diff --git a/README.ldap b/README.ldap
index 2a5ce9b..2263050 100644
--- a/README.ldap
+++ b/README.ldap
@@ -1,51 +1,61 @@
 LDAP Support in DHCP
 Brian Masney <masneyb@ntelos.net>
-Last updated 8/16/2002
+Last updated 3/23/2003
 
-This document describes setting up the DHCP server to read it's configuration 
-from LDAP. This work is based on the IETF document 
-draft-ietf-dhc-ldap-schema-01.txt included in the doc directory. For the latest
-version of this document, please see http://home.ntelos.net/~masneyb.
+This document describes setting up the DHCP server to read it's configuration
+from LDAP.  This work is based on the IETF document
+draft-ietf-dhc-ldap-schema-01.txt included in the doc directory.  For the
+latest version of this document, please see http://home.ntelos.net/~masneyb.
 
-First question on most people's mind is "Why do I want to store my 
-configuration in LDAP?" If you run a small DHCP server, and the configuration
+First question on most people's mind is "Why do I want to store my
+configuration in LDAP?"  If you run a small DHCP server, and the configuration
 on it rarely changes, then you won't need to store your configuration in LDAP.
-But, if you have several DHCP servers, and you want an easy way to manage your 
-configuration, this can be a solution. 
+But, if you have several DHCP servers, and you want an easy way to manage your
+configuration, this can be a solution.
 
-The first step will be to setup your LDAP server. I am using OpenLDAP from
-www.openldap.org. Building and installing OpenLDAP is beyond the scope of this 
-document. There is plenty of documentation out there about this. Once you have 
-OpenLDAP installed, you will have to edit your slapd.conf file. I added the 
-following 2 lines to my configuration file:
+The first step will be to setup your LDAP server.  I am using OpenLDAP from
+www.openldap.org.  Building and installing OpenLDAP is beyond the scope of
+this document.  There is plenty of documentation out there about this.  Once
+you have OpenLDAP installed, you will have to edit your slapd.conf file.  I
+added the following 2 lines to my configuration file:
 
 include         /etc/ldap/schema/dhcp.schema
-index           dhcpHWAddress 	eq
-index           dhcpClassData	eq
+index           dhcpHWAddress eq
+index           dhcpClassData eq
 
-The first line tells it to include the dhcp schema file. You will find this 
-file under the contrib directory in this distribution. You will need to copy 
+The first line tells it to include the dhcp schema file.  You will find this
+file under the contrib directory in this distribution.  You will need to copy
 this file to where your other schema files are (maybe
-/usr/local/openldap/etc/openldap/schema/). The second line sets up
-an index for the dhcpHWAddress parameter. The third parameter is for reading 
-subclasses from LDAP every time a DHCP request comes in. Make sure you run the 
-slapindex command and restart slapd to have these changes to into effect.
-
-Now that you have LDAP setup, you should be able to use gq (http://biot.com/gq/)
-to verify that the dhcp schema file is loaded into LDAP. Pull up gq, and click
-on the Schema tab. Go under objectClasses, and you should see at least the 
-following object classes listed: dhcpClass, dhcpGroup, dhcpHost, dhcpOptions, 
-dhcpPool, dhcpServer, dhcpService, dhcpSharedNetwork, dhcpSubClass, and 
-dhcpSubnet. If you do not see these, you need to check over your LDAP 
-configuration before you go any further.
-
-You should be ready to build DHCP. Edit the includes/site.h file and uncomment
-the #define LDAP_CONFIGURATION. Now run configure in the base source directory.
-Edit the work.os/server/Makefile and add -lldap to the LIBS= line. (replace os
-with your operating system, linux-2.2 on my machine). You should be able to 
-type make to build your DHCP server. 
-
-Once you have DHCP installed, you will need to setup your initial plaintext 
+/usr/local/openldap/etc/openldap/schema/).  The second line sets up an index
+for the dhcpHWAddress parameter.  The third parameter is for reading subclasses
+from LDAP every time a DHCP request comes in. Make sure you run the slapindex
+command and restart slapd to have these changes to into effect.
+
+Now that you have LDAP setup, you should be able to use gq
+(http://biot.com/gq/) to verify that the dhcp schema file is loaded into LDAP.
+Pull up gq, and click on the Schema tab.  Go under objectClasses, and you
+should see at least the following object classes listed: dhcpClass, dhcpGroup,
+dhcpHost, dhcpOptions, dhcpPool, dhcpServer, dhcpService, dhcpSharedNetwork,
+dhcpSubClass, and dhcpSubnet.  If you do not see these, you need to check over
+your LDAP configuration before you go any further.
+
+You should now be ready to build DHCP.  If you would like to enable LDAP over
+SSL, you will need to perform the following steps:
+
+  * Edit the includes/site.h file and uncomment the USE_SSL line
+    or specify "-DUSE_SSL" via CFLAGS.
+  * Edit the dst/Makefile.dist file and remove md5_dgst.c and md5_dgst.o
+    from the SRC= and OBJ= lines (around line 24)
+  * Now run configure in the base source directory. If you chose to enable
+    LDAP over SSL, you must append -lcrypto -lssl to the LIBS= line in the
+    file work.os/server/Makefile (replace os with your operating system,
+    linux-2.2 on my machine).  You should now be able to type make to build
+    your DHCP server.
+
+If you choose to not enable LDAP over SSL, then you only need to run configure
+and make in the toplevel source directory.
+
+Once you have DHCP installed, you will need to setup your initial plaintext
 config file. In my /etc/dhcpd.conf file, I have:
 
 ldap-server "localhost";
@@ -54,23 +64,48 @@ ldap-username "cn=DHCP User, dc=ntelos, dc=net";
 ldap-password "blah";
 ldap-base-dn "dc=ntelos, dc=net";
 ldap-method dynamic;
+ldap-debug-file "/var/log/dhcp-ldap-startup.log";
+
+If SSL has been enabled at compile time using the USE_SSL flag, the dhcp
+server trys to use TLS if possible, but continues without TLS if not.
+
+You can modify this behaviour using following option in /etc/dhcpd.conf:
+
+ldap-ssl <off | ldaps | start_tls | on>
+   off:       disables TLS/LDAPS.
+   ldaps:     enables LDAPS -- don't forget to set ldap-port to 636.
+   start_tls: enables TLS using START_TLS command
+   on:        enables LDAPS if ldap-port is set to 636 or TLS in 
+              other cases.
+
+See also "man 5 ldap.conf" for description the following TLS related 
+options:
+   ldap-tls-reqcert, ldap-tls-ca-file, ldap-tls-ca-dir, ldap-tls-cert
+   ldap-tls-key, ldap-tls-crlcheck, ldap-tls-ciphers, ldap-tls-randfile
 
 All of these parameters should be self explanatory except for the ldap-method.
-You can set this to static or dynamic. If you set it to static, the 
-configuration is read once on startup, and LDAP isn't used anymore. But, if you
-set this to dynamic, the configuration is read once on startup, and the 
-hosts that are stored in LDAP are looked up every time a DHCP request comes in.
+You can set this to static or dynamic.  If you set it to static, the
+configuration is read once on startup, and LDAP isn't used anymore.  But, if
+you set this to dynamic, the configuration is read once on startup, and the
+hosts that are stored in LDAP are looked up every time a DHCP request comes
+in.
+
+When the optional statement ldap-debug-file is specified, on startup the DHCP
+server will write out the configuration that it generated from LDAP.  If you
+are getting errors about your LDAP configuration, this is a good place to
+start looking.
 
 The next step is to set up your LDAP tree. Here is an example config that will
-give a 10.100.0.x address to machines that have a host entry in LDAP. 
-Otherwise, it will give a 10.200.0.x address to them. (NOTE: replace 
-dc=ntelos, dc=net with your base dn). If you would like to convert your 
-existing dhcpd.conf file to LDIF format, there is a script 
-contrib/dhcpd-conf-to-ldap.pl that will convert it for you.
+give a 10.100.0.x address to machines that have a host entry in LDAP.
+Otherwise, it will give a 10.200.0.x address to them.  (NOTE: replace
+dc=ntelos, dc=net with your base dn). If you would like to convert your
+existing dhcpd.conf file to LDIF format, there is a script
+contrib/dhcpd-conf-to-ldap.pl that will convert it for you.  Type
+dhcpd-conf-to-ldap.pl --help to see the usage information for this script.
 
 # You must specify the server's host name in LDAP that you are going to run
-# DHCP on and point it to which config tree you want to use. Whenever DHCP 
-# first starts up, it will do a search for this entry to find out which 
+# DHCP on and point it to which config tree you want to use.  Whenever DHCP
+# first starts up, it will do a search for this entry to find out which
 # config to use
 dn: cn=brian.ntelos.net, dc=ntelos, dc=net
 objectClass: top
@@ -78,13 +113,13 @@ objectClass: dhcpServer
 cn: brian.ntelos.net
 dhcpServiceDN: cn=DHCP Service Config, dc=ntelos, dc=net
 
-# Here is the config tree that brian.ntelos.net points to. 
+# Here is the config tree that brian.ntelos.net points to.
 dn: cn=DHCP Service Config, dc=ntelos, dc=net
 cn: DHCP Service Config
 objectClass: top
 objectClass: dhcpService
 dhcpPrimaryDN: dc=ntelos, dc=net
-dhcpStatements: ddns-update-style ad-hoc
+dhcpStatements: ddns-update-style none
 dhcpStatements: default-lease-time 600
 dhcpStatements: max-lease-time 7200
 
@@ -94,7 +129,7 @@ cn: WV
 objectClass: top
 objectClass: dhcpSharedNetwork
 
-# Set up a subnet declaration with a pool statement. Also note that we have
+# Set up a subnet declaration with a pool statement.  Also note that we have
 # a dhcpOptions object with this entry
 dn: cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
 cn: 10.100.0.0
@@ -107,7 +142,7 @@ dhcpOption: subnet-mask 255.255.255.0
 dhcpOption: broadcast-address 10.100.0.255
 dhcpNetMask: 24
 
