isc-dhcp-server-ldap (4.2.4-1ubuntu10.1) is not capable of ldap

Bug #1071928 reported by Ivo Steinmann
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
isc-dhcp (Ubuntu) | Fix Released | High | Stéphane Graber |
Quantal | Fix Released | High | Stéphane Graber |

Bug Description

== Rationale ==
The current isc-dhcp-server-ldap package doesn't actually contain LDAP support.

== Test case ==
1) Install isc-dhcp-server-ldap
2) Confirm that the binaries aren't identical to those in isc-dhcp-server
3) Try putting some of the example LDAP options in dhcpd.conf and confirm that dhcpd still starts.

== Regression potential ==
I confirmed that the main package isn't touched, so the worst that can happen is that we still won't have ldap support.

--- Original bug report ---
When I try to start dhcpd (ldap) I get this error:

Internet Systems Consortium DHCP Server 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp/dhcpd.conf line 14: semicolon expected.
ldap-server "10.0.0.1"
             ^
/etc/dhcp/dhcpd.conf line 15: semicolon expected.
ldap-port 389;
           ^

Also ldd /usr/sbin/dhcpd is not reporting any ldap dependency
linux-vdso.so.1 => (0x00007fffff9ff000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3420324000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3420af7000)

And in the package dependency libldap is also not listed. So I guess isc-dhcp-server-ldap is not compiled against ldap library.

I know from version 4.1.ESV-R4-0ubuntu5.5 that isc-dhcp-server-ldap requires the libldap-2.4-2 library.

-Ivo
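
An added example, not part of the original report or of the Ubuntu packaging: a shell check that automates step 2 of the test case and the ldd observation above. The function names, the LDD override variable and passing both binaries as paths (for instance, extracted from the two .deb files) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: check that a dhcpd built as the LDAP flavour really is one.
# LDD is an assumed override hook so the check can be exercised without real
# binaries; it defaults to the system ldd. Only run ldd on binaries you trust
# (it may execute code from the inspected file); for untrusted files read
# the NEEDED entries with `readelf -d` instead.

# same_binary A B: true when both files are byte-identical.
same_binary() {
    cmp -s "$1" "$2"
}

# links_ldap: reads ldd output on stdin, true if a libldap* library is listed.
links_ldap() {
    grep -Eq '^[[:space:]]*libldap[^[:space:]]*[[:space:]]+=>'
}

# check_ldap_flavour PLAIN LDAP
#   returns 1 if LDAP is a byte-for-byte copy of PLAIN (the failure in this bug)
#   returns 2 if LDAP differs but has no libldap dependency
#   returns 0 otherwise
check_ldap_flavour() {
    plain=$1
    ldap=$2
    if same_binary "$plain" "$ldap"; then
        echo "FAIL: $ldap is identical to $plain"
        return 1
    fi
    if ! ${LDD:-ldd} "$ldap" 2>/dev/null | links_ldap; then
        echo "FAIL: $ldap does not depend on libldap"
        return 2
    fi
    echo "OK: $ldap differs from $plain and links libldap"
    return 0
}

# Stand-alone use: sh check.sh /path/to/plain/dhcpd /path/to/ldap/dhcpd
if [ "$#" -eq 2 ]; then
    check_ldap_flavour "$1" "$2"
fi
```

Run as a post-build or post-install gate, a non-zero exit status stops a package whose "ldap" binary is a copy of the plain one from being published.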

Ivo Steinmann (isteinmann) wrote :

Also found this in the debian mailing list:
http://web.archiveorange.com/archive/v/I5pCpew67IzOvQSEyeMg

Seems to be the same problem

Christian Hoffmann (christian-hoffie) wrote :

I stumbled upon this problem as well.

The root cause is an error in the build process, more specifically the debian/rules Makefile.

First, the ldap flavour of the binary is built and moved to isc-dhcp-server-ldap/dhcpd. This works as expected, the resulting binary contains ldap symbols as expected.
Then, the normal flavour is built. The binary is left in server/dhcpd (like in a vanilla build).

Then, both of these steps are repeated again, and this is the actual problem. First, it's a useless step, second, it leads to the broken ldap binary as no make (dist)clean is invoked in between which makes "make" think that server/dhcpd is already the correct ldap binary (which it is not; it is a left-over from the first normal build); afterwards, the build process (debian/rules) overwrites the correct ldap binary in isc-dhcp-server-ldap/dhcpd with a vanilla binary. The normal flavour is "built" again as well, but this does not break anything.

The problem is complex and the patch is trivial, but I don't know if it is correct. Works for me, but YMMV. The patch fixes this problem and probably reduces build time, as the process runs only twice instead of 4 times.

The actual problem is that the "clean" target is invoked between builds, which also calls dh_clean, which in fact removes all the *stamp files, which usually avoid accidental duplicate builds. I've modified the build target to call "buildclean", which does the same thing as before, just without the dh_clean.

I would also consider this bug report really severe, as it renders the given package completely unusable and breaks existing setups.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "isc-dhcp-4.2.4-fix-ldap-build.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Stéphane Graber (stgraber) wrote :

Thanks for the patch. It'll be included in the next isc-dhcp upload which I hope to have fully tested and ready to do tomorrow.

Changed in isc-dhcp (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
importance: Undecided → High
status: New → Triaged
Changed in isc-dhcp (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Stéphane Graber (stgraber)
Stéphane Graber (stgraber) wrote :

Also marking this bug as affecting quantal (12.10), I'll prepare an SRU for it once it's confirmed that it's fixed in the development release.

Stéphane Graber (stgraber) wrote :

So I ended up going with something slightly different but giving the same result: http://paste.ubuntu.com/1542053/

I think it's a bit easier to understand, makes the stamps work as expected and as far as I can tell, the distclean call cleans up everything properly and the binaries end up being different as is expected.

Changed in isc-dhcp (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-4ubuntu1

---------------
isc-dhcp (4.2.4-4ubuntu1) raring; urgency=low

  * Merge from Debian, remaining changes:
    - Apparmor profiles for dhclient and dhcpd.
    - Upstart jobs for isc-dhcp-server, isc-dhcp-server6, isc-dhcp-relay and
      isc-dhcp-relay6. (LP: #944849)
    - Separate default file for isc-dhcp-relay6. (LP: #944849)
    - Apport hook for isc-dhcp-client and isc-dhcp-server.
    - dhclient.conf: Set for IPv6 (dhcp6.*) (LP: #770324)
    - If /etc/ltsp/dhcpd.conf exists, use that instead of /etc/dhcp/dhcpd.conf
    - Drop isc-dhcp-server/new_auth_behavior question from high to medium
    - Create user/group dhcpd (LP: #727837)
    - Create /etc/dhcp/ddns-keys/ for DDNS updates (LP: #341817)
    - Build with extra hardening and use --enable-paranoia to run dhcpd as user
      (LP: #727837)
    - Add IPv6 support to dhclient-script.linux.udeb
    - Wait for /etc/resolv.conf to be writable in dhclient-script.linux.
      (LP: #856984)
    - Sanitize environment in dhclient-script.linux. (LP: #1045986)
    - Don't call 'ip addr flush' as it breaks IPv6 networking. (LP: #1023174)
    - debian/apparmor-profile.dhclient: update to add the new paths used by
      NetworkManager for its conf and leases files; standardized under
      /var/lib/NetworkManager.
    - Remaining Ubuntu patches:
      + dhclient-fix-backoff
      + dhclient-more-debug (LP: #35265)
      + dhclient-safer-timeout (LP: #838968)
      + dhcpd.conf-subnet-examples (LP: #26661)
      + multi-ip-addr-per-if (LP: #717166)
      + onetry_retry_after_initial_success (LP: #974284)
      + revert-next-server
    - Dropped Ubuntu patches:
      + dhclient-onetry-call-clientscript (now in Debian)
  * Fix isc-dhcp-server-ldap not actually containing ldap support.
    Thanks to Christian Hoffmann for tracking down the issue. (LP: #1071928)
  * Don't set fqdn.fqdn in dhclient.conf as that seems to confuse some DHCP
    servers. An alternative would have been to only set fqdn.fqdn and not
    host-name, but that appears to confuse another set of servers.
    For now go with just host-name which is the most common and if becomes a
    big problem for IPv6 (where fqdn.fqdn is apparently required), then we'll
    need to have a separate dhclient6.conf file and change all the calls to
    dhclient -6 to use that file instead. (LP: #1088682)
  * Include patch from RedHat/Fedora to deal with hardware/xen/virtio offload
    of UDP checksums. (LP: #930962)

isc-dhcp (4.2.4-4) unstable; urgency=medium

  * Run exit hooks when "dhclient -1" fails (closes: #486520).
  * Add dhcp6.name-servers and dhcp6.domain-search to the default request
    options in dhclient.conf (closes: #693315).
 -- Stephane Graber <email address hidden> Thu, 17 Jan 2013 17:09:14 -0500

Changed in isc-dhcp (Ubuntu):
status: Fix Committed → Fix Released
Ivo Steinmann (isteinmann) wrote :

Well, now in

/etc/apparmor.d/usr.sbin.dhcpd

the lines

network inet raw,
network packet packet,

seem to be wrong, I guess they should be

network raw,
network packet,

instead

Jamie Strandboge (jdstrand) wrote :

@Ivo

These are legitimate rules based on man apparmor.d:
network inet raw,
network packet packet,

Specifically:
NETWORK RULE = 'network' [ [ DOMAIN ] [ TYPE ] [ I <PROTOCOL> ] ] ','
DOMAIN = ( 'inet' | ... | 'packet' | ... )
TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )

they also work fine here on Ubuntu 12.04 LTS and Ubuntu 12.10. Can you file a new bug using 'ubuntu-bug apparmor'?

Ivo Steinmann (isteinmann) wrote :

@Jamie

Here on Ubuntu 12.10 (apparmor-2.8.0-0ubuntu5) I got

Open a socket for LPF: Permission denied

when starting dhcpd, quite strange.....
I got the hint in the #ubuntu-server irc channel to remove inet and one packet. After that it worked.

description: updated
Changed in isc-dhcp (Ubuntu Quantal):
status: Triaged → In Progress
Dave Walker (davewalker) wrote : Please test proposed package

Hello Ivo, or anyone else affected,

Accepted isc-dhcp into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-1ubuntu10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in isc-dhcp (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

I couldn't easily test this against an actual LDAP server, but I confirmed that the LDAP and non-LDAP binaries are no longer identical and that the LDAP version appears to look for the extra config options.

So even if it doesn't actually work, we're already infinitely better than where we were before (and I'm pretty confident that it'll actually work provided an LDAP server with the right schema).

tags: added: verification-done
removed: verification-needed
Scott Kitterman (kitterman) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu10.2

---------------
isc-dhcp (4.2.4-1ubuntu10.2) quantal-proposed; urgency=low

  * Fix isc-dhcp-server-ldap not actually containing ldap support.
    Thanks to Christian Hoffmann for tracking down the issue. (LP: #1071928)
  * Don't set fqdn.fqdn in dhclient.conf as that seems to confuse some DHCP
    servers. An alternative would have been to only set fqdn.fqdn and not
    host-name, but that appears to confuse another set of servers.
    For now go with just host-name which is the most common and if becomes a
    big problem for IPv6 (where fqdn.fqdn is apparently required), then we'll
    need to have a separate dhclient6.conf file and change all the calls to
    dhclient -6 to use that file instead. (LP: #1088682)
  * Include patch from RedHat/Fedora to deal with hardware/xen/virtio offload
    of UDP checksums. (LP: #930962)
 -- Stephane Graber <email address hidden> Fri, 01 Mar 2013 16:07:49 -0500

Changed in isc-dhcp (Ubuntu Quantal):
status: Fix Committed → Fix Released