return 0;
+ }
+#else
+ char *astr = inet_ntoa(*aptr);
+ size_t alen = strlen(astr);
+ if (astr && alen > 0 && hostaddr_size > alen)
+ {
+ strncpy(hostaddr, astr, hostaddr_size-1);
+ hostaddr[hostaddr_size-1] = '\0';
+ return 0;
+ }
+#endif
+ }
+ return -1;
+ }
+ return 0;
+}
+
+static int
+is_iface_address(struct ifaddrs *addrs, struct in_addr *addr)
{
- size_t len = strlen(dst);
- return strncat(dst, src, dst_size > len ? dst_size - len - 1: 0);
+ struct ifaddrs *ia;
+ struct sockaddr_in *sa;
+ int num = 0;
+
+ if(addrs == NULL || addr == NULL)
+ return -1;
+
+ for (ia = addrs; ia != NULL; ia = ia->ifa_next)
+ {
+ ++num;
+ if (ia->ifa_addr && (ia->ifa_flags & IFF_UP) &&
+ ia->ifa_addr->sa_family == AF_INET)
+ {
+ sa = (struct sockaddr_in *)(ia->ifa_addr);
+ if (addr->s_addr == sa->sin_addr.s_addr)
+ return num;
+ }
+ }
+ return 0;
+}
+
+static int
+get_host_address(const char *hostname, char *hostaddr, size_t hostaddr_size, struct ifaddrs *addrs)
+{
+ if (hostname && *hostname && hostaddr && hostaddr_size)
+ {
+ struct in_addr addr;
+
+#if defined(HAVE_INET_PTON)
+ if (inet_pton(AF_INET, hostname, &addr) == 1)
+#else
+ if (inet_aton(hostname, &addr) != 0)
+#endif
+ {
+ /* it is already IP address string */
+ if(strlen(hostname) < hostaddr_size)
+ {
+ strncpy(hostaddr, hostname, hostaddr_size-1);
+ hostaddr[hostaddr_size-1] = '\0';
+
+ if (addrs != NULL && is_iface_address (addrs, &addr) > 0)
+ return 1;
+ else
+ return 0;
+ }
+ }
+ else
+ {
+ struct hostent *hp;
+ if ((hp = gethostbyname(hostname)) != NULL && hp->h_addr != NULL)
+ {
+ struct in_addr *aptr = (struct in_addr *)hp->h_addr;
+ int mret = 0;
+
+ if (addrs != NULL)
+ {
+ char **h;
+ for (h=hp->h_addr_list; *h; h++)
+ {
+ struct in_addr *haddr = (struct in_addr *)*h;
+ if (is_iface_address (addrs, haddr) > 0)
+ {
+ aptr = haddr;
+ mret = 1;
+ }
+ }
+ }
+
+#if defined(HAVE_INET_NTOP)
+ if (hostaddr_size >= INET_ADDRSTRLEN &&
+ inet_ntop(AF_INET, aptr, hostaddr, hostaddr_size) != NULL)
+ {
+ return mret;
+ }
+#else
+ char *astr = inet_ntoa(*aptr);
+ size_t alen = strlen(astr);
+ if (astr && alen > 0 && alen < hostaddr_size)
+ {
+ strncpy(hostaddr, astr, hostaddr_size-1);
+ hostaddr[hostaddr_size-1] = '\0';
+ return mret;
+ }
+#endif
+ }
+ }
+ }
+ return -1;
}
static void
@@ -102,19 +390,52 @@ ldap_parse_class (struct ldap_config_stack *item, struct parse *cfile)
return;
}
- x_strncat (cfile->inbuf, "class \"", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, "\" {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "class \"");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, "\" {\n");
item->close_brace = 1;
ldap_value_free_len (tempbv);
}
+static int
+is_hex_string(const char *str)
+{
+ int colon = 1;
+ int xdigit = 0;
+ size_t i;
+
+ if (!str)
+ return 0;
+
+ if (*str == '-')
+ str++;
+
+ for (i=0; str[i]; ++i)
+ {
+ if (str[i] == ':')
+ {
+ xdigit = 0;
+ if(++colon > 1)
+ return 0;
+ }
+ else if(isxdigit((unsigned char)str[i]))
+ {
+ colon = 0;
+ if (++xdigit > 2)
+ return 0;
+ }
+ else
+ return 0;
+ }
+ return i > 0 && !colon;
+}
static void
ldap_parse_subclass (struct ldap_config_stack *item, struct parse *cfile)
{
struct berval **tempbv, **classdata;
+ char *tmp;
if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
tempbv[0] == NULL)
@@ -136,11 +457,22 @@ ldap_parse_subclass (struct ldap_config_stack *item, struct parse *cfile)
return;
}
- x_strncat (cfile->inbuf, "subclass ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, classdata[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "subclass \"");
+ x_parser_strcat (cfile, classdata[0]->bv_val);
+ if (is_hex_string(tempbv[0]->bv_val))
+ {
+ x_parser_strcat (cfile, "\" ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, " {\n");
+ }
+ else
+ {
+ tmp = quotify_string(tempbv[0]->bv_val, MDL);
+ x_parser_strcat (cfile, "\" \"");
+ x_parser_strcat (cfile, tmp);
+ x_parser_strcat (cfile, "\" {\n");
+ dfree(tmp, MDL);
+ }
item->close_brace = 1;
ldap_value_free_len (tempbv);
@@ -164,14 +496,18 @@ ldap_parse_host (struct ldap_config_stack *item, struct parse *cfile)
hwaddr = ldap_get_values_len (ld, item->ldent, "dhcpHWAddress");
- x_strncat (cfile->inbuf, "host ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "host ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, " {\n");
- if (hwaddr != NULL && hwaddr[0] != NULL)
+ if (hwaddr != NULL)
{
- x_strncat (cfile->inbuf, " {\nhardware ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, hwaddr[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ if (hwaddr[0] != NULL)
+ {
+ x_parser_strcat (cfile, "hardware ");
+ x_parser_strcat (cfile, hwaddr[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
ldap_value_free_len (hwaddr);
}
@@ -194,9 +530,9 @@ ldap_parse_shared_network (struct ldap_config_stack *item, struct parse *cfile)
return;
}
- x_strncat (cfile->inbuf, "shared-network \"", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, "\" {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "shared-network \"");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, "\" {\n");
item->close_brace = 1;
ldap_value_free_len (tempbv);
@@ -249,14 +585,14 @@ ldap_parse_subnet (struct ldap_config_stack *item, struct parse *cfile)
return;
}
- x_strncat (cfile->inbuf, "subnet ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "subnet ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
- x_strncat (cfile->inbuf, " netmask ", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, " netmask ");
parse_netmask (strtol (netmaskstr[0]->bv_val, NULL, 10), netmaskbuf);
- x_strncat (cfile->inbuf, netmaskbuf, LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, netmaskbuf);
- x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, " {\n");
ldap_value_free_len (tempbv);
ldap_value_free_len (netmaskstr);
@@ -265,16 +601,63 @@ ldap_parse_subnet (struct ldap_config_stack *item, struct parse *cfile)
{
for (i=0; tempbv[i] != NULL; i++)
{
- x_strncat (cfile->inbuf, "range", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[i]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "range");
+ x_parser_strcat (cfile, " ");
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
+ x_parser_strcat (cfile, ";\n");
}
+ ldap_value_free_len (tempbv);
}
item->close_brace = 1;
}
+static void
+ldap_parse_subnet6 (struct ldap_config_stack *item, struct parse *cfile)
+{
+ struct berval **tempbv;
+ int i;
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
+ tempbv[0] == NULL)
+ {
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ return;
+ }
+
+ x_parser_strcat (cfile, "subnet6 ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+
+ x_parser_strcat (cfile, " {\n");
+
+ ldap_value_free_len (tempbv);
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
+ {
+ for (i=0; tempbv[i] != NULL; i++)
+ {
+ x_parser_strcat (cfile, "range6");
+ x_parser_strcat (cfile, " ");
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ ldap_value_free_len (tempbv);
+ }
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpPermitList")) != NULL)
+ {
+ for (i=0; tempbv[i] != NULL; i++)
+ {
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ ldap_value_free_len (tempbv);
+ }
+
+ item->close_brace = 1;
+}
static void
ldap_parse_pool (struct ldap_config_stack *item, struct parse *cfile)
@@ -282,17 +665,17 @@ ldap_parse_pool (struct ldap_config_stack *item, struct parse *cfile)
struct berval **tempbv;
int i;
- x_strncat (cfile->inbuf, "pool {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "pool {\n");
if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
{
- x_strncat (cfile->inbuf, "range", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "range");
for (i=0; tempbv[i] != NULL; i++)
{
- x_strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[i]->bv_val, LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, " ");
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
}
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, ";\n");
ldap_value_free_len (tempbv);
}
@@ -300,8 +683,8 @@ ldap_parse_pool (struct ldap_config_stack *item, struct parse *cfile)
{
for (i=0; tempbv[i] != NULL; i++)
{
- x_strncat (cfile->inbuf, tempbv[i]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
+ x_parser_strcat (cfile, ";\n");
}
ldap_value_free_len (tempbv);
}
@@ -309,11 +692,43 @@ ldap_parse_pool (struct ldap_config_stack *item, struct parse *cfile)
item->close_brace = 1;
}
+static void
+ldap_parse_pool6 (struct ldap_config_stack *item, struct parse *cfile)
+{
+ struct berval **tempbv;
+ int i;
+
+ x_parser_strcat (cfile, "pool {\n");
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
+ {
+ x_parser_strcat (cfile, "range6");
+ for (i=0; tempbv[i] != NULL; i++)
+ {
+ x_parser_strcat (cfile, " ");
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
+ }
+ x_parser_strcat (cfile, ";\n");
+ ldap_value_free_len (tempbv);
+ }
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpPermitList")) != NULL)
+ {
+ for (i=0; tempbv[i] != NULL; i++)
+ {
+ x_parser_strcat(cfile, tempbv[i]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ ldap_value_free_len (tempbv);
+ }
+
+ item->close_brace = 1;
+}
static void
ldap_parse_group (struct ldap_config_stack *item, struct parse *cfile)
{
- x_strncat (cfile->inbuf, "group {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "group {\n");
item->close_brace = 1;
}
@@ -325,25 +740,25 @@ ldap_parse_key (struct ldap_config_stack *item, struct parse *cfile)
if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) != NULL)
{
- x_strncat (cfile->inbuf, "key ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "key ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, " {\n");
ldap_value_free_len (tempbv);
}
if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeyAlgorithm")) != NULL)
{
- x_strncat (cfile->inbuf, "algorithm ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "algorithm ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
ldap_value_free_len (tempbv);
}
if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeySecret")) != NULL)
{
- x_strncat (cfile->inbuf, "secret ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "secret ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
ldap_value_free_len (tempbv);
}
@@ -361,18 +776,18 @@ ldap_parse_zone (struct ldap_config_stack *item, struct parse *cfile)
if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) != NULL)
{
- x_strncat (cfile->inbuf, "zone ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "zone ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, " {\n");
ldap_value_free_len (tempbv);
}
if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpDnsZoneServer")) != NULL)
{
- x_strncat (cfile->inbuf, "primary ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "primary ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, ";\n");
ldap_value_free_len (tempbv);
}
@@ -400,9 +815,9 @@ ldap_parse_zone (struct ldap_config_stack *item, struct parse *cfile)
strncpy (keyCn, cnFindStart, len);
keyCn[len] = '\0';
- x_strncat (cfile->inbuf, "key ", LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, keyCn, LDAP_BUFFER_SIZE);
- x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "key ");
+ x_parser_strcat (cfile, keyCn);
+ x_parser_strcat (cfile, ";\n");
dfree (keyCn, MDL);
}
@@ -415,6 +830,227 @@ ldap_parse_zone (struct ldap_config_stack *item, struct parse *cfile)
static void
+ldap_parse_failover (struct ldap_config_stack *item, struct parse *cfile)
+{
+ struct berval **tempbv, **peername;
+ struct ifaddrs *addrs = NULL;
+ char srvaddr[2][64] = {"\0", "\0"};
+ int primary, split = 0, match;
+
+ if ((peername = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
+ peername[0] == NULL)
+ {
+ if (peername != NULL)
+ ldap_value_free_len (peername);
+
+ // ldap with disabled schema checks? fail to avoid syntax error.