-# Set up a pool for this subnet. Only known hosts will get these IPs
+# Set up a pool for this subnet.  Only known hosts will get these IPs
 dn: cn=Known Pool, cn=10.100.0.0, cn=WV Test, cn=DHCP Service Config, dc=ntelos, dc=net
 cn: Known Pool
 objectClass: top
diff --git a/dhclient-script.8 b/dhclient-script.8
new file mode 100644
index 0000000..8c81393
--- /dev/null
+++ b/dhclient-script.8
@@ -0,0 +1,255 @@
+.\"	dhclient-script.8
+.\"
+.\" Copyright (c) 2004-2005 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1996-2003 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\"   Internet Systems Consortium, Inc.
+.\"   950 Charter Street
+.\"   Redwood City, CA 94063
+.\"   <info@isc.org>
+.\"   http://www.isc.org/
+.\"
+.\" This software has been written for Internet Systems Consortium
+.\" by Ted Lemon in cooperation with Vixie Enterprises and Nominum, Inc.
+.\" To learn more about Internet Systems Consortium, see
+.\" ``http://www.isc.org/''.  To learn more about Vixie Enterprises,
+.\" see ``http://www.vix.com''.   To learn more about Nominum, Inc., see
+.\" ``http://www.nominum.com''.
+.\"
+.\" $Id: dhclient-script.8,v 1.11 2006/02/24 23:16:27 dhankins Exp $
+.\"
+.TH dhclient-script 8
+.SH NAME
+dhclient-script - DHCP client network configuration script
+.SH DESCRIPTION
+The DHCP client network configuration script is invoked from time to
+time by \fBdhclient(8)\fR.  This script is used by the dhcp client to
+set each interface's initial configuration prior to requesting an
+address, to test the address once it has been offered, and to set the
+interface's final configuration once a lease has been acquired.  If no
+lease is acquired, the script is used to test predefined leases, if
+any, and also called once if no valid lease can be identified.
+.PP
+This script is not meant to be customized by the end user.  If local
+customizations are needed, they should be possible using the enter and
+exit hooks provided (see HOOKS for details).   These hooks will allow the
+user to override the default behaviour of the client in creating a
+.B /etc/resolv.conf
+file, and to handle DHCP options not handled by default.
+.PP
+No standard client script exists for some operating systems, even though
+the actual client may work, so a pioneering user may well need to create
+a new script or modify an existing one.  In general, customizations specific
+to a particular computer should be done in the
+.B ETCDIR/dhclient.conf
+file.   If you find that you can't make such a customization without
+customizing
+.B ETCDIR/dhclient.conf
+or using the enter and exit hooks, please submit a bug report.
+.SH HOOKS
+When it starts, the client script first defines a shell function,
+.B make_resolv_conf ,
+which is later used to create the
+.B /etc/resolv.conf
+file.   To override the default behaviour, redefine this function in
+the enter hook script.
+.PP
+On after defining the make_resolv_conf function, the client script checks
+for the presence of an executable
+.B ETCDIR/dhclient-enter-hooks
+script, and if present, it invokes the script inline, using the Bourne
+shell '.' command.   The entire environment documented under OPERATION
+is available to this script, which may modify the environment if needed
+to change the behaviour of the script.   If an error occurs during the
+execution of the script, it can set the exit_status variable to a nonzero
+value, and
+.B CLIENTBINDIR/dhclient-script
+will exit with that error code immediately after the client script exits.
+.PP
+After all processing has completed,
+.B CLIENTBINDIR/dhclient-script
+checks for the presence of an executable
+.B ETCDIR/dhclient-exit-hooks
+script, which if present is invoked using the '.' command.  The exit
+status of dhclient-script will be passed to dhclient-exit-hooks in the
+exit_status shell variable, and will always be zero if the script
+succeeded at the task for which it was invoked.   The rest of the
+environment as described previously for dhclient-enter-hooks is also
+present.   The
+.B ETCDIR/dhclient-exit-hooks
+script can modify the valid of exit_status to change the exit status
+of dhclient-script.
+.PP
+Immediately after dhclient brings an interface UP with a new IP address,
+subnet mask, and routes, in the REBOOT/BOUND states, it will check for the
+existence of an executable
+.B ETCDIR/dhclient-up-hooks
+script, and source it if found. This script can handle DHCP options in
+the environment that are not handled by default. A per-interface.
+.B ETCDIR/dhclient-${IF}-up-hooks
+script will override the generic script and be sourced when interface
+$IF has been brought up.
+.PP
+Immediately before dhclient brings an interface DOWN, removing its IP
+address, subnet mask, and routes, in the STOP/RELEASE  states, it will
+check for the existence of an executable
+.B ETCDIR/dhclient-down-hooks
+script, and source it if found. This script can handle DHCP options in
+the environment that are not handled by default. A per-interface
+.B ETCDIR/dhclient-${IF}-down-hooks
+script will override the generic script and be sourced when interface
+$IF is about to be brought down.
+
+.SH OPERATION
+When dhclient needs to invoke the client configuration script, it
+defines a set of variables in the environment, and then invokes
+.B CLIENTBINDIR/dhclient-script.
+In all cases, $reason is set to the name of the reason why the script
+has been invoked.   The following reasons are currently defined:
+MEDIUM, PREINIT, BOUND, RENEW, REBIND, REBOOT, EXPIRE, FAIL, STOP, RELEASE,
+NBI and TIMEOUT.
+.PP
+.SH MEDIUM
+The DHCP client is requesting that an interface's media type
+be set.  The interface name is passed in $interface, and the media
+type is passed in $medium.
+.SH PREINIT
+The DHCP client is requesting that an interface be configured as
+required in order to send packets prior to receiving an actual
+address.   For clients which use the BSD socket library, this means
+configuring the interface with an IP address of 0.0.0.0 and a
+broadcast address of 255.255.255.255.   For other clients, it may be
+possible to simply configure the interface up without actually giving
+it an IP address at all.   The interface name is passed in $interface,
+and the media type in $medium.
+.PP
+If an IP alias has been declared in dhclient.conf, its address will be
+passed in $alias_ip_address, and that ip alias should be deleted from
+the interface, along with any routes to it.
+.SH BOUND
+The DHCP client has done an initial binding to a new address.   The
+new ip address is passed in $new_ip_address, and the interface name is
+passed in $interface.   The media type is passed in $medium.   Any
+options acquired from the server are passed using the option name
+described in \fBdhcp-options\fR, except that dashes ('-') are replaced
+by underscores ('_') in order to make valid shell variables, and the
+variable names start with new_.   So for example, the new subnet mask
+would be passed in $new_subnet_mask.
+.PP
+Before actually configuring the address, dhclient-script should
+somehow ARP for it and exit with a nonzero status if it receives a
+reply.   In this case, the client will send a DHCPDECLINE message to
+the server and acquire a different address.   This may also be done in
+the RENEW, REBIND, or REBOOT states, but is not required, and indeed
+may not be desirable.
+.PP
+When a binding has been completed, a lot of network parameters are
+likely to need to be set up.   A new /etc/resolv.conf needs to be
+created, using the values of $new_domain_name and
+$new_domain_name_servers (which may list more than one server,
+separated by spaces).   A default route should be set using
+$new_routers, and static routes may need to be set up using
+$new_static_routes.
+.PP
+If an IP alias has been declared, it must be set up here.   The alias
+IP address will be written as $alias_ip_address, and other DHCP
+options that are set for the alias (e.g., subnet mask) will be passed
+in variables named as described previously except starting with
+$alias_ instead of $new_.   Care should be taken that the alias IP
+address not be used if it is identical to the bound IP address
+($new_ip_address), since the other alias parameters may be incorrect
+in this case.
+.SH RENEW
+When a binding has been renewed, the script is called as in BOUND,
+except that in addition to all the variables starting with $new_,
+there is another set of variables starting with $old_.  Persistent
+settings that may have changed need to be deleted - for example, if a
+local route to the bound address is being configured, the old local
+route should be deleted.  If the default route has changed, the old default
+route should be deleted.  If the static routes have changed, the old
+ones should be deleted.  Otherwise, processing can be done as with
+BOUND.
+.SH REBIND
+The DHCP client has rebound to a new DHCP server.  This can be handled
+as with RENEW, except that if the IP address has changed, the ARP
+table should be cleared.
+.SH REBOOT
+The DHCP client has successfully reacquired its old address after a
+reboot.   This can be processed as with BOUND.
+.SH EXPIRE
+The DHCP client has failed to renew its lease or acquire a new one,
+and the lease has expired.   The IP address must be relinquished, and
+all related parameters should be deleted, as in RENEW and REBIND.
+.SH FAIL
+The DHCP client has been unable to contact any DHCP servers, and any
+leases that have been tested have not proved to be valid.   The
+parameters from the last lease tested should be deconfigured.   This
+can be handled in the same way as EXPIRE.
+.SH STOP
+The dhclient has been informed to shut down gracefully, the
+dhclient-script should unconfigure or shutdown the interface as
+appropriate.
+.SH RELEASE
+The dhclient has been executed using the -r flag, indicating that the
+administrator wishes it to release its lease(s).  dhclient-script should
+unconfigure or shutdown the interface.
+.SH NBI
+No-Broadcast-Interfaces...dhclient was unable to find any interfaces
+upon which it believed it should commence DHCP.  What dhclient-script
+should do in this situation is entirely up to the implementor.
+.SH TIMEOUT
+The DHCP client has been unable to contact any DHCP servers.
+However, an old lease has been identified, and its parameters have
+been passed in as with BOUND.   The client configuration script should
+test these parameters and, if it has reason to believe they are valid,
+should exit with a value of zero.   If not, it should exit with a
+nonzero value.
+.PP
+The usual way to test a lease is to set up the network as with REBIND
+(since this may be called to test more than one lease) and then ping
+the first router defined in $routers.  If a response is received, the
+lease must be valid for the network to which the interface is
+currently connected.   It would be more complete to try to ping all of
+the routers listed in $new_routers, as well as those listed in
+$new_static_routes, but current scripts do not do this.
+.SH FILES
+Each operating system should generally have its own script file,
+although the script files for similar operating systems may be similar
+or even identical.   The script files included in Internet
+Systems Consortium DHCP distribution appear in the distribution tree
+under client/scripts, and bear the names of the operating systems on
+which they are intended to work.
+.SH BUGS
+If more than one interface is being used, there's no obvious way to
+avoid clashes between server-supplied configuration parameters - for
+example, the stock dhclient-script rewrites /etc/resolv.conf.   If
+more than one interface is being configured, /etc/resolv.conf will be
+repeatedly initialized to the values provided by one server, and then
+the other.   Assuming the information provided by both servers is
+valid, this shouldn't cause any real problems, but it could be
+confusing.
+.SH SEE ALSO
+dhclient(8), dhcpd(8), dhcrelay(8), dhclient.conf(5) and
+dhclient.leases(5).
+.SH AUTHOR
+.B dhclient-script(8)
+has been written for Internet Systems Consortium
+by Ted Lemon in cooperation with Vixie
+Enterprises.  To learn more about Internet Systems Consortium,
+see
+.B http://www.isc.org.
+To learn more about Vixie
+Enterprises, see
+.B http://www.vix.com.
diff --git a/dhclient.8 b/dhclient.8
new file mode 100644
index 0000000..6e494f3
--- /dev/null
+++ b/dhclient.8
@@ -0,0 +1,428 @@
+.\"	dhclient.8
+.\"
+.\" Copyright (c) 2004,2007 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1996-2003 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\"   Internet Systems Consortium, Inc.
+.\"   950 Charter Street
+.\"   Redwood City, CA 94063
+.\"   <info@isc.org>
+.\"   http://www.isc.org/
+.\"
+.\" Support and other services are available for ISC products - see
+.\" http://www.isc.org for more information.
+.\"
+.\" $Id: dhclient.8,v 1.18.116.4 2007/05/23 23:30:32 each Exp $
+.\"
+.TH dhclient 8
+.SH NAME
+dhclient - Dynamic Host Configuration Protocol Client
+.SH SYNOPSIS
+.B dhclient
+[
+.B -p
+.I port
+]
+[
+.B -d
+]
+[
+.B -e
+.I VAR=value
+]
+[
+.B -q
+]
+[
+.B -1
+]
+[
+.B -r
+]
+[
+.B -x
+]
+[
+.B -lf
+.I lease-file
+]
+[
+.B -pf
+.I pid-file
+]
+[
+.B -cf
+.I config-file
+]
+[
+.B -sf
+.I script-file
+]
+[
+.B -s
+server
+]
+[
+.B -g
+relay
+]
+[
+.B -n
+]
+[
+.B -nw
+]
+[
+.B -w
+]
+[
+.B -B
+]
+[
+.B -I
+.I dhcp-client-identifier
+]
+[
+.B -H
+.I host-name
+.R |
+.B -F fqdn.fqdn
+]
+[
+.B -V
+.I vendor-class-identifier
+]
+[
+.B -R
+.I request option list
+]
+[
+.B -T
+.I timeout
+]
+[
+.I if0
+[
+.I ...ifN
+]
+]
+.SH DESCRIPTION
+The Internet Systems Consortium DHCP Client, dhclient, provides a
+means for configuring one or more network interfaces using the Dynamic
+Host Configuration Protocol, BOOTP protocol, or if these protocols
+fail, by statically assigning an address.
+.SH OPERATION
+.PP
+The DHCP protocol allows a host to contact a central server which
+maintains a list of IP addresses which may be assigned on one or more
+subnets.   A DHCP client may request an address from this pool, and
+then use it on a temporary basis for communication on network.   The
+DHCP protocol also provides a mechanism whereby a client can learn
+important details about the network to which it is attached, such as
+the location of a default router, the location of a name server, and
+so on.
+.PP
+On startup, dhclient reads the
+.IR dhclient.conf
+for configuration instructions.   It then gets a list of all the
+network interfaces that are configured in the current system.   For
+each interface, it attempts to configure the interface using the DHCP
+protocol.
+.PP
+In order to keep track of leases across system reboots and server
+restarts, dhclient keeps a list of leases it has been assigned in the
+dhclient.leases(5) file.   On startup, after reading the dhclient.conf
+file, dhclient reads the dhclient.leases file to refresh its memory
+about what leases it has been assigned.
+.PP
+When a new lease is acquired, it is appended to the end of the
+dhclient.leases file.   In order to prevent the file from becoming
+arbitrarily large, from time to time dhclient creates a new
+dhclient.leases file from its in-core lease database.  The old version
+of the dhclient.leases file is retained under the name
+.IR dhclient.leases~
+until the next time dhclient rewrites the database.
+.PP
+Old leases are kept around in case the DHCP server is unavailable when
+dhclient is first invoked (generally during the initial system boot
+process).   In that event, old leases from the dhclient.leases file
+which have not yet expired are tested, and if they are determined to
+be valid, they are used until either they expire or the DHCP server
+becomes available.
+.PP
+A mobile host which may sometimes need to access a network on which no
+DHCP server exists may be preloaded with a lease for a fixed
+address on that network.   When all attempts to contact a DHCP server
+have failed, dhclient will try to validate the static lease, and if it
+succeeds, will use that lease until it is restarted.
+.PP
+A mobile host may also travel to some networks on which DHCP is not
+available but BOOTP is.   In that case, it may be advantageous to
+arrange with the network administrator for an entry on the BOOTP
+database, so that the host can boot quickly on that network rather
+than cycling through the list of old leases.
+.PP
+The names of the network interfaces that dhclient should attempt to
+configure may be specified on the command line.  If no interface names
+are specified on the command line dhclient will normally identify all
+network interfaces, eliminating non-broadcast interfaces if
+possible, and attempt to configure each interface.
+.PP
+It is also possible to specify interfaces by name in the
+.B dhclient.conf(5)
+file.   If interfaces are specified in this way, then the client will
+only configure interfaces that are either specified in the
+configuration file or on the command line, and will ignore all other
+interfaces.
+.SH OPTIONS
+.TP
+.BI \-p\ <port\ number>
+The UDP port number the DHCP client should listen and transmit on.  If
+unspecified,
+.B dhclient
+uses the default port 68.  This option is mostly useful for debugging
+purposes.  If a different port is specified for the client to listen and
+transmit on, the client will also use a different destination port - one
+greater than the specified destination port.
+
+.TP
+.BI \-d
+Force
+.B dhclient
+to run as a foreground process.  This is useful when running the client
+under a debugger, or when running it out of inittab on System V systems.
+
+.TP
+.BI \-e\ VAR=value
+Define additional environment variables for the environment where
+dhclient-script executes.  You may specify multiple
+.B \-e
+options on the command line.
+
+.TP
+.BI \-q
+Suppress all terminal and log output except error messages.
+
+.TP
+.BI \-1
+Try one to get a lease.  On failure, exit with code 2.
+
+.TP
+.BI \-r
+Tell
+.B dhclient
+to release the current lease it has from the server.  This is not required
+by the DHCP protocol, but some ISPs require their clients to notify the
+server if they wish to release an assigned IP address.
+
+.TP
+.BI \-lf\ <lease-file>
+Path to the lease database file.  If unspecified, the default
+.B DBDIR/dhclient.leases
+is used.
+
+.TP
+.BI \-pf\ <pid-file>
+Path to the process ID file.  If unspecified, the default
+.B RUNDIR/dhclient.pid
+is used.
+
+.TP
+.BI \-cf\ <config-file>
+Path to the client configuration file.  If unspecified, the default
+.B ETCDIR/dhclient.conf
+is used.
+
+.TP
+.BI \-sf\ <script-file>
+Path to the network configuration script invoked by
+.B dhclient
+when it gets a lease.  If unspecified, the default
+.B CLIENTBINDIR/dhclient-script
+is used.
+
+.TP
+.BI \-s\ <server>
+Specifiy the server IP address or fully qualified domain name to transmit
+DHCP protocol messages to.  Normally,
+.B dhclient
+transmits these messages to 255.255.255.255 (the IP limited broadcast
+address).  Overriding this is mostly useful for debugging purposes.
+
+.TP
+.BI \-g\ <relay>
+Only for debugging.  Set the giaddr field of all packets the client
+sends to the IP address specified.  This should not be expected to work
+in any consistent or useful way.
+
+.TP
+.BI \-n
+Do not configure any interfaces.  Most useful combined with the
+.B -w
+option.
+
+.TP
+.BI \-nw
+Become a daemon process immediately (nowait) rather than waiting until an IP
+address has been acquired.
+
+.TP
+.BI \-w
+Keep running even if no network interfaces are found.  The
+.B omshell
+program can be used to notify the client when a network interface has been
+added or removed so it can attempt to configure an IP address on that
+interface.
+
+.TP
+.BI \-B
+Set the BOOTP broadcast flag in request packets so servers will always
+broadcast replies.
+
+.TP
+.BI \-I\ <dhcp-client-identifier>
+Specify the dhcp-client-identifier option to send to the DHCP server.
+
+.TP
+.BI \-H\ <host-name>
+Specify the host-name option to send to the DHCP server.  The host-name
+string only contains the client's hostname prefix, to which the server will
+append the ddns-domainname or domain-name options, if any, to derive the
+fully qualified domain name of the client.  The
+.B -H
+option cannot be used with the
+.B -F
+option.
+
+.TP
+.BI \-F\ <fqdn.fqdn>
+Specify the fqdn.fqdn option to send to the DHCP server.  This option cannot
+be used with the
+.B -H
+option.  The fqdn.fqdn option must specify the complete domain name of the
+client host, which the server may use for dynamic DNS updates.
+
+.TP
+.BI \-V\ <vendor-class-identifier>
+Specify the vendor-class-identifier option to send to the DHCP server.
+
+.TP
+.BI \-R\ <option>[,<option>...]
+Specify the list of options the client is to request from the server.  The
+option list must be a single string consisting of option names separated
+by at least one command and optional space characters.  The default option
+list is:
+
+.BR
+    subnet-mask, broadcast-address, time-offset, routers,
+.BR
+    domain-name, domain-name-servers, host-name, nis-domain,
+.BR
+    nis-servers, ntp-servers
+
+The
+.B -R
+option does not append options to the default request, it overrides the
+default request list.  Keep this in mind if you want to request an
+additional option besides the default request list.  You will have to
+specify all option names for the
+.B -R
+parameter.
+
+.TP
+.BI \-T\ <timeout>
+Specify the time after which
+.B dhclient
+will decide that no DHCP servers can be contacted when no responses have been
+received.
+
+.PP
+If the client is killed by a signal (for example at shutdown or reboot)
+it won't execute the
+.B dhclient-script (8)
+at exit. However if you shut the client down gracefully with
+.B -r
+or
+.B -x
+it will execute
+.B dhclient-script (8)
+at shutdown with the specific reason for calling the script set.
+
+.PP
+.SH CONFIGURATION
+The syntax of the dhclient.conf(5) file is discussed separately.
+.SH OMAPI
+The DHCP client provides some ability to control it while it is
+running, without stopping it.  This capability is provided using OMAPI,
+an API for manipulating remote objects.  OMAPI clients connect to the
+client using TCP/IP, authenticate, and can then examine the client's
+current status and make changes to it. 
+.PP
+Rather than implementing the underlying OMAPI protocol directly, user
+programs should use the dhcpctl API or OMAPI itself.   Dhcpctl is a
+wrapper that handles some of the housekeeping chores that OMAPI does
+not do automatically.   Dhcpctl and OMAPI are documented in \fBdhcpctl(3)\fR
+and \fBomapi(3)\fR.   Most things you'd want to do with the client can
+be done directly using the \fBomshell(1)\fR command, rather than
+having to write a special program.
+.SH THE CONTROL OBJECT
+The control object allows you to shut the client down, releasing all
+leases that it holds and deleting any DNS records it may have added.
+It also allows you to pause the client - this unconfigures any
+interfaces the client is using.   You can then restart it, which
+causes it to reconfigure those interfaces.   You would normally pause
+the client prior to going into hibernation or sleep on a laptop
+computer.   You would then resume it after the power comes back.
+This allows PC cards to be shut down while the computer is hibernating
+or sleeping, and then reinitialized to their previous state once the
+computer comes out of hibernation or sleep.
+.PP
+The control object has one attribute - the state attribute.   To shut
+the client down, set its state attribute to 2.   It will automatically
+do a DHCPRELEASE.   To pause it, set its state attribute to 3.   To
+resume it, set its state attribute to 4.
+.PP
+.SH FILES
+.B CLIENTBINDIR/dhclient-script,
+.B ETCDIR/dhclient.conf, DBDIR/dhclient.leases, RUNDIR/dhclient.pid,
+.B DBDIR/dhclient.leases~.
+.SH SEE ALSO
+dhcpd(8), dhcrelay(8), dhclient-script(8), dhclient.conf(5),
+dhclient.leases(5), dhcp-eval(5).
+.SH AUTHOR
+.B dhclient(8)
+has been written for Internet Systems Consortium
+by Ted Lemon in cooperation with Vixie
+Enterprises.  To learn more about Internet Systems Consortium,
+see
+.B http://www.isc.org
+To learn more about Vixie
+Enterprises, see
+.B http://www.vix.com.
+.PP
+This client was substantially modified and enhanced by Elliot Poger
+for use on Linux while he was working on the MosquitoNet project at
+Stanford.
+.PP
+The current version owes much to Elliot's Linux enhancements, but
+was substantially reorganized and partially rewritten by Ted Lemon
+so as to use the same networking framework that the Internet Systems
+Consortium DHCP server uses.   Much system-specific configuration code
+was moved into a shell script so that as support for more operating
+systems is added, it will not be necessary to port and maintain
+system-specific configuration code to these operating systems - instead,
+the shell script can invoke the native tools to accomplish the same
+purpose.
+.PP
diff --git a/dhclient.conf.5 b/dhclient.conf.5
new file mode 100644
index 0000000..705f9c9
--- /dev/null
+++ b/dhclient.conf.5
@@ -0,0 +1,660 @@
+.\"	$Id: dhclient.conf.5,v 1.17.84.2 2007/05/23 23:30:32 each Exp $
+.\"
+.\" Copyright (c) 2004,2007 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1996-2003 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\"   Internet Systems Consortium, Inc.
+.\"   950 Charter Street
+.\"   Redwood City, CA 94063
+.\"   <info@isc.org>
+.\"   http://www.isc.org/
+.\"
+.\" This software has been written for Internet Software Consortium
+.\" by Ted Lemon in cooperation with Vixie Enterprises and Nominum, Inc.
+.\" To learn more about Internet Software Consortium, see
+.\" ``http://www.isc.org/''.  To learn more about Vixie Enterprises,
+.\" see ``http://www.vix.com''.   To learn more about Nominum, Inc., see
+.\" ``http://www.nominum.com''.
+.\"
+.\" $Id: dhclient.conf.5,v 1.17.84.2 2007/05/23 23:30:32 each Exp $
+.\"
+.TH dhclient.conf 5
+.SH NAME
+dhclient.conf - DHCP client configuration file
+.SH DESCRIPTION
+The dhclient.conf file contains configuration information for
+.IR dhclient,
+the Internet Systems Consortium DHCP Client.
+.PP
+The dhclient.conf file is a free-form ASCII text file.   It is parsed by
+the recursive-descent parser built into dhclient.   The file may contain
+extra tabs and newlines for formatting purposes.  Keywords in the file
+are case-insensitive.   Comments may be placed anywhere within the
+file (except within quotes).   Comments begin with the # character and
+end at the end of the line.
+.PP
+The dhclient.conf file can be used to configure the behaviour of the
+client in a wide variety of ways: protocol timing, information
+requested from the server, information required of the server,
+defaults to use if the server does not provide certain information,
+values with which to override information provided by the server, or
+values to prepend or append to information provided by the server.
+The configuration file can also be preinitialized with addresses to
+use on networks that don't have DHCP servers.
+.SH PROTOCOL TIMING
+The timing behaviour of the client need not be configured by the user.
+If no timing configuration is provided by the user, a fairly
+reasonable timing behaviour will be used by default - one which
+results in fairly timely updates without placing an inordinate load on
+the server.
+.PP
+The following statements can be used to adjust the timing behaviour of
+the DHCP client if required, however:
+.PP
+.I The
+.B timeout
+.I statement
+.PP
+.B timeout
+.I time
+.B ;
+.PP
+The
+.I timeout
+statement determines the amount of time that must pass between the
+time that the client begins to try to determine its address and the
+time that it decides that it's not going to be able to contact a
+server.   By default, this timeout is sixty seconds.   After the
+timeout has passed, if there are any static leases defined in the
+configuration file, or any leases remaining in the lease database that
+have not yet expired, the client will loop through these leases
+attempting to validate them, and if it finds one that appears to be
+valid, it will use that lease's address.   If there are no valid
+static leases or unexpired leases in the lease database, the client
+will restart the protocol after the defined retry interval.
+.PP
+.I The
+.B retry
+.I statement
+.PP
+ \fBretry \fItime\fR\fB;\fR
+.PP
+The
+.I retry
+statement determines the time that must pass after the client has
+determined that there is no DHCP server present before it tries again
+to contact a DHCP server.   By default, this is five minutes.
+.PP
+.I The
+.B select-timeout
+.I statement
+.PP
+ \fBselect-timeout \fItime\fR\fB;\fR
+.PP
+It is possible (some might say desirable) for there to be more than
+one DHCP server serving any given network.   In this case, it is
+possible that a client may be sent more than one offer in response to
+its initial lease discovery message.   It may be that one of these
+offers is preferable to the other (e.g., one offer may have the
+address the client previously used, and the other may not).
+.PP
+The
+.I select-timeout
+is the time after the client sends its first lease discovery request
+at which it stops waiting for offers from servers, assuming that it
+has received at least one such offer.   If no offers have been
+received by the time the
+.I select-timeout
+has expired, the client will accept the first offer that arrives.
+.PP
+By default, the select-timeout is zero seconds - that is, the client
+will take the first offer it sees.
+.PP
+.I The
+.B reboot
+.I statement
+.PP
+ \fBreboot \fItime\fR\fB;\fR
+.PP
+When the client is restarted, it first tries to reacquire the last
+address it had.   This is called the INIT-REBOOT state.   If it is
+still attached to the same network it was attached to when it last
+ran, this is the quickest way to get started.   The
+.I reboot
+statement sets the time that must elapse after the client first tries
+to reacquire its old address before it gives up and tries to discover
+a new address.   By default, the reboot timeout is ten seconds.
+.PP
+.I The
+.B backoff-cutoff
+.I statement
+.PP
+ \fBbackoff-cutoff \fItime\fR\fB;\fR
+.PP
+The client uses an exponential backoff algorithm with some randomness,
+so that if many clients try to configure themselves at the same time,
+they will not make their requests in lockstep.   The
+.I backoff-cutoff
+statement determines the maximum amount of time that the client is
+allowed to back off, the actual value will be evaluated randomly between
+1/2 to 1 1/2 times the \fItime\fR specified.   It defaults to two minutes.
+.PP
+.I The
+.B initial-interval
+.I statement
+.PP
+ \fBinitial-interval \fItime\fR\fB;\fR
+.PP
+The
+.I initial-interval
+statement sets the amount of time between the first attempt to reach a
+server and the second attempt to reach a server.  Each time a message
+is sent, the interval between messages is incremented by twice the
+current interval multiplied by a random number between zero and one.
+If it is greater than the backoff-cutoff amount, it is set to that
+amount.  It defaults to ten seconds.
+.SH LEASE REQUIREMENTS AND REQUESTS
+The DHCP protocol allows the client to request that the server send it
+specific information, and not send it other information that it is not
+prepared to accept.   The protocol also allows the client to reject
+offers from servers if they don't contain information the client
+needs, or if the information provided is not satisfactory.
+.PP
+There is a variety of data contained in offers that DHCP servers send
+to DHCP clients.  The data that can be specifically requested is what
+are called \fIDHCP Options\fR.  DHCP Options are defined in
+ \fBdhcp-options(5)\fR.
+.PP
+.I The
+.B request
+.I statement
+.PP
+ \fBrequest [ \fIoption\fR ] [\fB,\fI ... \fIoption\fR ]\fB;\fR
+.PP
+The request statement causes the client to request that any server
+responding to the client send the client its values for the specified
+options.   Only the option names should be specified in the request
+statement - not option parameters.   By default, the DHCP server
+requests the subnet-mask, broadcast-address, time-offset, routers,
+domain-name, domain-name-servers, host-name, nis-domain, nis-servers,
+and ntp-servers options.
+.PP
+In some cases, it may be desirable to send no parameter request list
+at all.   To do this, simply write the request statement but specify
+no parameters:
+.PP
+.nf
+	request;
+.fi
+.PP
+.I The
+.B require
+.I statement
+.PP
+ \fBrequire [ \fIoption\fR ] [\fB,\fI ... \fIoption ]\fB;\fR
+.PP
+The require statement lists options that must be sent in order for an
+offer to be accepted.   Offers that do not contain all the listed
+options will be ignored.
+.PP
+.I The
+.B send
+.I statement
+.PP
+ \fBsend { [ \fIoption declaration\fR ]
+[\fB,\fI ... \fIoption declaration\fR ]\fB}\fR
+.PP
+The send statement causes the client to send the specified options to
+the server with the specified values.  These are full option
+declarations as described in \fBdhcp-options(5)\fR.  Options that are
+always sent in the DHCP protocol should not be specified here, except
+that the client can specify a \fBrequested-lease-time\fR option other
+than the default requested lease time, which is two hours.  The other
+obvious use for this statement is to send information to the server
+that will allow it to differentiate between this client and other
+clients or kinds of clients.
+.SH DYNAMIC DNS
+The client now has some very limited support for doing DNS updates
+when a lease is acquired.   This is prototypical, and probably doesn't
+do what you want.   It also only works if you happen to have control
+over your DNS server, which isn't very likely.
+.PP
+To make it work, you have to declare a key and zone as in the DHCP
+server (see \fBdhcpd.conf\fR(5) for details).   You also need to
+configure the fqdn option on the client, as follows:
+.PP
+.nf
+  send fqdn.fqdn "grosse.fugue.com.";
+  send fqdn.encoded on;
+  send fqdn.server-update off;
+.fi
+.PP
+The \fIfqdn.fqdn\fR option \fBMUST\fR be a fully-qualified domain
+name.   You \fBMUST\fR define a zone statement for the zone to be
+updated.   The \fIfqdn.encoded\fR option may need to be set to
+\fIon\fR or \fIoff\fR, depending on the DHCP server you are using.
+.PP
+.I The
+.B do-forward-updates
+.I statement
+.PP
+ \fBdo-forward-updates [ \fIflag\fR ] \fB;\fR
+.PP
+If you want to do DNS updates in the DHCP client
+script (see \fBdhclient-script(8)\fR) rather than having the
+DHCP client do the update directly (for example, if you want to
+use SIG(0) authentication, which is not supported directly by the
+DHCP client, you can instruct the client not to do the update using
+the \fBdo-forward-updates\fR statement.   \fIFlag\fR should be \fBtrue\fR
+if you want the DHCP client to do the update, and \fBfalse\fR if
+you don't want the DHCP client to do the update.   By default, the DHCP
+client will do the DNS update.
+.SH OPTION MODIFIERS
+In some cases, a client may receive option data from the server which
+is not really appropriate for that client, or may not receive
+information that it needs, and for which a useful default value
+exists.   It may also receive information which is useful, but which
+needs to be supplemented with local information.   To handle these
+needs, several option modifiers are available.
+.PP
+.I The
+.B default
+.I statement
+.PP
+ \fBdefault [ \fIoption declaration\fR ] \fB;\fR
+.PP
+If for some option the client should use the value supplied by
+the server, but needs to use some default value if no value was supplied
+by the server, these values can be defined in the
+.B default
+statement.
+.PP
+.I The
+.B supersede
+.I statement
+.PP
+ \fBsupersede [ \fIoption declaration\fR ] \fB;\fR
+.PP
+If for some option the client should always use a locally-configured
+value or values rather than whatever is supplied by the server, these
+values can be defined in the 
+.B supersede
+statement.
+.PP
+.I The
+.B prepend
+.I statement
+.PP
+ \fBprepend [ \fIoption declaration\fR ] \fB;\fR
+.PP
+If for some set of options the client should use a value you
+supply, and then use the values supplied by
+the server, if any, these values can be defined in the
+.B prepend
+statement.   The
+.B prepend
+statement can only be used for options which
+allow more than one value to be given.   This restriction is not
+enforced - if you ignore it, the behaviour will be unpredictable.
+.PP
+.I The
+.B append
+.I statement
+.PP
+ \fBappend [ \fIoption declaration\fR ] \fB;\fR
+.PP
+If for some set of options the client should first use the values
+supplied by the server, if any, and then use values you supply, these
+values can be defined in the
+.B append
+statement.   The
+.B append
+statement can only be used for options which
+allow more than one value to be given.   This restriction is not
+enforced - if you ignore it, the behaviour will be unpredictable.
+.SH LEASE DECLARATIONS
+.PP
+.I The
+.B lease
+.I declaration
+.PP
+ \fBlease {\fR \fIlease-declaration\fR [ ... \fIlease-declaration ] \fB}\fR
+.PP
+The DHCP client may decide after some period of time (see \fBPROTOCOL
+TIMING\fR) that it is not going to succeed in contacting a
+server.   At that time, it consults its own database of old leases and
+tests each one that has not yet timed out by pinging the listed router
+for that lease to see if that lease could work.   It is possible to
+define one or more \fIfixed\fR leases in the client configuration file
+for networks where there is no DHCP or BOOTP service, so that the
+client can still automatically configure its address.   This is done
+with the
+.B lease
+statement.
+.PP
+NOTE: the lease statement is also used in the dhclient.leases file in
+order to record leases that have been received from DHCP servers.
+Some of the syntax for leases as described below is only needed in the
+dhclient.leases file.   Such syntax is documented here for
+completeness.
+.PP
+A lease statement consists of the lease keyword, followed by a left
+curly brace, followed by one or more lease declaration statements,
+followed by a right curly brace.   The following lease declarations
+are possible:
+.PP
+ \fBbootp;\fR
+.PP
+The
+.B bootp
+statement is used to indicate that the lease was acquired using the
+BOOTP protocol rather than the DHCP protocol.   It is never necessary
+to specify this in the client configuration file.   The client uses
+this syntax in its lease database file.
+.PP
+ \fBinterface\fR \fB"\fR\fIstring\fR\fB";\fR
+.PP
+The
+.B interface
+lease statement is used to indicate the interface on which the lease
+is valid.   If set, this lease will only be tried on a particular
+interface.   When the client receives a lease from a server, it always
+records the interface number on which it received that lease.
+If predefined leases are specified in the dhclient.conf file, the
+interface should also be specified, although this is not required.
+.PP
+ \fBfixed-address\fR \fIip-address\fR\fB;\fR
+.PP
+The
+.B fixed-address
+statement is used to set the ip address of a particular lease.   This
+is required for all lease statements.   The IP address must be
+specified as a dotted quad (e.g., 12.34.56.78).
+.PP
+ \fBfilename "\fR\fIstring\fR\fB";\fR
+.PP
+The
+.B filename
+statement specifies the name of the boot filename to use.   This is
+not used by the standard client configuration script, but is included
+for completeness.
+.PP
+ \fBserver-name "\fR\fIstring\fR\fB";\fR
+.PP
+The
+.B server-name
+statement specifies the name of the boot server name to use.   This is
+also not used by the standard client configuration script.
+.PP
+ \fBoption\fR \fIoption-declaration\fR\fB;\fR
+.PP
+The
+.B option
+statement is used to specify the value of an option supplied by the
+server, or, in the case of predefined leases declared in
+dhclient.conf, the value that the user wishes the client configuration
+script to use if the predefined lease is used.
+.PP
+ \fBscript "\fIscript-name\fB";\fR
+.PP
+The
+.B script
+statement is used to specify the pathname of the dhcp client
+configuration script.  This script is used by the dhcp client to set
+each interface's initial configuration prior to requesting an address,
+to test the address once it has been offered, and to set the
+interface's final configuration once a lease has been acquired.   If
+no lease is acquired, the script is used to test predefined leases, if
+any, and also called once if no valid lease can be identified.   For
+more information, see
+.B dhclient-script(8).
+.PP
+ \fBvendor option space "\fIname\fB";\fR
+.PP
+The
+.B vendor option space
+statement is used to specify which option space should be used for
+decoding the vendor-encapsulate-options option if one is received.
+The \fIdhcp-vendor-identifier\fR can be used to request a specific
+class of vendor options from the server.   See
+.B dhcp-options(5)
+for details.
+.PP
+ \fBmedium "\fImedia setup\fB";\fR
+.PP
+The
+.B medium
+statement can be used on systems where network interfaces cannot
+automatically determine the type of network to which they are
+connected.  The media setup string is a system-dependent parameter
+which is passed to the dhcp client configuration script when
+initializing the interface.  On Unix and Unix-like systems, the
+argument is passed on the ifconfig command line when configuring the
+interface.
+.PP
+The dhcp client automatically declares this parameter if it uses a
+media type (see the
+.B media
+statement) when configuring the interface in order to obtain a lease.
+This statement should be used in predefined leases only if the network
+interface requires media type configuration.
+.PP
+ \fBrenew\fR \fIdate\fB;\fR
+.PP
+ \fBrebind\fR \fIdate\fB;\fR
+.PP
+ \fBexpire\fR \fIdate\fB;\fR
+.PP
+The \fBrenew\fR statement defines the time at which the dhcp client
+should begin trying to contact its server to renew a lease that it is
+using.   The \fBrebind\fR statement defines the time at which the dhcp
+client should begin to try to contact \fIany\fR dhcp server in order
+to renew its lease.   The \fBexpire\fR statement defines the time at
+which the dhcp client must stop using a lease if it has not been able
+to contact a server in order to renew it.
+.PP
+These declarations are automatically set in leases acquired by the
+DHCP client, but must also be configured in predefined leases - a
+predefined lease whose expiry time has passed will not be used by the
+DHCP client.
+.PP
+Dates are specified as follows:
+.PP
+ \fI<weekday> <year>\fB/\fI<month>\fB/\fI<day>
+<hour>\fB:\fI<minute>\fB:\fI<second>\fR
+.PP
+The weekday is present to make it easy for a human to tell when a
+lease expires - it's specified as a number from zero to six, with zero
+being Sunday.  When declaring a predefined lease, it can always be
+specified as zero.  The year is specified with the century, so it
+should generally be four digits except for really long leases.  The
+month is specified as a number starting with 1 for January.  The day
+of the month is likewise specified starting with 1.  The hour is a
+number between 0 and 23, the minute a number between 0 and 59, and the
+second also a number between 0 and 59.
+.SH ALIAS DECLARATIONS
+ \fBalias { \fI declarations ... \fB}\fR
+.PP
+Some DHCP clients running TCP/IP roaming protocols may require that in
+addition to the lease they may acquire via DHCP, their interface also
+be configured with a predefined IP alias so that they can have a
+permanent IP address even while roaming.   The Internet Systems
+Consortium DHCP client doesn't support roaming with fixed addresses
+directly, but in order to facilitate such experimentation, the dhcp
+client can be set up to configure an IP alias using the
+.B alias
+declaration.
+.PP
+The alias declaration resembles a lease declaration, except that
+options other than the subnet-mask option are ignored by the standard
+client configuration script, and expiry times are ignored.  A typical
+alias declaration includes an interface declaration, a fixed-address
+declaration for the IP alias address, and a subnet-mask option
+declaration.   A medium statement should never be included in an alias
+declaration.
+.SH OTHER DECLARATIONS
+ \fBreject \fIcidr-ip-address\fR [\fB,\fR \fI...\fB \fIcidr-ip-address\fR ] \fB;\fR
+.PP
+The
+.B reject
+statement causes the DHCP client to reject offers from
+servers whose server identifier matches any of the specified hosts or
+subnets.  This can be used to avoid being configured by rogue or
+misconfigured dhcp servers, although it should be a last resort -
+better to track down the bad DHCP server and fix it.
+.PP
+The \fIcidr-ip-address\fR configuration type is of the
+form \fIip-address\fR[\fB/\fIprefixlen\fR], where \fIip-address\fR is a
+dotted quad IP address, and \fRprefixlen\fR is the CIDR prefix length of
+the subnet, counting the number of significant bits in the netmask starting
+from the leftmost end.  Example configuration syntax:
+.PP
+ \fIreject\fR 192.168.0.0\fB/\fR16\fB,\fR 10.0.0.5\fB;\fR
+.PP
+The above example would cause offers from any server identifier in the
+entire RFC 1918 "Class C" network 192.168.0.0/16, or the specific
+single address 10.0.0.5, to be rejected.
+.PP
+ \fBinterface "\fIname\fB" { \fIdeclarations ... \fB }
+.PP
+A client with more than one network interface may require different
+behaviour depending on which interface is being configured.   All
+timing parameters and declarations other than lease and alias
+declarations can be enclosed in an interface declaration, and those
+parameters will then be used only for the interface that matches the
+specified name.   Interfaces for which there is no interface
+declaration will use the parameters declared outside of any interface
+declaration, or the default settings.
+.PP
+.B Note well:
+ISC dhclient only maintains one list of interfaces, which is either
+determined at startup from command line arguments, or otherwise is
+autodetected.  If you supplied the list of interfaces on the command
+line, this configuration clause will add the named interface to the
+list in such a way that will cause it to be configured by DHCP.  Which
+may not be the result you had intended.  This is an undesirable side
+effect that will be addressed in a future release.
+.PP
+ \fBpseudo "\fIname\fR" "\fIreal-name\fB" { \fIdeclarations ... \fB }
+.PP
+Under some circumstances it can be useful to declare a pseudo-interface 
+and have the DHCP client acquire a configuration for that interface.
+Each interface that the DHCP client is supporting normally has a DHCP
+client state machine running on it to acquire and maintain its lease.
+A pseudo-interface is just another state machine running on the
+interface named \fIreal-name\fR, with its own lease and its own
+state.   If you use this feature, you must provide a client identifier
+for both the pseudo-interface and the actual interface, and the two
+identifiers must be different.   You must also provide a separate
+client script for the pseudo-interface to do what you want with the IP
+address.   For example:
+.PP
+.nf
+	interface "ep0" {
+		send dhcp-client-identifier "my-client-ep0";
+	}
+	pseudo "secondary" "ep0" {
+		send dhcp-client-identifier "my-client-ep0-secondary";
+		script "/etc/dhclient-secondary";
+	}
+.fi
+.PP
+The client script for the pseudo-interface should not configure the
+interface up or down - essentially, all it needs to handle are the
+states where a lease has been acquired or renewed, and the states
+where a lease has expired.   See \fBdhclient-script(8)\fR for more
+information.
+.PP
+ \fBmedia "\fImedia setup\fB"\fI [ \fB, "\fImedia setup\fB", \fI... ]\fB;\fR
+.PP
+The
+.B media
+statement defines one or more media configuration parameters which may
+be tried while attempting to acquire an IP address.   The dhcp client
+will cycle through each media setup string on the list, configuring
+the interface using that setup and attempting to boot, and then trying
+the next one.   This can be used for network interfaces which aren't
+capable of sensing the media type unaided - whichever media type
+succeeds in getting a request to the server and hearing the reply is
+probably right (no guarantees).
+.PP
+The media setup is only used for the initial phase of address
+acquisition (the DHCPDISCOVER and DHCPOFFER packets).   Once an
+address has been acquired, the dhcp client will record it in its lease
+database and will record the media type used to acquire the address.
+Whenever the client tries to renew the lease, it will use that same
+media type.   The lease must expire before the client will go back to
+cycling through media types.
+.PP
+ \fBbootp-broadcast-always;\fR
+.PP
+The
+.B bootp-broadcast-always
+statement instructs dhclient to always set the bootp broadcast flag in
+request packets, so that servers will always broadcast replies.
+This is equivalent to supplying the dhclient -B argument, and has
+the same effect as specifying 'always-broadcast' in the server's dhcpd.conf.
+This option is provided as an extension to enable dhclient to work
+on IBM s390 Linux guests.
+.PP
+.SH SAMPLE
+The following configuration file is used on a laptop running NetBSD
+1.3.   The laptop has an IP alias of 192.5.5.213, and has one
+interface, ep0 (a 3com 3C589C).   Booting intervals have been
+shortened somewhat from the default, because the client is known to
+spend most of its time on networks with little DHCP activity.   The
+laptop does roam to multiple networks.
+
+.nf
+
+timeout 60;
+retry 60;
+reboot 10;
+select-timeout 5;
+initial-interval 2;
+reject 192.33.137.209;
+
+interface "ep0" {
+    send host-name "andare.fugue.com";
+    send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
+    send dhcp-lease-time 3600;
+    supersede domain-name "fugue.com rc.vix.com home.vix.com";
+    prepend domain-name-servers 127.0.0.1;
+    request subnet-mask, broadcast-address, time-offset, routers,
+	    domain-name, domain-name-servers, host-name;
+    require subnet-mask, domain-name-servers;
+    script "CLIENTBINDIR/dhclient-script";
+    media "media 10baseT/UTP", "media 10base2/BNC";
+}
+
+alias {
+  interface "ep0";
+  fixed-address 192.5.5.213;
+  option subnet-mask 255.255.255.255;
+}
+.fi
+This is a very complicated dhclient.conf file - in general, yours
+should be much simpler.   In many cases, it's sufficient to just
+create an empty dhclient.conf file - the defaults are usually fine.
+.SH SEE ALSO
+dhcp-options(5), dhcp-eval(5), dhclient.leases(5), dhcpd(8), dhcpd.conf(5),
+RFC2132, RFC2131.
+.SH AUTHOR
+.B dhclient(8)
+was written by Ted Lemon
+under a contract with Vixie Labs.   Funding
+for this project was provided by Internet Systems Consortium.
+Information about Internet Systems Consortium can be found at
+.B http://www.isc.org.
diff --git a/dhcp-3.0.6-manpages.patch b/dhcp-3.0.6-manpages.patch
deleted file mode 100644
index 4e9d5a8..0000000
--- a/dhcp-3.0.6-manpages.patch
+++ /dev/null
@@ -1,331 +0,0 @@
-diff -up dhcp-3.0.6/dhcpctl/dhcpctl.3.manpages dhcp-3.0.6/dhcpctl/dhcpctl.3
---- dhcp-3.0.6/dhcpctl/dhcpctl.3.manpages	2004-09-24 17:08:38.000000000 -0400
-+++ dhcp-3.0.6/dhcpctl/dhcpctl.3	2007-09-26 15:22:12.000000000 -0400
-@@ -43,7 +43,7 @@
- .\"
- .\"
- .Sh SYNOPSIS
--.Fd #include <dhcpctl/dhcpctl.h>
-+.Fd #include <dhcpctl.h>
- .Ft dhcpctl_status
- .Fo dhcpctl_initialize
- .Fa void
-@@ -426,7 +426,7 @@ that most error checking has been ommitt
- #include <netinet/in.h>
- 
- #include <isc/result.h>
--#include <dhcpctl/dhcpctl.h>
-+#include <dhcpctl.h>
- 
- int main (int argc, char **argv) {
- 	dhcpctl_data_string ipaddrstring = NULL;
-diff -up dhcp-3.0.6/server/dhcpd.conf.5.manpages dhcp-3.0.6/server/dhcpd.conf.5
---- dhcp-3.0.6/server/dhcpd.conf.5.manpages	2007-05-01 16:42:56.000000000 -0400
-+++ dhcp-3.0.6/server/dhcpd.conf.5	2007-09-26 15:24:18.000000000 -0400
-@@ -531,9 +531,9 @@ primary server might look like this:
- failover peer "foo" {
-   primary;
-   address anthrax.rc.vix.com;
--  port 519;
-+  port 647;
-   peer address trantor.rc.vix.com;
--  peer port 520;
-+  peer port 847;
-   max-response-delay 60;
-   max-unacked-updates 10;
-   mclt 3600;
-@@ -592,9 +592,7 @@ statement
- .B port \fIport-number\fR\fB;\fR
- .PP
- The \fBport\fR statement declares the TCP port on which the server
--should listen for connections from its failover peer.   This statement
--may not currently be omitted, because the failover protocol does not
--yet have a reserved TCP port number.
-+should listen for connections from its failover peer.
- .RE
- .PP
- The 
-@@ -606,10 +604,8 @@ statement
- .PP
- The \fBpeer port\fR statement declares the TCP port to which the
- server should connect to reach its failover peer for failover
--messages.   This statement may not be omitted because the failover
--protocol does not yet have a reserved TCP port number.   The port
--number declared in the \fBpeer port\fR statement may be the same as
--the port number declared in the \fBport\fR statement.
-+messages. The port number declared in the \fBpeer port\fR statement
-+may be the same as the port number declared in the \fBport\fR statement.
- .RE
- .PP
- The 
-@@ -1133,7 +1129,7 @@ the zone containing PTR records - for IS
- .PP
- .nf
- key DHCP_UPDATER {
--  algorithm HMAC-MD5.SIG-ALG.REG.INT;
-+  algorithm hmac-md5;
-   secret pRP5FapFoJ95JEL06sv4PQ==;
- };
- 
-@@ -1156,7 +1152,7 @@ dhcpd.conf file:
- .PP
- .nf
- key DHCP_UPDATER {
--  algorithm HMAC-MD5.SIG-ALG.REG.INT;
-+  algorithm hmac-md5;
-   secret pRP5FapFoJ95JEL06sv4PQ==;
- };
- 
-@@ -2114,7 +2110,8 @@ statement
- The \fInext-server\fR statement is used to specify the host address of
- the server from which the initial boot file (specified in the
- \fIfilename\fR statement) is to be loaded.   \fIServer-name\fR should
--be a numeric IP address or a domain name.
-+be a numeric IP address or a domain name.  If no \fInext-server\fR statement
-+applies to a given client, the address 0.0.0.0 is used.
- .RE
- .PP
- The
-diff -up dhcp-3.0.6/common/dhcp-options.5.manpages dhcp-3.0.6/common/dhcp-options.5
---- dhcp-3.0.6/common/dhcp-options.5.manpages	2006-04-26 11:12:43.000000000 -0400
-+++ dhcp-3.0.6/common/dhcp-options.5	2007-09-26 15:22:12.000000000 -0400
-@@ -834,6 +834,24 @@ classless IP routing - it does not inclu
- classless IP routing is now the most widely deployed routing standard,
- this option is virtually useless, and is not implemented by any of the
- popular DHCP clients, for example the Microsoft DHCP client.
-+.PP
-+NOTE to Red Hat dhclient users:
-+.br
-+The RedHat dhclient-script interprets trailing 0 octets of the target
-+as indicating the subnet class of the route - so for this
-+static-routes value:
-+.br
-+        option static-routes 172.0.0.0 172.16.2.254,
-+.br
-+                             192.168.0.0 192.168.2.254;
-+.br
-+the Red Hat dhclient-script will create routes:
-+.br
-+        172/8 via 172.16.2.254 dev $interface
-+.br
-+        192.168/16 via 192.168.2.254 dev $interface
-+.br
-+which slightly increases the usefulness of the static-routes option.
- .RE
- .PP
- .nf
-diff -up dhcp-3.0.6/client/dhclient-script.8.manpages dhcp-3.0.6/client/dhclient-script.8
---- dhcp-3.0.6/client/dhclient-script.8.manpages	2005-09-28 15:17:08.000000000 -0400
-+++ dhcp-3.0.6/client/dhclient-script.8	2007-09-26 15:22:12.000000000 -0400
-@@ -47,7 +47,7 @@ customizations are needed, they should b
- exit hooks provided (see HOOKS for details).   These hooks will allow the
- user to override the default behaviour of the client in creating a
- .B /etc/resolv.conf
--file.
-+file, and to handle DHCP options not handled by default.
- .PP
- No standard client script exists for some operating systems, even though
- the actual client may work, so a pioneering user may well need to create
-@@ -91,6 +91,27 @@ present.   The
- .B ETCDIR/dhclient-exit-hooks
- script can modify the valid of exit_status to change the exit status
- of dhclient-script.
-+.PP
-+Immediately after dhclient brings an interface UP with a new IP address,
-+subnet mask, and routes, in the REBOOT/BOUND states, it will check for the
-+existence of an executable
-+.B ETCDIR/dhclient-up-hooks
-+script, and source it if found. This script can handle DHCP options in
-+the environment that are not handled by default. A per-interface.
-+.B ETCDIR/dhclient-${IF}-up-hooks
-+script will override the generic script and be sourced when interface
-+$IF has been brought up.
-+.PP
-+Immediately before dhclient brings an interface DOWN, removing its IP
-+address, subnet mask, and routes, in the STOP/RELEASE  states, it will
-+check for the existence of an executable
-+.B ETCDIR/dhclient-down-hooks
-+script, and source it if found. This script can handle DHCP options in
-+the environment that are not handled by default. A per-interface
-+.B ETCDIR/dhclient-${IF}-down-hooks
-+script will override the generic script and be sourced when interface
-+$IF is about to be brought down.
-+
- .SH OPERATION
- When dhclient needs to invoke the client configuration script, it
- defines a set of variables in the environment, and then invokes
-diff -up dhcp-3.0.6/client/dhclient.conf.5.manpages dhcp-3.0.6/client/dhclient.conf.5
---- dhcp-3.0.6/client/dhclient.conf.5.manpages	2007-05-01 16:42:55.000000000 -0400
-+++ dhcp-3.0.6/client/dhclient.conf.5	2007-09-26 15:22:12.000000000 -0400
-@@ -185,7 +185,8 @@ responding to the client send the client
- options.   Only the option names should be specified in the request
- statement - not option parameters.   By default, the DHCP server
- requests the subnet-mask, broadcast-address, time-offset, routers,
--domain-name, domain-name-servers and host-name options. 
-+domain-name, domain-name-servers, host-name, nis-domain, nis-servers,
-+and ntp-servers options.
- .PP
- In some cases, it may be desirable to send no parameter request list
- at all.   To do this, simply write the request statement but specify
-@@ -581,6 +582,18 @@ database and will record the media type 
- Whenever the client tries to renew the lease, it will use that same
- media type.   The lease must expire before the client will go back to
- cycling through media types.
-+.PP
-+ \fBbootp-broadcast-always;\fR
-+.PP
-+The
-+.B bootp-broadcast-always
-+statement instructs dhclient to always set the bootp broadcast flag in
-+request packets, so that servers will always broadcast replies.
-+This is equivalent to supplying the dhclient -B argument, and has
-+the same effect as specifying 'always-broadcast' in the server's dhcpd.conf.
-+This option is provided as a Red Hat extension to enable dhclient to work
-+on IBM zSeries z/OS Linux guests.
-+.PP
- .SH SAMPLE
- The following configuration file is used on a laptop running NetBSD
- 1.3.   The laptop has an IP alias of 192.5.5.213, and has one
-diff -up dhcp-3.0.6/client/dhclient.8.manpages dhcp-3.0.6/client/dhclient.8
---- dhcp-3.0.6/client/dhclient.8.manpages	2007-05-01 16:42:55.000000000 -0400
-+++ dhcp-3.0.6/client/dhclient.8	2007-09-26 15:22:12.000000000 -0400
-@@ -82,6 +82,28 @@ relay
- .B -w
- ]
- [
-+.B -I
-+.I dhcp-client-identifier
-+]
-+[
-+.B -H
-+.I host-name
-+.R |
-+.B -F fqdn.fqdn
-+]
-+[
-+.B -V
-+.I vendor-class-identifier
-+]
-+[
-+.B -R
-+.I request option list
-+]
-+[
-+.B -T
-+.I timeout
-+]
-+[
- .I if0
- [
- .I ...ifN
-@@ -265,6 +287,110 @@ than waiting until it has acquired an IP
- supplying the
- .B -nw
- flag.
-+.PP
-+The -I <id> argument allows you to specify the dhcp-client-identifier string,
-+<id>, to be sent to the dhcp server on the command line.  It is equivalent to
-+the top level dhclient.conf statement:
-+.br
-+ \fBsend dhcp-client-identifier "<id>";\fR
-+.br
-+The -I <id> command line option will override any top level dhclient.conf
-+ 'send dhcp-client-identifier' statement, but more specific per-interface
-+ 'interface "X" { send dhcp-client-identifier...; }' statements in dhclient.conf
-+will override the -I <id> command line option for interface "X".
-+This option is provided as a Red Hat extension to enable dhclient to work
-+on IBM zSeries z/OS Linux guests.
-+.PP
-+The -B option instructs dhclient to set the bootp broadcast flag in request
-+packets, so that servers will always broadcast replies. This is equivalent
-+to specifying the 'bootp-broadcast-always' option in dhclient.conf, and has
-+the same effect as specifying 'always-broadcast' in the server's dhcpd.conf.
-+This option is provided as a Red Hat extension to enable dhclient to work
-+on IBM zSeries z/OS Linux guests.
-+.PP
-+The -H <host-name> option allows you to specify the DHCP host-name option
-+to send to the server on the dhclient command line. It is equivalent to the
-+top level dhclient.conf statement:
-+.br
-+\f send host-name "<host-name>";\fR
-+.br
-+The -H <host-name> option  will override any top level dhclient.conf
-+ 'send host-name' statement, but more specific per-interface
-+ 'interface "X" { send host-name...;' statements in dhclient.conf
-+will override the -H <host-name> command line option for interface "X".
-+The host-name option only specifies the client's host name prefix, to which
-+the server will append the 'ddns-domainname' or 'domain-name' options, if any,
-+to derive the fully qualified domain name of the client host.
-+The -H <host-name> option cannot be used with the -F <fqdn.fqdn> option.
-+Only one -H <host-name> option may be specified.
-+The -H <host-name> option is provided as a Red Hat extension to simplify
-+configuration of clients of DHCP servers that require the host-name option
-+to be sent (eg. some modern cable modems), and for dynamic DNS updates (DDNS).
-+.PP
-+The -F <fqdn.fqdn> option allows you to specify the DHCP fqdn.fqdn option
-+to send to the server on the dhclient command line. It is equivalent to the
-+top level dhclient.conf statement:
-+.br
-+\f send fqdn.fqdn "<domain-name>";\fR
-+.br
-+The -F <fqdn.fqdn> option  will override any top level dhclient.conf
-+ 'send fqdn.fqdn' statement, but more specific per-interface
-+ 'interface "X" { send fqdn.fqdn...;' statements in dhclient.conf
-+will override the -F <fqdn.fqdn> command line option for interface "X".
-+This option cannot be used with the -H <host-name> option.
-+The DHCP fqdn.fqdn option must specify the complete domain name of the client
-+host, which the server may use for dynamic DNS updates.
-+Only one -F <fqdn.fqdn> option may be specified.
-+The -F <fqdn.fqdn> option is provided as a Red Hat extension to simplify
-+configuration of DDNS.
-+.PP
-+The -T <timeout> option allows you to specify the time after which
-+the dhclient will decide that no DHCP servers can be contacted when
-+no responses have been received. It is equivalent to the
-+.br
-+\f timeout <integer>;\fR
-+.br
-+dhclient.conf statement, and will override any such statements in dhclient.conf.
-+.br
-+This option is provided as a Red Hat extension.
-+.PP
-+The -V <vendor-class-identifier> option allows you to specify the DHCP
-+vendor-class-identifier option to send to the server on the dhclient command
-+line.  It is equivalent to the top level dhclient.conf statement:
-+.br
-+\f send vendor-class-identifier "<vendor-class-identifier>";\fR
-+.br
-+The -V <vendor-class-identifier> option  will override any top level
-+dhclient.conf
-+ 'send vendor-class-identifier' statement, but more specific per-interface
-+ 'interface "X" { send vendor-class-identifier...;' statements in dhclient.conf
-+will override the -V <vendor-class-identifier> command line option for
-+interface "X".
-+The -V <vendor-class-identifier> option is provided as a Red Hat extension to
-+simplify configuration of clients of DHCP servers that require the
-+vendor-class-identifier option to be sent.
-+.PP
-+The -R <request option list> option allows you to specify the list of options
-+the client is to request from the server on the dhclient command line.
-+The option list must be a single string, consisting of option names separated
-+by at least one comma and optional space characters. The default option list
-+is:
-+.br
-+    subnet-mask, broadcast-address, time-offset, routers,
-+.br
-+    domain-name, domain-name-servers, host-name, nis-domain,
-+.br
-+    nis-servers, ntp-servers
-+.br
-+You can specify a different list of options to request with the -R <option list>
-+argument.  This is equivalent to the dhclient.conf statement:
-+.br
-+\f    request <option list> ;\fR
-+.br
-+The -R argument is provided as a Red Hat extension to ISC dhclient to
-+facilitate requesting a list of options from the server different to the
-+default.
-+.PP
- .SH CONFIGURATION
- The syntax of the dhclient.conf(5) file is discussed separately.
- .SH OMAPI
diff --git a/dhcp-3.1.0-ldap-configuration.patch b/dhcp-3.1.0-ldap-configuration.patch
index cd674a3..137a8fc 100644
--- a/dhcp-3.1.0-ldap-configuration.patch
+++ b/dhcp-3.1.0-ldap-configuration.patch
@@ -1,6 +1,6 @@
 diff -up dhcp-3.1.0/server/mdb.c.ldap dhcp-3.1.0/server/mdb.c
 --- dhcp-3.1.0/server/mdb.c.ldap	2007-06-08 14:57:02.000000000 -0400
-+++ dhcp-3.1.0/server/mdb.c	2007-10-22 16:29:48.000000000 -0400
++++ dhcp-3.1.0/server/mdb.c	2007-11-12 15:41:15.000000000 -0500
 @@ -454,6 +454,12 @@ int find_hosts_by_haddr (struct host_dec
  {
  	struct host_decl *foo;
@@ -14,21 +14,169 @@ diff -up dhcp-3.1.0/server/mdb.c.ldap dhcp-3.1.0/server/mdb.c
  
