Bug 1150542
| Summary: | [RFE][PATCH] Add GSSAPI support for ldap authentication | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | William Brown <william> | ||||
| Component: | dhcp | Assignee: | Jiri Popelka <jpopelka> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 20 | CC: | jpopelka, thozza | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | dhcp-4.3.1-14.fc22 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-11-04 16:13:45 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
I've applied your patch in rawhide (F22), I'd rather avoid applying it in F21 as the beta is already out. http://pkgs.fedoraproject.org/cgit/dhcp.git/tree/dhcp-ldapgssapi.patch Regarding upstream: I think it'll be better if you (as author) send it upstream (dhcp-bugs). I don't think my name (behind the submission) would make any difference. (In reply to Jiri Popelka from comment #1) > I think it'll be better if you (as author) send it upstream > (dhcp-bugs). Please CC me. (In reply to Jiri Popelka from comment #1) > I've applied your patch in rawhide (F22) But now I see I haven't enabled (--with-krb5) it during build :-( > Regarding upstream: > I think it'll be better if you (as author) send it upstream > (dhcp-bugs). Good news from ISC: "We are now finishing the work on adding some of the LDAP patches into our code base. We have tried our patch to verify that it builds but we don't have a set up to verify that the LDAP portion works correctly. (As this continues to be classified as contributed code we don't have the time to properly verify it.)" William, your ldap gssapi auth patch is there too and will most likely be included in 4.3.3. I've been asked by ISC to test the patch and I promised to ask someone as I don't know how to test it myself. I've created a testing RPMs with the upstream patch applied (and --with-krb5 this time). Would you mind testing them and provide a feedback to ISC (sar) ? 'dnf copr enable jpopelka/dhcp-ldap-auth' is all you need to do to enable the testing repo (https://copr.fedoraproject.org/coprs/jpopelka/dhcp-ldap-auth) Thanks |
Created attachment 944976 [details] Patch to enable ldapgssapi Description of problem: Ldap is one of the back-ends available for isc dhcpd. A common config is not to use a service account with username + password, but with AD or FreeIPA to have a krb keytab available. This patch allows the dhcpd config to specify a keytab, and for dhcpd to use this to enable ldap gssapi authentication. I have been running this in production for about 2 months solid now with no issue. ccache refresh has been no issue, nor has multiple threads or load. It's likely this patch is "99%" of the way there, and I think that with a tiny bit of guidance from one of the dhcpd maintainers in fedora it would be accepted upstream.