+ log_error("Unable to find mandatory failover peering name attribute");
+ return;
+ }
+
+ /* Get all interface addresses */
+ getifaddrs(&addrs);
+
+ /*
+ ** when dhcpFailOverPrimaryServer or dhcpFailOverSecondaryServer
+ ** matches one of our IP address, the following valiables are set:
+ ** - primary is 1 when we are primary or 0 when we are secondary
+ ** - srvaddr[0] contains ip address of the primary
+ ** - srvaddr[1] contains ip address of the secondary
+ */
+ primary = -1;
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverPrimaryServer")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ match = get_host_address (tempbv[0]->bv_val, srvaddr[0], sizeof(srvaddr[0]), addrs);
+ if (match >= 0)
+ {
+ /* we are the primary */
+ if (match > 0)
+ primary = 1;
+ }
+ else
+ {
+ log_info("Can't resolve address of the primary failover '%s' server %s",
+ peername[0]->bv_val, tempbv[0]->bv_val);
+ ldap_value_free_len (tempbv);
+ ldap_value_free_len (peername);
+ if (addrs)
+ freeifaddrs(addrs);
+ return;
+ }
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverSecondaryServer")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ match = get_host_address (tempbv[0]->bv_val, srvaddr[1], sizeof(srvaddr[1]), addrs);
+ if (match >= 0)
+ {
+ if (match > 0)
+ {
+ if (primary == 1)
+ {
+ log_info("Both, primary and secondary failover '%s' server"
+ " attributes match our local address", peername[0]->bv_val);
+ ldap_value_free_len (tempbv);
+ ldap_value_free_len (peername);
+ if (addrs)
+ freeifaddrs(addrs);
+ return;
+ }
+
+ /* we are the secondary */
+ primary = 0;
+ }
+ }
+ else
+ {
+ log_info("Can't resolve address of the secondary failover '%s' server %s",
+ peername[0]->bv_val, tempbv[0]->bv_val);
+ ldap_value_free_len (tempbv);
+ ldap_value_free_len (peername);
+ if (addrs)
+ freeifaddrs(addrs);
+ return;
+ }
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+
+ if (primary == -1 || srvaddr[0] == '\0' || srvaddr[1] == '\0')
+ {
+ log_error("Could not decide if the server type is primary"
+ " or secondary for failover peering '%s'.", peername[0]->bv_val);
+ ldap_value_free_len (peername);
+ if (addrs)
+ freeifaddrs(addrs);
+ return;
+ }
+
+ x_parser_strcat (cfile, "failover peer \"");
+ x_parser_strcat (cfile, peername[0]->bv_val);
+ x_parser_strcat (cfile, "\" {\n");
+
+ if (primary)
+ x_parser_strcat (cfile, "primary;\n");
+ else
+ x_parser_strcat (cfile, "secondary;\n");
+
+ x_parser_strcat (cfile, "address ");
+ if (primary)
+ x_parser_strcat (cfile, srvaddr[0]);
+ else
+ x_parser_strcat (cfile, srvaddr[1]);
+ x_parser_strcat (cfile, ";\n");
+
+ x_parser_strcat (cfile, "peer address ");
+ if (primary)
+ x_parser_strcat (cfile, srvaddr[1]);
+ else
+ x_parser_strcat (cfile, srvaddr[0]);
+ x_parser_strcat (cfile, ";\n");
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverPrimaryPort")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ if (primary)
+ x_parser_strcat (cfile, "port ");
+ else
+ x_parser_strcat (cfile, "peer port ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverSecondaryPort")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ if (primary)
+ x_parser_strcat (cfile, "peer port ");
+ else
+ x_parser_strcat (cfile, "port ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverResponseDelay")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ x_parser_strcat (cfile, "max-response-delay ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverUnackedUpdates")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ x_parser_strcat (cfile, "max-unacked-updates ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverLoadBalanceTime")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ x_parser_strcat (cfile, "load balance max seconds ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ tempbv = NULL;
+ if (primary &&
+ (tempbv = ldap_get_values_len (ld, item->ldent, "dhcpMaxClientLeadTime")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ x_parser_strcat (cfile, "mclt ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ tempbv = NULL;
+ if (primary &&
+ (tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverSplit")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ x_parser_strcat (cfile, "split ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ split = 1;
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ tempbv = NULL;
+ if (primary && !split &&
+ (tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverHashBucketAssignment")) != NULL &&
+ tempbv[0] != NULL)
+ {
+ x_parser_strcat (cfile, "hba ");
+ x_parser_strcat (cfile, tempbv[0]->bv_val);
+ x_parser_strcat (cfile, ";\n");
+ }
+ if (tempbv != NULL)
+ ldap_value_free_len (tempbv);
+
+ item->close_brace = 1;
+}
+
+static void
add_to_config_stack (LDAPMessage * res, LDAPMessage * ent)
{
struct ldap_config_stack *ns;
@@ -428,7 +1064,6 @@ add_to_config_stack (LDAPMessage * res, LDAPMessage * ent)
ldap_stack = ns;
}
-
static void
ldap_stop()
{
@@ -570,6 +1205,7 @@ ldap_rebind_cb (LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msg
{
log_error ("Error: Cannot init LDAPS session to %s:%d: %s",
ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
+ ldap_free_urldesc(ldapurl);
return ret;
}
else
@@ -585,6 +1221,7 @@ ldap_rebind_cb (LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msg
{
log_error ("Error: Cannot start TLS session to %s:%d: %s",
ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
+ ldap_free_urldesc(ldapurl);
return ret;
}
else
@@ -595,21 +1232,80 @@ ldap_rebind_cb (LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msg
}
#endif
+#if defined(LDAP_USE_GSSAPI)
+ if (ldap_gssapi_principal != NULL) {
+ krb5_get_tgt(ldap_gssapi_principal, ldap_gssapi_keytab);
+ if ((ret = ldap_sasl_interactive_bind_s(ld, NULL, ldap_sasl_inst->sasl_mech,
+ NULL, NULL, LDAP_SASL_AUTOMATIC,
+ _ldap_sasl_interact, ldap_sasl_inst)
+ ) != LDAP_SUCCESS)
+ {
+ log_error ("Error: Cannot SASL bind to ldap server %s:%d: %s",
+ ldap_server, ldap_port, ldap_err2string (ret));
+ char *msg=NULL;
+ ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
+ log_error ("\tAdditional info: %s", msg);
+ ldap_memfree(msg);
+ ldap_stop();
+ }
- if (ldap_username != NULL || *ldap_username != '\0')
+ ldap_free_urldesc(ldapurl);
+ return ret;
+ }
+#endif
+
+ if (ldap_username != NULL && *ldap_username != '\0' && ldap_password != NULL)
{
who = ldap_username;