  	h.hlen = hlen + 1;
  	h.hbuf [0] = htype;
+diff -up /dev/null dhcp-3.1.0/server/ldap_casa.c
+--- /dev/null	2007-11-12 10:55:50.854093917 -0500
++++ dhcp-3.1.0/server/ldap_casa.c	2007-11-12 15:41:15.000000000 -0500
+@@ -0,0 +1,138 @@
++/* ldap_casa.c
++   
++   CASA routines for DHCPD... */
++
++/* Copyright (c) 2004 Internet Systems Consorium, Inc. ("ISC")
++ * Copyright (c) 1995-2003 Internet Software Consortium.
++ * Copyright (c) 2006 Novell, Inc.
++
++ * All rights reserved.
++ * Redistribution and use in source and binary forms, with or without 
++ * modification, are permitted provided that the following conditions are met: 
++ * 1.Redistributions of source code must retain the above copyright notice, 
++ *   this list of conditions and the following disclaimer. 
++ * 2.Redistributions in binary form must reproduce the above copyright notice, 
++ *   this list of conditions and the following disclaimer in the documentation 
++ *   and/or other materials provided with the distribution. 
++ * 3.Neither the name of ISC, ISC DHCP, nor the names of its contributors 
++ *   may be used to endorse or promote products derived from this software 
++ *   without specific prior written permission. 
++
++ * THIS SOFTWARE IS PROVIDED BY INTERNET SYSTEMS CONSORTIUM AND CONTRIBUTORS 
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
++ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ISC OR CONTRIBUTORS BE LIABLE 
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
++ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
++ * POSSIBILITY OF SUCH DAMAGE.
++
++ * This file was written by S Kalyanasundaram <skalyanasundaram@novell.com>
++ */
++
++#if defined(LDAP_CASA_AUTH)
++#include "ldap_casa.h"
++#include "dhcpd.h"
++
++int
++load_casa (void)
++{
++       if( !(casaIDK = dlopen(MICASA_LIB,RTLD_LAZY)))
++       	  return 0;
++       p_miCASAGetCredential = (CASA_GetCredential_T) dlsym(casaIDK, "miCASAGetCredential");
++       p_miCASASetCredential = (CASA_SetCredential_T) dlsym(casaIDK, "miCASASetCredential");
++       p_miCASARemoveCredential = (CASA_RemoveCredential_T) dlsym(casaIDK, "miCASARemoveCredential");
++
++       if((p_miCASAGetCredential == NULL) ||
++         (p_miCASASetCredential == NULL) ||
++         (p_miCASARemoveCredential == NULL))
++       {
++          if(casaIDK)
++            dlclose(casaIDK);
++          casaIDK = NULL;
++          p_miCASAGetCredential = NULL;
++          p_miCASASetCredential = NULL;
++          p_miCASARemoveCredential = NULL;
++          return 0;
++       }
++       else
++          return 1;
++}
++
++static void
++release_casa(void)
++{
++   if(casaIDK)
++   {
++      dlclose(casaIDK);
++      casaIDK = NULL;
++   }
++
++   p_miCASAGetCredential = NULL;
++   p_miCASASetCredential = NULL;
++   p_miCASARemoveCredential = NULL;
++
++}
++
++int
++load_uname_pwd_from_miCASA (char **ldap_username, char **ldap_password)
++ {
++   int                     result = 0;
++   uint32_t                credentialtype = SSCS_CRED_TYPE_SERVER_F;
++   SSCS_BASIC_CREDENTIAL   credential;
++   SSCS_SECRET_ID_T        applicationSecretId;
++   char                    *tempVar = NULL;
++
++   const char applicationName[10] = "dhcp-ldap";
++
++   if ( load_casa() )
++   {
++      memset(&credential, 0, sizeof(SSCS_BASIC_CREDENTIAL));
++      memset(&applicationSecretId, 0, sizeof(SSCS_SECRET_ID_T));
++
++      applicationSecretId.len = strlen(applicationName) + 1;
++      memcpy (applicationSecretId.id, applicationName, applicationSecretId.len);
++
++      credential.unFlags = USERNAME_TYPE_CN_F;
++
++      result = p_miCASAGetCredential (0,
++                 &applicationSecretId,NULL,&credentialtype,
++                 &credential,NULL);
++
++      if(credential.unLen)
++      {
++         tempVar = dmalloc (credential.unLen + 1, MDL);
++         if (!tempVar)
++             log_fatal ("no memory for ldap_username");
++         memcpy(tempVar , credential.username, credential.unLen);
++         *ldap_username = tempVar;
++
++         tempVar = dmalloc (credential.pwordLen + 1, MDL);
++         if (!tempVar)
++             log_fatal ("no memory for ldap_password");
++         memcpy(tempVar, credential.password, credential.pwordLen);
++         *ldap_password = tempVar;
++
++#if defined (DEBUG_LDAP)
++         log_info ("Authentication credential taken from CASA");
++#endif
++
++         release_casa();
++         return 1;
++
++        }
++        else
++        {
++            release_casa();
++            return 0;
++        }
++      }
++      else
++          return 0; //casa libraries not loaded
++ }
++
++#endif /* LDAP_CASA_AUTH */
++
 diff -up dhcp-3.1.0/server/Makefile.dist.ldap dhcp-3.1.0/server/Makefile.dist
 --- dhcp-3.1.0/server/Makefile.dist.ldap	2006-07-25 09:26:00.000000000 -0400
-+++ dhcp-3.1.0/server/Makefile.dist	2007-10-22 16:29:48.000000000 -0400
-@@ -25,9 +25,9 @@
++++ dhcp-3.1.0/server/Makefile.dist	2007-11-12 15:41:15.000000000 -0500
+@@ -25,14 +25,14 @@
  CATMANPAGES = dhcpd.cat8 dhcpd.conf.cat5 dhcpd.leases.cat5
  SEDMANPAGES = dhcpd.man8 dhcpd.conf.man5 dhcpd.leases.man5
  SRCS   = dhcpd.c dhcp.c bootp.c confpars.c db.c class.c failover.c \
 -	 omapi.c mdb.c stables.c salloc.c ddns.c dhcpleasequery.c
-+	 omapi.c mdb.c stables.c salloc.c ddns.c dhcpleasequery.c ldap.c
++	 omapi.c mdb.c stables.c salloc.c ddns.c dhcpleasequery.c ldap.c ldap_casa.c
  OBJS   = dhcpd.o dhcp.o bootp.o confpars.o db.o class.o failover.o \
 -	 omapi.o mdb.o stables.o salloc.o ddns.o dhcpleasequery.o
-+	 omapi.o mdb.o stables.o salloc.o ddns.o dhcpleasequery.o ldap.o
++	 omapi.o mdb.o stables.o salloc.o ddns.o dhcpleasequery.o ldap.o ldap_casa.o
  PROG   = dhcpd
  MAN    = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5
  
+ INCLUDES = -I$(TOP) $(BINDINC) -I$(TOP)/includes
+-DHCPLIB = ../common/libdhcp.a $(BINDLIB) ../omapip/libomapi.a ../dst/libdst.a
++DHCPLIB = ../common/libdhcp.a $(BINDLIB) ../omapip/libomapi.a ../dst/libdst-nomd5.a
+ CFLAGS = $(DEBUG) $(PREDEFINES) $(INCLUDES) $(COPTS)
+ 
+ all:	$(PROG) $(CATMANPAGES)
 @@ -106,6 +106,6 @@ dhcpd.leases.man5:	dhcpd.leases.5
  		-e "s#RUNDIR#$(VARRUN)#g" < dhcpd.leases.5 >dhcpd.leases.man5
  
@@ -39,27 +187,32 @@ diff -up dhcp-3.1.0/server/Makefile.dist.ldap dhcp-3.1.0/server/Makefile.dist
  # Dependencies (semi-automatically-generated)
 diff -up dhcp-3.1.0/server/dhcpd.c.ldap dhcp-3.1.0/server/dhcpd.c
 --- dhcp-3.1.0/server/dhcpd.c.ldap	2007-05-29 13:49:44.000000000 -0400
-+++ dhcp-3.1.0/server/dhcpd.c	2007-10-22 16:29:48.000000000 -0400
-@@ -440,6 +440,9 @@ int main (argc, argv, envp)
++++ dhcp-3.1.0/server/dhcpd.c	2007-11-12 15:41:15.000000000 -0500
+@@ -440,6 +440,14 @@ int main (argc, argv, envp)
  	/* Add the ddns update style enumeration prior to parsing. */
  	add_enumeration (&ddns_styles);
  	add_enumeration (&syslog_enum);
 +#if defined (LDAP_CONFIGURATION)
 +	add_enumeration (&ldap_methods);
++#if defined (USE_SSL)
++	add_enumeration (&ldap_ssl_usage_enum);
++	add_enumeration (&ldap_tls_reqcert_enum);
++	add_enumeration (&ldap_tls_crlcheck_enum);
++#endif
 +#endif
  
