Bug 31650 - Improve DHCP documentation
Status: CLOSED FIXED
Product: UCS manual
Classification: Unclassified
Component: IP and network management (DHCP, DNS, firewall, proxy)
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2
Assigned To: Moritz Muehlenhoff
QA Contact: Philipp Hahn
Duplicates: 16863
Depends on:
Blocks: 33317
Reported: 2013-06-05 11:57 CEST by Janis Meybohm
Modified: 2015-04-01 13:49 CEST
Description Janis Meybohm univentionstaff 2013-06-05 11:57:18 CEST
We should improve the DHCP documentation in the following points:

* It should be made clear that (if that is true ;)) one DHCP server may only hold one DHCP Service (i.e. you need another DHCP server if you want to create a second DHCP service).

* There should be a description on how exactly the processing of DHCP policies works. That direct policy assignments (at DHCP service or DHCP host level) are preferred over the policies assigned to a DHCP subnet. (And that it is possible to assign DHCP policies to the subnet if there is no "direct" policy attached somewhere in the LDAP tree)


* It should be described how one can evaluate the DHCP policies for a DHCP host, e.g.
udm dhcp/host list --superordinate X,Y,Z --policies 1
Comment 1 Philipp Hahn univentionstaff 2013-11-09 00:06:26 CET
(In reply to Janis Meybohm from comment #0)
> * It should be made clear that (if that is true ;))
true.

> one DHCP server may only hold one DHCP Service 
In LDAP the server and service are reversed: The top-level element is the service and therein is one or more servers providing that service.

> (i.e. you need another DHCP server if you want to create a second DHCP service).
yes.

> * There should be a description on how exactly the processing of DHCP
> policies works. That direct policy assignments (at DHCP service or DHCP host
> level) are preferred over the policies assigned to a DHCP subnet. (And that
> it is possible to assign DHCP policies to the subnet if there is no "direct"
> policy attached somewhere in the LDAP tree)

Also see Bug #32585: ISC-DHCP has a built-in inheritance mechanism, which clashes with the UDM policy mechanism. The LDAP configuration/tree looks like this:
Service
+-Server...
+-Shared-Network...
| +-Shared-Subnet...
|   +-Pool...
+-Subnet...
| +-Pool...
+-Host...
The ISC-DHCP-Server uses the following order (highest to lowest): host, pool, subnet, network, service.

But a UDM policy attached to the service also gets applied to all host entries, as they're children of that service container. So policies attached to the network/subnet/pool are more-or-less ignored, when a policy of that type is already referenced by the service container.

Adding "prohibitedObjectClasses: univentionDhcpHost" to the policy used for the service prevents the policy from being applied to the host entries and restores the expected order.

> * It should be described how one can evaluate the DHCP policies for a DHCP
> host, e.g.
> udm dhcp/host list --superordinate X,Y,Z --policies 1

See Bug #21585 on why "--policies" does not work with UCS-3.2.
To get the right values "univention_policy_result" must be called for the host, pool, subnet, network, service in that order by hand and the results be merged manually. The first set value wins. The right pool/subnet/network/service must be determined manually.
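
Added example (not part of the original comment and not Univention code): a simplified Python model of the manual merge described in comment 1, showing how a service-level policy inherited by host entries shadows a subnet policy and how excluding univentionDhcpHost restores the expected order. The function names, the inheritance model in host_view() and the sample values are assumptions constructed for illustration.

```python
import re

# Precedence from comment 1, highest to lowest; the first set value wins.
ISC_ORDER = ("host", "pool", "subnet", "network", "service")
_SETTING = re.compile(r'^\s*([A-Za-z][\w-]*)="(.*)"\s*$')


def parse_settings(text):
    """Parse key="value" lines (the form shown in the listing in comment 2)."""
    settings = {}
    for line in text.splitlines():
        match = _SETTING.match(line)
        if match:
            settings.setdefault(match.group(1), []).append(match.group(2))
    return settings


def host_view(attached, service_policy_prohibits_hosts=False):
    """Per-level results as each object would report them (simplified model).

    A host entry is a child of the service container, so it inherits the
    service's policy values unless that policy excludes univentionDhcpHost.
    """
    results = {level: dict(attached.get(level, {})) for level in ISC_ORDER}
    if not service_policy_prohibits_hosts:
        for attr, values in attached.get("service", {}).items():
            results["host"].setdefault(attr, values)
    return results


def merge_first_wins(results):
    """Merge per-level results in ISC_ORDER; return {attr: (values, level)}."""
    merged = {}
    for level in ISC_ORDER:
        for attr, values in results.get(level, {}).items():
            merged.setdefault(attr, (values, level))
    return merged


# Constructed sample policies: one on the service, one on the subnet.
ATTACHED = {
    "service": parse_settings('univentionDhcpDomainNameServers="192.0.2.1"\n'
                              'univentionDhcpDomainName="example.test"'),
    "subnet": parse_settings('univentionDhcpDomainNameServers="192.0.2.53"'),
}

if __name__ == "__main__":
    for prohibit in (False, True):
        merged = merge_first_wins(host_view(ATTACHED, prohibit))
        print(prohibit, merged["univentionDhcpDomainNameServers"])
```

The second element of each result names the level the value came from, which makes it visible when a subnet policy is being silently overridden.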
Comment 2 Philipp Hahn univentionstaff 2013-11-11 09:38:57 CET
(In reply to Philipp Hahn from comment #1)
> > * It should be described how one can evaluate the DHCP policies for a DHCP
> > host, e.g.
> > udm dhcp/host list --superordinate X,Y,Z --policies 1
> 
> See Bug #21585 on why "--policies" does not work with UCS-3.2.

UDM-CLI has some special handling for DHCP host, which evaluates the DHCP nesting to show the merged values. With Bug #21585 fixed it looks like this:

# python /home/phahn/ucs-3.2-0/management/univention-directory-manager-modules/modules/univention/admincli/admin.py.pmh dhcp/host list --superordinate cn=foo,cn=dhcp,dc=phahn,dc=dev --policies 0

DN: cn=xxx,cn=foo,cn=dhcp,dc=phahn,dc=dev
  hwaddress: ethernet 00:11:22:33:44:55
  host: xxx
  fixedaddress: 192.168.122.12
    univentionAdminMayOverrideSettings="0"
    univentionAdminListWebModules="modself"
    univentionAdminListWizards="None"
    univentionPWLength="8"
    univentionPWHistoryLen="3"
    univentionDhcpDomainName="phahn.dev"
    univentionDhcpDomainNameServers="192.168.122.11"

  Subnet-based Settings:
    univentionAdminMayOverrideSettings="0"
    univentionAdminListWebModules="modself"
    univentionAdminListWizards="None"
    univentionPWLength="8"
    univentionPWHistoryLen="3"
    univentionDhcpDomainName="phahn.dev"
    univentionDhcpDomainNameServers="192.168.122.11"

  Merged Settings:
    univentionAdminListWizards="None"
    univentionPWLength="8"
    univentionAdminMayOverrideSettings="0"
    univentionAdminListWebModules="modself"
    univentionPWHistoryLen="3"
    univentionDhcpDomainNameServers="192.168.122.11"
    univentionDhcpDomainName="phahn.dev"

That is better than nothing, but is still incomplete, as the settings from a DHCP pool and the DHCP service are not merged in, which are also applicable for DHCP hosts.
Comment 3 Moritz Muehlenhoff univentionstaff 2013-11-11 10:50:42 CET
(In reply to Janis Meybohm from comment #0)
> We should improve the DHCP documentation in the following points:
> 
> * It should be made clear that (if that is true ;)) one DHCP server may only
> hold one DHCP Service (i.e. you need another DHCP server if you want to
> create a second DHCP service).

This was documented in 45930

> * There should be a description on how exactly the processing of DHCP
> policies works. That direct policy assignments (at DHCP service or DHCP host
> level) are preferred over the policies assigned to a DHCP subnet. (And that
> it is possible to assign DHCP policies to the subnet if there is no "direct"
> policy attached somewhere in the LDAP tree)
> 
> * It should be described how one can evaluate the DHCP policies for a DHCP
> host, e.g.
> udm dhcp/host list --superordinate X,Y,Z --policies 1

These were cloned as Bug 33232 for the extended documentation.
Comment 5 Philipp Hahn univentionstaff 2013-11-12 10:59:37 CET
*** Bug 16863 has been marked as a duplicate of this bug. ***