creds.bv_val = strdup(ldap_password);
+ if (creds.bv_val == NULL)
+ log_fatal ("Error: Unable to allocate memory to duplicate ldap_password");
+
creds.bv_len = strlen(ldap_password);
- }
- if ((ret = ldap_sasl_bind_s (ld, who, LDAP_SASL_SIMPLE, &creds,
- NULL, NULL, NULL)) != LDAP_SUCCESS)
+ if ((ret = ldap_sasl_bind_s (ld, who, LDAP_SASL_SIMPLE, &creds,
+ NULL, NULL, NULL)) != LDAP_SUCCESS)
+ {
+ log_error ("Error: Cannot login into ldap server %s:%d: %s",
+ ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
+ }
+
+ if (creds.bv_val)
+ free(creds.bv_val);
+ }
+
+ ldap_free_urldesc(ldapurl);
+ return ret;
+}
+
+static int
+_do_ldap_retry(int ret, const char *server, int port)
+{
+ static int inform = 1;
+
+ if (ldap_enable_retry > 0 && ret == LDAP_SERVER_DOWN && ldap_init_retry > 0)
{
- log_error ("Error: Cannot login into ldap server %s:%d: %s",
- ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
+ if (inform || (ldap_init_retry % 10) == 0)
+ {
+ inform = 0;
+ log_info ("Can't contact LDAP server %s:%d: retrying for %d sec",
+ server, port, ldap_init_retry);
+ }
+ sleep(1);
+ return ldap_init_retry--;
}
- return ret;
+ return 0;
+}
+
+static struct berval *
+_do_ldap_str2esc_filter_bv(const char *str, ber_len_t len, struct berval *bv_o)
+{
+ struct berval bv_i;
+
+ if (!str || !bv_o || (ber_str2bv(str, len, 0, &bv_i) == NULL) ||
+ (ldap_bv2escaped_filter_value(&bv_i, bv_o) != 0))
+ return NULL;
+ return bv_o;
}
static void
@@ -619,6 +1315,12 @@ ldap_start (void)
int ret, version;
char *uri = NULL;
struct berval creds;
+#if defined(LDAP_USE_GSSAPI)
+ char *gssapi_realm = NULL;
+ char *gssapi_user = NULL;
+ char *running = NULL;
+ const char *gssapi_delim = "@";
+#endif
if (ld != NULL)
return;
@@ -641,6 +1343,7 @@ ldap_start (void)
ldap_debug_file = _do_lookup_dhcp_string_option (options,
SV_LDAP_DEBUG_FILE);
ldap_referrals = _do_lookup_dhcp_enum_option (options, SV_LDAP_REFERRALS);
+ ldap_init_retry = _do_lookup_dhcp_int_option (options, SV_LDAP_INIT_RETRY);
#if defined (LDAP_USE_SSL)
ldap_use_ssl = _do_lookup_dhcp_enum_option (options, SV_LDAP_SSL);
@@ -657,6 +1360,56 @@ ldap_start (void)
}
#endif
+#if defined (LDAP_USE_GSSAPI)
+ ldap_gssapi_principal = _do_lookup_dhcp_string_option (options,
+ SV_LDAP_GSSAPI_PRINCIPAL);
+
+ if (ldap_gssapi_principal == NULL) {
+ log_error("ldap_gssapi_principal is not set,"
+ "GSSAPI Authentication for LDAP will not be used");
+ } else {
+ ldap_gssapi_keytab = _do_lookup_dhcp_string_option (options,
+ SV_LDAP_GSSAPI_KEYTAB);
+ if (ldap_gssapi_keytab == NULL) {
+ log_fatal("ldap_gssapi_keytab must be specified");
+ }
+
+ running = strdup(ldap_gssapi_principal);
+ if (running == NULL)
+ log_fatal("Could not allocate memory to duplicate gssapi principal");
+
+ gssapi_user = strtok(running, gssapi_delim);
+ if (!gssapi_user || strlen(gssapi_user) == 0) {
+ log_fatal ("GSSAPI principal must specify user: user@realm");
+ }
+
+ gssapi_realm = strtok(NULL, gssapi_delim);
+ if (!gssapi_realm || strlen(gssapi_realm) == 0) {
+ log_fatal ("GSSAPI principal must specify realm: user@realm");
+ }
+
+ ldap_sasl_inst = malloc(sizeof(struct ldap_sasl_instance));
+ if (ldap_sasl_inst == NULL)
+ log_fatal("Could not allocate memory for sasl instance! Can not run!");
+
+ ldap_sasl_inst->sasl_mech = ber_strdup("GSSAPI");
+ if (ldap_sasl_inst->sasl_mech == NULL)
+ log_fatal("Could not allocate memory to duplicate gssapi mechanism");
+
+ ldap_sasl_inst->sasl_realm = ber_strdup(gssapi_realm);
+ if (ldap_sasl_inst->sasl_realm == NULL)
+ log_fatal("Could not allocate memory to duplicate gssapi realm");
+
+ ldap_sasl_inst->sasl_authz_id = ber_strdup(gssapi_user);
+ if (ldap_sasl_inst->sasl_authz_id == NULL)
+ log_fatal("Could not allocate memory to duplicate gssapi user");
+
+ ldap_sasl_inst->sasl_authc_id = NULL;
+ ldap_sasl_inst->sasl_password = NULL; //"" before
+ free(running);
+ }
+#endif
+
#if defined (LDAP_CASA_AUTH)
if (!load_uname_pwd_from_miCASA(&ldap_username,&ldap_password))
{
@@ -853,7 +1606,13 @@ ldap_start (void)
}
else if (ldap_use_ssl != LDAP_SSL_OFF)
{
- if ((ret = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
+ do
+ {
+ ret = ldap_start_tls_s (ld, NULL, NULL);
+ }
+ while(_do_ldap_retry(ret, ldap_server, ldap_port) > 0);
+
+ if (ret != LDAP_SUCCESS)
{
log_error ("Error: Cannot start TLS session to %s:%d: %s",
ldap_server, ldap_port, ldap_err2string (ret));
@@ -868,13 +1627,43 @@ ldap_start (void)
}
#endif
- if (ldap_username != NULL && *ldap_username != '\0')
+#if defined(LDAP_USE_GSSAPI)
+ if (ldap_gssapi_principal != NULL) {
+ krb5_get_tgt(ldap_gssapi_principal, ldap_gssapi_keytab);
+ if ((ret = ldap_sasl_interactive_bind_s(ld, NULL, ldap_sasl_inst->sasl_mech,
+ NULL, NULL, LDAP_SASL_AUTOMATIC,
+ _ldap_sasl_interact, ldap_sasl_inst)
+ ) != LDAP_SUCCESS)
+ {
+ log_error ("Error: Cannot SASL bind to ldap server %s:%d: %s",
+ ldap_server, ldap_port, ldap_err2string (ret));
+ char *msg=NULL;
+ ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
+ log_error ("\tAdditional info: %s", msg);
+ ldap_memfree(msg);
+ ldap_stop();
+ return;
+ }
+ } else
+#endif
+
+ if (ldap_username != NULL && *ldap_username != '\0' && ldap_password != NULL)
{
creds.bv_val = strdup(ldap_password);
+ if (creds.bv_val == NULL)
+ log_fatal ("Error: Unable to allocate memory to duplicate ldap_password");
+
creds.bv_len = strlen(ldap_password);
- if ((ret = ldap_sasl_bind_s (ld, ldap_username, LDAP_SASL_SIMPLE,
- &creds, NULL, NULL, NULL)) != LDAP_SUCCESS)
+ do
+ {
+ ret = ldap_sasl_bind_s (ld, ldap_username, LDAP_SASL_SIMPLE,
+ &creds, NULL, NULL, NULL);
+ }
+ while(_do_ldap_retry(ret, ldap_server, ldap_port) > 0);
+ free(creds.bv_val);
+
+ if (ret != LDAP_SUCCESS)
{
log_error ("Error: Cannot login into ldap server %s:%d: %s",
ldap_server, ldap_port, ldap_err2string (ret));
@@ -894,7 +1683,15 @@ parse_external_dns (LDAPMessage * ent)
{
char *search[] = {"dhcpOptionsDN", "dhcpSharedNetworkDN", "dhcpSubnetDN",
"dhcpGroupDN", "dhcpHostDN", "dhcpClassesDN",
- "dhcpPoolDN", NULL};
+ "dhcpPoolDN", "dhcpZoneDN", "dhcpFailOverPeerDN", NULL};
+
+ /* TODO: dhcpKeyDN can't be added. It is referenced in dhcpDnsZone to
+ retrive the key name (cn). Adding keyDN will reflect adding a key
+ declaration inside the zone configuration.
+
+ dhcpSubClassesDN cant be added. It is also similar to the above.
+ Needs schema change.