  	if (!group_allocate (&root_group, MDL))
  		log_fatal ("Can't allocate root group!");
 diff -up /dev/null dhcp-3.1.0/server/ldap.c
---- /dev/null	2007-10-22 10:27:59.854008585 -0400
-+++ dhcp-3.1.0/server/ldap.c	2007-10-22 16:29:48.000000000 -0400
-@@ -0,0 +1,1142 @@
+--- /dev/null	2007-11-12 10:55:50.854093917 -0500
++++ dhcp-3.1.0/server/ldap.c	2007-11-12 17:31:46.000000000 -0500
+@@ -0,0 +1,2003 @@
 +/* ldap.c
 +
 +   Routines for reading the configuration from LDAP */
 +
 +/*
-+ * Copyright (c) 1996-2001 Ntelos, Inc.
++ * Copyright (c) 2003-2006 Ntelos, Inc.
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
@@ -89,81 +242,116 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 + * SUCH DAMAGE.
 + *
-+ * This LDAP module was written by Brian Masney <masneyb@ntelos.net>. It's
++ * This LDAP module was written by Brian Masney <masneyb@ntelos.net>. Its
 + * development was sponsored by Ntelos, Inc. (www.ntelos.com).
 + */
 +
 +#include "dhcpd.h"
++#include <signal.h>
 +
 +#if defined(LDAP_CONFIGURATION)
 +
++#if defined(LDAP_CASA_AUTH)
++#include "ldap_casa.h"
++#endif
++
 +static LDAP * ld = NULL;
 +static char *ldap_server = NULL, 
 +            *ldap_username = NULL, 
 +            *ldap_password = NULL,
-+            *ldap_base_dn = NULL;
-+static int ldap_method = LDAP_METHOD_DYNAMIC,
-+           disable_ldap = 0;
++            *ldap_base_dn = NULL,
++            *ldap_dhcp_server_cn = NULL,
++            *ldap_debug_file = NULL;
++static int ldap_port = LDAP_PORT,
++           ldap_method = LDAP_METHOD_DYNAMIC,
++           ldap_referrals = -1,
++           ldap_debug_fd = -1;
++#if defined (USE_SSL)
++static int ldap_use_ssl = -1,        /* try TLS if possible */
++           ldap_tls_reqcert = -1,
++           ldap_tls_crlcheck = -1;
++static char *ldap_tls_ca_file = NULL,
++            *ldap_tls_ca_dir = NULL,
++            *ldap_tls_cert = NULL,
++            *ldap_tls_key = NULL,
++            *ldap_tls_ciphers = NULL,
++            *ldap_tls_randfile = NULL;
++#endif
 +static struct ldap_config_stack *ldap_stack = NULL;
 +
++typedef struct ldap_dn_node {
++    struct ldap_dn_node *next;
++    size_t refs;
++    char *dn;
++} ldap_dn_node;
++
++static ldap_dn_node *ldap_service_dn_head = NULL;
++static ldap_dn_node *ldap_service_dn_tail = NULL;
++
++
++static char *
++x_strncat(char *dst, const char *src, size_t dst_size)
++{
++  size_t len = strlen(dst);
++  return strncat(dst, src, dst_size > len ? dst_size - len - 1: 0);
++}
 +
 +static void
 +ldap_parse_class (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  struct berval **temp;
++  struct berval **tempbv;
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
-+      temp[0]->bv_val == NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
++      tempbv[0] == NULL)
 +    {
-+      if (temp != NULL)
-+        ldap_value_free_len (temp);
++      if (tempbv != NULL)
++        ldap_value_free_len (tempbv);
 +
 +      return;
 +    }
 +
-+  strncat (cfile->inbuf, "class \"", LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, temp[0]->bv_val, LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, "\" {\n", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "class \"", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "\" {\n", LDAP_BUFFER_SIZE);
 +
 +  item->close_brace = 1;
-+  ldap_value_free_len (temp);
++  ldap_value_free_len (tempbv);
 +}
 +
 +
 +static void
 +ldap_parse_subclass (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  struct berval **temp, **classdata;
++  struct berval **tempbv, **classdata;
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
-+      temp[0]->bv_val == NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
++      tempbv[0] == NULL)
 +    {
-+      if (temp != NULL)
-+        ldap_value_free_len (temp);
++      if (tempbv != NULL)
++        ldap_value_free_len (tempbv);
 +
 +      return;
 +    }
 +
-+
 +  if ((classdata = ldap_get_values_len (ld, item->ldent, 
 +                                  "dhcpClassData")) == NULL || 
-+      classdata[0]->bv_val == NULL)
++      classdata[0] == NULL)
 +    {
 +      if (classdata != NULL)
 +        ldap_value_free_len (classdata);
-+      ldap_value_free_len (temp);
++      ldap_value_free_len (tempbv);
 +
 +      return;
 +    }
 +
-+  strncat (cfile->inbuf, "subclass ", LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, (*classdata)->bv_val, LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, (*temp)->bv_val, LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "subclass ", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, classdata[0]->bv_val, LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
 +
 +  item->close_brace = 1;
-+  ldap_value_free_len (temp);
++  ldap_value_free_len (tempbv);
 +  ldap_value_free_len (classdata);
 +}
 +
@@ -171,62 +359,55 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +static void
 +ldap_parse_host (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  struct berval **temp, **hwaddr;
-+
++  struct berval **tempbv, **hwaddr;
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
-+      temp[0]->bv_val == NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
++      tempbv[0] == NULL)
 +    {
-+      if (temp != NULL)
-+        ldap_value_free_len (temp);
++      if (tempbv != NULL)
++        ldap_value_free_len (tempbv);
 +
 +      return;
 +    }
 +
-+  if ((hwaddr = ldap_get_values_len (ld, item->ldent, 
-+                                 "dhcpHWAddress")) == NULL || 
-+      hwaddr[0]->bv_val == NULL)
-+    {
-+      if (hwaddr != NULL)
-+        ldap_value_free_len (hwaddr);
-+      ldap_value_free_len (temp);
++  hwaddr = ldap_get_values_len (ld, item->ldent, "dhcpHWAddress");
 +
-+      return;
-+    }
++  x_strncat (cfile->inbuf, "host ", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
 +
-+  strncat (cfile->inbuf, "host ", LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, (*temp)->bv_val, LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, " {\nhardware ", LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, (*hwaddr)->bv_val, LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++  if (hwaddr != NULL && hwaddr[0] != NULL)
++    {
++      x_strncat (cfile->inbuf, " {\nhardware ", LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, hwaddr[0]->bv_val, LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++      ldap_value_free_len (hwaddr);
++    }
 +
 +  item->close_brace = 1;
-+  ldap_value_free_len (temp);
-+  ldap_value_free_len (hwaddr);
++  ldap_value_free_len (tempbv);
 +}
 +
 +
 +static void
 +ldap_parse_shared_network (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  struct berval **temp;
++  struct berval **tempbv;
 +
-+
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
-+      temp[0]->bv_val == NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
++      tempbv[0] == NULL)
 +    {
-+      if (temp != NULL)
-+        ldap_value_free_len (temp);
++      if (tempbv != NULL)
++        ldap_value_free_len (tempbv);
 +
 +      return;
 +    }
 +
-+  strncat (cfile->inbuf, "shared-network ", LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, (*temp)->bv_val, LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "shared-network \"", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "\" {\n", LDAP_BUFFER_SIZE);
 +
 +  item->close_brace = 1;
-+  ldap_value_free_len (temp);
++  ldap_value_free_len (tempbv);
 +}
 +
 +
@@ -248,55 +429,55 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +                                      (int) nm & 0xff);
 +}
 +
++
 +static void
 +ldap_parse_subnet (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  struct berval **temp, **netmask;
++  struct berval **tempbv, **netmaskstr;
 +  char netmaskbuf[16];
 +  int i;
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
-+      temp[0]->bv_val == NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
++      tempbv[0] == NULL)
 +    {
-+      if (temp != NULL)
-+        ldap_value_free_len (temp);
++      if (tempbv != NULL)
++        ldap_value_free_len (tempbv);
 +
 +      return;
 +    }
 +
-+  if ((netmask = ldap_get_values_len (ld, item->ldent, 
++  if ((netmaskstr = ldap_get_values_len (ld, item->ldent, 
 +                                     "dhcpNetmask")) == NULL || 
-+      netmask[0]->bv_val == NULL)
++      netmaskstr[0] == NULL)
 +    {
-+      if (netmask != NULL)
-+        ldap_value_free_len (netmask);
-+      ldap_value_free_len (temp);
++      if (netmaskstr != NULL)
++        ldap_value_free_len (netmaskstr);
++      ldap_value_free_len (tempbv);
 +
 +      return;
 +    }
 +
-+  strncat (cfile->inbuf, "subnet ", LDAP_BUFFER_SIZE);
-+  strncat (cfile->inbuf, temp[0]->bv_val, LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "subnet ", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
 +
-+  strncat (cfile->inbuf, " netmask ", LDAP_BUFFER_SIZE);
-+  parse_netmask (strtol (netmask[0]->bv_val, NULL, 10), netmaskbuf);
-+  strncat (cfile->inbuf, netmaskbuf, LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, " netmask ", LDAP_BUFFER_SIZE);
++  parse_netmask (strtol (netmaskstr[0]->bv_val, NULL, 10), netmaskbuf);
++  x_strncat (cfile->inbuf, netmaskbuf, LDAP_BUFFER_SIZE);
 +
-+  strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
 +
-+  ldap_value_free_len (temp);
-+  ldap_value_free_len (netmask);
++  ldap_value_free_len (tempbv);
++  ldap_value_free_len (netmaskstr);
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
 +    {
-+      strncat (cfile->inbuf, "range", LDAP_BUFFER_SIZE);
-+      for (i=0; temp[i] != NULL && temp[i]->bv_val != NULL; i++)
++      for (i=0; tempbv[i] != NULL; i++)
 +        {
-+          strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
-+          strncat (cfile->inbuf, temp[i]->bv_val, LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, "range", LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, tempbv[i]->bv_val, LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
 +        }
-+      strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
-+      ldap_value_free_len (temp);
 +    }
 +
 +  item->close_brace = 1;
@@ -306,31 +487,31 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +static void
 +ldap_parse_pool (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  struct berval **temp;
++  struct berval **tempbv;
 +  int i;
 +
-+  strncat (cfile->inbuf, "pool {\n", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "pool {\n", LDAP_BUFFER_SIZE);
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
 +    {
-+      strncat (cfile->inbuf, "range", LDAP_BUFFER_SIZE);
-+      for (i=0; temp[i] != NULL && temp[i]->bv_val != NULL; i++)
++      x_strncat (cfile->inbuf, "range", LDAP_BUFFER_SIZE);
++      for (i=0; tempbv[i] != NULL; i++)
 +        {
-+          strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
-+          strncat (cfile->inbuf, temp[i]->bv_val, LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, " ", LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, tempbv[i]->bv_val, LDAP_BUFFER_SIZE);
 +        }
-+      strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
-+      ldap_value_free_len (temp);
++      x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++      ldap_value_free_len (tempbv);
 +    }
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "dhcpPermitList")) != NULL)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpPermitList")) != NULL)
 +    {
-+      for (i=0; temp[i] != NULL && temp[i]->bv_val != NULL; i++)
++      for (i=0; tempbv[i] != NULL; i++)
 +        {
-+          strncat (cfile->inbuf, temp[i]->bv_val, LDAP_BUFFER_SIZE);
-+          strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, tempbv[i]->bv_val, LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
 +        }
-+      ldap_value_free_len (temp);
++      ldap_value_free_len (tempbv);
 +    }
 +
 +  item->close_brace = 1;
@@ -340,229 +521,312 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +static void
 +ldap_parse_group (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  strncat (cfile->inbuf, "group {\n", LDAP_BUFFER_SIZE);
++  x_strncat (cfile->inbuf, "group {\n", LDAP_BUFFER_SIZE);
 +  item->close_brace = 1;
 +}
 +
 +
 +static void
-+parse_external_dns (LDAPMessage * ent)
++ldap_parse_key (struct ldap_config_stack *item, struct parse *cfile)
 +{
-+  char *search[] = {"dhcpOptionsDN", "dhcpSharedNetworkDN", "dhcpSubnetDN",
-+                    "dhcpGroupDN", "dhcpHostDN", "dhcpClassesDN", 
-+                    "dhcpPoolDN", NULL};
-+  LDAPMessage * newres, * newent;
-+  struct ldap_config_stack *ns;
-+  struct berval **temp;
-+  int i, ret;
++  struct berval **tempbv;
 +
-+  for (i=0; search[i] != NULL; i++)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) != NULL)
 +    {
-+      if ((ldap_method == LDAP_METHOD_DYNAMIC) &&
-+          (strcmp (search[i], "dhcpHostDN") == 0))
-+        continue;
++      x_strncat (cfile->inbuf, "key ", LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
++      ldap_value_free_len (tempbv);
++    }
 +
-+      if ((temp = ldap_get_values_len (ld, ent, search[i])) == NULL)
-+        continue;
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeyAlgorithm")) != NULL)
++    {
++      x_strncat (cfile->inbuf, "algorithm ", LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++      ldap_value_free_len (tempbv);
++    }
 +
-+      if ((ret = ldap_search_ext_s (ld, temp[0]->bv_val, LDAP_SCOPE_BASE, 
-+                                    "objectClass=*", NULL, 0, 
-+                                    NULL, NULL, NULL, 0,
-+                                    &newres)) != LDAP_SUCCESS)
-+        {
-+          ldap_value_free_len (temp);
-+          ldap_unbind_ext (ld, NULL, NULL);
-+          ld = NULL;
-+          return;
-+        }
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeySecret")) != NULL)
++    {
++      x_strncat (cfile->inbuf, "secret ", LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++      ldap_value_free_len (tempbv);
++    }
 +
-+      ldap_value_free_len (temp);
++  item->close_brace = 1;
++}
 +
-+      newent = ldap_first_entry (ld, newres);
-+      if (newent == NULL)
-+        {
-+          ldap_msgfree (newres);
-+          continue;
-+        }
 +
-+#if defined(DEBUG_LDAP)
-+      log_info ("Adding LDAP entry '%s' as child", ldap_get_dn (ld, newent));
-+#endif
++static void
++ldap_parse_zone (struct ldap_config_stack *item, struct parse *cfile)
++{
++  char *cnFindStart, *cnFindEnd;
++  struct berval **tempbv;
++  char *keyCn;
++  size_t len;
 +
-+      ns = dmalloc (sizeof (*ns), MDL);
-+      ns->res = newres;
-+      ns->ldent = newent;
-+      ns->close_brace = 0;
-+      ns->processed = 0;
-+      ns->children = NULL;
-+      ns->next = ldap_stack->children;
-+      ldap_stack->children = ns;
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) != NULL)
++    {
++      x_strncat (cfile->inbuf, "zone ", LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, " {\n", LDAP_BUFFER_SIZE);
++      ldap_value_free_len (tempbv);
 +    }
-+}
 +
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpDnsZoneServer")) != NULL)
++    {
++      x_strncat (cfile->inbuf, "primary ", LDAP_BUFFER_SIZE);
++      x_strncat (cfile->inbuf, tempbv[0]->bv_val, LDAP_BUFFER_SIZE);
 +
-+static void
-+ldap_generate_config_string (struct ldap_config_stack *item, struct parse *cfile)
-+{
-+  struct berval **objectClass, **temp;
-+  int i, j, ignore, found;
++      x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++      ldap_value_free_len (tempbv);
++    }
 +
-+  if ((objectClass = ldap_get_values_len (ld, item->ldent, 
-+                                      "objectClass")) == NULL)
-+    return;
-+    
-+  ignore = 0;
-+  found = 1;
-+  for (i=0; objectClass[i] != NULL && objectClass[i]->bv_val != NULL; i++)
-+    {
-+      if (strcmp (objectClass[i]->bv_val, "dhcpSharedNetwork") == 0)
-+        ldap_parse_shared_network (item, cfile);
-+      else if (strcmp (objectClass[i]->bv_val, "dhcpClass") == 0)
-+        ldap_parse_class (item, cfile);
-+      else if (strcmp (objectClass[i]->bv_val, "dhcpSubnet") == 0)
-+        ldap_parse_subnet (item, cfile);
-+      else if (strcmp (objectClass[i]->bv_val, "dhcpPool") == 0)
-+        ldap_parse_pool (item, cfile);
-+      else if (strcmp (objectClass[i]->bv_val, "dhcpGroup") == 0)
-+        ldap_parse_group (item, cfile);
-+      else if (strcmp (objectClass[i]->bv_val, "dhcpHost") == 0)
-+        {
-+          if (ldap_method == LDAP_METHOD_STATIC)
-+            ldap_parse_host (item, cfile);
-+          else
-+            {
-+              ignore = 1;
-+              break;
-+            }
-+        }
-+      else if (strcmp (objectClass[i]->bv_val, "dhcpSubClass") == 0)
++  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeyDN")) != NULL)
++    {
++      cnFindStart = strchr(tempbv[0]->bv_val,'=');
++      if (cnFindStart != NULL)
++        cnFindEnd = strchr(++cnFindStart,',');
++      else
++        cnFindEnd = NULL;
++
++      if (cnFindEnd != NULL && cnFindEnd > cnFindStart)
 +        {
-+          if (ldap_method == LDAP_METHOD_STATIC)
-+            ldap_parse_subclass (item, cfile);
-+          else
-+            {
-+              ignore = 1;
-+              break;
-+            }
++          len = cnFindEnd - cnFindStart;
++          keyCn = dmalloc (len + 1, MDL);
 +        }
 +      else
-+        found = 0;
-+
-+      if (found && cfile->inbuf[0] == '\0')
 +        {
-+          ignore = 1;
-+          break;
++          len = 0;
++          keyCn = NULL;
 +        }
-+    }
 +
-+  ldap_value_free_len (objectClass);
++      if (keyCn != NULL)
++        {
++          strncpy (keyCn, cnFindStart, len);
++          keyCn[len] = '\0';
 +
-+  if (ignore)
-+    return;
++          x_strncat (cfile->inbuf, "key ", LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, keyCn, LDAP_BUFFER_SIZE);
++          x_strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "dhcpOption")) != NULL)
-+    {
-+      for (j=0; temp[j] != NULL && temp[j]->bv_val != NULL; j++)
-+        {
-+          strncat (cfile->inbuf, "option ", LDAP_BUFFER_SIZE);
-+          strncat (cfile->inbuf, temp[j]->bv_val, LDAP_BUFFER_SIZE);
-+          strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
++          dfree (keyCn, MDL);
 +        }
-+      ldap_value_free_len (temp);
-+    }
 +
-+  if ((temp = ldap_get_values_len (ld, item->ldent, "dhcpStatements")) != NULL)
-+    {
-+      for (j=0; temp[j] != NULL && temp[j]->bv_val != NULL; j++)
-+        {
-+          strncat (cfile->inbuf, temp[j]->bv_val, LDAP_BUFFER_SIZE);
-+          strncat (cfile->inbuf, ";\n", LDAP_BUFFER_SIZE);
-+        }
-+      ldap_value_free_len (temp);
-+    }
++      ldap_value_free_len (tempbv);
++     }
 +
-+  parse_external_dns (item->ldent);
++  item->close_brace = 1;
 +}
 +
 +
 +static void
-+free_stack_entry (struct ldap_config_stack *item)
++add_to_config_stack (LDAPMessage * res, LDAPMessage * ent)
 +{
-+  ldap_msgfree (item->res);
-+  dfree (item, MDL);
++  struct ldap_config_stack *ns;
++
++  ns = dmalloc (sizeof (*ns), MDL);
++  ns->res = res;
++  ns->ldent = ent;
++  ns->close_brace = 0;
++  ns->processed = 0;
++  ns->next = ldap_stack;
++  ldap_stack = ns;
 +}
 +
 +
 +static void
-+next_ldap_entry (struct parse *cfile)
++ldap_stop()
 +{
-+  struct ldap_config_stack *temp_stack;
++  struct sigaction old, new;
++
++  if (ld == NULL)
++    return;
++
++  /*
++   ** ldap_unbind after a LDAP_SERVER_DOWN result
++   ** causes a SIGPIPE and dhcpd gets terminated,
++   ** since it doesn't handle it...
++   */
++
++  new.sa_flags   = 0;
++  new.sa_handler = SIG_IGN;
++  sigemptyset (&new.sa_mask);
++  sigaction (SIGPIPE, &new, &old);
++
++  ldap_unbind_ext_s (ld, NULL, NULL);
++  ld = NULL;
++
++  sigaction (SIGPIPE, &old, &new);
++}
++
++
++static char *
++_do_lookup_dhcp_string_option (struct option_state *options, int option_name)
++{
++  struct option_cache *oc;
++  struct data_string db;
++  char *ret;
++
++  memset (&db, 0, sizeof (db));
++  oc = lookup_option (&server_universe, options, option_name);
++  if (oc &&
++      evaluate_option_cache (&db, (struct packet*) NULL,
++                             (struct lease *) NULL,
++                             (struct client_state *) NULL, options,
++                             (struct option_state *) NULL,
++                             &global_scope, oc, MDL) &&
++      db.data != NULL && *db.data != '\0')
 +
-+  if (ldap_stack->processed && ldap_stack->children != NULL)
 +    {
-+      temp_stack = ldap_stack->children;
-+      if (temp_stack->close_brace)
-+        strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
++      ret = dmalloc (db.len + 1, MDL);
++      if (ret == NULL)
++        log_fatal ("no memory for ldap option %d value", option_name);
 +
-+      ldap_stack->children = ldap_stack->children->next;
-+      free_stack_entry (temp_stack);
++      memcpy (ret, db.data, db.len);
++      ret[db.len] = 0;
++      data_string_forget (&db, MDL);
++    }
++  else
++    ret = NULL;
 +
-+      if (ldap_stack->processed && ldap_stack->children != NULL)
-+        return;
++  return (ret);
++}
++
++
++static int
++_do_lookup_dhcp_int_option (struct option_state *options, int option_name)
++{
++  struct option_cache *oc;
++  struct data_string db;
++  int ret;
++
++  memset (&db, 0, sizeof (db));
++  oc = lookup_option (&server_universe, options, option_name);
++  if (oc &&
++      evaluate_option_cache (&db, (struct packet*) NULL,
++                             (struct lease *) NULL,
++                             (struct client_state *) NULL, options,
++                             (struct option_state *) NULL,
++                             &global_scope, oc, MDL) &&
++      db.data != NULL && *db.data != '\0')
++    {
++      ret = strtol ((const char *) db.data, NULL, 10);
++      data_string_forget (&db, MDL);
 +    }
++  else
++    ret = 0;
++
++  return (ret);
++}
 +
-+  if (ldap_stack->close_brace)
++
++static int
++_do_lookup_dhcp_enum_option (struct option_state *options, int option_name)
++{
++  struct option_cache *oc;
++  struct data_string db;
++  int ret = -1;
++
++  memset (&db, 0, sizeof (db));
++  oc = lookup_option (&server_universe, options, option_name);
++  if (oc &&
++      evaluate_option_cache (&db, (struct packet*) NULL,
++                             (struct lease *) NULL,
++                             (struct client_state *) NULL, options,
++                             (struct option_state *) NULL,
++                             &global_scope, oc, MDL) &&
++      db.data != NULL && *db.data != '\0')
 +    {
-+      strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
-+      ldap_stack->close_brace = 0;
++      if (db.len == 1) 
++        ret = db.data [0];
++      else
++        log_fatal ("invalid option name %d", option_name);
++
++      data_string_forget (&db, MDL);
++    }
++  else
++    ret = 0;
++
++  return (ret);
++}
++
++int
++ldap_rebind_cb (LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *parms)
++{
++  int ret;
++  LDAPURLDesc *ldapurl = NULL;
++  char *who = NULL;
++  struct berval creds;
++
++  log_info("LDAP rebind to '%s'", url);
++  if ((ret = ldap_url_parse(url, &ldapurl)) != LDAP_SUCCESS)
++    {
++      log_error ("Error: Can not parse ldap rebind url '%s': %s",
++                 url, ldap_err2string(ret));
++      return ret;
 +    }
 +
-+  while (ldap_stack != NULL && ldap_stack->children == NULL &&
-+         (ldap_stack->ldent = ldap_next_entry (ld, ldap_stack->ldent)) == NULL)
++
++#if defined (USE_SSL)
++  if (strcasecmp(ldapurl->lud_scheme, "ldaps") == 0)
 +    {
-+      if (ldap_stack->close_brace)
++      int opt = LDAP_OPT_X_TLS_HARD;
++      if ((ret = ldap_set_option (ld, LDAP_OPT_X_TLS, &opt)) != LDAP_SUCCESS)
 +        {
-+          strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
-+          ldap_stack->close_brace = 0;
++          log_error ("Error: Cannot init LDAPS session to %s:%d: %s",
++                    ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
++          return ret;
++        }
++      else
++        {
++          log_info ("LDAPS session successfully enabled to %s", ldap_server);
 +        }
-+
-+      temp_stack = ldap_stack;
-+      ldap_stack = ldap_stack->next;
-+      free_stack_entry (temp_stack);
 +    }
-+
-+  if (ldap_stack != NULL && ldap_stack->children == NULL &&
-+      ldap_stack->close_brace)
++  else
++  if (strcasecmp(ldapurl->lud_scheme, "ldap") == 0 &&
++      ldap_use_ssl != LDAP_SSL_OFF)
 +    {
-+      strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
-+      ldap_stack->close_brace = 0;
++      if ((ret = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
++        {
++          log_error ("Error: Cannot start TLS session to %s:%d: %s",
++                     ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
++          return ret;
++        }
++      else
++        {
++          log_info ("TLS session successfully started to %s:%d",
++                    ldapurl->lud_host, ldapurl->lud_port);
++        }
 +    }
-+}
++#endif
 +
 +
-+static void
-+add_to_config_stack (LDAPMessage * res, LDAPMessage * ent)
-+{
-+  struct ldap_config_stack *ns;
++  if (ldap_username != NULL || *ldap_username != '\0')
++    {
++      who = ldap_username;
++      creds.bv_val = strdup(ldap_password);
++      creds.bv_len = strlen(ldap_password);
++    }
 +
-+  ns = dmalloc (sizeof (*ns), MDL);
-+  ns->res = res;
-+  ns->ldent = ent;
-+  ns->close_brace = 0;
-+  ns->processed = 0;
-+  ns->children = NULL;
-+  ns->next = ldap_stack;
-+  ldap_stack = ns;
++  if ((ret = ldap_sasl_bind_s (ld, who, LDAP_SASL_SIMPLE, &creds,
++                               NULL, NULL, NULL)) != LDAP_SUCCESS)
++    {
++      log_error ("Error: Cannot login into ldap server %s:%d: %s",
++                 ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
++    }
++  return ret;
 +}
 +
-+
 +static void
 +ldap_start (void)
 +{
 +  struct option_state *options;
-+  struct option_cache *oc;
-+  struct data_string db;
-+  int ret;
++  int ret, version;
++  char *uri = NULL;
++  struct berval creds;
 +
 +  if (ld != NULL)
 +    return;
@@ -577,130 +841,255 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +                 (struct client_state *) NULL, (struct option_state *) NULL,
 +                 options, &global_scope, root_group, (struct group *) NULL);
 +
-+      memset (&db, 0, sizeof (db));
-+      oc = lookup_option (&server_universe, options, SV_LDAP_SERVER);
-+      if (oc &&
-+          evaluate_option_cache (&db,  (struct packet*) NULL,
-+                (struct lease *) NULL, (struct client_state *) NULL,
-+                options, (struct option_state *) NULL, &global_scope, oc, MDL))
-+        {
-+          ldap_server = dmalloc (db.len + 1, MDL);
-+          if (!ldap_server)
-+            log_fatal ("no memory for ldap server");
-+          memcpy (ldap_server, db.data, db.len);
-+          ldap_server[db.len] = 0;
-+          data_string_forget (&db, MDL);
-+        }
-+
-+      oc = lookup_option (&server_universe, options, SV_LDAP_USERNAME);
-+      if (oc &&
-+          evaluate_option_cache (&db,  (struct packet*) NULL,
-+                (struct lease *) NULL, (struct client_state *) NULL,
-+                options, (struct option_state *) NULL, &global_scope, oc, MDL))
-+        {
-+          ldap_username = dmalloc (db.len + 1, MDL);
-+          if (!ldap_username)
-+            log_fatal ("no memory for ldap username");
-+          memcpy (ldap_username, db.data, db.len);
-+          ldap_username[db.len] = 0;
-+          data_string_forget (&db, MDL);
-+        }
-+
-+      oc = lookup_option (&server_universe, options, SV_LDAP_PASSWORD);
-+      if (oc &&
-+          evaluate_option_cache (&db,  (struct packet*) NULL,
-+                (struct lease *) NULL, (struct client_state *) NULL,
-+                options, (struct option_state *) NULL, &global_scope, oc, MDL))
++      ldap_server = _do_lookup_dhcp_string_option (options, SV_LDAP_SERVER);
++      ldap_dhcp_server_cn = _do_lookup_dhcp_string_option (options,
++                                                      SV_LDAP_DHCP_SERVER_CN);
++      ldap_port = _do_lookup_dhcp_int_option (options, SV_LDAP_PORT);
++      ldap_base_dn = _do_lookup_dhcp_string_option (options, SV_LDAP_BASE_DN);
++      ldap_method = _do_lookup_dhcp_enum_option (options, SV_LDAP_METHOD);
++      ldap_debug_file = _do_lookup_dhcp_string_option (options,
++                                                       SV_LDAP_DEBUG_FILE);
++      ldap_referrals = _do_lookup_dhcp_enum_option (options, SV_LDAP_REFERRALS);
++
++#if defined (USE_SSL)
++      ldap_use_ssl = _do_lookup_dhcp_enum_option (options, SV_LDAP_SSL);
++      if( ldap_use_ssl != LDAP_SSL_OFF)
 +        {
-+          ldap_password = dmalloc (db.len + 1, MDL);
-+          if (!ldap_password)
-+            log_fatal ("no memory for ldap password");
-+          memcpy (ldap_password, db.data, db.len);
-+          ldap_password[db.len] = 0;
-+          data_string_forget (&db, MDL);
++          ldap_tls_reqcert = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_REQCERT);
++          ldap_tls_ca_file = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CA_FILE);
++          ldap_tls_ca_dir = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CA_DIR);
++          ldap_tls_cert = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CERT);
++          ldap_tls_key = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_KEY);
++          ldap_tls_crlcheck = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_CRLCHECK);
++          ldap_tls_ciphers = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CIPHERS);
++          ldap_tls_randfile = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_RANDFILE);
 +        }
++#endif
 +
-+      oc = lookup_option (&server_universe, options, SV_LDAP_BASE_DN);
-+      if (oc &&
-+          evaluate_option_cache (&db,  (struct packet*) NULL,
-+                (struct lease *) NULL, (struct client_state *) NULL,
-+                options, (struct option_state *) NULL, &global_scope, oc, MDL))
++#if defined (LDAP_CASA_AUTH)
++      if (!load_uname_pwd_from_miCASA(&ldap_username,&ldap_password))
 +        {
-+          ldap_base_dn = dmalloc (db.len + 1, MDL);
-+          if (!ldap_base_dn)
-+            log_fatal ("no memory for ldap password");
-+          memcpy (ldap_base_dn, db.data, db.len);
-+          ldap_base_dn[db.len] = 0;
-+          data_string_forget (&db, MDL);
-+        }
++#if defined (DEBUG_LDAP)
++          log_info ("Authentication credential taken from file");
++#endif
++#endif
 +
-+      oc = lookup_option (&server_universe, options, SV_LDAP_METHOD);
-+      if (oc &&
-+          evaluate_option_cache (&db,  (struct packet*) NULL,
-+                (struct lease *) NULL, (struct client_state *) NULL,
-+                options, (struct option_state *) NULL, &global_scope, oc, MDL))
-+        {
++      ldap_username = _do_lookup_dhcp_string_option (options, SV_LDAP_USERNAME);
++      ldap_password = _do_lookup_dhcp_string_option (options, SV_LDAP_PASSWORD);
 +
-+          if (db.len == 1) 
-+            ldap_method = db.data [0];
-+          else
-+            log_fatal ("invalid dns update type");
-+          data_string_forget (&db, MDL);
-+        }
++#if defined (LDAP_CASA_AUTH)
++      }
++#endif
 +
 +      option_state_dereference (&options, MDL);
 +    }
 +
-+  if (ldap_server == NULL || ldap_username == NULL || ldap_password == NULL ||
-+      ldap_base_dn == NULL)
++  if (ldap_server == NULL || ldap_base_dn == NULL)
 +    {
-+      log_info ("Not searching LDAP since ldap-server, ldap-username, ldap-password and ldap-base-dn were not specified in the config file");
-+      disable_ldap = 1;
++      log_info ("Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file");
++      ldap_method = LDAP_METHOD_STATIC;
 +      return;
 +    }
 +
++  if (ldap_debug_file != NULL && ldap_debug_fd == -1)
++    {
++      if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY,
++                                 S_IRUSR | S_IWUSR)) < 0)
++        log_error ("Error opening debug LDAP log file %s: %s", ldap_debug_file,
++                   strerror (errno));
++    }
++
 +#if defined (DEBUG_LDAP)
-+  log_info ("Connecting to LDAP server ldap://%s", ldap_server);
++  log_info ("Connecting to LDAP server %s:%d", ldap_server, ldap_port);
 +#endif
 +
-+  char *tmpserver = NULL;
-+  if ((tmpserver = malloc(strlen(ldap_server) + 8)) == NULL)
++#if defined (USE_SSL)
++  if (ldap_use_ssl == -1)
 +    {
-+      log_error ("Cannot init tmpldapserver string to ldap://%s", ldap_server);
-+      disable_ldap = 1;
-+      return;
++      /*
++      ** There was no "ldap-ssl" option in dhcpd.conf (also not "off").
++      ** Let's try, if we can use an anonymous TLS session without to
++      ** verify the server certificate -- if not continue without TLS.
++      */
++      int opt = LDAP_OPT_X_TLS_ALLOW;
++      if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
++                                  &opt)) != LDAP_SUCCESS)
++        {
++          log_error ("Warning: Cannot set LDAP TLS require cert option to 'allow': %s",
++                     ldap_err2string (ret));
++        }
++    }
++
++  if (ldap_use_ssl != LDAP_SSL_OFF)
++    {
++      if (ldap_tls_reqcert != -1)
++        {
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
++                                      &ldap_tls_reqcert)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS require cert option: %s",
++                         ldap_err2string (ret));
++            }
++        }
++
++      if( ldap_tls_ca_file != NULL)
++        {
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
++                                      ldap_tls_ca_file)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS CA certificate file %s: %s",
++                         ldap_tls_ca_file, ldap_err2string (ret));
++            }
++        }
++      if( ldap_tls_ca_dir != NULL)
++        {
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
++                                      ldap_tls_ca_dir)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS CA certificate dir %s: %s",
++                         ldap_tls_ca_dir, ldap_err2string (ret));
++            }
++        }
++      if( ldap_tls_cert != NULL)
++        {
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
++                                      ldap_tls_cert)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS client certificate file %s: %s",
++                         ldap_tls_cert, ldap_err2string (ret));
++            }
++        }
++      if( ldap_tls_key != NULL)
++        {
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
++                                      ldap_tls_key)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS certificate key file %s: %s",
++                         ldap_tls_key, ldap_err2string (ret));
++            }
++        }
++      if( ldap_tls_crlcheck != -1)
++        {
++          int opt = ldap_tls_crlcheck;
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CRLCHECK,
++                                      &opt)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS crl check option: %s",
++                         ldap_err2string (ret));
++            }
++        }
++      if( ldap_tls_ciphers != NULL)
++        {
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
++                                      ldap_tls_ciphers)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS cipher suite %s: %s",
++                         ldap_tls_ciphers, ldap_err2string (ret));
++            }
++        }
++      if( ldap_tls_randfile != NULL)
++        {
++          if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
++                                      ldap_tls_randfile)) != LDAP_SUCCESS)
++            {
++              log_error ("Cannot set LDAP TLS random file %s: %s",
++                         ldap_tls_randfile, ldap_err2string (ret));
++            }
++        }
 +    }
++#endif
 +
-+  if (sprintf(tmpserver, "ldap://%s", ldap_server) == -1)
++  /* enough for 'ldap://+ + hostname + ':' + port number */
++  uri = malloc(strlen(ldap_server) + 16);
++  if (uri == NULL)
 +    {
-+      log_error ("Cannot init tmpldapserver via sprintf()");
-+      disable_ldap = 1;
++      log_error ("Cannot build ldap init URI %s:%d", ldap_server, ldap_port);
 +      return;
 +    }
 +
-+  ldap_initialize (&ld, tmpserver);
++  sprintf("ldap://%s:%d", ldap_server, ldap_port);
++  ldap_initialize(&ld, uri);
++
 +  if (ld == NULL)
 +    {
-+      log_error ("Cannot init ldap session to %s", ldap_server);
-+      disable_ldap = 1;
++      log_error ("Cannot init ldap session to %s:%d", ldap_server, ldap_port);
 +      return;
 +    }
 +
-+  free (tmpserver);
++  free(uri);
 +
-+  struct berval cred;
-+  cred.bv_val = strdup(ldap_password);
-+  cred.bv_len = strlen(ldap_password);
-+  ret = ldap_sasl_bind_s (ld, ldap_username, LDAP_SASL_SIMPLE,
-+                          &cred, NULL,NULL, NULL);
-+  if (ret != LDAP_SUCCESS)
++  version = LDAP_VERSION3;
++  if ((ret = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_OPT_SUCCESS)
 +    {
-+      log_error ("Error: Cannot log into ldap server %s: %s", ldap_server,
++      log_error ("Cannot set LDAP version to %d: %s", version,
 +                 ldap_err2string (ret));
-+      disable_ldap = 1;
-+      ldap_unbind_ext (ld, NULL, NULL);
-+      ld = NULL;
-+      return;
++    }
++
++  if (ldap_referrals != -1)
++    {
++      if ((ret = ldap_set_option (ld, LDAP_OPT_REFERRALS, ldap_referrals ?
++                                  LDAP_OPT_ON : LDAP_OPT_OFF)) != LDAP_OPT_SUCCESS)
++        {
++          log_error ("Cannot %s LDAP referrals option: %s",
++                     (ldap_referrals ? "enable" : "disable"),
++                     ldap_err2string (ret));
++        }
++    }
++
++  if ((ret = ldap_set_rebind_proc(ld, ldap_rebind_cb, NULL)) != LDAP_SUCCESS)
++    {
++      log_error ("Warning: Cannot set ldap rebind procedure: %s",
++                 ldap_err2string (ret));
++    }
++
++#if defined (USE_SSL)
++  if (ldap_use_ssl == LDAP_SSL_LDAPS ||
++     (ldap_use_ssl == LDAP_SSL_ON && ldap_port == LDAPS_PORT))
++    {
++      int opt = LDAP_OPT_X_TLS_HARD;
++      if ((ret = ldap_set_option (ld, LDAP_OPT_X_TLS, &opt)) != LDAP_SUCCESS)
++        {
++          log_error ("Error: Cannot init LDAPS session to %s:%d: %s",
++                    ldap_server, ldap_port, ldap_err2string (ret));
++          ldap_stop();
++          return;
++        }
++      else
++        {
++          log_info ("LDAPS session successfully enabled to %s:%d",
++                    ldap_server, ldap_port);
++        }
++    }
++  else if (ldap_use_ssl != LDAP_SSL_OFF)
++    {
++      if ((ret = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
++        {
++          log_error ("Error: Cannot start TLS session to %s:%d: %s",
++                     ldap_server, ldap_port, ldap_err2string (ret));
++          ldap_stop();
++          return;
++        }
++      else
++        {
++          log_info ("TLS session successfully started to %s:%d",
++                    ldap_server, ldap_port);
++        }
++    }
++#endif
++
++  if (ldap_username != NULL && *ldap_username != '\0')
++    {
++      creds.bv_val = strdup(ldap_password);
++      creds.bv_len = strlen(ldap_password);
++
++      if ((ret == ldap_sasl_bind_s (ld, ldap_username, LDAP_SASL_SIMPLE,
++                                    &creds, NULL, NULL, NULL)) != LDAP_SUCCESS)
++        {
++          log_error ("Error: Cannot login into ldap server %s:%d: %s",
++                     ldap_server, ldap_port, ldap_err2string (ret));
++          ldap_stop();
++          return;
++        }
 +    }
 +
 +#if defined (DEBUG_LDAP)
@@ -709,93 +1098,403 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +}
 +
 +
-+static int
-+ldap_read_function (struct parse *cfile)
++static void
++parse_external_dns (LDAPMessage * ent)
 +{
-+  char *dn, eofstring[2] = {EOF, '\0'};
-+  struct ldap_config_stack *curentry;
-+  LDAPMessage * ent, * res;
-+  int ret;
-+ 
-+  cfile->inbuf[0] = '\0';
-+  cfile->buflen = 0;
-+  while (1)
++  char *search[] = {"dhcpOptionsDN", "dhcpSharedNetworkDN", "dhcpSubnetDN",
++                    "dhcpGroupDN", "dhcpHostDN", "dhcpClassesDN",
++                    "dhcpPoolDN", NULL};
++  LDAPMessage * newres, * newent;
++  struct berval **tempbv;
++  int i, j, ret;
++#if defined (DEBUG_LDAP)
++  char *dn;
++
++  dn = ldap_get_dn (ld, ent);
++  if (dn != NULL)
++    {
++      log_info ("Parsing external DNs for '%s'", dn);
++      ldap_memfree (dn);
++    }
++#endif
++
++  if (ld == NULL)
++    ldap_start ();
++  if (ld == NULL)
++    return;
++
++  for (i=0; search[i] != NULL; i++)
++    {
++      if ((tempbv = ldap_get_values_len (ld, ent, search[i])) == NULL)
++        continue;
++
++      for (j=0; tempbv[j] != NULL; j++)
++        {
++          if (*tempbv[j]->bv_val == '\0')
++            continue;
++
++          if ((ret = ldap_search_ext_s(ld, tempbv[j]->bv_val, LDAP_SCOPE_BASE,
++                                       "objectClass=*", NULL, 0, NULL,
++                                       NULL, NULL, 0, &newres)) != LDAP_SUCCESS)
++            {
++              ldap_value_free_len (tempbv);
++              ldap_stop();
++              return;
++            }
++    
++#if defined (DEBUG_LDAP)
++          log_info ("Adding contents of subtree '%s' to config stack from '%s' reference", tempbv[j], search[i]);
++#endif
++          for (newent = ldap_first_entry (ld, newres);
++               newent != NULL;
++               newent = ldap_next_entry (ld, newent))
++            {
++#if defined (DEBUG_LDAP)
++              dn = ldap_get_dn (ld, newent);
++              if (dn != NULL)
++                {
++                  log_info ("Adding LDAP result set starting with '%s' to config stack", dn);
++                  ldap_memfree (dn);
++                }
++#endif
++
++              add_to_config_stack (newres, newent);
++              /* don't free newres here */
++            }
++        }
++
++      ldap_value_free_len (tempbv);
++    }
++}
++
++
++static void
++free_stack_entry (struct ldap_config_stack *item)
++{
++  struct ldap_config_stack *look_ahead_pointer = item;
++  int may_free_msg = 1;
++
++  while (look_ahead_pointer->next != NULL)
++    {
++      look_ahead_pointer = look_ahead_pointer->next;
++      if (look_ahead_pointer->res == item->res)
++        {
++          may_free_msg = 0;
++          break;
++        }
++    }
++
++  if (may_free_msg) 
++    ldap_msgfree (item->res);
++
++  dfree (item, MDL);
++}
++
++
++static void
++next_ldap_entry (struct parse *cfile)
++{
++  struct ldap_config_stack *temp_stack;
++
++  if (ldap_stack != NULL && ldap_stack->close_brace)
 +    {
-+      if (ldap_stack == NULL)
++      x_strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
++      ldap_stack->close_brace = 0;
++    }
++
++  while (ldap_stack != NULL && 
++         (ldap_stack->ldent == NULL ||
++          (ldap_stack->ldent = ldap_next_entry (ld, ldap_stack->ldent)) == NULL))
++    {
++      if (ldap_stack->close_brace)
 +        {
-+          strncat (cfile->inbuf, eofstring, LDAP_BUFFER_SIZE);
-+          cfile->buflen = strlen (cfile->inbuf);
-+          cfile->bufix = 1;
-+          return (cfile->inbuf[0]);
++          x_strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
++          ldap_stack->close_brace = 0;
 +        }
 +
-+      if (ldap_stack->processed && ldap_stack->children != NULL)
-+        curentry = ldap_stack->children;
++      temp_stack = ldap_stack;
++      ldap_stack = ldap_stack->next;
++      free_stack_entry (temp_stack);
++    }
++
++  if (ldap_stack != NULL && ldap_stack->close_brace)
++    {
++      x_strncat (cfile->inbuf, "}\n", LDAP_BUFFER_SIZE);
++      ldap_stack->close_brace = 0;
++    }
++}
++
++
++static char
++check_statement_end (const char *statement)
++{
++  char *ptr;
++
++  if (statement == NULL || *statement == '\0')
++    return ('\0');
++
++  /*
++  ** check if it ends with "}", e.g.:
++  **   "zone my.domain. { ... }"
++  ** optionally followed by spaces
++  */
++  ptr = strrchr (statement, '}');
++  if (ptr != NULL)
++    {
++      /* skip following white-spaces */
++      for (++ptr; isspace ((int)*ptr); ptr++);
++
++      /* check if we reached the end */
++      if (*ptr == '\0')
++        return ('}'); /* yes, block end */
 +      else
-+        curentry = ldap_stack;
++        return (*ptr);
++    }
 +
-+      dn = ldap_get_dn (ld, curentry->ldent);
-+#if defined(DEBUG_LDAP)
-+      log_info ("Found LDAP entry '%s'", dn);
-+#endif
++  /*
++  ** this should not happen, but...
++  ** check if it ends with ";", e.g.:
++  **   "authoritative;"
++  ** optionally followed by spaces
++  */
++  ptr = strrchr (statement, ';');
++  if (ptr != NULL)
++    {
++      /* skip following white-spaces */
++      for (++ptr; isspace ((int)*ptr); ptr++);
++
++      /* check if we reached the end */
++      if (*ptr == '\0')
++        return (';'); /* ends with a ; */
++      else
++        return (*ptr);
++    }
 +
-+      ldap_generate_config_string (curentry, cfile);
-+      if (strlen (cfile->inbuf) == 0)
++  return ('\0');
++}
++
++
++static isc_result_t
++ldap_parse_entry_options (LDAPMessage *ent, char *buffer, size_t size,
++                          int *lease_limit)
++{
++  struct berval **tempbv;
++  int i;
++
++  if (ent == NULL || buffer == NULL || size == 0)
++    return (ISC_R_FAILURE);
++
++  if ((tempbv = ldap_get_values_len (ld, ent, "dhcpStatements")) != NULL)
++    {
++      for (i=0; tempbv[i] != NULL; i++)
 +        {
-+#if defined(DEBUG_LDAP)
-+          log_info ("Skipping LDAP entry '%s'", dn);
-+#endif
-+          ldap_memfree (dn);
-+          dn = NULL;
-+          next_ldap_entry (cfile);
-+          continue;
++          if (lease_limit != NULL &&
++              strncasecmp ("lease limit ", tempbv[i]->bv_val, 12) == 0)
++            {
++              *lease_limit = (int) strtol ((tempbv[i]->bv_val) + 12, NULL, 10);
++              continue;
++            }
++
++          x_strncat (buffer, tempbv[i]->bv_val, size);
++
++          switch((int) check_statement_end (tempbv[i]->bv_val))
++            {
++              case '}':
++              case ';':
++                x_strncat (buffer, "\n", size);
++                break;
++              default:
++                x_strncat (buffer, ";\n", size);
++                break;
++            }
 +        }
++      ldap_value_free_len (tempbv);
++    }
 +
-+      curentry->processed = 1;
-+      break;
++  if ((tempbv = ldap_get_values_len (ld, ent, "dhcpOption")) != NULL)
++    {
++      for (i=0; tempbv[i] != NULL; i++)
++        {
++          x_strncat (buffer, "option ", size);
++          x_strncat (buffer, tempbv[i]->bv_val, size);
++          switch ((int) check_statement_end (tempbv[i]->bv_val))
++            {
++              case ';':
++                x_strncat (buffer, "\n", size);
++                break;
++              default:
++                x_strncat (buffer, ";\n", size);
++                break;
++            }
++        }
++      ldap_value_free_len (tempbv);
 +    }
 +
++  return (ISC_R_SUCCESS);
++}
++
++
++static void
++ldap_generate_config_string (struct parse *cfile)
++{
++  struct berval **objectClass;
++  char *dn;
++  struct ldap_config_stack *entry;
++  LDAPMessage * ent, * res;
++  int i, ignore, found;
++  int ret;
++
 +  if (ld == NULL)
 +    ldap_start ();
-+
 +  if (ld == NULL)
++    return;
++
++  entry = ldap_stack;
++  if ((objectClass = ldap_get_values_len (ld, entry->ldent, 
++                                      "objectClass")) == NULL)
++    return;
++    
++  ignore = 0;
++  found = 1;
++  for (i=0; objectClass[i] != NULL; i++)
++    {
++      if (strcasecmp (objectClass[i]->bv_val, "dhcpSharedNetwork") == 0)
++        ldap_parse_shared_network (entry, cfile);
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpClass") == 0)
++        ldap_parse_class (entry, cfile);
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpSubnet") == 0)
++        ldap_parse_subnet (entry, cfile);
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpPool") == 0)
++        ldap_parse_pool (entry, cfile);
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpGroup") == 0)
++        ldap_parse_group (entry, cfile);
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpTSigKey") == 0)
++        ldap_parse_key (entry, cfile);
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpDnsZone") == 0)
++        ldap_parse_zone (entry, cfile);
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpHost") == 0)
++        {
++          if (ldap_method == LDAP_METHOD_STATIC)
++            ldap_parse_host (entry, cfile);
++          else
++            {
++              ignore = 1;
++              break;
++            }
++        }
++      else if (strcasecmp (objectClass[i]->bv_val, "dhcpSubClass") == 0)
++        {
++          if (ldap_method == LDAP_METHOD_STATIC)
++            ldap_parse_subclass (entry, cfile);
++          else
++            {
++              ignore = 1;
++              break;
++            }
++        }
++      else
++        found = 0;
++
++      if (found && cfile->inbuf[0] == '\0')
++        {
++          ignore = 1;
++          break;
++        }
++    }
++
++  ldap_value_free_len (objectClass);
++
++  if (ignore)
 +    {
-+      strncat (cfile->inbuf, eofstring, LDAP_BUFFER_SIZE);
-+      cfile->buflen = strlen (cfile->inbuf);
-+      cfile->bufix = 1;
-+      return (cfile->inbuf[0]);
++      next_ldap_entry (cfile);
++      return;
 +    }
 +
-+  if ((ret = ldap_search_ext_s (ld, dn, LDAP_SCOPE_ONELEVEL, "objectClass=*", 
-+                                NULL, 0, NULL, NULL, NULL, 0,
-+                                &res)) != LDAP_SUCCESS)
++  ldap_parse_entry_options(entry->ldent, cfile->inbuf,
++                           LDAP_BUFFER_SIZE-1, NULL);
++
++  dn = ldap_get_dn (ld, entry->ldent);
++
++#if defined(DEBUG_LDAP)
++  if (dn != NULL)
++    log_info ("Found LDAP entry '%s'", dn);
++#endif
++
++  if (dn == NULL ||
++      (ret = ldap_search_ext_s (ld, dn, LDAP_SCOPE_ONELEVEL,
++                                "objectClass=*", NULL, 0, NULL, NULL,
++                                NULL, 0, &res)) != LDAP_SUCCESS)
 +    {
-+      ldap_unbind_ext (ld, NULL, NULL);
-+      ld = NULL;
++      if (dn)
++        ldap_memfree (dn);
 +
-+      strncat (cfile->inbuf, eofstring, LDAP_BUFFER_SIZE);
-+      cfile->buflen = strlen (cfile->inbuf);
-+      cfile->bufix = 1;
-+      return (cfile->inbuf[0]);
++      ldap_stop();
++      return;
 +    }
 +
 +  ldap_memfree (dn);
 +
-+  ent = ldap_first_entry (ld, res);
-+  if (ent != NULL)
-+    add_to_config_stack (res, ent);
++  if ((ent = ldap_first_entry (ld, res)) != NULL)
++    {
++      add_to_config_stack (res, ent);
++      parse_external_dns (entry->ldent);
++    }
 +  else
 +    {
 +      ldap_msgfree (res);
++      parse_external_dns (entry->ldent);
 +      next_ldap_entry (cfile);
 +    }
++}
++
++
++static void
++ldap_close_debug_fd()
++{
++  if (ldap_debug_fd != -1)
++    {
++      close (ldap_debug_fd);
++      ldap_debug_fd = -1;
++    }
++}
++
++
++static void
++ldap_write_debug (const void *buff, size_t size)
++{
++  if (ldap_debug_fd != -1)
++    {
++      if (write (ldap_debug_fd, buff, size) < 0)
++        {
++          log_error ("Error writing to LDAP debug file %s: %s."
++                     " Disabling log file.", ldap_debug_file,
++                     strerror (errno));
++          ldap_close_debug_fd();
++        }
++    }
++}
++
++static int
++ldap_read_function (struct parse *cfile)
++{
++  cfile->inbuf[0] = '\0';
++  cfile->buflen = 0;
++ 
++  while (ldap_stack != NULL && *cfile->inbuf == '\0')
++    ldap_generate_config_string (cfile);
++
++  if (ldap_stack == NULL && *cfile->inbuf == '\0')
++    return (EOF);
++
++  cfile->bufix = 1;
++  cfile->buflen = strlen (cfile->inbuf);
++  if (cfile->buflen > 0)
++    ldap_write_debug (cfile->inbuf, cfile->buflen);
 +
 +#if defined (DEBUG_LDAP)
 +  log_info ("Sending config line '%s'", cfile->inbuf);
 +#endif
 +
-+  cfile->buflen = strlen (cfile->inbuf);
-+  cfile->bufix = 1;
 +  return (cfile->inbuf[0]);
 +}
 +
@@ -813,8 +1512,12 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +        ldap_value_free_len (name);
 +
 +#if defined (DEBUG_LDAP)
-+      log_info ("Cannot get cn attribute for LDAP entry %s",
-+                ldap_get_dn (ld, ent));
++      ret = ldap_get_dn (ld, ent);
++      if (ret != NULL)
++        {
++          log_info ("Cannot get cn attribute for LDAP entry %s", ret);
++          ldap_memfree(ret);
++        }
 +#endif
 +      return (NULL);
 +    }
@@ -827,100 +1530,260 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +}
 +
 +
++static int
++getfqhostname(char *fqhost, size_t size)
++{
++#if defined(MAXHOSTNAMELEN)
++  char   hname[MAXHOSTNAMELEN];
++#else
++  char   hname[65];
++#endif
++  struct hostent *hp;
++
++  if(NULL == fqhost || 1 >= size)
++    return -1;
++
++  memset(hname, 0, sizeof(hname));
++  if( gethostname(hname, sizeof(hname)-1))
++    return -1;
++
++  if(NULL == (hp = gethostbyname(hname)))
++    return -1;
++
++  strncpy(fqhost, hp->h_name, size-1);
++  fqhost[size-1] = '\0';
++  return 0;
++}
++
++
 +isc_result_t
 +ldap_read_config (void)
 +{
-+  struct berval **temp;
-+  char *buffer, dn[256];
-+  LDAPMessage * ldres, * ent;
++  LDAPMessage * ldres, * hostres, * ent, * hostent;
++  char hfilter[1024], sfilter[1024], fqdn[257];
++  char *buffer, *hostdn;
++  ldap_dn_node *curr = NULL;
 +  struct parse *cfile;
 +  struct utsname unme;
 +  isc_result_t res;
-+  int ret;
++  size_t length;
++  int ret, cnt;
++  struct berval **tempbv = NULL;
 +
++  if (ld == NULL)
++    ldap_start ();
++  if (ld == NULL)
++    return (ldap_server == NULL ? ISC_R_SUCCESS : ISC_R_FAILURE);
++ 
++  buffer = dmalloc (LDAP_BUFFER_SIZE+1, MDL);
++  if (buffer == NULL)
++    return (ISC_R_FAILURE);
 +
-+  buffer = dmalloc (LDAP_BUFFER_SIZE, MDL);
 +  cfile = (struct parse *) NULL;
 +  res = new_parse (&cfile, -1, buffer, LDAP_BUFFER_SIZE, "LDAP", 0);
 +  if (res != ISC_R_SUCCESS)
 +    return (res);
-+
-+  cfile->bufix = cfile->buflen = 0;
-+  cfile->read_function = ldap_read_function;
-+
-+  if (ld == NULL)
-+    ldap_start ();
-+  if (ld == NULL)
-+    return (ldap_server == NULL ? ISC_R_SUCCESS : ISC_R_FAILURE);
-+  
++ 
 +  uname (&unme);
-+  snprintf (dn, sizeof (dn), "(&(objectClass=dhcpServer)(cn=%s))", 
-+            unme.nodename);
++  if (ldap_dhcp_server_cn != NULL)
++    {
++     snprintf (hfilter, sizeof (hfilter),
++                "(&(objectClass=dhcpServer)(cn=%s))", ldap_dhcp_server_cn);
++    }
++  else
++  {
++  if(0 == getfqhostname(fqdn, sizeof(fqdn)))
++    {
++      snprintf (hfilter, sizeof (hfilter),
++                "(&(objectClass=dhcpServer)(|(cn=%s)(cn=%s)))", 
++                unme.nodename, fqdn);
++    }
++  else
++    {
++      snprintf (hfilter, sizeof (hfilter),
++                "(&(objectClass=dhcpServer)(cn=%s))", unme.nodename);
++    }
 +
-+  if ((ret = ldap_search_ext_s (ld, ldap_base_dn, LDAP_SCOPE_SUBTREE, dn, NULL, 
-+                               0, NULL, NULL, NULL, 0, &ldres)) != LDAP_SUCCESS)
++  }
++  hostres = NULL;
++  if ((ret = ldap_search_ext_s (ld, ldap_base_dn, LDAP_SCOPE_SUBTREE,
++                                hfilter, NULL, 0, NULL, NULL, NULL, 0,
++                                &hostres)) != LDAP_SUCCESS)
 +    {
-+      ldap_unbind_ext (ld, NULL, NULL);
-+      ld = NULL;
-+      log_error ("Cannot search LDAP for %s: %s", dn, ldap_err2string (ret));
++      log_error ("Cannot find host LDAP entry %s %s",
++		 ((ldap_dhcp_server_cn == NULL)?(unme.nodename):(ldap_dhcp_server_cn)), hfilter);
++      if(NULL != hostres)
++        ldap_msgfree (hostres);
++      ldap_stop();
 +      return (ISC_R_FAILURE);
 +    }
 +
-+  if ((ent = ldap_first_entry (ld, ldres)) == NULL)
++  if ((hostent = ldap_first_entry (ld, hostres)) == NULL)
 +    {
-+      ldap_unbind_ext (ld, NULL, NULL);
-+      ld = NULL;
-+      log_error ("Error: Cannot find LDAP entry matching %s", dn);
++      log_error ("Error: Cannot find LDAP entry matching %s", hfilter);
++      ldap_msgfree (hostres);
++      ldap_stop();
 +      return (ISC_R_FAILURE);
 +    }
 +
++  hostdn = ldap_get_dn (ld, hostent);
 +#if defined(DEBUG_LDAP)
-+  buffer = ldap_get_dn (ld, ent);
-+  log_info ("Found LDAP entry '%s'", buffer);
-+  ldap_memfree (buffer);
++  if (hostdn != NULL)
++    log_info ("Found dhcpServer LDAP entry '%s'", hostdn);
 +#endif
 +
-+  if ((temp = ldap_get_values_len (ld, ent, "dhcpServiceDN")) == NULL ||
-+      temp[0]->bv_val == NULL)
++  if (hostdn == NULL ||
++      (tempbv = ldap_get_values_len (ld, hostent, "dhcpServiceDN")) == NULL ||
++      tempbv[0] == NULL)
 +    {
-+      if (temp != NULL)
-+        ldap_value_free_len (temp);
++      log_error ("Error: Cannot find LDAP entry matching %s", hfilter);
++
++      if (tempbv != NULL)
++        ldap_value_free_len (tempbv);
 +
-+      ldap_unbind_ext (ld, NULL, NULL);
-+      ld = NULL;
-+      log_error ("Error: Cannot find LDAP entry matching %s", dn);
++      if (hostdn)
++        ldap_memfree (hostdn);
++      ldap_msgfree (hostres);
++      ldap_stop();
 +      return (ISC_R_FAILURE);
 +    }
 +
-+  ldap_msgfree (ldres);
++#if defined(DEBUG_LDAP)
++  log_info ("LDAP: Parsing dhcpServer options '%s' ...", hostdn);
++#endif
 +
-+  if ((ret = ldap_search_ext_s (ld, temp[0]->bv_val, LDAP_SCOPE_BASE, 
-+                                "objectClass=*", NULL, 0,
-+                                NULL, NULL, NULL, 0, &ldres)) != LDAP_SUCCESS)
++  cfile->inbuf[0] = '\0';
++  ldap_parse_entry_options(hostent, cfile->inbuf, LDAP_BUFFER_SIZE, NULL);
++  cfile->buflen = strlen (cfile->inbuf);
++  if(cfile->buflen > 0)
 +    {
-+      ldap_value_free_len (temp);
-+      ldap_unbind_ext (ld, NULL, NULL);
-+      ld = NULL;
-+      log_error ("Cannot search LDAP for %s: %s", temp[0]->bv_val, 
-+                 ldap_err2string (ret));
-+      return (ISC_R_FAILURE);
++      ldap_write_debug (cfile->inbuf, cfile->buflen);
++
++      res = conf_file_subparse (cfile, root_group, ROOT_GROUP);
++      if (res != ISC_R_SUCCESS)
++        {
++          log_error ("LDAP: cannot parse dhcpServer entry '%s'", hostdn);
++          ldap_memfree (hostdn);
++          ldap_stop();
++          return res;
++        }
++      cfile->inbuf[0] = '\0';
 +    }
++  ldap_msgfree (hostres);
++
++  /*
++  ** attach ldap (tree) read function now
++  */
++  cfile->bufix = cfile->buflen = 0;
++  cfile->read_function = ldap_read_function;
 +
-+  if ((ent = ldap_first_entry (ld, ldres)) == NULL)
++  res = ISC_R_SUCCESS;
++  for (cnt=0; tempbv[cnt] != NULL; cnt++)
 +    {
-+      ldap_value_free_len (temp);
-+      ldap_unbind_ext (ld, NULL, NULL);
-+      ld = NULL;
-+      log_error ("Error: Cannot find LDAP entry matching %s", temp[0]->bv_val);
-+      return (ISC_R_FAILURE);
-+    }
++      snprintf(sfilter, sizeof(sfilter), "(&(objectClass=dhcpService)"
++                        "(|(dhcpPrimaryDN=%s)(dhcpSecondaryDN=%s)))",
++                        hostdn, hostdn);
++      ldres = NULL;
++      if ((ret = ldap_search_ext_s (ld, tempbv[cnt]->bv_val, LDAP_SCOPE_BASE,
++                                    sfilter, NULL, 0, NULL, NULL, NULL,
++                                    0, &ldres)) != LDAP_SUCCESS)
++        {
++          log_error ("Error searching for dhcpServiceDN '%s': %s. Please update the LDAP entry '%s'",
++                     tempbv[cnt]->bv_val, ldap_err2string (ret), hostdn);
++          if(NULL != ldres)
++            ldap_msgfree(ldres);
++          res = ISC_R_FAILURE;
++          break;
++        }
++
++      if ((ent = ldap_first_entry (ld, ldres)) == NULL)
++        {
++          log_error ("Error: Cannot find dhcpService DN '%s' with primary or secondary server reference. Please update the LDAP server entry '%s'",
++                     tempbv[cnt]->bv_val, hostdn);
++
++          ldap_msgfree(ldres);
++          res = ISC_R_FAILURE;
++          break;
++        }
++
++      /*
++      ** FIXME: how to free the remembered dn's on exit?
++      **        This should be OK if dmalloc registers the
++      **        memory it allocated and frees it on exit..
++      */
++
++      curr = dmalloc (sizeof (*curr), MDL);
++      if (curr != NULL)
++        {
++          length = strlen (tempbv[cnt]->bv_val);
++          curr->dn = dmalloc (length + 1, MDL);
++          if (curr->dn == NULL)
++            {
++              dfree (curr, MDL);
++              curr = NULL;
++            }
++          else
++            strcpy (curr->dn, tempbv[cnt]->bv_val);
++        }
++
++      if (curr != NULL)
++        {
++          curr->refs++;
++
++          /* append to service-dn list */
++          if (ldap_service_dn_tail != NULL)
++            ldap_service_dn_tail->next = curr;
++          else
++            ldap_service_dn_head = curr;
 +
-+  ldap_value_free_len (temp);
++          ldap_service_dn_tail = curr;
++        }
++      else
++        log_fatal ("no memory to remember ldap service dn");
 +
-+  add_to_config_stack (ldres, ent);
++#if defined (DEBUG_LDAP)
++      log_info ("LDAP: Parsing dhcpService DN '%s' ...", tempbv[cnt]);
++#endif
++      add_to_config_stack (ldres, ent);
++      res = conf_file_subparse (cfile, root_group, ROOT_GROUP);
++      if (res != ISC_R_SUCCESS)
++        {
++          log_error ("LDAP: cannot parse dhcpService entry '%s'", tempbv[cnt]->bv_val);
++          break;
++        }
++    }
 +
-+  res = conf_file_subparse (cfile, root_group, ROOT_GROUP);
 +  end_parse (&cfile);
++  ldap_close_debug_fd();
++
++  ldap_memfree (hostdn);
++  ldap_value_free_len (tempbv);
++
++  if (res != ISC_R_SUCCESS)
++    {
++      struct ldap_config_stack *temp_stack;
++
++      while ((curr = ldap_service_dn_head) != NULL)
++        {
++          ldap_service_dn_head = curr->next;
++          dfree (curr->dn, MDL);
++          dfree (curr, MDL);
++        }
++
++      ldap_service_dn_tail = NULL;
++
++      while ((temp_stack = ldap_stack) != NULL)
++        {
++          ldap_stack = temp_stack->next;
++          free_stack_entry (temp_stack);
++        }
++
++      ldap_stop();
++    }
++
++  /* Unbind from ldap immediately after reading config in static mode. */
++  if (ldap_method == LDAP_METHOD_STATIC)
++    ldap_stop();
 +
 +  return (res);
 +}
@@ -937,9 +1800,8 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +                         int type, struct host_decl *host,
 +                         struct class **class)
 +{
-+  struct berval **temp;
++  int declaration, lease_limit;
 +  char option_buffer[8192];
-+  int i, declaration, lease_limit;
 +  enum dhcp_token token;
 +  struct parse *cfile;
 +  isc_result_t res;
@@ -947,33 +1809,70 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +
 +  lease_limit = 0;
 +  *option_buffer = '\0';
-+  if ((temp = ldap_get_values_len (ld, ent, "dhcpStatements")) != NULL)
++ 
++ /* This block of code will try to find the parent of the host, and
++    if it is a group object, fetch the options and apply to the host. */
++  if (type == HOST_DECL) 
 +    {
-+      for (i=0; temp[i] != NULL && temp[i]->bv_val != NULL; i++)
++      char *hostdn, *basedn, *temp1, *temp2, filter[1024];
++      LDAPMessage *groupdn, *entry;
++      int ret;
++
++      hostdn = ldap_get_dn (ld, ent);
++      if( hostdn != NULL)
 +        {
-+          if (strncasecmp ("lease limit ", temp[i]->bv_val, 12) == 0)
++          basedn = NULL;
++
++          temp1 = strchr (hostdn, '=');
++          if (temp1 != NULL)
++            temp1 = strchr (++temp1, '=');
++          if (temp1 != NULL)
++            temp2 = strchr (++temp1, ',');
++          else
++            temp2 = NULL;
++
++          if (temp2 != NULL)
 +            {
-+              lease_limit = strtol ((temp[i]->bv_val) + 12, NULL, 10);
-+              continue;
++              snprintf (filter, sizeof(filter),
++                        "(&(cn=%.*s)(objectClass=dhcpGroup))",
++                        (int)(temp2 - temp1), temp1);
++
++              basedn = strchr (temp1, ',');
++              if (basedn != NULL)
++                ++basedn;
 +            }
 +
-+          strncat (option_buffer, temp[i]->bv_val, sizeof (option_buffer) - strlen (option_buffer) - 1);
-+          strncat (option_buffer, ";\n", sizeof (option_buffer) - strlen (option_buffer) - 1);
++          if (basedn != NULL && *basedn != '\0')
++            {
++              ret = ldap_search_ext_s (ld, basedn, LDAP_SCOPE_SUBTREE, filter,
++                                       NULL, 0, NULL, NULL, NULL, 0, &groupdn);
++              if (ret == LDAP_SUCCESS)
++                {
++                  if ((entry = ldap_first_entry (ld, groupdn)) != NULL)
++                    {
++                      res = ldap_parse_entry_options (entry, option_buffer,
++                                                      sizeof(option_buffer) - 1,
++                                                      &lease_limit);
++                      if (res != ISC_R_SUCCESS)
++                        {
++                          /* reset option buffer discarding any results */
++                          *option_buffer = '\0';
++                          lease_limit = 0;
++                        }
++                    }
++                  ldap_msgfree( groupdn);
++                }
++            }
++          ldap_memfree( hostdn);
 +        }
-+      ldap_value_free_len (temp);
 +    }
 +
-+  if ((temp = ldap_get_values_len (ld, ent, "dhcpOption")) != NULL)
-+    {
-+      for (i=0; temp[i] != NULL && temp[i]->bv_val != NULL; i++)
-+        {
-+          strncat (option_buffer, "option ", sizeof (option_buffer) - strlen (option_buffer) - 1);
-+          strncat (option_buffer, temp[i]->bv_val, sizeof (option_buffer) - strlen (option_buffer) - 1);
-+          strncat (option_buffer, ";\n", sizeof (option_buffer) - strlen (option_buffer) - 1);
-+        }
-+      ldap_value_free_len (temp);
-+    }
++  res = ldap_parse_entry_options (ent, option_buffer, sizeof(option_buffer) - 1,
++                                  &lease_limit);
++  if (res != ISC_R_SUCCESS)
++    return (lease_limit);
 +
++  option_buffer[sizeof(option_buffer) - 1] = '\0';
 +  if (*option_buffer == '\0')
 +    return (lease_limit);
 +
@@ -988,11 +1887,12 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +#endif
 +
 +  declaration = 0;
-+  do {
-+     token = peek_token (&val, NULL, cfile);
-+     if (token == END_OF_FILE)
-+       break;
-+      declaration = parse_statement (cfile, group, type, host, declaration);
++  do
++    {
++      token = peek_token (&val, NULL, cfile);
++      if (token == END_OF_FILE)
++        break;
++       declaration = parse_statement (cfile, group, type, host, declaration);
 +    } while (1);
 +
 +  end_parse (&cfile);
@@ -1006,13 +1906,14 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +find_haddr_in_ldap (struct host_decl **hp, int htype, unsigned hlen,
 +                    const unsigned char *haddr, const char *file, int line)
 +{
-+  char buf[60], *type_str;
++  char buf[128], *type_str;
 +  LDAPMessage * res, *ent;
 +  struct host_decl * host;
 +  isc_result_t status;
++  ldap_dn_node *curr;
 +  int ret;
 +
-+  if (disable_ldap || ldap_method == LDAP_METHOD_STATIC)
++  if (ldap_method == LDAP_METHOD_STATIC)
 +    return (0);
 +
 +  if (ld == NULL)
@@ -1035,45 +1936,100 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +        log_info ("Ignoring unknown type %d", htype);
 +        return (0);
 +    }
-+  
-+  snprintf (buf, sizeof (buf), "dhcpHWAddress=%s %s", type_str,
-+            print_hw_addr (htype, hlen, haddr));
++
++  /*
++  ** FIXME: It is not guaranteed, that the dhcpHWAddress attribute
++  **        contains _exactly_ "type addr" with one space between!
++  */
++  snprintf (buf, sizeof (buf),
++            "(&(objectClass=dhcpHost)(dhcpHWAddress=%s %s))",
++           type_str, print_hw_addr (htype, hlen, haddr));
++
++  res = ent = NULL;
++  for (curr = ldap_service_dn_head;
++       curr != NULL && *curr->dn != '\0';
++       curr = curr->next)
++    {
 +#if defined (DEBUG_LDAP)
-+  log_info ("Searching for %s in LDAP tree %s", buf, ldap_base_dn);
++      log_info ("Searching for %s in LDAP tree %s", buf, curr->dn);
 +#endif
++      ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf, NULL, 0,
++                               NULL, NULL, NULL, 0, &res);
 +
-+  if ((ret = ldap_search_ext_s (ld, ldap_base_dn, LDAP_SCOPE_SUBTREE, 
-+                                buf, NULL, 0, NULL, NULL, NULL, 0, 
-+                                &res)) != LDAP_SUCCESS)
-+    {
-+      if (ret != LDAP_NO_SUCH_OBJECT)
++      if(ret == LDAP_SERVER_DOWN)
 +        {
-+          log_error ("Cannot search for %s in LDAP tree %s: %s", buf, 
-+                     ldap_base_dn, ldap_err2string (ret));
-+          ldap_unbind_ext (ld, NULL, NULL);
-+          ld = NULL;
++          log_info ("LDAP server was down, trying to reconnect...");
++
++          ldap_stop();
++          ldap_start();
++          if(ld == NULL)
++            {
++              log_info ("LDAP reconnect failed - try again later...");
++              return (0);
++            }
++
++          ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf, NULL,
++                                   0, NULL, NULL, NULL, 0, &res);
 +        }
++
++      if (ret == LDAP_SUCCESS)
++        {
++          if( (ent = ldap_first_entry (ld, res)) != NULL)
++            break; /* search OK and have entry */
++
 +#if defined (DEBUG_LDAP)
-+      else
-+        log_info ("ldap_search_ext_s returned %s when searching for %s in %s",
-+                  ldap_err2string (ret), buf, ldap_base_dn);
++          log_info ("No host entry for %s in LDAP tree %s",
++                    buf, curr->dn);
 +#endif
++          if(res)
++            {
++              ldap_msgfree (res);
++              res = NULL;
++            }
++        }
++      else
++        {
++          if(res)
++            {
++              ldap_msgfree (res);
++              res = NULL;
++            }
 +
-+      return (0);
++          if (ret != LDAP_NO_SUCH_OBJECT && ret != LDAP_SUCCESS)
++            {
++              log_error ("Cannot search for %s in LDAP tree %s: %s", buf, 
++                         curr->dn, ldap_err2string (ret));
++              ldap_stop();
++              return (0);
++            }
++#if defined (DEBUG_LDAP)
++          else
++            {
++              log_info ("ldap_search_ext_s returned %s when searching for %s in %s",
++                        ldap_err2string (ret), buf, curr->dn);
++            }
++#endif
++        }
 +    }
 +
-+  if ((ent = ldap_first_entry (ld, res)) != NULL)
++  if (res && ent)
 +    {
 +#if defined (DEBUG_LDAP)
-+      log_info ("Found LDAP entry %s", ldap_get_dn (ld, ent));
++      char *dn = ldap_get_dn (ld, ent);
++      if (dn != NULL)
++        {
++          log_info ("Found dhcpHWAddress LDAP entry %s", dn);
++          ldap_memfree(dn);
++        }
 +#endif
-+      
++
 +      host = (struct host_decl *)0;
 +      status = host_allocate (&host, MDL);
 +      if (status != ISC_R_SUCCESS)
 +        {
 +          log_fatal ("can't allocate host decl struct: %s", 
 +                     isc_result_totext (status)); 
++          ldap_msgfree (res);
 +          return (0);
 +        }
 +
@@ -1089,6 +2045,7 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +        {
 +          log_fatal ("can't clone group for host %s", host->name);
 +          host_dereference (&host, MDL);
++          ldap_msgfree (res);
 +          return (0);
 +        }
 +
@@ -1100,7 +2057,7 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +    }
 +
 +
-+  ldap_msgfree (res);
++  if(res) ldap_msgfree (res);
 +  return (0);
 +}
 +
@@ -1112,9 +2069,10 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +  LDAPMessage * res, * ent;
 +  int ret, lease_limit;
 +  isc_result_t status;
++  ldap_dn_node *curr;
 +  char buf[1024];
 +
-+  if (disable_ldap || ldap_method == LDAP_METHOD_STATIC)
++  if (ldap_method == LDAP_METHOD_STATIC)
 +    return (0);
 +
 +  if (ld == NULL)
@@ -1122,41 +2080,98 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +  if (ld == NULL)
 +    return (0);
 +
-+  snprintf (buf, sizeof (buf), "(&(objectClass=dhcpSubClass)(cn=%s)(dhcpClassData=%s))", print_hex_1 (data->len, data->data, 60), print_hex_2 (strlen (class->name), (const u_int8_t *) class->name, 60));
++  snprintf (buf, sizeof (buf),
++            "(&(objectClass=dhcpSubClass)(cn=%s)(dhcpClassData=%s))",
++            print_hex_1 (data->len, data->data, 60),
++            print_hex_2 (strlen (class->name), (u_int8_t *) class->name, 60));
 +#if defined (DEBUG_LDAP)
 +  log_info ("Searching LDAP for %s", buf);
 +#endif
 +
-+  if ((ret = ldap_search_ext_s (ld, ldap_base_dn, LDAP_SCOPE_SUBTREE, 
-+                                buf, NULL, 0, NULL, NULL, NULL, 0,
-+                                &res)) != LDAP_SUCCESS)
++  res = ent = NULL;
++  for (curr = ldap_service_dn_head;
++       curr != NULL && *curr->dn != '\0';
++       curr = curr->next)
 +    {
-+      if (ret != LDAP_NO_SUCH_OBJECT)
++#if defined (DEBUG_LDAP)
++      log_info ("Searching for %s in LDAP tree %s", buf, curr->dn);
++#endif
++      ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf, NULL, 0,
++                               NULL, NULL, NULL, 0, &res);
++
++      if(ret == LDAP_SERVER_DOWN)
 +        {
-+          log_error ("Cannot search for %s in LDAP tree %s: %s", buf, 
-+                     ldap_base_dn, ldap_err2string (ret));
-+          ldap_unbind_ext (ld, NULL, NULL);
-+          ld = NULL;
++          log_info ("LDAP server was down, trying to reconnect...");
++
++          ldap_stop();
++          ldap_start();
++
++          if(ld == NULL)
++            {
++              log_info ("LDAP reconnect failed - try again later...");
++              return (0);
++            }
++
++          ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf,
++                                   NULL, 0, NULL, NULL, NULL, 0, &res);
 +        }
++
++      if (ret == LDAP_SUCCESS)
++        {
++          if( (ent = ldap_first_entry (ld, res)) != NULL)
++            break; /* search OK and have entry */
++
 +#if defined (DEBUG_LDAP)
-+      else
-+        log_info ("ldap_search_ext_s returned %s when searching for %s in %s",
-+                  ldap_err2string (ret), buf, ldap_base_dn);
++          log_info ("No subclass entry for %s in LDAP tree %s",
++                    buf, curr->dn);
 +#endif
++          if(res)
++            {
++              ldap_msgfree (res);
++              res = NULL;
++            }
++        }
++      else
++        {
++          if(res)
++            {
++              ldap_msgfree (res);
++              res = NULL;
++            }
 +
-+      return (0);
++          if (ret != LDAP_NO_SUCH_OBJECT && ret != LDAP_SUCCESS)
++            {
++              log_error ("Cannot search for %s in LDAP tree %s: %s", buf, 
++                         curr->dn, ldap_err2string (ret));
++              ldap_stop();
++              return (0);
++            }
++#if defined (DEBUG_LDAP)
++          else
++            {
++              log_info ("ldap_search_ext_s returned %s when searching for %s in %s",
++                        ldap_err2string (ret), buf, curr->dn);
++            }
++#endif
++        }
 +    }
 +
-+  if ((ent = ldap_first_entry (ld, res)) != NULL)
++  if (res && ent)
 +    {
 +#if defined (DEBUG_LDAP)
-+      log_info ("Found LDAP entry %s", ldap_get_dn (ld, ent));
++      char *dn = ldap_get_dn (ld, ent);
++      if (dn != NULL)
++        {
++          log_info ("Found subclass LDAP entry %s", dn);
++          ldap_memfree(dn);
++        }
 +#endif
-+      
++
 +      status = class_allocate (newclass, MDL);
 +      if (status != ISC_R_SUCCESS)
 +        {
 +          log_error ("Cannot allocate memory for a new class");
++          ldap_msgfree (res);
 +          return (0);
 +        }
 +
@@ -1177,6 +2192,7 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +            {
 +              log_error ("no memory for billing");
 +              class_dereference (newclass, MDL);
++              ldap_msgfree (res);
 +              return (0);
 +            }
 +          memset ((*newclass)->billed_leases, 0, 
@@ -1189,16 +2205,14 @@ diff -up /dev/null dhcp-3.1.0/server/ldap.c
 +      return (1);
 +    }
 +
-+
-+  ldap_msgfree (res);
++  if(res) ldap_msgfree (res);
 +  return (0);
 +}
 +
 +#endif
-+
 diff -up dhcp-3.1.0/server/confpars.c.ldap dhcp-3.1.0/server/confpars.c
 --- dhcp-3.1.0/server/confpars.c.ldap	2007-06-28 13:20:40.000000000 -0400
-+++ dhcp-3.1.0/server/confpars.c	2007-10-22 16:29:48.000000000 -0400
++++ dhcp-3.1.0/server/confpars.c	2007-11-12 15:41:15.000000000 -0500
 @@ -63,7 +63,17 @@ void parse_trace_setup ()
  
