Bug 1150542 - [RFE][PATCH] Add GSSAPI support for ldap authentication
Summary: [RFE][PATCH] Add GSSAPI support for ldap authentication
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jiri Popelka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-08 12:13 UTC by William Brown
Modified: 2015-07-15 11:20 UTC (History)

Fixed In Version: dhcp-4.3.1-14.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-04 16:13:45 UTC
Type: Bug
Embargoed:


Attachments:
Patch to enable ldapgssapi (22.21 KB, patch), 2014-10-08 12:13 UTC, William Brown

Description William Brown 2014-10-08 12:13:58 UTC
Created attachment 944976
Patch to enable ldapgssapi

Description of problem:
LDAP is one of the back-ends available for ISC dhcpd. A common config is not to use a service account with username + password, but, with AD or FreeIPA, to have a krb keytab available. This patch allows the dhcpd config to specify a keytab, and for dhcpd to use this to enable LDAP GSSAPI authentication.

I have been running this in production for about 2 months solid now with no issue. ccache refresh has been no issue, nor has multiple threads or load. 

It's likely this patch is "99%" of the way there, and I think that with a tiny bit of guidance from one of the dhcpd maintainers in fedora it would be accepted upstream.
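
The switch described in the report above, as an added example that is not part of the bug report or of the attached patch: the same LDAP backend configured first with a bind DN and a static password in dhcpd.conf, then with a keytab so that dhcpd binds over SASL/GSSAPI and no secret sits in the config file. Hostnames, DN, realm and keytab path are made up. The statement names ldap-gssapi-keytab and ldap-gssapi-principal are assumed (the attached patch is not reproduced on this page); check dhcpd.conf(5) of the build you actually run.

```conf
# --- Before: simple bind with a password stored in dhcpd.conf ---
# The ldap-* statements below are the documented dhcpd LDAP settings;
# hostnames and DNs are made up for this example.
#
# ldap-server "ldap.example.com";
# ldap-port 389;
# ldap-username "cn=dhcp,cn=users,dc=example,dc=com";
# ldap-password "hunter2";           # secret readable by anyone who can read this file
# ldap-base-dn "dc=example,dc=com";
# ldap-method dynamic;

# --- After: Kerberos keytab, GSSAPI bind, no password in the config ---
ldap-server "ldap.example.com";
ldap-port 389;
ldap-base-dn "dc=example,dc=com";
ldap-method dynamic;

# Statement names assumed for this example; verify against dhcpd.conf(5)
# for the dhcpd build you run (the build must have krb5 support enabled).
ldap-gssapi-keytab "/etc/dhcp/dhcp.keytab";
ldap-gssapi-principal "dhcp/dhcp1.example.com@EXAMPLE.COM";

# Start-up diagnostics for the LDAP bind go here; useful while testing.
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
```

Keep the keytab owned by and readable only by the account dhcpd runs as (mode 0600). Before restarting dhcpd, prove the keytab and the directory's GSSAPI setup independently of dhcpd: `kinit -kt /etc/dhcp/dhcp.keytab dhcp/dhcp1.example.com@EXAMPLE.COM` followed by `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com` should print the authorization identity the directory maps that principal to, and that identity is what needs write access to the DHCP subtree when `ldap-method dynamic` is used. If the bind fails only under dhcpd, confirm the package was built with `--with-krb5` (Comment 3 below notes the first Fedora build was not).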

Comment 1 Jiri Popelka 2014-11-04 16:13:45 UTC
I've applied your patch in rawhide (F22), I'd rather avoid applying it in F21 as the beta is already out.
http://pkgs.fedoraproject.org/cgit/dhcp.git/tree/dhcp-ldapgssapi.patch

Regarding upstream:
I think it'll be better if you (as author) send it upstream (dhcp-bugs).
I don't think my name (behind the submission) would make any difference.

Comment 2 Jiri Popelka 2014-11-04 16:15:27 UTC
(In reply to Jiri Popelka from comment #1)
> I think it'll be better if you (as author) send it upstream
> (dhcp-bugs).

Please CC me.

Comment 3 Jiri Popelka 2015-07-15 11:20:22 UTC
(In reply to Jiri Popelka from comment #1)
> I've applied your patch in rawhide (F22)

But now I see I haven't enabled (--with-krb5) it during build :-(

> Regarding upstream:
> I think it'll be better if you (as author) send it upstream
> (dhcp-bugs).

Good news from ISC:

"We are now finishing the work on adding some of the LDAP patches
into our code base.  We have tried our patch to verify that it builds
but we don't have a set up to verify that the LDAP portion works
correctly.  (As this continues to be classified as contributed code
we don't have the time to properly verify it.)"

William,

your ldap gssapi auth patch is there too and will most likely be included in 4.3.3. I've been asked by ISC to test the patch and I promised to ask someone as I don't know how to test it myself. I've created testing RPMs with the upstream patch applied (and --with-krb5 this time). Would you mind testing them and providing feedback to ISC (sar)?

'dnf copr enable jpopelka/dhcp-ldap-auth' is all you need to do to enable the testing repo (https://copr.fedoraproject.org/coprs/jpopelka/dhcp-ldap-auth)

Thanks