+ */
LDAPMessage * newres, * newent;
struct berval **tempbv;
int i, j, ret;
@@ -934,7 +1731,7 @@ parse_external_dns (LDAPMessage * ent)
}
#if defined (DEBUG_LDAP)
- log_info ("Adding contents of subtree '%s' to config stack from '%s' reference", tempbv[j], search[i]);
+ log_info ("Adding contents of subtree '%s' to config stack from '%s' reference", tempbv[j]->bv_val, search[i]);
#endif
for (newent = ldap_first_entry (ld, newres);
newent != NULL;
@@ -989,17 +1786,17 @@ next_ldap_entry (struct parse *cfile)
if (ldap_stack != NULL && ldap_stack->close_brace)
{
- x_strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "}\n");
ldap_stack->close_brace = 0;
}
while (ldap_stack != NULL &&
- (ldap_stack->ldent == NULL ||
- (ldap_stack->ldent = ldap_next_entry (ld, ldap_stack->ldent)) == NULL))
+ (ldap_stack->ldent == NULL || ( ldap_stack->processed &&
+ (ldap_stack->ldent = ldap_next_entry (ld, ldap_stack->ldent)) == NULL)))
{
if (ldap_stack->close_brace)
{
- x_strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "}\n");
ldap_stack->close_brace = 0;
}
@@ -1010,7 +1807,7 @@ next_ldap_entry (struct parse *cfile)
if (ldap_stack != NULL && ldap_stack->close_brace)
{
- x_strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
+ x_parser_strcat (cfile, "}\n");
ldap_stack->close_brace = 0;
}
}
@@ -1066,13 +1863,13 @@ check_statement_end (const char *statement)
static isc_result_t
-ldap_parse_entry_options (LDAPMessage *ent, char *buffer, size_t size,
+ldap_parse_entry_options (LDAPMessage *ent, struct parse *cfile,
int *lease_limit)
{
struct berval **tempbv;
int i;
- if (ent == NULL || buffer == NULL || size == 0)
+ if (ent == NULL || cfile == NULL)
return (ISC_R_FAILURE);
if ((tempbv = ldap_get_values_len (ld, ent, "dhcpStatements")) != NULL)
@@ -1086,16 +1883,16 @@ ldap_parse_entry_options (LDAPMessage *ent, char *buffer, size_t size,
continue;
}
- x_strncat (buffer, tempbv[i]->bv_val, size);
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
switch((int) check_statement_end (tempbv[i]->bv_val))
{
case '}':
case ';':
- x_strncat (buffer, "\n", size);
+ x_parser_strcat (cfile, "\n");
break;
default:
- x_strncat (buffer, ";\n", size);
+ x_parser_strcat (cfile, ";\n");
break;
}
}
@@ -1106,15 +1903,15 @@ ldap_parse_entry_options (LDAPMessage *ent, char *buffer, size_t size,
{
for (i=0; tempbv[i] != NULL; i++)
{
- x_strncat (buffer, "option ", size);
- x_strncat (buffer, tempbv[i]->bv_val, size);
+ x_parser_strcat (cfile, "option ");
+ x_parser_strcat (cfile, tempbv[i]->bv_val);
switch ((int) check_statement_end (tempbv[i]->bv_val))
{
case ';':
- x_strncat (buffer, "\n", size);
+ x_parser_strcat (cfile, "\n");
break;
default:
- x_strncat (buffer, ";\n", size);
+ x_parser_strcat (cfile, ";\n");
break;
}
}
@@ -1131,9 +1928,10 @@ ldap_generate_config_string (struct parse *cfile)
struct berval **objectClass;
char *dn;
struct ldap_config_stack *entry;
- LDAPMessage * ent, * res;
+ LDAPMessage * ent, * res, *entfirst, *resfirst;
int i, ignore, found;
- int ret;
+ int ret, parsedn = 1;
+ size_t len = cfile->buflen;
if (ld == NULL)
ldap_start ();
@@ -1144,7 +1942,8 @@ ldap_generate_config_string (struct parse *cfile)
if ((objectClass = ldap_get_values_len (ld, entry->ldent,
"objectClass")) == NULL)
return;
-
+
+ entry->processed = 1;
ignore = 0;
found = 1;
for (i=0; objectClass[i] != NULL; i++)
@@ -1155,14 +1954,20 @@ ldap_generate_config_string (struct parse *cfile)
ldap_parse_class (entry, cfile);
else if (strcasecmp (objectClass[i]->bv_val, "dhcpSubnet") == 0)
ldap_parse_subnet (entry, cfile);
+ else if (strcasecmp (objectClass[i]->bv_val, "dhcpSubnet6") == 0)
+ ldap_parse_subnet6 (entry, cfile);
else if (strcasecmp (objectClass[i]->bv_val, "dhcpPool") == 0)
ldap_parse_pool (entry, cfile);
+ else if (strcasecmp (objectClass[i]->bv_val, "dhcpPool6") == 0)
+ ldap_parse_pool6 (entry, cfile);
else if (strcasecmp (objectClass[i]->bv_val, "dhcpGroup") == 0)
ldap_parse_group (entry, cfile);
else if (strcasecmp (objectClass[i]->bv_val, "dhcpTSigKey") == 0)
ldap_parse_key (entry, cfile);
else if (strcasecmp (objectClass[i]->bv_val, "dhcpDnsZone") == 0)
ldap_parse_zone (entry, cfile);
+ else if (strcasecmp (objectClass[i]->bv_val, "dhcpFailOverPeer") == 0)
+ ldap_parse_failover (entry, cfile);
else if (strcasecmp (objectClass[i]->bv_val, "dhcpHost") == 0)
{
if (ldap_method == LDAP_METHOD_STATIC)
@@ -1186,7 +1991,7 @@ ldap_generate_config_string (struct parse *cfile)
else
found = 0;
- if (found && cfile->inbuf[0] == '\0')
+ if (found && x_parser_length(cfile) <= len)
{
ignore = 1;
break;
@@ -1201,23 +2006,36 @@ ldap_generate_config_string (struct parse *cfile)
return;
}
- ldap_parse_entry_options(entry->ldent, cfile->inbuf,
- LDAP_BUFFER_SIZE-1, NULL);
+ ldap_parse_entry_options(entry->ldent, cfile, NULL);
dn = ldap_get_dn (ld, entry->ldent);
-
+ if (dn == NULL)
+ {
+ ldap_stop();
+ return;
+ }
#if defined(DEBUG_LDAP)
- if (dn != NULL)
- log_info ("Found LDAP entry '%s'", dn);
+ log_info ("Found LDAP entry '%s'", dn);
#endif
- if (dn == NULL ||
- (ret = ldap_search_ext_s (ld, dn, LDAP_SCOPE_ONELEVEL,
- "objectClass=*", NULL, 0, NULL, NULL,
+ if ((ret = ldap_search_ext_s (ld, dn, LDAP_SCOPE_ONELEVEL,
+ "(!(|(|(objectClass=dhcpTSigKey)(objectClass=dhcpClass)) (objectClass=dhcpFailOverPeer)))",
+ NULL, 0, NULL, NULL,
NULL, 0, &res)) != LDAP_SUCCESS)
{
- if (dn)
- ldap_memfree (dn);
+ ldap_memfree (dn);
+
+ ldap_stop();
+ return;
+ }
+
+ if ((ret = ldap_search_ext_s (ld, dn, LDAP_SCOPE_ONELEVEL,
+ "(|(|(objectClass=dhcpTSigKey)(objectClass=dhcpClass)) (objectClass=dhcpFailOverPeer))",
+ NULL, 0, NULL, NULL,
+ NULL, 0, &resfirst)) != LDAP_SUCCESS)
+ {
+ ldap_memfree (dn);
+ ldap_msgfree (res);
ldap_stop();
return;
@@ -1225,17 +2043,33 @@ ldap_generate_config_string (struct parse *cfile)
ldap_memfree (dn);
- if ((ent = ldap_first_entry (ld, res)) != NULL)
+ ent = ldap_first_entry(ld, res);
+ entfirst = ldap_first_entry(ld, resfirst);
+
+ if (ent == NULL && entfirst == NULL)
+ {
+ parse_external_dns (entry->ldent);
+ next_ldap_entry (cfile);
+ }
+
+ if (ent != NULL)
{
add_to_config_stack (res, ent);
parse_external_dns (entry->ldent);
+ parsedn = 0;
}
else
+ ldap_msgfree (res);
+
+ if (entfirst != NULL)
{
- ldap_msgfree (res);
- parse_external_dns (entry->ldent);
- next_ldap_entry (cfile);
+ add_to_config_stack (resfirst, entfirst);
+ if(parsedn)
+ parse_external_dns (entry->ldent);
+
}
+ else
+ ldap_msgfree (resfirst);
}
@@ -1268,25 +2102,30 @@ ldap_write_debug (const void *buff, size_t size)
static int
ldap_read_function (struct parse *cfile)
{
- cfile->inbuf[0] = '\0';
- cfile->buflen = 0;
-
- while (ldap_stack != NULL && *cfile->inbuf == '\0')
+ size_t len;
+
+ /* append when in saved state */
+ if (cfile->saved_state == NULL)
+ {
+ cfile->inbuf[0] = '\0';
+ cfile->bufix = 0;
+ cfile->buflen = 0;
+ }
+ len = cfile->buflen;
+
+ while (ldap_stack != NULL && x_parser_length(cfile) <= len)
ldap_generate_config_string (cfile);
- if (ldap_stack == NULL && *cfile->inbuf == '\0')
+ if (x_parser_length(cfile) <= len && ldap_stack == NULL)
return (EOF);
- cfile->bufix = 1;
- cfile->buflen = strlen (cfile->inbuf) - 1;
- if (cfile->buflen > 0)
- ldap_write_debug (cfile->inbuf, cfile->buflen);
-
+ if (cfile->buflen > len)