  isc_result_t readconf ()
@@ -1220,7 +2234,7 @@ diff -up dhcp-3.1.0/server/confpars.c.ldap dhcp-3.1.0/server/confpars.c
  isc_result_t read_conf_file (const char *filename, struct group *group,
 diff -up dhcp-3.1.0/server/class.c.ldap dhcp-3.1.0/server/class.c
 --- dhcp-3.1.0/server/class.c.ldap	2006-06-01 16:23:17.000000000 -0400
-+++ dhcp-3.1.0/server/class.c	2007-10-22 16:29:48.000000000 -0400
++++ dhcp-3.1.0/server/class.c	2007-11-12 15:41:15.000000000 -0500
 @@ -90,6 +90,7 @@ int check_collection (packet, lease, col
  	int matched = 0;
  	int status;
@@ -1250,8 +2264,8 @@ diff -up dhcp-3.1.0/server/class.c.ldap dhcp-3.1.0/server/class.c
  					      print_hex_1 (data.len,
 diff -up dhcp-3.1.0/server/stables.c.ldap dhcp-3.1.0/server/stables.c
 --- dhcp-3.1.0/server/stables.c.ldap	2007-04-27 18:48:10.000000000 -0400
-+++ dhcp-3.1.0/server/stables.c	2007-10-22 16:29:48.000000000 -0400
-@@ -238,9 +238,38 @@ static struct option server_options[] = 
++++ dhcp-3.1.0/server/stables.c	2007-11-12 15:41:15.000000000 -0500
+@@ -238,9 +238,107 @@ static struct option server_options[] = 
  	{ "adaptive-lease-time-threshold", "B",	&server_universe,  50, 1 },
  	{ "do-reverse-updates", "f",		&server_universe,  51, 1 },
  	{ "fqdn-reply", "f",			&server_universe,  52, 1 },
@@ -1262,13 +2276,40 @@ diff -up dhcp-3.1.0/server/stables.c.ldap dhcp-3.1.0/server/stables.c
 +	{ "ldap-password", "t",				&server_universe, 56 },
 +	{ "ldap-base-dn", "t",				&server_universe, 57 },
 +	{ "ldap-method", "Nldap-methods.",	&server_universe, 58 },
++	{ "ldap-debug-file", "t",			&server_universe, 59 },
++	{ "ldap-dhcp-server-cn", "t",		&server_universe, 60 },
++	{ "ldap-referrals", "f",			&server_universe, 61 },
++#if defined(USE_SSL)
++	{ "ldap-ssl", "Nldap-ssl-usage.",	&server_universe, 62 },
++	{ "ldap-tls-reqcert", "Nldap-tls-reqcert.",	&server_universe, 63 },
++	{ "ldap-tls-ca-file", "t",			&server_universe, 64 },
++	{ "ldap-tls-ca-dir", "t",			&server_universe, 65 },
++	{ "ldap-tls-cert", "t",				&server_universe, 66 },
++	{ "ldap-tls-key", "t",				&server_universe, 67 },
++	{ "ldap-tls-crlcheck", "Nldap-tls-crlcheck.",	&server_universe, 68 },
++	{ "ldap-tls-ciphers", "t",			&server_universe, 69 },
++	{ "ldap-tls-randfile", "t",			&server_universe, 70 },
++#else
++	{ "unknown-62", "X",			&server_universe, 62 },
++	{ "unknown-63", "X",			&server_universe, 63 },
++	{ "unknown-64", "X",			&server_universe, 64 },
++	{ "unknown-65", "X",			&server_universe, 65 },
++	{ "unknown-66", "X",			&server_universe, 66 },
++	{ "unknown-67", "X",			&server_universe, 67 },
++	{ "unknown-68", "X",			&server_universe, 68 },
++	{ "unknown-69", "X",			&server_universe, 69 },
++	{ "unknown-70", "X",			&server_universe, 70 },
++#endif
 +#else
-+	{ "unknown-53", "X",				&server_universe, 53 },
-+	{ "unknown-54", "X",				&server_universe, 54 },
-+	{ "unknown-55", "X",				&server_universe, 55 },
-+	{ "unknown-56", "X",				&server_universe, 56 },
-+	{ "unknown-57", "X",				&server_universe, 57 },
-+	{ "unknown-58", "X",				&server_universe, 58 },
++	{ "unknown-53", "X",			&server_universe, 53 },
++	{ "unknown-54", "X",			&server_universe, 54 },
++	{ "unknown-55", "X",			&server_universe, 55 },
++	{ "unknown-56", "X",			&server_universe, 56 },
++	{ "unknown-57", "X",			&server_universe, 57 },
++	{ "unknown-58", "X",			&server_universe, 58 },
++	{ "unknown-59", "X",			&server_universe, 59 },
++	{ "unknown-60", "X",			&server_universe, 60 },
++	{ "unknown-61", "X",			&server_universe, 61 },
 +#endif
  	{ NULL, NULL, NULL, 0, 0 }
  };
@@ -1285,14 +2326,92 @@ diff -up dhcp-3.1.0/server/stables.c.ldap dhcp-3.1.0/server/stables.c
 +	"ldap-methods",
 +	ldap_values
 +};
++
++#if defined(USE_SSL)
++struct enumeration_value ldap_ssl_usage_values [] = {
++	{ "off", LDAP_SSL_OFF },
++	{ "on",LDAP_SSL_ON },
++	{ "ldaps", LDAP_SSL_LDAPS },
++	{ "start_tls", LDAP_SSL_TLS },
++	{ (char *) 0, 0 }
++};
++
++struct enumeration ldap_ssl_usage_enum = {
++	(struct enumeration *)0,
++	"ldap-ssl-usage",
++	ldap_ssl_usage_values
++};
++
++struct enumeration_value ldap_tls_reqcert_values [] = {
++	{ "never", LDAP_OPT_X_TLS_NEVER },
++	{ "hard", LDAP_OPT_X_TLS_HARD  },
++	{ "demand", LDAP_OPT_X_TLS_DEMAND},
++	{ "allow", LDAP_OPT_X_TLS_ALLOW },
++	{ "try", LDAP_OPT_X_TLS_TRY   },
++	{ (char *) 0, 0 }
++};
++struct enumeration ldap_tls_reqcert_enum = {
++	(struct enumeration *)0,
++	"ldap-tls-reqcert",
++	ldap_tls_reqcert_values
++};
++
++struct enumeration_value ldap_tls_crlcheck_values [] = {
++	{ "none", LDAP_OPT_X_TLS_CRL_NONE},
++	{ "peer", LDAP_OPT_X_TLS_CRL_PEER},
++	{ "all",  LDAP_OPT_X_TLS_CRL_ALL },
++	{ (char *) 0, 0 }
++};
++struct enumeration ldap_tls_crlcheck_enum = {
++	(struct enumeration *)0,
++	"ldap-tls-crlcheck",
++	ldap_tls_crlcheck_values
++};
++#endif
 +#endif
 +
  struct enumeration_value ddns_styles_values [] = {
  	{ "none", 0 },
  	{ "ad-hoc", 1 },
+diff -up dhcp-3.1.0/dst/Makefile.dist.ldap dhcp-3.1.0/dst/Makefile.dist
+--- dhcp-3.1.0/dst/Makefile.dist.ldap	2005-03-17 15:15:06.000000000 -0500
++++ dhcp-3.1.0/dst/Makefile.dist	2007-11-12 15:41:15.000000000 -0500
+@@ -23,12 +23,13 @@
+ 
+ SRC    = dst_support.c dst_api.c hmac_link.c md5_dgst.c base64.c prandom.c
+ OBJ    = dst_support.o dst_api.o hmac_link.o md5_dgst.o base64.o prandom.o
++OBJ_NM5= dst_support.o dst_api.o hmac_link.o base64.o prandom.o
+ HDRS   = dst_internal.h md5.h md5_locl.h
+ 
+ INCLUDES = $(BINDINC) -I$(TOP)/includes
+ CFLAGS = $(DEBUG) $(PREDEFINES) $(INCLUDES) $(COPTS) -DHMAC_MD5 -DMINIRES_LIB
+ 
+-all:	libdst.a
++all:	libdst.a libdst-nomd5.a
+ 
+ install:
+ 
+@@ -37,11 +38,16 @@ libdst.a:	$(OBJ)
+ 	ar cruv libdst.a $(OBJ)
+ 	$(RANLIB) libdst.a
+ 
++libdst-nomd5.a:	$(OBJ_NM5)
++	rm -f libdst-nomd5.a
++	ar cruv libdst-nomd5.a $(OBJ_NM5)
++	$(RANLIB) libdst-nomd5.a
++
+ depend:
+ 	$(MKDEP) $(INCLUDES) $(PREDEFINES) $(SRC)
+ 
+ clean:
+-	-rm -f $(OBJ) libdst.a
++	-rm -f $(OBJ) libdst.a libdst-nomd5.a
+ 
+ realclean: clean
+ 	-rm -f *~ $(CATMANPAGES) $(SEDMANPAGES)
 diff -up dhcp-3.1.0/common/print.c.ldap dhcp-3.1.0/common/print.c
 --- dhcp-3.1.0/common/print.c.ldap	2007-05-29 13:49:44.000000000 -0400
-+++ dhcp-3.1.0/common/print.c	2007-10-22 16:29:48.000000000 -0400
++++ dhcp-3.1.0/common/print.c	2007-11-12 15:41:15.000000000 -0500
 @@ -168,9 +168,9 @@ char *print_base64 (const unsigned char 
  }
  
