Bug 20222 - DHCP policy statements applied to wrong DHCP types
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: DHCP
UCS 4.3
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Philipp Hahn
Arvid Requate
Duplicates: 20578 23402
Depends on: 3595 7832
Blocks: 20226
Reported: 2010-10-01 14:21 CEST by Philipp Hahn
Modified: 2019-04-17 14:07 CEST (History)
CC List: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018111921000247
Bug group (optional): Cleanup
Max CVSS v3 score:
hahn: Patch_Available+


Attachments
syslog2dhcpd.conf (141 bytes, text/plain)
2010-10-01 14:39 CEST, Philipp Hahn

Description Philipp Hahn univentionstaff 2010-10-01 14:21:46 CEST
DHCP policies can be bound to various DHCP objects such as
 objectClass: dhcpServer
 objectClass: dhcpSharedNetwork
 objectClass: univentionDhcpHost
 objectClass: univentionDhcpService
 objectClass: univentionDhcpSharedSubnet
 objectClass: univentionDhcpSubnet
This results in the statements generated by the policies being emitted at positions in the live-generated configuration file where they are not allowed.
In particular, the allow/deny policies must not be bound to univentionDhcpService. (There are more cases, but I can't think of them right now.)

When generating the live configuration file, statements should, where possible, only be generated if they are actually valid at that position, since otherwise binding policies to univentionDhcpService very quickly leads to faulty configurations and dhcpd no longer starts.
Empty values also sometimes cause a value to be missing inside a statement, which confuses the parser:
 filename "pxelinux.0";
 option domain-name "multiselektivrep.test";
 option domain-name-servers ;
                            ^ ERROR

To debug such faulty configuration files it is helpful to extract the generated lines from /var/log/syslog and look for the errors there; in particular, the line numbers given in syslog then make sense again:
sed -ne "s/.*dhcpd: Sending config line '\(.*\)'/\1/" -e T -e 's/#DHCP Service /\n/' -e 's/\([;{]\) /\1\n/g' -e 's/\n*$//' -e p /var/log/syslog
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2010-10-01 14:28:31 CEST
From the patch 50_dhcp_policy.patch for dhcp3:

Function univention_parse_policy(...):
+       case STATEMENT_NORMAL:
+       /* Add comma separated list of attribute values after statement name */
+         strncat(buf, dhcp_name, bufsize);
+         strncat(buf, " ", bufsize);
+         for (i=0; presult->values[i] != NULL; i++) {
+           if (i > 0)
+             strncat(buf, ", ", bufsize);
+           if (quotes)
+             strncat(buf, "\"", bufsize);
+           strncat(buf, presult->values[i], bufsize);
+           if (quotes)
+             strncat(buf, "\"", bufsize);
+         }
+         strncat(buf, ";\n", bufsize);
+         break;
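Review bot: In this STATEMENT_NORMAL case dhcp_name and the trailing ";\n" are appended unconditionally, so an empty presult->values list still produces a half-formed line such as `option domain-name-servers ;`; check `presult->values[0] == NULL` and `break` before the first strncat. Separately, strncat's third argument limits the number of characters appended, not the total size of buf, so passing bufsize on every call does not prevent buf from being overrun once the accumulated text approaches bufsize; pass the remaining space (bufsize - strlen(buf) - 1) or use a helper that tracks it.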

Here dhcp_name (==> "option domain-name-servers") is always inserted and terminated with ";\n", even if presult->values[0] == NULL (==> list is empty).
This then leads to incorrect config entries.
STATEMENT_REVERSE should be checked as well. At first glance it doesn't look any more correct.
Comment 2 Philipp Hahn univentionstaff 2010-10-01 14:39:27 CEST
Created attachment 2729
syslog2dhcpd.conf

sed script to extract the dhcpd.conf from /var/log/syslog
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2010-11-02 20:52:30 CET
*** Bug 20578 has been marked as a duplicate of this bug. ***
Comment 4 Philipp Hahn univentionstaff 2011-12-09 23:23:12 CET
Inside a pool{} statement the following statements, among others, are illegal:
  deny client-updates;
  ddns-hostname
Comment 5 Philipp Hahn univentionstaff 2012-09-12 15:55:15 CEST
For univentionDhcpAuthoritative only the following makes sense:
  if (context & (CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_SERVICE))
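The two rules this bug keeps circling back to (the description, comment 1, comment 4 and comment 5) are: emit a policy statement only in a context where dhcpd accepts it, and never emit a statement whose value list is empty. The C model below is an added example written for this page, not code from univention's dhcp packaging or from any of the patches quoted here. The numeric CONTEXT_* bit values, the rendering of STATEMENT_REVERSE as `<allow|deny> <name>;` (inferred from the "deny unknown clients;" line in comment 11), the per-statement context masks other than the unknown-clients one (which follows the patch in comment 8) and the sample values are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Context bits named after the CONTEXT_* identifiers quoted in this bug
 * (numeric values assumed for the example). */
enum context {
    CONTEXT_SERVICE = 1 << 0, CONTEXT_SHARED_NETWORK = 1 << 1, CONTEXT_SUBNET = 1 << 2, CONTEXT_POOL = 1 << 3,
    CONTEXT_HOST = 1 << 4, CONTEXT_GROUP = 1 << 5, CONTEXT_CLASS = 1 << 6, CONTEXT_SUBCLASS = 1 << 7
};
#define CONTEXT_ANY (CONTEXT_SERVICE | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_POOL | \
                     CONTEXT_HOST | CONTEXT_GROUP | CONTEXT_CLASS | CONTEXT_SUBCLASS)

/* NORMAL renders "<name> v1, v2;"; REVERSE renders "<value> <name>;" such as
 * "deny unknown-clients;" (layout inferred from comment 11, an assumption). */
enum statement_kind { STATEMENT_NORMAL, STATEMENT_REVERSE };

struct policy_rule {
    const char *dhcp_name;     /* statement name as written to dhcpd.conf */
    unsigned allowed_contexts; /* contexts in which the statement is legal */
    enum statement_kind kind; int quotes; /* quotes: wrap each value in "..." */
};

/* Append src to dst without exceeding dstsize; dst is left unchanged on
 * overflow.  strncat's third argument bounds only the appended part, so
 * strncat(buf, s, bufsize) as in comment 1 cannot give this guarantee. */
static int append(char *dst, size_t dstsize, const char *src)
{
    size_t used = strlen(dst), need = strlen(src);
    if (used + need + 1 > dstsize)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Render one statement into buf.  Returns 1 if written, 0 if skipped (illegal
 * in this context, or no values), -1 if buf is too small (buf restored). */
int emit_policy(char *buf, size_t bufsize, const struct policy_rule *rule,
                unsigned context, const char *const *values)
{
    size_t start = strlen(buf);
    int i, err = 0;
    if (!(context & rule->allowed_contexts)) return 0;
    if (values == NULL || values[0] == NULL) return 0; /* else "option domain-name-servers ;" */
    if (rule->kind == STATEMENT_REVERSE) {
        err |= append(buf, bufsize, values[0]);
        err |= append(buf, bufsize, " ");
        err |= append(buf, bufsize, rule->dhcp_name);
    } else {
        err |= append(buf, bufsize, rule->dhcp_name);
        for (i = 0; values[i] != NULL; i++) {
            err |= append(buf, bufsize, i > 0 ? ", " : " ");
            err |= append(buf, bufsize, rule->quotes ? "\"" : "");
            err |= append(buf, bufsize, values[i]);
            err |= append(buf, bufsize, rule->quotes ? "\"" : "");
        }
    }
    err |= append(buf, bufsize, ";\n");
    if (err) { buf[start] = '\0'; return -1; }
    return 1;
}

/* Constructed rule table; only the unknown-clients mask is from the page (the
 * patch in comment 8 drops CONTEXT_POOL), the others are assumed. */
static const struct policy_rule rule_dns      = { "option domain-name-servers", CONTEXT_ANY, STATEMENT_NORMAL, 0 };
static const struct policy_rule rule_domain   = { "option domain-name", CONTEXT_ANY, STATEMENT_NORMAL, 1 };
static const struct policy_rule rule_filename = { "filename", CONTEXT_ANY & ~CONTEXT_POOL, STATEMENT_NORMAL, 1 };
static const struct policy_rule rule_unknown  = { "unknown-clients", CONTEXT_CLASS | CONTEXT_SUBCLASS |
    CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_GROUP | CONTEXT_SERVICE, STATEMENT_REVERSE, 0 };
static char scratch[512];   /* shared output buffer */

/* Render the constructed sample policies for one context into out.
 * Returns the number of statements written, or -1 on overflow. */
int render_context(unsigned context, char *out, size_t outsize)
{
    static const char *const dns[]   = { "10.0.0.1", "10.0.0.2", NULL };
    static const char *const pxe[]   = { "pxelinux.0", NULL };
    static const char *const empty[] = { NULL };        /* policy with no value set */
    static const char *const deny[]  = { "deny", NULL };
    const struct { const struct policy_rule *rule; const char *const *values; } samples[] = {
        { &rule_dns, dns }, { &rule_filename, pxe }, { &rule_domain, empty }, { &rule_unknown, deny }
    };
    size_t i;
    int n = 0;
    out[0] = '\0';
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = emit_policy(out, outsize, samples[i].rule, context, samples[i].values);
        if (r < 0) return -1;
        n += r;
    }
    return n;
}

int main(void)
{
    render_context(CONTEXT_SUBNET, scratch, sizeof scratch);
    printf("subnet 10.0.0.0 netmask 255.255.255.0 {\n%s}\n", scratch);
    render_context(CONTEXT_POOL, scratch, sizeof scratch);   /* no unknown-clients line here */
    printf("pool {\n%s}\n", scratch);
    return 0;
}
```

For the subnet context the model writes three statements and silently drops the empty `option domain-name` policy; for the pool context it additionally drops `filename` and `deny unknown-clients;`, which is the effect the later errata patch restores for unknown-clients. The append helper refuses rather than truncates, so a too-small buffer yields an empty result and -1 instead of a half-written statement that dhcpd would reject at start-up.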
Comment 6 Stefan Gohmann univentionstaff 2016-04-25 07:52:08 CEST
This issue has been filed against UCS 2.4.

UCS 2.4 is out of maintenance and many UCS components have vastly changed in
later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug".
In this case please provide detailed information on how this issue is affecting
you.
Comment 7 Philipp Hahn univentionstaff 2016-10-31 14:03:05 CET
*** Bug 23402 has been marked as a duplicate of this bug. ***
Comment 8 Philipp Hahn univentionstaff 2018-11-20 09:30:51 CET
DHCP policy "policies/dhcp_scope" cannot be applied to dhcp/pool, but its value for "unknownClients" is still affecting it.

ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/policies/dhcp_scope.py:65
> policy_apply_to = ["dhcp/service", "dhcp/subnet", "dhcp/host", "dhcp/sharedsubnet", "dhcp/shared"]

From a950995fd047f273ca2b729b2b3e921acefba0ba Mon Sep 17 00:00:00 2001
Message-Id: <a950995fd047f273ca2b729b2b3e921acefba0ba.1542702578.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Tue, 20 Nov 2018 09:28:29 +0100
Subject: [PATCH] Bug #20222: remove univentionDhcpUnknownClients for pools

---
 server/ldap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/ldap.c b/server/ldap.c
index c6c1ce3b..e71d68fa 100644
--- a/server/ldap.c
+++ b/server/ldap.c
@@ -645,7 +645,7 @@ univention_parse_policies (enum CONTEXT context, LDAPMessage * ent, struct parse
   univention_parse_policy(phandle, "univentionDhcpLeaseTimeMax", "max-lease-time", NULL, 0, STATEMENT_NORMAL, cfile);
   if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_POOL | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222
   univention_parse_policy(phandle, "univentionDhcpLeaseTimeDefault", "default-lease-time", NULL, 0, STATEMENT_NORMAL, cfile);
-  if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_POOL | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222
+  if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222
   univention_parse_policy(phandle, "univentionDhcpUnknownClients", "unknown-clients", NULL, 0, STATEMENT_REVERSE, cfile);
   if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222
   univention_parse_policy(phandle, "univentionDhcpBootp", "bootp", NULL, 0, STATEMENT_REVERSE, cfile);
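Review bot: Each `if (context & (...))` here guards a single unbraced call on the following line, which is what makes these near-identical masks easy to mis-edit; braces would make the pairing explicit, and since the new unknown-clients mask is now identical to the bootp mask two lines below, a shared constant for the contexts in which STATEMENT_REVERSE policies are legal would avoid the duplication. The commit message should also state the user-visible effect (a univentionDhcpUnknownClients policy inherited from the parent no longer emits an allow/deny unknown-clients statement inside pool {} blocks), since the in-code comment only cites the bug number.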
-- 
2.11.0
Comment 9 Philipp Hahn univentionstaff 2019-03-26 12:57:38 CET
r18525 | Bug #20222 dhcp: unknownClients @ -POOL

Package: isc-dhcp
Version: 4.3.5-3+deb9u1A~4.4.0.201903251533
Branch: ucs_4.4-0
Scope: errata4.4-0

[4.4-0] 3a9e33d784 Bug #20222: isc-dhcp 4.3.5-3+deb9u1A~4.4.0.201903251533
 doc/errata/staging/isc-dhcp.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

QA: ~/BUG/20222-dhcp-policy.sh
Comment 10 Felix Botner univentionstaff 2019-04-05 11:53:55 CEST
@arvid, sorry I couldn't make it, please find somebody else for QA if this is important
Comment 11 Arvid Requate univentionstaff 2019-04-11 20:15:07 CEST
Ok, works. Once activated the log file /var/log/dhcp-ldap-startup.log shows that the pool config now has "deny known clients;" instead of "deny unknown clients;" after using UMC to configure the pool as described in the ticket.

Advisory: Ok.

Note: It's a bit ugly that the 30_policy.quilt file still contains 27 comments referencing this bug. But apparently there are still things to be improved, so we better keep the "pointer" to this bug there.
Comment 12 Erik Damrose univentionstaff 2019-04-17 14:07:11 CEST
<http://errata.software-univention.de/ucs/4.4/48.html>