+ ldap_write_debug (cfile->inbuf + len, cfile->buflen - len);
#if defined (DEBUG_LDAP)
- log_info ("Sending config line '%s'", cfile->inbuf);
+ log_info ("Sending config portion '%s'", cfile->inbuf + len);
#endif
- return (cfile->inbuf[0]);
+ return (cfile->inbuf[cfile->bufix++]);
}
@@ -1321,38 +2160,12 @@ ldap_get_host_name (LDAPMessage * ent)
}
-static int
-getfqhostname(char *fqhost, size_t size)
-{
-#if defined(MAXHOSTNAMELEN)
- char hname[MAXHOSTNAMELEN];
-#else
- char hname[65];
-#endif
- struct hostent *hp;
-
- if(NULL == fqhost || 1 >= size)
- return -1;
-
- memset(hname, 0, sizeof(hname));
- if( gethostname(hname, sizeof(hname)-1))
- return -1;
-
- if(NULL == (hp = gethostbyname(hname)))
- return -1;
-
- strncpy(fqhost, hp->h_name, size-1);
- fqhost[size-1] = '\0';
- return 0;
-}
-
-
isc_result_t
ldap_read_config (void)
{
LDAPMessage * ldres, * hostres, * ent, * hostent;
char hfilter[1024], sfilter[1024], fqdn[257];
- char *buffer, *hostdn;
+ char *hostdn;
ldap_dn_node *curr = NULL;
struct parse *cfile;
struct utsname unme;
@@ -1360,52 +2173,97 @@ ldap_read_config (void)
size_t length;
int ret, cnt;
struct berval **tempbv = NULL;
+ struct berval bv_o[2];
+
+ cfile = x_parser_init("LDAP");
+ if (cfile == NULL)
+ return (ISC_R_NOMEMORY);
+ ldap_enable_retry = 1;
if (ld == NULL)
ldap_start ();
+ ldap_enable_retry = 0;
+
if (ld == NULL)
- return (ldap_server == NULL ? ISC_R_SUCCESS : ISC_R_FAILURE);
-
- buffer = dmalloc (LDAP_BUFFER_SIZE+1, MDL);
- if (buffer == NULL)
- return (ISC_R_FAILURE);
+ {
+ x_parser_free(&cfile);
+ return (ldap_server == NULL ? ISC_R_SUCCESS : ISC_R_FAILURE);
+ }
- cfile = (struct parse *) NULL;
- res = new_parse (&cfile, -1, buffer, LDAP_BUFFER_SIZE, "LDAP", 0);
- if (res != ISC_R_SUCCESS)
- return (res);
-
uname (&unme);
if (ldap_dhcp_server_cn != NULL)
{
+ if (_do_ldap_str2esc_filter_bv(ldap_dhcp_server_cn, 0, &bv_o[0]) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", ldap_dhcp_server_cn);
+ x_parser_free(&cfile);
+ return (ISC_R_FAILURE);
+ }
+
snprintf (hfilter, sizeof (hfilter),
- "(&(objectClass=dhcpServer)(cn=%s))", ldap_dhcp_server_cn);
+ "(&(objectClass=dhcpServer)(cn=%s))", bv_o[0].bv_val);
+
+ ber_memfree(bv_o[0].bv_val);
}
else
- {
- if(0 == getfqhostname(fqdn, sizeof(fqdn)))
{
- snprintf (hfilter, sizeof (hfilter),
- "(&(objectClass=dhcpServer)(|(cn=%s)(cn=%s)))",
- unme.nodename, fqdn);
+ if (_do_ldap_str2esc_filter_bv(unme.nodename, 0, &bv_o[0]) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", unme.nodename);
+ x_parser_free(&cfile);
+ return (ISC_R_FAILURE);
+ }
+
+ *fqdn ='\0';
+ if(0 == get_host_entry(fqdn, sizeof(fqdn), NULL, 0))
+ {
+ if (_do_ldap_str2esc_filter_bv(fqdn, 0, &bv_o[1]) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", fqdn);
+ ber_memfree(bv_o[0].bv_val);
+ x_parser_free(&cfile);
+ return (ISC_R_FAILURE);
+ }
+ }
+
+ // If we have fqdn and it isn't the same as nodename, use it in filter
+ // otherwise just use nodename
+ if ((*fqdn) && (strcmp(unme.nodename, fqdn))) {
+ snprintf (hfilter, sizeof (hfilter),
+ "(&(objectClass=dhcpServer)(|(cn=%s)(cn=%s)))",
+ bv_o[0].bv_val, bv_o[1].bv_val);
+
+ ber_memfree(bv_o[1].bv_val);
+ }
+ else
+ {
+ snprintf (hfilter, sizeof (hfilter),
+ "(&(objectClass=dhcpServer)(cn=%s))",
+ bv_o[0].bv_val);
+ }
+
+ ber_memfree(bv_o[0].bv_val);
}
- else
+
+ ldap_enable_retry = 1;
+ do
{
- snprintf (hfilter, sizeof (hfilter),
- "(&(objectClass=dhcpServer)(cn=%s))", unme.nodename);
+ hostres = NULL;
+ ret = ldap_search_ext_s (ld, ldap_base_dn, LDAP_SCOPE_SUBTREE,
+ hfilter, NULL, 0, NULL, NULL, NULL, 0,
+ &hostres);
}
+ while(_do_ldap_retry(ret, ldap_server, ldap_port) > 0);
+ ldap_enable_retry = 0;
- }
- hostres = NULL;
- if ((ret = ldap_search_ext_s (ld, ldap_base_dn, LDAP_SCOPE_SUBTREE,
- hfilter, NULL, 0, NULL, NULL, NULL, 0,
- &hostres)) != LDAP_SUCCESS)
+ if(ret != LDAP_SUCCESS)
{
log_error ("Cannot find host LDAP entry %s %s",
- ((ldap_dhcp_server_cn == NULL)?(unme.nodename):(ldap_dhcp_server_cn)), hfilter);
+ ((ldap_dhcp_server_cn == NULL)?(unme.nodename):(ldap_dhcp_server_cn)), hfilter);
if(NULL != hostres)
ldap_msgfree (hostres);
ldap_stop();
+ x_parser_free(&cfile);
return (ISC_R_FAILURE);
}
@@ -1414,6 +2272,7 @@ ldap_read_config (void)
log_error ("Error: Cannot find LDAP entry matching %s", hfilter);
ldap_msgfree (hostres);
ldap_stop();
+ x_parser_free(&cfile);
return (ISC_R_FAILURE);
}
@@ -1427,7 +2286,9 @@ ldap_read_config (void)
(tempbv = ldap_get_values_len (ld, hostent, "dhcpServiceDN")) == NULL ||
tempbv[0] == NULL)
{
- log_error ("Error: Cannot find LDAP entry matching %s", hfilter);
+ log_error ("Error: No dhcp service is associated with the server %s %s",
+ (hostdn ? "dn" : "name"), (hostdn ? hostdn :
+ (ldap_dhcp_server_cn ? ldap_dhcp_server_cn : unme.nodename)));
if (tempbv != NULL)
ldap_value_free_len (tempbv);
@@ -1436,6 +2297,7 @@ ldap_read_config (void)
ldap_memfree (hostdn);
ldap_msgfree (hostres);
ldap_stop();
+ x_parser_free(&cfile);
return (ISC_R_FAILURE);
}
@@ -1443,37 +2305,51 @@ ldap_read_config (void)
log_info ("LDAP: Parsing dhcpServer options '%s' ...", hostdn);
#endif
- cfile->inbuf[0] = '\0';
- ldap_parse_entry_options(hostent, cfile->inbuf, LDAP_BUFFER_SIZE, NULL);
- cfile->buflen = strlen (cfile->inbuf);
- if(cfile->buflen > 0)
+ res = ldap_parse_entry_options(hostent, cfile, NULL);
+ if (res != ISC_R_SUCCESS)
{
- ldap_write_debug (cfile->inbuf, cfile->buflen);
+ ldap_value_free_len (tempbv);
+ ldap_msgfree (hostres);
+ ldap_memfree (hostdn);
+ ldap_stop();
+ x_parser_free(&cfile);
+ return res;
+ }
+ if (x_parser_length(cfile) > 0)
+ {
res = conf_file_subparse (cfile, root_group, ROOT_GROUP);
if (res != ISC_R_SUCCESS)
{
log_error ("LDAP: cannot parse dhcpServer entry '%s'", hostdn);
+ ldap_value_free_len (tempbv);
+ ldap_msgfree (hostres);
ldap_memfree (hostdn);
ldap_stop();
+ x_parser_free(&cfile);
return res;
}
- cfile->inbuf[0] = '\0';
+ x_parser_reset(cfile);
}
ldap_msgfree (hostres);
- /*
- ** attach ldap (tree) read function now
- */
- cfile->bufix = cfile->buflen = 0;
- cfile->read_function = ldap_read_function;
-
res = ISC_R_SUCCESS;
for (cnt=0; tempbv[cnt] != NULL; cnt++)
{
+
+ if (_do_ldap_str2esc_filter_bv(hostdn, 0, &bv_o[0]) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", hostdn);
+ res = ISC_R_FAILURE;
+ break;
+ }
+
snprintf(sfilter, sizeof(sfilter), "(&(objectClass=dhcpService)"
- "(|(dhcpPrimaryDN=%s)(dhcpSecondaryDN=%s)))",
- hostdn, hostdn);
+ "(|(|(dhcpPrimaryDN=%s)(dhcpSecondaryDN=%s))(dhcpServerDN=%s)))",
+ bv_o[0].bv_val, bv_o[0].bv_val, bv_o[0].bv_val);
+
+ ber_memfree(bv_o[0].bv_val);
+
ldres = NULL;
if ((ret = ldap_search_ext_s (ld, tempbv[cnt]->bv_val, LDAP_SCOPE_BASE,
sfilter, NULL, 0, NULL, NULL, NULL,
@@ -1489,7 +2365,7 @@ ldap_read_config (void)
if ((ent = ldap_first_entry (ld, ldres)) == NULL)
{
- log_error ("Error: Cannot find dhcpService DN '%s' with primary or secondary server reference. Please update the LDAP server entry '%s'",
+ log_error ("Error: Cannot find dhcpService DN '%s' with server reference. Please update the LDAP server entry '%s'",
tempbv[cnt]->bv_val, hostdn);
ldap_msgfree(ldres);
@@ -1533,7 +2409,7 @@ ldap_read_config (void)
log_fatal ("no memory to remember ldap service dn");