@@ -1308,7 +2427,7 @@ diff -up dhcp-3.1.0/common/print.c.ldap dhcp-3.1.0/common/print.c
  	char *s;
 diff -up dhcp-3.1.0/common/conflex.c.ldap dhcp-3.1.0/common/conflex.c
 --- dhcp-3.1.0/common/conflex.c.ldap	2007-05-29 13:49:44.000000000 -0400
-+++ dhcp-3.1.0/common/conflex.c	2007-10-22 16:29:48.000000000 -0400
++++ dhcp-3.1.0/common/conflex.c	2007-11-12 15:41:15.000000000 -0500
 @@ -47,6 +47,7 @@ static enum dhcp_token read_string PROTO
  static enum dhcp_token read_number PROTO ((int, struct parse *));
  static enum dhcp_token read_num_or_name PROTO ((int, struct parse *));
@@ -1381,7 +2500,7 @@ diff -up dhcp-3.1.0/common/conflex.c.ldap dhcp-3.1.0/common/conflex.c
 +}
 diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
 --- dhcp-3.1.0/includes/dhcpd.h.ldap	2007-05-29 13:49:44.000000000 -0400
-+++ dhcp-3.1.0/includes/dhcpd.h	2007-10-22 16:29:56.000000000 -0400
++++ dhcp-3.1.0/includes/dhcpd.h	2007-11-12 15:41:15.000000000 -0500
 @@ -81,6 +81,11 @@ typedef struct hash_table class_hash_t;
  #include <isc-dhcp/result.h>
  #include <omapip/omapip_p.h>
@@ -1403,7 +2522,7 @@ diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
  };
  
  /* Variable-length array of data. */
-@@ -362,6 +369,26 @@ struct hardware {
+@@ -362,6 +369,32 @@ struct hardware {
  	u_int8_t hbuf [17];
  };
  
@@ -1411,6 +2530,12 @@ diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
 +# define LDAP_BUFFER_SIZE		8192
 +# define LDAP_METHOD_STATIC		0
 +# define LDAP_METHOD_DYNAMIC	1
++#if defined (USE_SSL)
++# define LDAP_SSL_OFF			0
++# define LDAP_SSL_ON			1
++# define LDAP_SSL_TLS			2
++# define LDAP_SSL_LDAPS			3
++#endif
 +
 +/* This is a tree of the current configuration we are building from LDAP */
 +struct ldap_config_stack {
@@ -1430,7 +2555,7 @@ diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
  typedef enum {
  	server_startup = 0,
  	server_running = 1,
-@@ -558,6 +585,15 @@ struct lease_state {
+@@ -558,6 +591,29 @@ struct lease_state {
  # define DEFAULT_PING_TIMEOUT 1
  #endif
  
@@ -1441,12 +2566,26 @@ diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
 +# define SV_LDAP_PASSWORD	50
 +# define SV_LDAP_BASE_DN	51
 +# define SV_LDAP_METHOD		52
++# define SV_LDAP_DEBUG_FILE		53
++# define SV_LDAP_DHCP_SERVER_CN		54
++# define SV_LDAP_REFERRALS		55
++#if defined (USE_SSL)
++# define SV_LDAP_SSL		56
++# define SV_LDAP_TLS_REQCERT		57
++# define SV_LDAP_TLS_CA_FILE		58
++# define SV_LDAP_TLS_CA_DIR		59
++# define SV_LDAP_TLS_CERT		60
++# define SV_LDAP_TLS_KEY		61
++# define SV_LDAP_TLS_CRLCHECK		62
++# define SV_LDAP_TLS_CIPHERS		63
++# define SV_LDAP_TLS_RANDFILE		64
++#endif
 +#endif
 +
  #if !defined (DEFAULT_DEFAULT_LEASE_TIME)
  # define DEFAULT_DEFAULT_LEASE_TIME 43200
  #endif
-@@ -1702,7 +1738,7 @@ extern int db_time_format;
+@@ -1702,7 +1758,7 @@ extern int db_time_format;
  char *quotify_string (const char *, const char *, int);
  char *quotify_buf (const unsigned char *, unsigned, const char *, int);
  char *print_base64 (const unsigned char *, unsigned, const char *, int);
@@ -1455,7 +2594,7 @@ diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
  void print_lease PROTO ((struct lease *));
  void dump_raw PROTO ((const unsigned char *, unsigned));
  void dump_packet_option (struct option_cache *, struct packet *,
-@@ -2812,3 +2848,13 @@ OMAPI_OBJECT_ALLOC_DECL (dhcp_failover_l
+@@ -2812,3 +2868,18 @@ OMAPI_OBJECT_ALLOC_DECL (dhcp_failover_l
  #endif /* FAILOVER_PROTOCOL */
  
  const char *binding_state_print (enum failover_state);
@@ -1463,6 +2602,11 @@ diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
 +/* ldap.c */
 +#if defined(LDAP_CONFIGURATION)
 +extern struct enumeration ldap_methods;
++#if defined (USE_SSL)
++extern struct enumeration ldap_ssl_usage_enum;
++extern struct enumeration ldap_tls_reqcert_enum;
++extern struct enumeration ldap_tls_crlcheck_enum;
++#endif
 +isc_result_t ldap_read_config (void);
 +int find_haddr_in_ldap (struct host_decl **, int, unsigned,
 +                        const unsigned char *, const char *, int);
@@ -1471,8 +2615,8 @@ diff -up dhcp-3.1.0/includes/dhcpd.h.ldap dhcp-3.1.0/includes/dhcpd.h
 +#endif
 diff -up dhcp-3.1.0/includes/site.h.ldap dhcp-3.1.0/includes/site.h
 --- dhcp-3.1.0/includes/site.h.ldap	2006-07-31 18:19:51.000000000 -0400
-+++ dhcp-3.1.0/includes/site.h	2007-10-22 16:29:48.000000000 -0400
-@@ -183,3 +183,13 @@
++++ dhcp-3.1.0/includes/site.h	2007-11-12 15:41:15.000000000 -0500
+@@ -183,3 +183,18 @@
     traces. */
  