#if defined (DEBUG_LDAP)
- log_info ("LDAP: Parsing dhcpService DN '%s' ...", tempbv[cnt]);
+ log_info ("LDAP: Parsing dhcpService DN '%s' ...", tempbv[cnt]->bv_val);
#endif
add_to_config_stack (ldres, ent);
res = conf_file_subparse (cfile, root_group, ROOT_GROUP);
@@ -1544,7 +2420,7 @@ ldap_read_config (void)
}
}
- end_parse (&cfile);
+ x_parser_free(&cfile);
ldap_close_debug_fd();
ldap_memfree (hostdn);
@@ -1592,17 +2468,18 @@ ldap_parse_options (LDAPMessage * ent, struct group *group,
struct class **class)
{
int declaration, lease_limit;
- char option_buffer[8192];
enum dhcp_token token;
struct parse *cfile;
isc_result_t res;
const char *val;
lease_limit = 0;
- *option_buffer = '\0';
-
- /* This block of code will try to find the parent of the host, and
- if it is a group object, fetch the options and apply to the host. */
+ cfile = x_parser_init(type == HOST_DECL ? "LDAP-HOST" : "LDAP-SUBCLASS");
+ if (cfile == NULL)
+ return (lease_limit);
+
+ /* This block of code will try to find the parent of the host, and
+ if it is a group object, fetch the options and apply to the host. */
if (type == HOST_DECL)
{
char *hostdn, *basedn, *temp1, *temp2, filter[1024];
@@ -1624,16 +2501,29 @@ ldap_parse_options (LDAPMessage * ent, struct group *group,
if (temp2 != NULL)
{
- snprintf (filter, sizeof(filter),
- "(&(cn=%.*s)(objectClass=dhcpGroup))",
- (int)(temp2 - temp1), temp1);
+ struct berval bv_o;
+
+ if (_do_ldap_str2esc_filter_bv(temp1, (temp2 - temp1), &bv_o) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %.*s: %m",
+ (int)(temp2 - temp1), temp1);
+ filter[0] = '\0';
+ }
+ else
+ {
+ snprintf (filter, sizeof(filter),
+ "(&(cn=%s)(objectClass=dhcpGroup))",
+ bv_o.bv_val);
+
+ ber_memfree(bv_o.bv_val);
+ }
basedn = strchr (temp1, ',');
if (basedn != NULL)
++basedn;
}
- if (basedn != NULL && *basedn != '\0')
+ if (basedn != NULL && *basedn != '\0' && filter[0] != '\0')
{
ret = ldap_search_ext_s (ld, basedn, LDAP_SCOPE_SUBTREE, filter,
NULL, 0, NULL, NULL, NULL, 0, &groupdn);
@@ -1641,13 +2531,11 @@ ldap_parse_options (LDAPMessage * ent, struct group *group,
{
if ((entry = ldap_first_entry (ld, groupdn)) != NULL)
{
- res = ldap_parse_entry_options (entry, option_buffer,
- sizeof(option_buffer) - 1,
- &lease_limit);
+ res = ldap_parse_entry_options (entry, cfile, &lease_limit);
if (res != ISC_R_SUCCESS)
{
/* reset option buffer discarding any results */
- *option_buffer = '\0';
+ x_parser_reset(cfile);
lease_limit = 0;
}
}
@@ -1658,24 +2546,18 @@ ldap_parse_options (LDAPMessage * ent, struct group *group,
}
}
- res = ldap_parse_entry_options (ent, option_buffer, sizeof(option_buffer) - 1,
- &lease_limit);
- if (res != ISC_R_SUCCESS)
- return (lease_limit);
-
- option_buffer[sizeof(option_buffer) - 1] = '\0';
- if (*option_buffer == '\0')
- return (lease_limit);
-
- cfile = (struct parse *) NULL;
- res = new_parse (&cfile, -1, option_buffer, strlen (option_buffer),
- type == HOST_DECL ? "LDAP-HOST" : "LDAP-SUBCLASS", 0);
+ res = ldap_parse_entry_options (ent, cfile, &lease_limit);
if (res != ISC_R_SUCCESS)
- return (lease_limit);
+ {
+ x_parser_free(&cfile);
+ return (lease_limit);
+ }
-#if defined (DEBUG_LDAP)
- log_info ("Sending the following options: '%s'", option_buffer);
-#endif
+ if (x_parser_length(cfile) == 0)
+ {
+ x_parser_free(&cfile);
+ return (lease_limit);
+ }
declaration = 0;
do
@@ -1686,7 +2568,7 @@ ldap_parse_options (LDAPMessage * ent, struct group *group,
declaration = parse_statement (cfile, group, type, host, declaration);
} while (1);
- end_parse (&cfile);
+ x_parser_free(&cfile);
return (lease_limit);
}
@@ -1702,7 +2584,13 @@ find_haddr_in_ldap (struct host_decl **hp, int htype, unsigned hlen,
struct host_decl * host;
isc_result_t status;
ldap_dn_node *curr;
+ char up_hwaddr[20];
+ char lo_hwaddr[20];
int ret;
+ struct berval bv_o[2];
+
+ *hp = NULL;
+
if (ldap_method == LDAP_METHOD_STATIC)
return (0);
@@ -1732,9 +2620,28 @@ find_haddr_in_ldap (struct host_decl **hp, int htype, unsigned hlen,
** FIXME: It is not guaranteed, that the dhcpHWAddress attribute
** contains _exactly_ "type addr" with one space between!
*/
+ snprintf(lo_hwaddr, sizeof(lo_hwaddr), "%s",
+ print_hw_addr (htype, hlen, haddr));
+ x_strxform(up_hwaddr, lo_hwaddr, sizeof(up_hwaddr), toupper);
+
+ if (_do_ldap_str2esc_filter_bv(lo_hwaddr, 0, &bv_o[0]) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", lo_hwaddr);
+ return (0);
+ }
+ if (_do_ldap_str2esc_filter_bv(up_hwaddr, 0, &bv_o[1]) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", up_hwaddr);
+ ber_memfree(bv_o[0].bv_val);
+ return (0);
+ }
+
snprintf (buf, sizeof (buf),
- "(&(objectClass=dhcpHost)(dhcpHWAddress=%s %s))",
- type_str, print_hw_addr (htype, hlen, haddr));
+ "(&(objectClass=dhcpHost)(|(dhcpHWAddress=%s %s)(dhcpHWAddress=%s %s)))",
+ type_str, bv_o[0].bv_val, type_str, bv_o[1].bv_val);
+
+ ber_memfree(bv_o[0].bv_val);
+ ber_memfree(bv_o[1].bv_val);
res = ent = NULL;
for (curr = ldap_service_dn_head;
@@ -1765,18 +2672,61 @@ find_haddr_in_ldap (struct host_decl **hp, int htype, unsigned hlen,
if (ret == LDAP_SUCCESS)
{
- if( (ent = ldap_first_entry (ld, res)) != NULL)
- break; /* search OK and have entry */
-
+ ent = ldap_first_entry (ld, res);
#if defined (DEBUG_LDAP)
- log_info ("No host entry for %s in LDAP tree %s",
- buf, curr->dn);
+ if (ent == NULL) {
+ log_info ("No host entry for %s in LDAP tree %s",
+ buf, curr->dn);
+ }
+#endif
+ while (ent != NULL) {
+#if defined (DEBUG_LDAP)
+ char *dn = ldap_get_dn (ld, ent);
+ if (dn != NULL)
+ {
+ log_info ("Found dhcpHWAddress LDAP entry %s", dn);
+ ldap_memfree(dn);
+ }
#endif
+
+ host = (struct host_decl *)0;
+ status = host_allocate (&host, MDL);
+ if (status != ISC_R_SUCCESS)
+ {
+ log_fatal ("can't allocate host decl struct: %s",
+ isc_result_totext (status));
+ ldap_msgfree (res);
+ return (0);
+ }
+
+ host->name = ldap_get_host_name (ent);
+ if (host->name == NULL)
+ {
+ host_dereference (&host, MDL);
+ ldap_msgfree (res);
+ return (0);
+ }
+
+ if (!clone_group (&host->group, root_group, MDL))
+ {
+ log_fatal ("can't clone group for host %s", host->name);
+ host_dereference (&host, MDL);
+ ldap_msgfree (res);
+ return (0);
+ }
+
+ ldap_parse_options (ent, host->group, HOST_DECL, host, NULL);
+
+ host->n_ipaddr = *hp;
+ *hp = host;
+ ent = ldap_next_entry (ld, ent);
+ }
if(res)
{
ldap_msgfree (res);
res = NULL;
}
+ return (*hp != NULL);
}
else
{
@@ -1803,52 +2753,6 @@ find_haddr_in_ldap (struct host_decl **hp, int htype, unsigned hlen,
}
}
- if (res && ent)
- {
-#if defined (DEBUG_LDAP)
- char *dn = ldap_get_dn (ld, ent);
- if (dn != NULL)
- {
- log_info ("Found dhcpHWAddress LDAP entry %s", dn);
- ldap_memfree(dn);
- }
-#endif
-
- host = (struct host_decl *)0;
- status = host_allocate (&host, MDL);
- if (status != ISC_R_SUCCESS)
- {
- log_fatal ("can't allocate host decl struct: %s",
- isc_result_totext (status));
- ldap_msgfree (res);
- return (0);
- }
-
- host->name = ldap_get_host_name (ent);
- if (host->name == NULL)
- {
- host_dereference (&host, MDL);
- ldap_msgfree (res);
- return (0);
- }
-
- if (!clone_group (&host->group, root_group, MDL))
- {
- log_fatal ("can't clone group for host %s", host->name);
- host_dereference (&host, MDL);