  #define TRACING
@@ -1482,7 +2626,99 @@ diff -up dhcp-3.1.0/includes/site.h.ldap dhcp-3.1.0/includes/site.h
 +
 +#define LDAP_CONFIGURATION
 +
++/* Define this if you want to enable LDAP over a SSL connection. You will need
++   to add -lcrypto -lssl to the LIBS= line of server/Makefile */
++
++#define USE_SSL
++
 +#define _PATH_DHCPD_DB    "/var/lib/dhcpd/dhcpd.leases"
 +#define _PATH_DHCLIENT_DB "/var/lib/dhclient/dhclient.leases"
 +#define _PATH_DHCPD_DB    "/var/lib/dhcpd/dhcpd.leases"
 +#define _PATH_DHCLIENT_DB "/var/lib/dhclient/dhclient.leases"
+diff -up /dev/null dhcp-3.1.0/includes/ldap_casa.h
+--- /dev/null	2007-11-12 10:55:50.854093917 -0500
++++ dhcp-3.1.0/includes/ldap_casa.h	2007-11-12 15:41:15.000000000 -0500
+@@ -0,0 +1,83 @@
++/* ldap_casa.h
++   
++   Definition for CASA modules... */
++
++/* Copyright (c) 2004 Internet Systems Consorium, Inc. ("ISC")
++ * Copyright (c) 1995-2003 Internet Software Consortium.
++ * Copyright (c) 2006 Novell, Inc.
++
++ * All rights reserved.
++ * Redistribution and use in source and binary forms, with or without 
++ * modification, are permitted provided that the following conditions are met: 
++ * 1.Redistributions of source code must retain the above copyright notice, 
++ *   this list of conditions and the following disclaimer. 
++ * 2.Redistributions in binary form must reproduce the above copyright notice, 
++ *   this list of conditions and the following disclaimer in the documentation 
++ *   and/or other materials provided with the distribution. 
++ * 3.Neither the name of ISC, ISC DHCP, nor the names of its contributors 
++ *   may be used to endorse or promote products derived from this software 
++ *   without specific prior written permission. 
++
++ * THIS SOFTWARE IS PROVIDED BY INTERNET SYSTEMS CONSORTIUM AND CONTRIBUTORS 
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
++ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ISC OR CONTRIBUTORS BE LIABLE 
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
++ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
++ * POSSIBILITY OF SUCH DAMAGE.
++
++ * This file was written by S Kalyanasundaram <skalyanasundaram@novell.com>
++ */
++
++#if defined(LDAP_CASA_AUTH)
++#ifndef __LDAP_CASA_H__
++#define __LDAP_CASA_H__
++
++#include <micasa_mgmd.h>
++#include <dlfcn.h>
++#include <string.h>
++
++#define MICASA_LIB     "libmicasa.so.1"
++
++SSCS_TYPEDEF_LIBCALL(int, CASA_GetCredential_T)
++(
++       uint32_t            ssFlags,
++       SSCS_SECRET_ID_T   *appSecretID,
++       SSCS_SECRET_ID_T   *sharedSecretID,
++       uint32_t           *credentialType,
++       void               *credential,
++       SSCS_EXT_T         *ext 
++);
++SSCS_TYPEDEF_LIBCALL(int, CASA_SetCredential_T)
++(
++       uint32_t            ssFlags,
++       SSCS_SECRET_ID_T   *appSecretID,
++       SSCS_SECRET_ID_T   *sharedSecretID,
++       uint32_t            credentialType,
++       void               *credential,
++       SSCS_EXT_T         *ext
++);
++
++SSCS_TYPEDEF_LIBCALL(int, CASA_RemoveCredential_T)
++(
++       uint32_t            ssFlags,
++       SSCS_SECRET_ID_T   *appSecretID,
++       SSCS_SECRET_ID_T   *sharedSecretID,
++       SSCS_EXT_T         *ext
++);
++static CASA_GetCredential_T            p_miCASAGetCredential = NULL;
++static CASA_SetCredential_T            p_miCASASetCredential = NULL;
++static CASA_RemoveCredential_T         p_miCASARemoveCredential = NULL;
++static void                            *casaIDK = NULL;
++
++int load_casa(void);
++static void release_casa(void);
++int load_uname_pwd_from_miCASA(char **, char **);
++
++#endif /* __LDAP_CASA_H__ */
++#endif /* LDAP_CASA_AUTH */
++
diff --git a/dhcp-options.5 b/dhcp-options.5
new file mode 100644
index 0000000..fea9744
--- /dev/null
+++ b/dhcp-options.5
@@ -0,0 +1,1642 @@
+.\"	$Id: dhcp-options.5,v 1.31.14.2 2007/05/23 23:30:32 each Exp $
+.\"
+.\" Copyright (c) 2004-2007 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1996-2003 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\"   Internet Systems Consortium, Inc.
+.\"   950 Charter Street
+.\"   Redwood City, CA 94063
+.\"   <info@isc.org>
+.\"   http://www.isc.org/
+.\"
+.\" This software has been written for Internet Systems Consortium
+.\" by Ted Lemon in cooperation with Vixie Enterprises and Nominum, Inc.
+.\" To learn more about Internet Systems Consortium, see
+.\" ``http://www.isc.org/''.  To learn more about Vixie Enterprises,
+.\" see ``http://www.vix.com''.   To learn more about Nominum, Inc., see
+.\" ``http://www.nominum.com''.
+.TH dhcpd-options 5
+.SH NAME
+dhcp-options - Dynamic Host Configuration Protocol options
+.SH DESCRIPTION
+The Dynamic Host Configuration protocol allows the client to receive
+.B options
+from the DHCP server describing the network configuration and various
+services that are available on the network.   When configuring
+.B dhcpd(8)
+or
+.B dhclient(8) ,
+options must often be declared.   The syntax for declaring options,
+and the names and formats of the options that can be declared, are
+documented here.
+.SH REFERENCE: OPTION STATEMENTS
+.PP
+DHCP \fIoption\fR statements always start with the \fIoption\fR
+keyword, followed by an option name, followed by option data.  The
+option names and data formats are described below.   It is not
+necessary to exhaustively specify all DHCP options - only those
+options which are needed by clients must be specified.
+.PP
+Option data comes in a variety of formats, as defined below:
+.PP
+The
+.B ip-address
+data type can be entered either as an explicit IP
+address (e.g., 239.254.197.10) or as a domain name (e.g.,
+haagen.isc.org).  When entering a domain name, be sure that that
+domain name resolves to a single IP address.
+.PP
+The
+.B int32
+data type specifies a signed 32-bit integer.   The 
+.B uint32
+data type specifies an unsigned 32-bit integer.   The 
+.B int16
+and
+.B uint16
+data types specify signed and unsigned 16-bit integers.   The 
+.B int8
+and
+.B uint8
+data types specify signed and unsigned 8-bit integers.
+Unsigned 8-bit integers are also sometimes referred to as octets.
+.PP
+The
+.B text
+data type specifies an NVT ASCII string, which must be
+enclosed in double quotes - for example, to specify a root-path
+option, the syntax would be
+.nf
+.sp 1
+option root-path "10.0.1.4:/var/tmp/rootfs";
+.fi
+.PP
+The
+.B domain-name
+data type specifies a domain name, which must not
+enclosed in double quotes.   This data type is not used for any
+existing DHCP options.   The domain name is stored just as if it were
+a text option.
+.PP
+The
+.B domain-list
+data type specifies a list of domain names, a space between each name and
+the entire string enclosed in double quotes.  These types of data are used
+for the domain-search option for example, and encodes an RFC1035 compressed
+DNS label list on the wire.
+.PP
+The
+.B flag
+data type specifies a boolean value.   Booleans can be either true or
+false (or on or off, if that makes more sense to you).
+.PP
+The
+.B string
+data type specifies either an NVT ASCII string
+enclosed in double quotes, or a series of octets specified in
+hexadecimal, separated by colons.   For example:
+.nf
+.sp 1
+  option dhcp-client-identifier "CLIENT-FOO";
+or
+  option dhcp-client-identifier 43:4c:49:45:54:2d:46:4f:4f;
+.fi
+.SH SETTING OPTION VALUES USING EXPRESSIONS
+Sometimes it's helpful to be able to set the value of a DHCP option
+based on some value that the client has sent.   To do this, you can
+use expression evaluation.   The 
+.B dhcp-eval(5)
+manual page describes how to write expressions.   To assign the result
+of an evaluation to an option, define the option as follows:
+.nf
+.sp 1
+  \fBoption \fImy-option \fB= \fIexpression \fB;\fR
+.fi
+.PP
+For example:
+.nf
+.sp 1
+  option hostname = binary-to-ascii (16, 8, "-",
+                                     substring (hardware, 1, 6));
+.fi
+.SH STANDARD DHCP OPTIONS
+The documentation for the various options mentioned below is taken
+from the latest IETF draft document on DHCP options.  Options not
+listed below may not yet be implemented, but it is possible to use
+such options by defining them in the configuration file.  Please see
+the DEFINING NEW OPTIONS heading later in this document for more
+information.
+.PP
+Some of the options documented here are automatically generated by
+the DHCP server or by clients, and cannot be configured by the user.
+The value of such an option can be used in the configuration file of
+the receiving DHCP protocol agent (server or client), for example in
+conditional expressions. However, the value of the option cannot be
+used in the configuration file of the sending agent, because the value
+is determined only \fIafter\fR the configuration file has been
+processed. In the following documentation, such options will be shown
+as "not user configurable"
+.PP
+The standard options are:
+.PP
+.B option \fBall-subnets-local\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether or not the client may assume that all
+subnets of the IP network to which the client is connected use the
+same MTU as the subnet of that network to which the client is
+directly connected.  A value of true indicates that all subnets share
+the same MTU.  A value of false means that the client should assume that
+some subnets of the directly connected network may have smaller MTUs.
+.RE
+.PP
+.B option \fBarp-cache-timeout\fR \fIuint32\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the timeout in seconds for ARP cache entries.
+.RE
+.PP
+.B option \fBbcms-controller-address\fR \fIip-address\fR [\fB,\fR
+\fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+This option configures a list of IPv4 addresses for use as Broadcast and
+Multicast Controller Servers ("BCMS").
+.RE
+.PP
+.B option \fBbootfile-name\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used to identify a bootstrap file.  If supported by the
+client, it should have the same effect as the \fBfilename\fR
+declaration.  BOOTP clients are unlikely to support this option.  Some
+DHCP clients will support it, and others actually require it.
+.RE
+.PP
+.B option \fBboot-size\fR \fIuint16\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the length in 512-octet blocks of the default
+boot image for the client.
+.RE
+.PP
+.B option \fBbroadcast-address\fR \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the broadcast address in use on the client's
+subnet.  Legal values for broadcast addresses are specified in
+section 3.2.1.3 of STD 3 (RFC1122).
+.RE
+.PP
+.B option \fBcookie-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The cookie server option specifies a list of RFC 865 cookie
+servers available to the client.  Servers should be listed in order
+of preference.
+.RE
+.PP
+.B option \fBdefault-ip-ttl\fR \fIuint8;\fR
+.RS 0.25i
+.PP
+This option specifies the default time-to-live that the client should
+use on outgoing datagrams.
+.RE
+.PP
+.B option \fBdefault-tcp-ttl\fR \fIuint8\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the default TTL that the client should use when
+sending TCP segments.  The minimum value is 1.
+.RE
+.PP
+.B option \fBdefault-url\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The format and meaning of this option is not described in any standards
+document, but is claimed to be in use by Apple Computer.  It is not known
+what clients may reasonably do if supplied with this option.  Use at your
+own risk.
+.RE
+.PP
+.B option \fBdhcp-client-identifier\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+This option can be used to specify a DHCP client identifier in a
+host declaration, so that dhcpd can find the host record by matching
+against the client identifier.
+.PP
+Please be aware that some DHCP clients, when configured with client
+identifiers that are ASCII text, will prepend a zero to the ASCII
+text.   So you may need to write:
+.nf
+
+	option dhcp-client-identifier "\\0foo";
+
+rather than:
+
+	option dhcp-client-identifier "foo";
+.fi
+.RE
+.PP
+.B option \fBdhcp-lease-time\fR \fIuint32\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used in a client request (DHCPDISCOVER or DHCPREQUEST)
+to allow the client to request a lease time for the IP address.  In a
+server reply (DHCPOFFER), a DHCP server uses this option to specify
+the lease time it is willing to offer.                                    
+.PP
+This option is not directly user configurable in the server; refer to the
+\fImax-lease-time\fR and \fIdefault-lease-time\fR server options in
+.B dhcpd.conf(5).
+.RE
+.PP
+.B option \fBdhcp-max-message-size\fR \fIuint16\fR\fB;\fR
+.RS 0.25i
+.PP
+This option, when sent by the client, specifies the maximum size of
+any response that the server sends to the client.   When specified on
+the server, if the client did not send a dhcp-max-message-size option,
+the size specified on the server is used.   This works for BOOTP as
+well as DHCP responses.
+.RE
+.PP
+.B option \fBdhcp-message\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used by a DHCP server to provide an error message to a
+DHCP client in a DHCPNAK message in the event of a failure. A client
+may use this option in a DHCPDECLINE message to indicate why the
+client declined the offered parameters.
+.PP
+This option is not user configurable.
+.RE
+.PP
+.B option \fBdhcp-message-type\fR \fIuint8\fR\fB;\fR
+.RS 0.25i
+.PP
+This option, sent by both client and server, specifies the type of DHCP
+message contained in the DHCP packet. Possible values (taken directly from
+RFC2132) are:
+.PP
+.nf
+             1     DHCPDISCOVER
+             2     DHCPOFFER
+             3     DHCPREQUEST
+             4     DHCPDECLINE
+             5     DHCPACK
+             6     DHCPNAK
+             7     DHCPRELEASE
+             8     DHCPINFORM               
+.fi
+.PP
+This option is not user configurable.
+.PP
+.RE
+.B option \fBdhcp-option-overload\fR \fIuint8\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used to indicate that the DHCP 'sname' or 'file'
+fields are being overloaded by using them to carry DHCP options. A
+DHCP server inserts this option if the returned parameters will
+exceed the usual space allotted for options.
+.PP
+If this option is present, the client interprets the specified
+additional fields after it concludes interpretation of the standard
+option fields.
+.PP
+Legal values for this option are:
+.PP
+.nf
+             1     the 'file' field is used to hold options
+             2     the 'sname' field is used to hold options
+             3     both fields are used to hold options                        
+.fi
+.PP
+This option is not user configurable.
+.PP
+.RE
+.PP
+.B option \fBdhcp-parameter-request-list\fR \fIuint16\fR\fB;\fR
+.RS 0.25i
+.PP
+This option, when sent by the client, specifies which options the
+client wishes the server to return.   Normally, in the ISC DHCP
+client, this is done using the \fIrequest\fR statement.   If this
+option is not specified by the client, the DHCP server will normally
+return every option that is valid in scope and that fits into the
+reply.   When this option is specified on the server, the server
+returns the specified options.   This can be used to force a client to
+take options that it hasn't requested, and it can also be used to
+tailor the response of the DHCP server for clients that may need a
+more limited set of options than those the server would normally
+return.
+.RE
+.PP
+.B option \fBdhcp-rebinding-time\fR \fIuint32\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the number of seconds from the time a client gets
+an address until the client transitions to the REBINDING state.
+.PP
+This option is not user configurable.
+.PP
+.RE
+.PP
+.B option \fBdhcp-renewal-time\fR \fIuint32\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the number of seconds from the time a client gets
+an address until the client transitions to the RENEWING state.
+.PP
+This option is not user configurable.
+.PP
+.RE
+.PP
+.B option \fBdhcp-requested-address\fR \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used by the client in a DHCPDISCOVER to
+request that a particular IP address be assigned.                 
+.PP
+This option is not user configurable.
+.PP
+.RE
+.PP
+.B option \fBdhcp-server-identifier\fR \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used in DHCPOFFER and DHCPREQUEST messages, and may
+optionally be included in the DHCPACK and DHCPNAK messages.  DHCP
+servers include this option in the DHCPOFFER in order to allow the
+client to distinguish between lease offers.  DHCP clients use the
+contents of the 'server identifier' field as the destination address
+for any DHCP messages unicast to the DHCP server.  DHCP clients also
+indicate which of several lease offers is being accepted by including
+this option in a DHCPREQUEST message.
+.PP
+The value of this option is the IP address of the server.
+.PP
+This option is not directly user configurable. See the 
+\fIserver-identifier\fR server option in
+.B \fIdhcpd.conf(5).
+.PP
+.RE
+.PP
+.B option \fBdomain-name\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the domain name that client should use when
+resolving hostnames via the Domain Name System.
+.RE
+.PP
+.B option \fBdomain-name-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The domain-name-servers option specifies a list of Domain Name System
+(STD 13, RFC 1035) name servers available to the client.  Servers
+should be listed in order of preference.
+.RE
+.PP
+.B option \fBdomain-search\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The domain-search option specifies a 'search list' of Domain Names to be
+used by the client to locate not-fully-qualified domain names.  The difference
+between this option and historic use of the domain-name option for the same
+ends is that this option is encoded in RFC1035 compressed labels on the wire.
+.RE
+.PP
+.B option \fBextensions-path\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the name of a file containing additional options
+to be interpreted according to the DHCP option format as specified in
+RFC2132.
+.RE
+.PP
+.B option \fBfinger-server\fR \fIip-address\fR [\fB,\fR
+\fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The Finger server option specifies a list of Finger servers available
+to the client.  Servers should be listed in order of preference.
+.RE
+.PP
+.B option \fBfont-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a list of X Window System Font servers available
+to the client. Servers should be listed in order of preference.
+.RE
+.PP
+.B option \fBhost-name\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the name of the client.  The name may or may
+not be qualified with the local domain name (it is preferable to use
+the domain-name option to specify the domain name).  See RFC 1035 for
+character set restrictions.  This option is only honored by
+.B dhclient-script(8)
+if the hostname for the client machine is not set.
+.RE
+.PP
+.B option \fBieee802-3-encapsulation\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether or not the client should use Ethernet
+Version 2 (RFC 894) or IEEE 802.3 (RFC 1042) encapsulation if the
+interface is an Ethernet.  A value of false indicates that the client
+should use RFC 894 encapsulation.  A value of true means that the client
+should use RFC 1042 encapsulation.
+.RE
+.PP
+.B option \fBien116-name-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+];
+.RS 0.25i
+.PP
+The ien116-name-servers option specifies a list of IEN 116 name servers
+available to the client.  Servers should be listed in order of
+preference.
+.RE
+.PP
+.B option \fBimpress-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The impress-server option specifies a list of Imagen Impress servers
+available to the client.  Servers should be listed in order of
+preference.
+.RE
+.PP
+.B option \fBinterface-mtu\fR \fIuint16\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the MTU to use on this interface.   The minimum
+legal value for the MTU is 68.
+.RE
+.PP
+.B option \fBip-forwarding\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether the client should configure its IP
+layer for packet forwarding.  A value of false means disable IP
+forwarding, and a value of true means enable IP forwarding.
+.RE
+.PP
+.B option \fBirc-server\fR \fIip-address\fR [\fB,\fR
+\fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The IRC server option specifies a list of IRC servers available
+to the client.  Servers should be listed in order of preference.
+.RE
+.PP
+.B option \fBlog-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The log-server option specifies a list of MIT-LCS UDP log servers
+available to the client.  Servers should be listed in order of
+preference.
+.RE
+.PP
+.B option \fBlpr-servers\fR \fIip-address \fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The LPR server option specifies a list of RFC 1179 line printer
+servers available to the client.  Servers should be listed in order
+of preference.
+.RE
+.PP
+.B option \fBmask-supplier\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether or not the client should respond to
+subnet mask requests using ICMP.  A value of false indicates that the
+client should not respond.  A value of true means that the client should
+respond.
+.RE
+.PP
+.B option \fBmax-dgram-reassembly\fR \fIuint16\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the maximum size datagram that the client
+should be prepared to reassemble.  The minimum legal value is
+576.
+.RE
+.PP
+.B option \fBmerit-dump\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the path-name of a file to which the client's
+core image should be dumped in the event the client crashes.  The
+path is formatted as a character string consisting of characters from
+the NVT ASCII character set.
+.RE
+.PP
+.B option \fBmobile-ip-home-agent\fR \fIip-address\fR [\fB,\fR \fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a list of IP addresses indicating mobile IP
+home agents available to the client.  Agents should be listed in
+order of preference, although normally there will be only one such
+agent.
+.RE
+.PP
+.B option \fBnds-context\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The nds-context option specifies the name of the initial Netware
+Directory Service for an NDS client.
+.RE
+.PP
+.B option \fBnds-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The nds-servers option specifies a list of IP addresses of NDS servers.
+.RE
+.PP
+.B option \fBnds-tree-name\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The nds-tree-name option specifies NDS tree name that the NDS client
+should use.
+.RE
+.PP
+.B option \fBnetbios-dd-server\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The NetBIOS datagram distribution server (NBDD) option specifies a
+list of RFC 1001/1002 NBDD servers listed in order of preference.
+.RE
+.PP
+.B option \fBnetbios-name-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...]\fB;\fR
+.RS 0.25i
+.PP
+The NetBIOS name server (NBNS) option specifies a list of RFC
+1001/1002 NBNS name servers listed in order of preference.   NetBIOS
+Name Service is currently more commonly referred to as WINS.   WINS
+servers can be specified using the netbios-name-servers option.
+.RE
+.PP
+.B option \fBnetbios-node-type\fR \fIuint8\fR\fB;\fR
+.RS 0.25i
+.PP
+The NetBIOS node type option allows NetBIOS over TCP/IP clients which
+are configurable to be configured as described in RFC 1001/1002.  The
+value is specified as a single octet which identifies the client type.
+.PP
+Possible node types are:
+.PP
+.TP 5
+.I 1
+B-node: Broadcast - no WINS
+.TP
+.I 2
+P-node: Peer - WINS only
+.TP
+.I 4
+M-node: Mixed - broadcast, then WINS
+.TP
+.I 8
+H-node: Hybrid - WINS, then broadcast
+.RE
+.PP
+.B option \fBnetbios-scope\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The NetBIOS scope option specifies the NetBIOS over TCP/IP scope
+parameter for the client as specified in RFC 1001/1002. See RFC1001,
+RFC1002, and RFC1035 for character-set restrictions.
+.RE
+.PP
+.B option \fBnetinfo-server-address\fR \fIip-address\fR [\fB,\fR
+\fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The \fBnetinfo-server-address\fR option has not been described in any
+RFC, but has been allocated (and is claimed to be in use) by Apple
+Computers.  It's hard to say if the above is the correct format, or
+what clients might be expected to do if values were configured.  Use
+at your own risk.
+.RE
+.PP
+.B option \fBnetinfo-server-tag\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+The \fBnetinfo-server-tag\fR option has not been described in any
+RFC, but has been allocated (and is claimed to be in use) by Apple
+Computers.  It's hard to say if the above is the correct format,
+or what clients might be expected to do if values were configured.  Use
+at your own risk.
+.RE
+.PP
+.B option \fBnis-domain\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the name of the client's NIS (Sun Network
+Information Services) domain.  The domain is formatted as a character
+string consisting of characters from the NVT ASCII character set.
+.RE
+.PP
+.B option \fBnis-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a list of IP addresses indicating NIS servers
+available to the client.  Servers should be listed in order of
+preference.
+.RE
+.PP
+.B option \fBnisplus-domain\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the name of the client's NIS+ domain.  The
+domain is formatted as a character string consisting of characters
+from the NVT ASCII character set.
+.RE
+.PP
+.B option \fBnisplus-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a list of IP addresses indicating NIS+ servers
+available to the client.  Servers should be listed in order of
+preference.
+.RE
+.PP
+.B option \fBnntp-server\fR \fIip-address\fR [\fB,\fR
+\fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The NNTP server option specifies a list of NNTP servesr available
+to the client.  Servers should be listed in order of preference.
+.RE
+.PP
+.B option \fBnon-local-source-routing\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether the client should configure its IP
+layer to allow forwarding of datagrams with non-local source routes
+(see Section 3.3.5 of [4] for a discussion of this topic).  A value
+of false means disallow forwarding of such datagrams, and a value of true
+means allow forwarding.
+.RE
+.PP
+.B option \fBntp-servers\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a list of IP addresses indicating NTP (RFC 1035)
+servers available to the client.  Servers should be listed in order
+of preference.
+.RE
+.PP
+.B option \fBnwip-domain\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The name of the NetWare/IP domain that a NetWare/IP client should
+use.
+.RE
+.PP
+.B option \fBnwip-suboptions\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+A sequence of suboptions for NetWare/IP clients - see RFC2242 for
+details.   Normally this option is set by specifying specific
+NetWare/IP suboptions - see the NETWARE/IP SUBOPTIONS section for more
+information.
+.RE
+.PP
+.B option \fBpath-mtu-aging-timeout\fR \fIuint32\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the timeout (in seconds) to use when aging Path
+MTU values discovered by the mechanism defined in RFC 1191.
+.RE
+.PP
+.B option \fBpath-mtu-plateau-table\fR \fIuint16\fR [\fB,\fR \fIuint16\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a table of MTU sizes to use when performing
+Path MTU Discovery as defined in RFC 1191.  The table is formatted as
+a list of 16-bit unsigned integers, ordered from smallest to largest.
+The minimum MTU value cannot be smaller than 68.
+.RE
+.PP
+.B option \fBperform-mask-discovery\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether or not the client should perform subnet
+mask discovery using ICMP.  A value of false indicates that the client
+should not perform mask discovery.  A value of true means that the
+client should perform mask discovery.
+.RE
+.PP
+.nf
+.B option \fBpolicy-filter\fR \fIip-address ip-address\fR
+                  [\fB,\fR \fIip-address ip-address\fR...]\fB;\fR
+.RE
+.fi
+.RS 0.25i
+.PP
+This option specifies policy filters for non-local source routing.
+The filters consist of a list of IP addresses and masks which specify
+destination/mask pairs with which to filter incoming source routes.
+.PP
+Any source routed datagram whose next-hop address does not match one
+of the filters should be discarded by the client.
+.PP
+See STD 3 (RFC1122) for further information.
+.RE
+.PP
+.B option \fBpop-server\fR \fIip-address\fR [\fB,\fR \fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The POP3 server option specifies a list of POP3 servers available
+to the client.  Servers should be listed in order of preference.
+.RE
+.PP
+.B option \fBresource-location-servers\fR \fIip-address\fR
+                              [\fB, \fR\fIip-address\fR...]\fB;\fR
+.fi
+.RS 0.25i
+.PP
+This option specifies a list of RFC 887 Resource Location
+servers available to the client.  Servers should be listed in order
+of preference.
+.RE
+.PP
+.B option \fBroot-path\fR \fItext\fB;\fR\fR
+.RS 0.25i
+.PP
+This option specifies the path-name that contains the client's root
+disk.  The path is formatted as a character string consisting of
+characters from the NVT ASCII character set.
+.RE
+.PP
+.B option \fBrouter-discovery\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether or not the client should solicit
+routers using the Router Discovery mechanism defined in RFC 1256.
+A value of false indicates that the client should not perform
+router discovery.  A value of true means that the client should perform
+router discovery.
+.RE
+.PP
+.B option \fBrouter-solicitation-address\fR \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the address to which the client should transmit
+router solicitation requests.
+.RE
+.PP
+.B option routers \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The routers option specifies a list of IP addresses for routers on the
+client's subnet.  Routers should be listed in order of preference.
+.RE
+.PP
+.B option slp-directory-agent \fIboolean ip-address
+[\fB,\fR \fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies two things: the IP addresses of one or more
+Service Location Protocol Directory Agents, and whether the use of
+these addresses is mandatory.   If the initial boolean value is true,
+the SLP agent should just use the IP addresses given.   If the value
+is false, the SLP agent may additionally do active or passive
+multicast discovery of SLP agents (see RFC2165 for details).
+.PP
+Please note that in this option and the slp-service-scope option, the
+term "SLP Agent" is being used to refer to a Service Location Protocol
+agent running on a machine that is being configured using the DHCP
+protocol.
+.PP
+Also, please be aware that some companies may refer to SLP as NDS.
+If you have an NDS directory agent whose address you need to
+configure, the slp-directory-agent option should work.
+.RE
+.PP
+.B option slp-service-scope \fIboolean text\fR\fB;\fR
+.RS 0.25i
+.PP
+The Service Location Protocol Service Scope Option specifies two
+things: a list of service scopes for SLP, and whether the use of this
+list is mandatory.  If the initial boolean value is true, the SLP
+agent should only use the list of scopes provided in this option;
+otherwise, it may use its own static configuration in preference to
+the list provided in this option.
+.PP
+The text string should be a comma-separated list of scopes that the
+SLP agent should use.   It may be omitted, in which case the SLP Agent
+will use the aggregated list of scopes of all directory agents known
+to the SLP agent.
+.RE
+.PP
+.B option \fBsmtp-server\fR \fIip-address\fR [\fB,\fR
+\fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The SMTP server option specifies a list of SMTP servers available to
+the client.  Servers should be listed in order of preference.
+.RE
+.PP
+.nf
+.B option \fBstatic-routes\fR \fIip-address ip-address\fR
+                  [\fB,\fR \fIip-address ip-address\fR...]\fB;\fR
+.fi
+.RS 0.25i
+.PP
+This option specifies a list of static routes that the client should
+install in its routing cache.  If multiple routes to the same
+destination are specified, they are listed in descending order of
+priority.
+.PP
+The routes consist of a list of IP address pairs.  The first address
+is the destination address, and the second address is the router for
+the destination.
+.PP
+The default route (0.0.0.0) is an illegal destination for a static
+route.  To specify the default route, use the
+.B routers
+option.   Also, please note that this option is not intended for
+classless IP routing - it does not include a subnet mask.   Since
+classless IP routing is now the most widely deployed routing standard,
+this option is virtually useless, and is not implemented by any of the
+popular DHCP clients, for example the Microsoft DHCP client.
+.PP
+NOTE to @PRODUCTNAME@ dhclient users:
+.br
+dhclient-script interprets trailing 0 octets of the target
+as indicating the subnet class of the route - so for this
+static-routes value:
+.br
+        option static-routes 172.0.0.0 172.16.2.254,
+.br
+                             192.168.0.0 192.168.2.254;
+.br
+dhclient-script will create routes:
+.br
+        172/8 via 172.16.2.254 dev $interface
+.br
+        192.168/16 via 192.168.2.254 dev $interface
+.br
+which slightly increases the usefulness of the static-routes option.
+.RE
+.PP
+.nf
+.B option \fBstreettalk-directory-assistance-server\fR \fIip-address\fR
+                                           [\fB,\fR \fIip-address\fR...]\fB;\fR
+.fi
+.RS 0.25i
+.PP
+The StreetTalk Directory Assistance (STDA) server option specifies a
+list of STDA servers available to the client.  Servers should be
+listed in order of preference.
+.RE
+.PP
+.B option \fBstreettalk-server\fR \fIip-address\fR [\fB,\fR \fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The StreetTalk server option specifies a list of StreetTalk servers
+available to the client.  Servers should be listed in order of
+preference.
+.RE
+.PP
+.B option subnet-mask \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+The subnet mask option specifies the client's subnet mask as per RFC
+950.  If no subnet mask option is provided anywhere in scope, as a
+last resort dhcpd will use the subnet mask from the subnet declaration
+for the network on which an address is being assigned.  However,
+.I any
+subnet-mask option declaration that is in scope for the address being
+assigned will override the subnet mask specified in the subnet
+declaration.
+.RE
+.PP
+.B option \fBsubnet-selection\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+Sent by the client if an address is required in a subnet other than the one
+that would normally be selected (based on the relaying address of the
+connected subnet the request is obtained from). See RFC3011. Note that the
+option number used by this server is 118; this has not always been the
+defined number, and some clients may use a different value. Use of this
+option should be regarded as slightly experimental!
+.RE
+.PP
+This option is not user configurable in the server.
+.PP
+.PP
+.B option \fBswap-server\fR \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+This specifies the IP address of the client's swap server.
+.RE
+.PP
+.B option \fBtcp-keepalive-garbage\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether or not the client should send TCP
+keepalive messages with an octet of garbage for compatibility with
+older implementations.  A value of false indicates that a garbage octet
+should not be sent. A value of true indicates that a garbage octet
+should be sent.
+.RE
+.PP
+.B option \fBtcp-keepalive-interval\fR \fIuint32\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies the interval (in seconds) that the client TCP
+should wait before sending a keepalive message on a TCP connection.
+The time is specified as a 32-bit unsigned integer.  A value of zero
+indicates that the client should not generate keepalive messages on
+connections unless specifically requested by an application.
+.RE
+.PP
+.B option \fBtftp-server-name\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used to identify a TFTP server and, if supported by the
+client, should have the same effect as the \fBserver-name\fR
+declaration.   BOOTP clients are unlikely to support this option.
+Some DHCP clients will support it, and others actually require it.
+.RE
+.PP
+.B option time-offset \fIint32\fR\fB;\fR
+.RS 0.25i
+.PP
+The time-offset option specifies the offset of the client's subnet in
+seconds from Coordinated Universal Time (UTC).
+.RE
+.PP
+.B option time-servers \fIip-address\fR [, \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+The time-server option specifies a list of RFC 868 time servers
+available to the client.  Servers should be listed in order of
+preference.
+.RE
+.PP
+.B option \fBtrailer-encapsulation\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies whether or not the client should negotiate the
+use of trailers (RFC 893 [14]) when using the ARP protocol.  A value
+of false indicates that the client should not attempt to use trailers.  A
+value of true means that the client should attempt to use trailers.
+.RE
+.PP
+.B option \fBuap-servers\fR \fItext\fR\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a list of URLs, each pointing to a user
+authentication service that is capable of processing authentication
+requests encapsulated in the User Authentication Protocol (UAP).  UAP
+servers can accept either HTTP 1.1 or SSLv3 connections.  If the list
+includes a URL that does not contain a port component, the normal
+default port is assumed (i.e., port 80 for http and port 443 for
+https).  If the list includes a URL that does not contain a path
+component, the path /uap is assumed.   If more than one URL is
+specified in this list, the URLs are separated by spaces.
+.RE
+.PP
+.B option \fBuser-class\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used by some DHCP clients as a way for users to
+specify identifying information to the client.   This can be used in a
+similar way to the vendor-class-identifier option, but the value of
+the option is specified by the user, not the vendor.   Most recent
+DHCP clients have a way in the user interface to specify the value for
+this identifier, usually as a text string.
+.RE
+.PP
+.B option \fBvendor-class-identifier\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+This option is used by some DHCP clients to identify the vendor
+type and possibly the configuration of a DHCP client.  The information
+is a string of bytes whose contents are specific to the vendor and are
+not specified in a standard.   To see what vendor class identifier
+clients are sending, you can write the following in your DHCP server
+configuration file:
+.nf
+.PP
+set vendor-string = option vendor-class-identifier;
+.fi
+.PP
+This will result in all entries in the DHCP server lease database file
+for clients that sent vendor-class-identifier options having a set
+statement that looks something like this:
+.nf
+.PP
+set vendor-string = "SUNW.Ultra-5_10";
+.fi
+.PP
+The vendor-class-identifier option is normally used by the DHCP server
+to determine the options that are returned in the
+.B vendor-encapsulated-options
+option.   Please see the VENDOR ENCAPSULATED OPTIONS section later in this
+manual page for further information.
+.RE
+.PP
+.B option \fBvendor-encapsulated-options\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The \fBvendor-encapsulated-options\fR option can contain either a
+single vendor-specific value or one or more vendor-specific
+suboptions.   This option is not normally specified in the DHCP server
+configuration file - instead, a vendor class is defined for each
+vendor, vendor class suboptions are defined, values for those
+suboptions are defined, and the DHCP server makes up a response on
+that basis.
+.PP
+Some default behaviours for well-known DHCP client vendors (currently,
+the Microsoft Windows 2000 DHCP client) are configured automatically,
+but otherwise this must be configured manually - see the VENDOR
+ENCAPSULATED OPTIONS section later in this manual page for details.
+.RE
+.PP
+.B option \fBwww-server\fR \fIip-address\fR [\fB,\fR
+\fIip-address\fR... ]\fB;\fR
+.RS 0.25i
+.PP
+The WWW server option specifies a list of WWW servers available
+to the client.  Servers should be listed in order of preference.
+.RE
+.PP
+.B option \fBx-display-manager\fR \fIip-address\fR [\fB,\fR \fIip-address\fR...
+]\fB;\fR
+.RS 0.25i
+.PP
+This option specifies a list of systems that are running the X Window
+System Display Manager and are available to the client.  Addresses
+should be listed in order of preference.
+.RE
+.SH RELAY AGENT INFORMATION OPTION
+An IETF draft, draft-ietf-dhc-agent-options-11.txt, defines a series
+of encapsulated options that a relay agent can add to a DHCP packet
+when relaying it to the DHCP server.   The server can then make
+address allocation decisions (or whatever other decisions it wants)
+based on these options.   The server also returns these options in any
+replies it sends through the relay agent, so that the relay agent can
+use the information in these options for delivery or accounting
+purposes.
+.PP
+The current draft defines two options.   To reference
+these options in the dhcp server, specify the option space name,
+"agent", followed by a period, followed by the option name.   It is
+not normally useful to define values for these options in the server,
+although it is permissible.   These options are not supported in the
+client.
+.PP
+.B option \fBagent.circuit-id\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The circuit-id suboption encodes an agent-local identifier of the
+circuit from which a DHCP client-to-server packet was received.  It is
+intended for use by agents in relaying DHCP responses back to the
+proper circuit.   The format of this option is currently defined to be
+vendor-dependent, and will probably remain that way, although the
+current draft allows for for the possibility of standardizing the
+format in the future.
+.RE
+.PP
+.B option \fBagent.remote-id\fR \fIstring\fR\fB;\fR
+.RS 0.25i
+.PP
+The remote-id suboption encodes information about the remote host end
+of a circuit.   Examples of what it might contain include caller ID
+information, username information, remote ATM address, cable modem ID,
+and similar things.   In principal, the meaning is not well-specified,
+and it should generally be assumed to be an opaque object that is
+administratively guaranteed to be unique to a particular remote end of
+a circuit.
+.RE
+.PP
+.B option \fBagent.DOCSIS-device-class\fR \fIuint32\fR\fB;\fR
+.RS 0.25i
+.PP
+The DOCSIS-device-class suboption is intended to convey information about
+the host endpoint, hardware, and software, that either the host operating
+system or the DHCP server may not otherwise be aware of (but the relay is
+able to distinguish).  This is implemented as a 32-bit field (4 octets),
+each bit representing a flag describing the host in one of these ways.
+So far, only bit zero (being the least significant bit) is defined in
+RFC3256.  If this bit is set to one, the host is considered a CPE
+Controlled Cable Modem (CCCM).  All other bits are reserved.
+.RE
+.PP
+.B option \fBagent.link-selection\fR \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+The link-selection suboption is provided by relay agents to inform servers
+what subnet the client is actually attached to.  This is useful in those
+cases where the giaddr (where responses must be sent to the relay agent)
+is not on the same subnet as the client.  When this option is present in
+a packet from a relay agent, the DHCP server will use its contents to find
+a subnet declared in configuration, and from here take one step further
+backwards to any shared-network the subnet may be defined within...the
+client may be given any address within that shared network, as normally
+appropriate.
+.RE
+.SH THE CLIENT FQDN SUBOPTIONS
+The Client FQDN option, currently defined in the Internet Draft
+draft-ietf-dhc-fqdn-option-00.txt is not a standard yet, but is in
+sufficiently wide use already that we have implemented it.   Due to
+the complexity of the option format, we have implemented it as a
+suboption space rather than a single option.   In general this
+option should not be configured by the user - instead it should be
+used as part of an automatic DNS update system.
+.PP
+.B option fqdn.no-client-update \fIflag\fB;
+.RS 0.25i
+.PP
+When the client sends this, if it is true, it means the client will not
+attempt to update its A record.   When sent by the server to the client,
+it means that the client \fIshould not\fR update its own A record.
+.RE
+.PP
+.B option fqdn.server-update \fIflag\fB;
+.RS 0.25i
+.PP
+When the client sends this to the server, it is requesting that the server
+update its A record.   When sent by the server, it means that the server
+has updated (or is about to update) the client's A record.
+.RE
+.PP
+.B option fqdn.encoded \fIflag\fB;
+.RS 0.25i
+.PP
+If true, this indicates that the domain name included in the option is
+encoded in DNS wire format, rather than as plain ASCII text.   The client
+normally sets this to false if it doesn't support DNS wire format in the
+FQDN option.   The server should always send back the same value that the
+client sent.   When this value is set on the configuration side, it controls
+the format in which the \fIfqdn.fqdn\fR suboption is encoded.
+.RE
+.PP
+.B option fqdn.rcode1 \fIflag\fB;
+.PP
+.B option fqdn.rcode2 \fIflag\fB;
+.RS 0.25i
+.PP
+These options specify the result of the updates of the A and PTR records,
+respectively, and are only sent by the DHCP server to the DHCP client.
+The values of these fields are those defined in the DNS protocol specification.
+.RE
+.PP
+.B option fqdn.fqdn \fItext\fB;
+.RS 0.25i
+.PP
+Specifies the domain name that the client wishes to use.   This can be a
+fully-qualified domain name, or a single label.   If there is no trailing
+'.' character in the name, it is not fully-qualified, and the server will
+generally update that name in some locally-defined domain.
+.RE
+.PP
+.B option fqdn.hostname \fI--never set--\fB;
+.RS 0.25i
+.PP
+This option should never be set, but it can be read back using the \fBoption\fR
+and \fBconfig-option\fR operators in an expression, in which case it returns
+the first label in the \fBfqdn.fqdn\fR suboption - for example, if
+the value of \fBfqdn.fqdn\fR is "foo.example.com.", then \fBfqdn.hostname\fR
+will be "foo".
+.RE
+.PP
+.B option fqdn.domainname \fI--never set--\fB;
+.RS 0.25i
+.PP
+This option should never be set, but it can be read back using the \fBoption\fR
+and \fBconfig-option\fR operators in an expression, in which case it returns
+all labels after the first label in the \fBfqdn.fqdn\fR suboption - for
+example, if the value of \fBfqdn.fqdn\fR is "foo.example.com.",
+then \fBfqdn.hostname\fR will be "example.com.".   If this suboption value
+is not set, it means that an unqualified name was sent in the fqdn option,
+or that no fqdn option was sent at all.
+.RE
+.PP
+If you wish to use any of these suboptions, we strongly recommend that you
+refer to the Client FQDN option draft (or standard, when it becomes a
+standard) - the documentation here is sketchy and incomplete in comparison,
+and is just intended for reference by people who already understand the
+Client FQDN option specification.
+.SH THE NETWARE/IP SUBOPTIONS
+RFC2242 defines a set of encapsulated options for Novell NetWare/IP
+clients.  To use these options in the dhcp server, specify the option
+space name, "nwip", followed by a period, followed by the option name.
+The following options can be specified:
+.PP
+.B option \fBnwip.nsq-broadcast\fR \fIflag\fR\fB;\fR
+.RS 0.25i
+.PP
+If true, the client should use the NetWare Nearest Server Query to
+locate a NetWare/IP server.   The behaviour of the Novell client if
+this suboption is false, or is not present, is not specified.
+.PP
+.RE
+.B option \fBnwip.preferred-dss\fR \fIip-address\fR [\fB,\fR \fIip-address\fR... ]\fR\fB;\fR
+.RS 0.25i
+.PP
+This suboption specifies a list of up to five IP addresses, each of
+which should be the IP address of a NetWare Domain SAP/RIP server
+(DSS).
+.RE
+.PP
+.B option \fBnwip.nearest-nwip-server\fR \fI\fIip-address\fR
+                             [\fB,\fR \fIip-address\fR...]\fR\fB;\fR
+.RS 0.25i
+.PP
+This suboption specifies a list of up to five IP addresses, each of
+which should be the IP address of a Nearest NetWare IP server.
+.RE
+.PP
+.B option \fBnwip.autoretries\fR \fIuint8\fR\fB;\fR
+.RS 0.25i
+.PP
+Specifies the number of times that a NetWare/IP client should attempt
+to communicate with a given DSS server at startup.
+.RE
+.PP
+.B option \fBnwip.autoretry-secs\fR \fIuint8\fR\fB;\fR
+.RS 0.25i
+.PP
+Specifies the number of seconds that a Netware/IP client should wait
+between retries when attempting to establish communications with a DSS
+server at startup.
+.RE
+.PP
+.B option \fBnwip.nwip-1-1\fR \fIuint8\fR\fB;\fR
+.RS 0.25i
+.PP
+If true, the NetWare/IP client should support NetWare/IP version 1.1
+compatibility.   This is only needed if the client will be contacting
+Netware/IP version 1.1 servers.
+.RE
+.PP
+.B option \fBnwip.primary-dss\fR \fIip-address\fR\fB;\fR
+.RS 0.25i
+.PP
+Specifies the IP address of the Primary Domain SAP/RIP Service server
+(DSS) for this NetWare/IP domain.   The NetWare/IP administration
+utility uses this value as Primary DSS server when configuring a
+secondary DSS server.
+.RE
+.SH DEFINING NEW OPTIONS
+The Internet Systems Consortium DHCP client and server provide the
+capability to define new options.   Each DHCP option has a name, a
+code, and a structure.   The name is used by you to refer to the
+option.   The code is a number, used by the DHCP server and client to
+refer to an option.   The structure describes what the contents of an
+option looks like.
+.PP
+To define a new option, you need to choose a name for it that is not
+in use for some other option - for example, you can't use "host-name"
+because the DHCP protocol already defines a host-name option, which is
+documented earlier in this manual page.   If an option name doesn't
+appear in this manual page, you can use it, but it's probably a good
+idea to put some kind of unique string at the beginning so you can be
+sure that future options don't take your name.   For example, you
+might define an option, "local-host-name", feeling some confidence
+that no official DHCP option name will ever start with "local".
+.PP
+Once you have chosen a name, you must choose a code.  All codes between
+224 and 254 are reserved as 'site-local' DHCP options, so you can pick
+any one of these for your site (not for your product/application).  In
+RFC3942, site-local space was moved from starting at 128 to starting at
+224.  In practice, some vendors have interpreted the protocol rather
+loosely and have used option code values greater than 128 themselves.
+There's no real way to avoid this problem, and it was thought to be
+unlikely to cause too much trouble in practice.  If you come across
+a vendor-documented option code in either the new or old site-local
+spaces, please contact your vendor and inform them about rfc3942.
+.PP
+The structure of an option is simply the format in which the option
+data appears.   The ISC DHCP server currently supports a few simple
+types, like integers, booleans, strings and IP addresses, and it also
+supports the ability to define arrays of single types or arrays of
+fixed sequences of types.
+.PP
+New options are declared as follows:
+.PP
+.B option
+.I new-name
+.B code
+.I new-code
+.B =
+.I definition
+.B ;
+.PP
+The values of
+.I new-name
+and
+.I new-code
+should be the name you have chosen for the new option and the code you
+have chosen.   The
+.I definition
+should be the definition of the structure of the option.
+.PP
+The following simple option type definitions are supported:
+.PP
+.B BOOLEAN
+.PP
+.B option
+.I new-name
+.B code
+.I new-code
+.B =
+.B boolean
+.B ;
+.PP
+An option of type boolean is a flag with a value of either on or off
+(or true or false).   So an example use of the boolean type would be:
+.nf
+
+option use-zephyr code 180 = boolean;
+option use-zephyr on;
+
+.fi
+.B INTEGER
+.PP
+.B option
+.I new-name
+.B code
+.I new-code
+.B =
+.I sign
+.B integer
+.I width
+.B ;
+.PP
+The \fIsign\fR token should either be blank, \fIunsigned\fR
+or \fIsigned\fR.   The width can be either 8, 16 or 32, and refers to
+the number of bits in the integer.   So for example, the following two
+lines show a definition of the sql-connection-max option and its use:
+.nf
+
+option sql-connection-max code 192 = unsigned integer 16;
+option sql-connection-max 1536;
+
+.fi
+.B IP-ADDRESS
+.PP
+.B option
+.I new-name
+.B code
+.I new-code
+.B =
+.B ip-address
+.B ;
+.PP
+An option whose structure is an IP address can be expressed either as
+a domain name or as a dotted quad.  So the following is an example use
+of the ip-address type:
+.nf
+
+option sql-server-address code 193 = ip-address;
+option sql-server-address sql.example.com;
+
+.fi
+.PP
+.B TEXT
+.PP
+.B option
+.I new-name
+.B code
+.I new-code
+.B =
+.B text
+.B ;
+.PP
+An option whose type is text will encode an ASCII text string.   For
+example:
+.nf
+
+option sql-default-connection-name code 194 = text;
+option sql-default-connection-name "PRODZA";
+
+.fi
+.PP
+.B DATA STRING
+.PP
+.B option
+.I new-name
+.B code
+.I new-code
+.B =
+.B string
+.B ;
+.PP
+An option whose type is a data string is essentially just a collection
+of bytes, and can be specified either as quoted text, like the text
+type, or as a list of hexadecimal contents separated by colons whose
+values must be between 0 and FF.   For example:
+.nf
+
+option sql-identification-token code 195 = string;
+option sql-identification-token 17:23:19:a6:42:ea:99:7c:22;
+
+.fi
+.PP
+.B ENCAPSULATION
+.PP
+.B option
+.I new-name
+.B code
+.I new-code
+.B =
+.B encapsulate
+.I identifier
+.B ;
+.PP
+An option whose type is \fBencapsulate\fR will encapsulate the
+contents of the option space specified in \fIidentifier\fR.   Examples
+of encapsulated options in the DHCP protocol as it currently exists
+include the vendor-encapsulated-options option, the netware-suboptions
+option and the relay-agent-information option.
+.nf
+
+option space local;
+option local.demo code 1 = text;
+option local-encapsulation code 197 = encapsulate local;
+option local.demo "demo";
+
+.fi
+.PP
+.B ARRAYS
+.PP
+Options can contain arrays of any of the above types except for the
+text and data string types, which aren't currently supported in
+arrays.   An example of an array definition is as follows:
+.nf
+
+option kerberos-servers code 200 = array of ip-address;
+option kerberos-servers 10.20.10.1, 10.20.11.1;
+
+.fi
+.B RECORDS
+.PP
+Options can also contain data structures consisting of a sequence of
+data types, which is sometimes called a record type.   For example:
+.nf
+
+option contrived-001 code 201 = { boolean, integer 32, text };
+option contrived-001 on 1772 "contrivance";
+
+.fi
+It's also possible to have options that are arrays of records, for
+example:
+.nf
+
+option new-static-routes code 201 = array of {
+	ip-address, ip-address, ip-address, integer 8 };
+option static-routes
+	10.0.0.0 255.255.255.0 net-0-rtr.example.com 1,
+	10.0.1.0 255.255.255.0 net-1-rtr.example.com 1,
+	10.2.0.0 255.255.224.0 net-2-0-rtr.example.com 3;
+
+.fi	
+.SH VENDOR ENCAPSULATED OPTIONS
+The DHCP protocol defines the \fB vendor-encapsulated-options\fR
+option, which allows vendors to define their own options that will be
+sent encapsulated in a standard DHCP option.   The format of the
+.B vendor-encapsulated-options
+option is either a series of bytes whose format is not specified, or
+a sequence of options, each of which consists of a single-byte
+vendor-specific option code, followed by a single-byte length,
+followed by as many bytes of data as are specified in the length (the
+length does not include itself or the option code).
+.PP
+The value of this option can be set in one of two ways.   The first
+way is to simply specify the data directly, using a text string or a
+colon-separated list of hexadecimal values.   For example:
+.PP
+.nf
+option vendor-encapsulated-options
+    2:4:AC:11:41:1:
+    3:12:73:75:6e:64:68:63:70:2d:73:65:72:76:65:72:31:37:2d:31:
+    4:12:2f:65:78:70:6f:72:74:2f:72:6f:6f:74:2f:69:38:36:70:63;
+.fi
+.PP
+The second way of setting the value of this option is to have the DHCP
+server generate a vendor-specific option buffer.   To do this, you
+must do four things: define an option space, define some options in
+that option space, provide values for them, and specify that that 
+option space should be used to generate the
+.B vendor-encapsulated-options
+option.
+.PP
+To define a new option space in which vendor options can be stored,
+use the \fRoption space\fP statement:
+.PP
+.B option
+.B space
+.I name
+.B [ [ code width
+.I number
+.B ] [ length width
+.I number
+.B ] [ hash size
+.I number
+.B ] ] ;
+.PP
+Where the numbers following \fBcode width\fR, \fBlength width\fR,
+and \fBhash size\fR respectively identify the number of bytes used to
+describe option codes, option lengths, and the size in buckets of the
+hash tables to hold options in this space.
+.PP
+The code and length widths are used in DHCP protocol - you must configure
+these numbers to match the applicable option space you are configuring.
+They each default to 1.  Valid values for code widths are 1, 2 or 4.
+Valid values for length widths are 1 or 2.
+.PP
+The hash size defaults depend upon the \fBcode width\fR selected, and
+may be 254 or 1009.  Valid values range between 1 and 65535.  Note
+that the higher you configure this value, the more memory will be used.  It
+is considered good practice to configure a value that is slightly larger
+than the estimated number of options you plan to configure within the
+space.  Due to limitations in previous versions of ISC DHCP (up to and
+including DHCP 3.0.*), this value was fixed at 9973.
+.PP
+The name can then be used in option definitions, as described earlier in
+this document.   For example:
+.nf
+
+option space SUNW code width 1 length width 1 hash size 3;
+option SUNW.server-address code 2 = ip-address;
+option SUNW.server-name code 3 = text;
+option SUNW.root-path code 4 = text;
+
+.fi
+Once you have defined an option space and the format of some options,
+you can set up scopes that define values for those options, and you
+can say when to use them.   For example, suppose you want to handle
+two different classes of clients.   Using the option space definition
+shown in the previous example, you can send different option values to
+different clients based on the vendor-class-identifier option that the
+clients send, as follows:
+.PP
+.nf
+class "vendor-classes" {
+  match option vendor-class-identifier;
+}
+
+option SUNW.server-address 172.17.65.1;
+option SUNW.server-name "sundhcp-server17-1";
+
+subclass "vendor-classes" "SUNW.Ultra-5_10" {
+  vendor-option-space SUNW;
+  option SUNW.root-path "/export/root/sparc";
+}
+
+subclass "vendor-classes" "SUNW.i86pc" {
+  vendor-option-space SUNW;
+  option SUNW.root-path "/export/root/i86pc";
+}
+.fi
+.PP
+As you can see in the preceding example, regular scoping rules apply,
+so you can define values that are global in the global scope, and only
+define values that are specific to a particular class in the local
+scope.   The \fBvendor-option-space\fR declaration tells the DHCP
+server to use options in the SUNW option space to construct the
+.B vendor-encapsulated-options
+option.
+.SH SEE ALSO
+dhcpd.conf(5), dhcpd.leases(5), dhclient.conf(5), dhcp-eval(5), dhcpd(8),
+dhclient(8), RFC2132, RFC2131, draft-ietf-dhc-agent-options-??.txt.
+.SH AUTHOR
+The Internet Systems Consortium DHCP Distribution was written by Ted
+Lemon under a contract with Vixie Labs.  Funding for
+this project was provided through Internet Systems Consortium.
+Information about Internet Systems Consortium can be found at
+.B http://www.isc.org.
diff --git a/dhcp.schema b/dhcp.schema
index 7cc96b0..c5ed6c7 100644
--- a/dhcp.schema
+++ b/dhcp.schema
@@ -82,7 +82,8 @@ attributetype ( 2.16.840.1.113719.1.203.4.14
 	DESC 'The distinguished name of a client address.' 
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
 