- ldap_msgfree (res);
- return (0);
- }
-
- ldap_parse_options (ent, host->group, HOST_DECL, host, NULL);
-
- *hp = host;
- ldap_msgfree (res);
- return (1);
- }
-
-
- if(res) ldap_msgfree (res);
return (0);
}
@@ -1861,7 +2765,10 @@ find_subclass_in_ldap (struct class *class, struct class **newclass,
int ret, lease_limit;
isc_result_t status;
ldap_dn_node *curr;
- char buf[1024];
+ char buf[2048];
+ struct berval bv_class;
+ struct berval bv_cdata;
+ char *hex_1;
if (ldap_method == LDAP_METHOD_STATIC)
return (0);
@@ -1871,10 +2778,33 @@ find_subclass_in_ldap (struct class *class, struct class **newclass,
if (ld == NULL)
return (0);
+ hex_1 = print_hex_1 (data->len, data->data, 1024);
+ if (*hex_1 == '"')
+ {
+ /* result is a quotted not hex string: ldap escape the original string */
+ if (_do_ldap_str2esc_filter_bv((const char*)data->data, data->len, &bv_cdata) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", hex_1);
+ return (0);
+ }
+ hex_1 = NULL;
+ }
+ if (_do_ldap_str2esc_filter_bv(class->name, strlen (class->name), &bv_class) == NULL)
+ {
+ log_error ("Cannot escape ldap filter value %s: %m", class->name);
+ if (hex_1 == NULL)
+ ber_memfree(bv_cdata.bv_val);
+ return (0);
+ }
+
snprintf (buf, sizeof (buf),
"(&(objectClass=dhcpSubClass)(cn=%s)(dhcpClassData=%s))",
- print_hex_1 (data->len, data->data, 60),
- print_hex_2 (strlen (class->name), (u_int8_t *) class->name, 60));
+ (hex_1 == NULL ? bv_cdata.bv_val : hex_1), bv_class.bv_val);
+
+ if (hex_1 == NULL)
+ ber_memfree(bv_cdata.bv_val);
+ ber_memfree(bv_class.bv_val);
+
#if defined (DEBUG_LDAP)
log_info ("Searching LDAP for %s", buf);
#endif
@@ -2000,4 +2930,213 @@ find_subclass_in_ldap (struct class *class, struct class **newclass,
return (0);
}
+int find_client_in_ldap (struct host_decl **hp, struct packet *packet,
+ struct option_state *state, const char *file, int line)
+{
+ LDAPMessage * res, * ent;
+ ldap_dn_node *curr;
+ struct host_decl * host;
+ isc_result_t status;
+ struct data_string client_id;
+ char buf[1024], buf1[1024];
+ int ret;
+
+ if (ldap_method == LDAP_METHOD_STATIC)
+ return (0);
+
+ if (ld == NULL)
+ ldap_start ();
+ if (ld == NULL)
+ return (0);
+
+ memset(&client_id, 0, sizeof(client_id));
+ if (get_client_id(packet, &client_id) != ISC_R_SUCCESS)
+ return (0);
+ snprintf(buf, sizeof(buf),
+ "(&(objectClass=dhcpHost)(dhcpClientId=%s))",
+ print_hw_addr(0, client_id.len, client_id.data));
+
+ /* log_info ("Searching LDAP for %s (%s)", buf, packet->interface->shared_network->name); */
+
+ res = ent = NULL;
+ for (curr = ldap_service_dn_head;
+ curr != NULL && *curr->dn != '\0';
+ curr = curr->next)
+ {
+ snprintf(buf1, sizeof(buf1), "cn=%s,%s", packet->interface->shared_network->name, curr->dn);
+#if defined (DEBUG_LDAP)
+ log_info ("Searching for %s in LDAP tree %s", buf, buf1);
+#endif
+ ret = ldap_search_ext_s (ld, buf1, LDAP_SCOPE_SUBTREE, buf, NULL, 0,
+ NULL, NULL, NULL, 0, &res);
+
+ if(ret == LDAP_SERVER_DOWN)
+ {
+ log_info ("LDAP server was down, trying to reconnect...");
+
+ ldap_stop();
+ ldap_start();
+
+ if(ld == NULL)
+ {
+ log_info ("LDAP reconnect failed - try again later...");
+ return (0);
+ }
+
+ ret = ldap_search_ext_s (ld, buf1, LDAP_SCOPE_SUBTREE, buf,
+ NULL, 0, NULL, NULL, NULL, 0, &res);
+ }
+
+ if (ret == LDAP_SUCCESS)
+ {
+ if( (ent = ldap_first_entry (ld, res)) != NULL) {
+ log_info ("found entry in search %s", buf1);
+ break; /* search OK and have entry */
+ }
+
+#if defined (DEBUG_LDAP)
+ log_info ("No subclass entry for %s in LDAP tree %s", buf, curr->dn);
+#endif
+ if(res)
+ {
+ ldap_msgfree (res);
+ res = NULL;
+ }
+ }
+ else
+ {
+ if(res)
+ {
+ ldap_msgfree (res);
+ res = NULL;
+ }
+
+ if (ret != LDAP_NO_SUCH_OBJECT && ret != LDAP_SUCCESS)
+ {
+ log_error ("Cannot search for %s in LDAP tree %s: %s", buf,
+ curr->dn, ldap_err2string (ret));
+ ldap_stop();
+ return (0);
+ }
+ else
+ {
+ log_info ("did not find: %s", buf);
+ }
+ }
+ }
+
+ if (res && ent)
+ {
+#if defined (DEBUG_LDAP)
+ log_info ("ldap_get_dn %s", curr->dn);
+ char *dn = ldap_get_dn (ld, ent);
+ if (dn != NULL)
+ {
+ log_info ("Found subclass LDAP entry %s", dn);
+ ldap_memfree(dn);
+ } else {
+ log_info ("DN is null %s", dn);
+ }
+#endif
+
+ host = (struct host_decl *)0;
+ status = host_allocate (&host, MDL);
+ if (status != ISC_R_SUCCESS)
+ {
+ log_fatal ("can't allocate host decl struct: %s",
+ isc_result_totext (status));
+ ldap_msgfree (res);
+ return (0);
+ }
+
+ host->name = ldap_get_host_name (ent);
+ if (host->name == NULL)
+ {
+ host_dereference (&host, MDL);
+ ldap_msgfree (res);
+ return (0);
+ }
+ /* log_info ("Host name %s", host->name); */
+
+ if (!clone_group (&host->group, root_group, MDL))
+ {
+ log_fatal ("can't clone group for host %s", host->name);
+ host_dereference (&host, MDL);
+ ldap_msgfree (res);
+ return (0);
+ }
+
+ ldap_parse_options (ent, host->group, HOST_DECL, host, NULL);
+
+ *hp = host;
+ ldap_msgfree (res);
+ return (1);
+ }
+ else
+ {
+ log_info ("did not find clientid: %s", buf);
+ }
+
+ if(res) ldap_msgfree (res);
+ return (0);
+
+}
+
+#if defined(LDAP_USE_GSSAPI)
+static int
+_ldap_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *sin)
+{
+ sasl_interact_t *in;
+ struct ldap_sasl_instance *ldap_inst = defaults;
+ int ret = LDAP_OTHER;
+ size_t size;
+
+ if (ld == NULL || sin == NULL)
+ return LDAP_PARAM_ERROR;
+
+ log_info("doing interactive bind");
+ for (in = sin; in != NULL && in->id != SASL_CB_LIST_END; in++) {
+ switch (in->id) {
+ case SASL_CB_USER:
+ log_info("got request for SASL_CB_USER %s", ldap_inst->sasl_authz_id);
+ size = strlen(ldap_inst->sasl_authz_id);
+ in->result = ldap_inst->sasl_authz_id;
+ in->len = size;
+ ret = LDAP_SUCCESS;
+ break;
+ case SASL_CB_GETREALM:
+ log_info("got request for SASL_CB_GETREALM %s", ldap_inst->sasl_realm);
+ size = strlen(ldap_inst->sasl_realm);
+ in->result = ldap_inst->sasl_realm;
+ in->len = size;
+ ret = LDAP_SUCCESS;
+ break;
+ case SASL_CB_AUTHNAME:
+ log_info("got request for SASL_CB_AUTHNAME %s", ldap_inst->sasl_authc_id);
+ size = strlen(ldap_inst->sasl_authc_id);
+ in->result = ldap_inst->sasl_authc_id;
+ in->len = size;
+ ret = LDAP_SUCCESS;
+ break;
+ case SASL_CB_PASS:
+ log_info("got request for SASL_CB_PASS %s", ldap_inst->sasl_password);
+ size = strlen(ldap_inst->sasl_password);
+ in->result = ldap_inst->sasl_password;
+ in->len = size;
+ ret = LDAP_SUCCESS;
+ break;
+ default:
+ goto cleanup;
+ }
+ }
+ return ret;
+
+cleanup:
+ in->result = NULL;
+ in->len = 0;
+ return LDAP_OTHER;
+}
+#endif /* LDAP_USE_GSSAPI */
+
+
#endif
diff --git a/server/ldap_casa.c b/server/ldap_casa.c
index 952d9b96..cd101570 100644
--- a/server/ldap_casa.c
+++ b/server/ldap_casa.c
@@ -55,8 +55,10 @@
*/
#if defined(LDAP_CASA_AUTH)
-#include "ldap_casa.h"
#include "dhcpd.h"
+#include "ldap_casa.h"
+#include <dlfcn.h>
+#include <string.h>
int
load_casa (void)
diff --git a/server/ldap_krb_helper.c b/server/ldap_krb_helper.c
new file mode 100644
index 00000000..1dcab802
--- /dev/null
+++ b/server/ldap_krb_helper.c
@@ -0,0 +1,216 @@
+/* ldap_krb_helper.c
+
+ Helper routings for allowing LDAP to read configuration with GSSAPI/krb auth */
+
+/*
+ * Copyright (c) 2014 William B.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of The Internet Software Consortium nor the names
+ * of its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
+ * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This helper was written by William Brown <william@adelaide.edu.au>,
+ * inspired by krb5_helper.c from bind-dyndb-ldap by Simo Sorce (Redhat)
+ */
+#if defined(LDAP_USE_GSSAPI)
+
+#include "dhcpd.h"
+#include "ldap_krb_helper.h"
+
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <time.h>
+
+#define KRB_DEFAULT_KEYTAB "FILE:/etc/dhcp/dhcp.keytab"
+#define KRB_MIN_TIME 300
+
+#define CHECK_KRB5(ctx, err, msg, ...) \
+ do { \
+ if (err) { \
+ const char * errmsg = krb5_get_error_message(ctx, err); \
+ log_error("Err: %s -> %s\n", msg, errmsg); \
+ result = ISC_R_FAILURE; \
+ goto cleanup; \
+ } \
+ } while (0)
+
+#define CHECK(ret_code, msg) \
+ if (ret_code != 0) { \
+ log_error("Error, %i %s\n", ret_code, msg); \
+ goto cleanup; \
+ }
+
+static isc_result_t
+check_credentials(krb5_context context, krb5_ccache ccache, krb5_principal service)
+{
+ char *realm = NULL;
+ krb5_creds creds;
+ krb5_creds mcreds;
+ krb5_error_code krberr;
+ krb5_timestamp now;
+ isc_result_t result = ISC_R_FAILURE;
+
+ memset(&mcreds, 0, sizeof(mcreds));
+ memset(&creds, 0, sizeof(creds));
+
+ krberr = krb5_get_default_realm(context, &realm);
+ CHECK_KRB5(context, krberr, "Failed to retrieve default realm");
+
+ krberr = krb5_build_principal(context, &mcreds.server,
+ strlen(realm), realm,
+ "krbtgt", realm, NULL);
+ CHECK_KRB5(context, krberr, "Failed to build 'krbtgt/REALM' principal");
+
+ mcreds.client = service;
+
+ krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
+
+ if (krberr) {
+ const char * errmsg = krb5_get_error_message(context, krberr);
+ log_error("Credentials are not present in cache (%s)\n", errmsg);
+ krb5_free_error_message(context, errmsg);
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+ CHECK_KRB5(context, krberr, "Credentials are not present in cache ");
+
+ krberr = krb5_timeofday(context, &now);
+ CHECK_KRB5(context, krberr, "Failed to get time of day");
+
+
+ if (now > (creds.times.endtime + KRB_MIN_TIME)) {
+ log_error("Credentials cache expired");
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ } else {
+ char buf[255];
+ char fill = ' ';
+ krb5_timestamp_to_sfstring(creds.times.endtime, buf, 16, &fill);
+ log_info("Credentials valid til %s\n", buf);
+ }
+
+ result = ISC_R_SUCCESS;
+
+cleanup:
+ krb5_free_cred_contents(context, &creds);
+ if (mcreds.server) krb5_free_principal(context, mcreds.server);
+ if (realm) krb5_free_default_realm(context, realm);
+ return result;
+}
+
+isc_result_t
+krb5_get_tgt(const char *principal, const char *keyfile)
+{
+ isc_result_t result = ISC_R_FAILURE;
+ char *ccname = NULL;
+ krb5_context context = NULL;
+ krb5_error_code krberr;
+ krb5_ccache ccache = NULL;
+ krb5_principal kprincpw = NULL;
+ krb5_creds my_creds;
+ krb5_creds * my_creds_ptr = NULL;
+ krb5_get_init_creds_opt options;
+ krb5_keytab keytab = NULL;
+ int ret;
+
+ if (keyfile == NULL || keyfile[0] == '\0') {
+ keyfile = KRB_DEFAULT_KEYTAB;
+ log_info("Using default keytab %s\n", keyfile);
+ } else {
+ if (strncmp(keyfile, "FILE:", 5) != 0) {
+ log_error("Unknown keytab path format: Does it start with FILE:?\n");
+ return ISC_R_FAILURE;
+ }
+ }
+
+ krberr = krb5_init_context(&context);
+ CHECK_KRB5(NULL, krberr, "Kerberos context initialization failed");
+
+ result = ISC_R_SUCCESS;
+
+ ccname = "MEMORY:dhcp_ld_krb5_cc";
+ log_info("Using ccache %s\n" , ccname);
+
+ ret = setenv("KRB5CCNAME", ccname, 1);
+ if (ret == -1) {
+ log_error("Failed to setup environment\n");
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+
+ krberr = krb5_cc_resolve(context, ccname, &ccache);
+ CHECK_KRB5(context, krberr, "Couldnt resolve ccache '%s'", ccname);
+
+ krberr = krb5_parse_name(context, principal, &kprincpw);
+ CHECK_KRB5(context, krberr, "Failed to parse princ '%s'", princpal);
+
+ result = check_credentials(context, ccache, kprincpw);
+ if (result == ISC_R_SUCCESS) {
+ log_info("Found valid kerberos credentials\n");
+ goto cleanup;
+ } else {
+ log_error("No valid krb5 credentials\n");
+ }
+
+ krberr = krb5_kt_resolve(context, keyfile, &keytab);
+ CHECK_KRB5(context, krberr,
+ "Failed to resolve kt files '%s'\n", keyfile);
+
+ memset(&my_creds, 0, sizeof(my_creds));
+ memset(&options, 0, sizeof(options));
+
+ krb5_get_init_creds_opt_set_tkt_life(&options, KRB_MIN_TIME * 2);
+ krb5_get_init_creds_opt_set_address_list(&options, NULL);
+ krb5_get_init_creds_opt_set_forwardable(&options, 0);
+ krb5_get_init_creds_opt_set_proxiable(&options, 0);
+
+ krberr = krb5_get_init_creds_keytab(context, &my_creds, kprincpw,
+ keytab, 0, NULL, &options);
+ CHECK_KRB5(context, krberr, "Failed to get initial credentials TGT\n");
+
+ my_creds_ptr = &my_creds;
+
+ krberr = krb5_cc_initialize(context, ccache, kprincpw);
+ CHECK_KRB5(context, krberr, "Failed to init ccache\n");
+
+ krberr = krb5_cc_store_cred(context, ccache, &my_creds);
+ CHECK_KRB5(context, krberr, "Failed to store credentials\n");
+
+ result = ISC_R_SUCCESS;
+ log_info("Successfully init krb tgt %s", principal);
+
+cleanup:
+ if (ccache) krb5_cc_close(context, ccache);
+ if (keytab) krb5_kt_close(context, keytab);
+ if (kprincpw) krb5_free_principal(context, kprincpw);
+ if (my_creds_ptr) krb5_free_cred_contents(context, &my_creds);
+ if (context) krb5_free_context(context);
+ return result;
+}
+
+#endif /* defined(LDAP_USE_GSSAPI) */
diff --git a/server/mdb.c b/server/mdb.c
index 219db506..9a7da80b 100644
--- a/server/mdb.c
+++ b/server/mdb.c
@@ -645,6 +645,11 @@ find_hosts_by_option(struct host_decl **hp,
int found;
struct packet *relay_packet;
struct option_state *relay_state;
+
+#if defined(LDAP_CONFIGURATION)
+ if ((found = find_client_in_ldap (hp, packet, opt_state, file, line)))
+ return found;
+#endif
for (p = host_id_info; p != NULL; p = p->next) {
relay_packet = packet;
diff --git a/server/stables.c b/server/stables.c
index 4d53a834..963503e7 100644
--- a/server/stables.c
+++ b/server/stables.c
@@ -258,7 +258,12 @@ static struct option server_options[] = {
{ "ldap-tls-crlcheck", "Nldap-tls-crlcheck.", &server_universe, 75, 1 },
{ "ldap-tls-ciphers", "t", &server_universe, 76, 1 },
{ "ldap-tls-randfile", "t", &server_universe, 77, 1 },
+ { "ldap-init-retry", "d", &server_universe, SV_LDAP_INIT_RETRY, 1 },
#endif /* LDAP_USE_SSL */
+#if defined(LDAP_USE_GSSAPI)
+ { "ldap-gssapi-keytab", "t", &server_universe, SV_LDAP_GSSAPI_KEYTAB, 1},
+ { "ldap-gssapi-principal", "t", &server_universe, SV_LDAP_GSSAPI_PRINCIPAL, 1},
+#endif /* LDAP_USE_GSSAPI */
#endif /* LDAP_CONFIGURATION */
{ "dhcp-cache-threshold", "B", &server_universe, 78, 1 },
{ "dont-use-fsync", "f", &server_universe, 79, 1 },
diff --git a/server/tests/Makefile.in b/server/tests/Makefile.in
index d0da6aa4..0bd2e3bd 100644
--- a/server/tests/Makefile.in
+++ b/server/tests/Makefile.in
@@ -293,6 +293,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
diff --git a/tests/Makefile.in b/tests/Makefile.in
index 64297ae4..50c22fb2 100644
--- a/tests/Makefile.in
+++ b/tests/Makefile.in
@@ -184,6 +184,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@