-attributetype ( 2.16.840.1.113719.1.203.4.15 NAME 'dhcpLeasesDN' 
+attributetype ( 2.16.840.1.113719.1.203.4.15 
+	NAME 'dhcpLeasesDN' 
 	DESC 'The distinguished name(s) client addresses.' 
 	EQUALITY distinguishedNameMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
@@ -112,7 +113,8 @@ attributetype ( 2.16.840.1.113719.1.203.4.19
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
 attributetype ( 2.16.840.1.113719.1.203.4.20 
-	NAME 'dhcpVersion' DESC 'The version attribute of this object.' 
+	NAME 'dhcpVersion'
+	DESC 'The version attribute of this object.'
 	EQUALITY caseIgnoreIA5Match
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
@@ -130,27 +132,27 @@ attributetype ( 2.16.840.1.113719.1.203.4.22
 
 attributetype ( 2.16.840.1.113719.1.203.4.23 
 	NAME 'dhcpExpirationTime' 
-	EQUALITY integerMatch
+	EQUALITY generalizedTimeMatch 
 	DESC 'This is the time the current lease for an address expires.' 
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
 
 attributetype ( 2.16.840.1.113719.1.203.4.24 
 	NAME 'dhcpStartTimeOfState' 
-	EQUALITY integerMatch
+	EQUALITY generalizedTimeMatch 
 	DESC 'This is the time of the last state change for a leased address.' 
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
 
 attributetype ( 2.16.840.1.113719.1.203.4.25 
 	NAME 'dhcpLastTransactionTime' 
-	EQUALITY integerMatch
+	EQUALITY generalizedTimeMatch 
 	DESC 'This is the last time a valid DHCP packet was received from the client.'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
 
 attributetype ( 2.16.840.1.113719.1.203.4.26 
 	NAME 'dhcpBootpFlag' 
-	EQUALITY integerMatch
+	EQUALITY booleanMatch 
 	DESC 'This indicates whether the address was assigned via BOOTP.' 
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 
 attributetype ( 2.16.840.1.113719.1.203.4.27 
 	NAME 'dhcpDomainName' 
@@ -190,9 +192,9 @@ attributetype ( 2.16.840.1.113719.1.203.4.32
 
 attributetype ( 2.16.840.1.113719.1.203.4.33 
 	NAME 'dhcpRelayAgentInfo' 
-	EQUALITY caseIgnoreIA5Match
+	EQUALITY octetStringMatch
 	DESC 'If the client request was received via a relay agent, this contains information about the relay agent that was available from the DHCP request.  This is a hex-encoded option value.' 
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 
 attributetype ( 2.16.840.1.113719.1.203.4.34 
 	NAME 'dhcpHWAddress' 
@@ -202,9 +204,9 @@ attributetype ( 2.16.840.1.113719.1.203.4.34
 
 attributetype ( 2.16.840.1.113719.1.203.4.35 
 	NAME 'dhcpHashBucketAssignment' 
-	EQUALITY caseIgnoreIA5Match
+	EQUALITY octetStringMatch
 	DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in DHC Load Balancing Algorithm [RFC 3074].' 
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 
 attributetype ( 2.16.840.1.113719.1.203.4.36 
 	NAME 'dhcpDelayedServiceParameter' 
@@ -220,9 +222,9 @@ attributetype ( 2.16.840.1.113719.1.203.4.37
 
 attributetype ( 2.16.840.1.113719.1.203.4.38 
 	NAME 'dhcpFailOverEndpointState' 
-	EQUALITY integerMatch
+	EQUALITY caseIgnoreIA5Match
 	DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover Protocol [FAILOVR]' 
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
 attributetype ( 2.16.840.1.113719.1.203.4.39 
 	NAME 'dhcpErrorLog' 
@@ -230,41 +232,137 @@ attributetype ( 2.16.840.1.113719.1.203.4.39
 	DESC 'Generic error log attribute that allows logging error conditions within a dhcpService or a dhcpSubnet, like no IP addresses available for lease.'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
+attributetype ( 2.16.840.1.113719.1.203.4.40 
+	NAME 'dhcpLocatorDN' 
+	EQUALITY distinguishedNameMatch 
+	DESC 'The DN of dhcpLocator object which contain the DNs of all DHCP configuration objects. There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype  ( 2.16.840.1.113719.1.203.4.41 
+	NAME 'dhcpKeyAlgorithm' 
+	EQUALITY caseIgnoreIA5Match 
+	DESC 'Algorithm to generate TSIG Key' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype  ( 2.16.840.1.113719.1.203.4.42 
+	NAME 'dhcpKeySecret' 
+	EQUALITY octetStringMatch 
+	DESC 'Secret to generate TSIG Key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+
+attributetype ( 2.16.840.1.113719.1.203.4.43 
+	NAME 'dhcpDnsZoneServer' 
+	EQUALITY caseIgnoreIA5Match 
+	DESC 'Master server of the DNS Zone' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 2.16.840.1.113719.1.203.4.44 
+	NAME 'dhcpKeyDN' 
+	EQUALITY distinguishedNameMatch 
+	DESC 'The DNs of TSIG Key to use in secure dynamic updates. In case of locator object, this will be list of TSIG keys.  In case of DHCP Service, Shared Network, Subnet and DNS Zone, it will be a single key.' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+
+attributetype ( 2.16.840.1.113719.1.203.4.45 
+	NAME 'dhcpZoneDN' 
+	EQUALITY distinguishedNameMatch 
+	DESC 'The DNs of DNS Zone. In case of locator object, this will be list of DNS Zones in the tree. In case of DHCP Service, Shared Network and Subnet, it will be a single DNS Zone.' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+
+attributetype ( 2.16.840.1.113719.1.203.4.46 
+	NAME 'dhcpFailOverPrimaryServer' 
+	EQUALITY caseIgnoreIA5Match 
+	DESC 'IP address or DNS name of the server playing primary role in DHC Load Balancing and Fail over.' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26  )
+
+attributetype ( 2.16.840.1.113719.1.203.4.47 
+	NAME 'dhcpFailOverSecondaryServer' 
+	EQUALITY caseIgnoreIA5Match 
+	DESC 'IP address or DNS name of the server playing secondary role in DHC Load Balancing and Fail over.' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26  )
+
+attributetype ( 2.16.840.1.113719.1.203.4.48
+	NAME 'dhcpFailOverPrimaryPort' 
+	EQUALITY integerMatch 
+	DESC 'Port on which primary server listens for connections from its fail over peer (secondary server)' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
+	
+attributetype ( 2.16.840.1.113719.1.203.4.49
+	NAME 'dhcpFailOverSecondaryPort' 
+	EQUALITY integerMatch 
+	DESC 'Port on which secondary server listens for connections from its fail over peer (primary server)' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
+
+attributetype ( 2.16.840.1.113719.1.203.4.50
+	NAME 'dhcpFailOverResponseDelay' 
+	EQUALITY integerMatch 
+	DESC 'Maximum response time in seconds, before Server assumes that connection to fail over peer has failed' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
+
+attributetype ( 2.16.840.1.113719.1.203.4.51
+	NAME 'dhcpFailOverUnackedUpdates' 
+	EQUALITY integerMatch 
+	DESC 'Number of BNDUPD messages that server can send before it receives BNDACK from its fail over peer' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
+
+attributetype ( 2.16.840.1.113719.1.203.4.52
+	NAME 'dhcpFailOverSplit' 
+	EQUALITY integerMatch 
+	DESC 'Split between the primary and secondary servers for fail over purpose' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
+
+attributetype ( 2.16.840.1.113719.1.203.4.53
+	NAME 'dhcpFailOverLoadBalanceTime' 
+	EQUALITY integerMatch 
+	DESC 'Cutoff time in seconds, after which load balance is disabled' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
+
+attributetype ( 2.16.840.1.113719.1.203.4.54
+	NAME 'dhcpFailOverPeerDN' 
+	EQUALITY distinguishedNameMatch 
+	DESC 'The DNs of Fail over peers. In case of locator object, this will be list of fail over peers in the tree. In case of Subnet and pool, it will be a single Fail Over Peer' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 
+
+#List of all servers in the tree
+attributetype ( 2.16.840.1.113719.1.203.4.55
+	NAME 'dhcpServerDN' 
+	EQUALITY distinguishedNameMatch 
+	DESC 'List of all  DHCP Servers in the tree. Used by dhcpLocatorObject' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype ( 2.16.840.1.113719.1.203.4.56
+	NAME 'dhcpComments' 
+	EQUALITY caseIgnoreIA5Match 
+	DESC 'Generic attribute that allows coments  within any DHCP object' 
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
 # Classes
 
 objectclass ( 2.16.840.1.113719.1.203.6.1 
 	NAME 'dhcpService' 
 	DESC 'Service object that represents the actual DHCP Service configuration. This is a container object.' 
 	SUP top 
-	MUST (cn $ dhcpPrimaryDN) 
-	MAY ( dhcpSecondaryDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ 
-		dhcpGroupDN $ dhcpHostDN $  dhcpClassesDN $ dhcpOptionsDN $ 
-		dhcpStatements ) )
+	MUST (cn) 
+	MAY ( dhcpPrimaryDN $ dhcpSecondaryDN $ dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $  dhcpClassesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $dhcpComments $ dhcpOption) )
 
 objectclass ( 2.16.840.1.113719.1.203.6.2 
 	NAME 'dhcpSharedNetwork' 
 	DESC 'This stores configuration information for a shared network.' 
 	SUP top 
 	MUST cn 
-	MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpStatements) 
-	X-NDS_CONTAINMENT ('dhcpService' ) )
+	MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpStatements $dhcpComments $ dhcpOption) X-NDS_CONTAINMENT ('dhcpService' ) )
 
 objectclass ( 2.16.840.1.113719.1.203.6.3 
 	NAME 'dhcpSubnet' 
 	DESC 'This class defines a subnet. This is a container object.' 
 	SUP top 
 	MUST ( cn $ dhcpNetMask ) 
-	MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ 
-		dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpStatements) 
-	X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork') )
+	MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption ) X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork') )
 
 objectclass ( 2.16.840.1.113719.1.203.6.4 
 	NAME 'dhcpPool' 
 	DESC 'This stores configuration information about a pool.' 
 	SUP top 
 	MUST ( cn $ dhcpRange ) 
-	MAY (dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptionsDN $ 
-		dhcpStatements) 
+	MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $dhcpKeyDN $ dhcpStatements $ dhcpComments $ dhcpOption ) 
 	X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpSharedNetwork') )
 
 objectclass ( 2.16.840.1.113719.1.203.6.5 
@@ -272,7 +370,7 @@ objectclass ( 2.16.840.1.113719.1.203.6.5
 	DESC 'Group object that lists host DNs and parameters. This is a container object.' 
 	SUP top 
 	MUST cn 
-	MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements ) 
+	MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption )
 	X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpService' ) )
 
 objectclass ( 2.16.840.1.113719.1.203.6.6 
@@ -280,7 +378,7 @@ objectclass ( 2.16.840.1.113719.1.203.6.6
 	DESC 'This represents information about a particular client' 
 	SUP top 
 	MUST cn 
-	MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements) 
+	MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption) 
 	X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
 
 objectclass ( 2.16.840.1.113719.1.203.6.7 
@@ -288,7 +386,7 @@ objectclass ( 2.16.840.1.113719.1.203.6.7
 	DESC 'Represents information about a collection of related clients.' 
 	SUP top 
 	MUST cn 
-	MAY (dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements) 
+	MAY (dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption) 
 	X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' ) )
 
 objectclass ( 2.16.840.1.113719.1.203.6.8 
@@ -296,29 +394,22 @@ objectclass ( 2.16.840.1.113719.1.203.6.8
 	DESC 'Represents information about a collection of related classes.' 
 	SUP top 
 	MUST cn 
-	MAY (dhcpClassData $ dhcpOptionsDN $ dhcpStatements) 
-	X-NDS_CONTAINMENT 'dhcpClass' ) 
+	MAY (dhcpClassData $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption) X-NDS_CONTAINMENT 'dhcpClass' )
 
 objectclass ( 2.16.840.1.113719.1.203.6.9 
 	NAME 'dhcpOptions' 
 	DESC 'Represents information about a collection of options defined.' 
-	SUP top 
-        AUXILIARY
+	SUP top AUXILIARY
 	MUST cn 
-	MAY ( dhcpOption ) 
-	X-NDS_CONTAINMENT  ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet' 
-			'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) )
+	MAY ( dhcpOption $ dhcpComments ) 
+	X-NDS_CONTAINMENT  ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) )
 
 objectclass ( 2.16.840.1.113719.1.203.6.10 
 	NAME 'dhcpLeases' 
 	DESC 'This class represents an IP Address, which may or may not have been leased.' 
 	SUP top 
 	MUST ( cn $ dhcpAddressState ) 
-	MAY ( dhcpExpirationTime $ dhcpStartTimeOfState $ 
-		dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ 
-		dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ 
-		dhcpReservedForClient $ dhcpAssignedToClient $ 
-		dhcpRelayAgentInfo $ dhcpHWAddress ) 
+	MAY ( dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) 
 	X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool') )
 
 objectclass ( 2.16.840.1.113719.1.203.6.11 
@@ -326,19 +417,46 @@ objectclass ( 2.16.840.1.113719.1.203.6.11
 	DESC 'This is the object that holds past information about the IP address. The cn is the time/date stamp when the address was assigned or released, the address state at the time, if the address was assigned or released.' 
 	SUP top 
 	MUST ( cn ) 
-	MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ 
-		dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ 
-		dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ 
-		dhcpReservedForClient $ dhcpAssignedToClient $ 
-		dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog) 
-	X-NDS_CONTAINMENT ('dhcpLeases' 'dhcpPool' 'dhcpSubnet' 
-					'dhcpSharedNetwork' 'dhcpService' ) )
+	MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog) 
+	X-NDS_CONTAINMENT ('dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpService' ) )
 
 objectclass ( 2.16.840.1.113719.1.203.6.12 
 	NAME 'dhcpServer' 
 	DESC 'DHCP Server Object' 
 	SUP top 
-	MUST (cn $ dhcpServiceDN) 
-	MAY (dhcpVersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServiceParameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements)
-	X-NDS_CONTAINMENT ('o' 'ou' 'dc') )
+	MUST ( cn ) 
+	MAY (dhcpServiceDN  $ dhcpLocatorDN $ dhcpVersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServiceParameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements $ dhcpComments $ dhcpOption) 
+	X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )
+
+objectclass ( 2.16.840.1.113719.1.203.6.13 
+	NAME 'dhcpTSigKey' 
+	DESC 'TSIG key for secure dynamic updates' 
+	SUP top 
+	MUST (cn $ dhcpKeyAlgorithm $ dhcpKeySecret ) 
+	MAY ( dhcpComments ) 
+	X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
+
+objectclass ( 2.16.840.1.113719.1.203.6.14 
+	NAME 'dhcpDnsZone' 
+	DESC 'DNS Zone for updating leases' 
+	SUP top 
+	MUST (cn $ dhcpDnsZoneServer ) 
+	MAY (dhcpKeyDN $ dhcpComments) 
+	X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
+
+objectclass ( 2.16.840.1.113719.1.203.6.15 
+	NAME 'dhcpFailOverPeer' 
+	DESC 'This class defines the Fail over peer' 
+	SUP top 
+  MUST ( cn $ dhcpFailOverPrimaryServer $ dhcpFailOverSecondaryServer $ dhcpFailoverPrimaryPort $ dhcpFailOverSecondaryPort) MAY (dhcpFailOverResponseDelay  $ dhcpFailOverUnackedUpdates $ dhcpMaxClientLeadTime $ dhcpFailOverSplit $ dhcpHashBucketAssignment $ dhcpFailOverLoadBalanceTime $ dhcpComments ) 
+	X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
+
+objectclass ( 2.16.840.1.113719.1.203.6.16 
+	NAME 'dhcpLocator' 
+	DESC 'Locator object for DHCP configuration in the tree. There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree' 
+	SUP top 
+	MUST ( cn ) 
+	MAY ( dhcpServiceDN $dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $  dhcpClassesDN $ dhcpKeyDN $ dhcpZoneDN $ dhcpFailOverPeerDN $ dhcpOption $ dhcpComments) 
+	X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )
+
 
diff --git a/dhcp.spec b/dhcp.spec
index 9d408a6..f426b5e 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -13,7 +13,7 @@
 Summary:  DHCP (Dynamic Host Configuration Protocol) server and relay agent
 Name:     dhcp
 Version:  3.1.0
-Release:  7%{?dist}
+Release:  8%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer made
 # incorrect use of the epoch and that's why it is at 12 now.  It should have
 # never been used, but it was.  So we are stuck with it.
@@ -35,6 +35,13 @@ Source10: Makefile.libdhcp4client
 Source11: dhcp4client.h
 Source12: libdhcp_control.h
 Source13: dhcp.schema
+Source14: dhclient-script.8
+Source15: dhclient.8
+Source16: dhclient.conf.5
+Source17: dhcp-options.5
+Source18: dhcpctl.3
+Source19: dhcpd.conf.5
+Source20: get-ldap-patch.sh
 
 Patch0:   %{name}-3.0.5-Makefile.patch
 Patch1:   %{name}-3.0.5-errwarn-message.patch
@@ -51,17 +58,19 @@ Patch11:  %{name}-3.0.5-failover-ports.patch
 Patch12:  %{name}-3.1.0-dhclient-usage.patch
 Patch13:  %{name}-3.0.5-default-requested-options.patch
 Patch14:  %{name}-3.0.5-prototypes.patch
-Patch15:  %{name}-3.0.6-manpages.patch
-Patch16:  %{name}-3.1.0-libdhcp4client.patch
-Patch17:  %{name}-3.1.0-xen-checksum.patch
-Patch18:  %{name}-3.1.0-dhclient-anycast.patch
-Patch19:  %{name}-3.0.6-ignore-hyphen-x.patch
-Patch20:  %{name}-3.1.0-warnings.patch
+Patch15:  %{name}-3.1.0-libdhcp4client.patch
+Patch16:  %{name}-3.1.0-xen-checksum.patch
+Patch17:  %{name}-3.1.0-dhclient-anycast.patch
+Patch18:  %{name}-3.0.6-ignore-hyphen-x.patch
+Patch19:  %{name}-3.1.0-warnings.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: groff
 BuildRequires: openldap-devel
 
+# For /etc/openldap/schema (and slapd, if you're using that with dhcpd)
+Requires: openldap-servers
+
 Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
@@ -208,30 +217,20 @@ libdhcp4client.
 # in minires/res_init.c: add res_randomid()
 %patch14 -p1 -b .prototypes
 
-# Man page updates explaining new features added from the above patches.
-# Normally these man page changes would be included in the feature patch,
-# however, man page changes generate more hunk failures when applying only
-# a select set of patches.  Instead, the man page changes are grouped
-# together in one patch so changes can be made to just those more easily
-# and not affect the code changes in the other patches.  It's actually
-# pretty common to update or alter these man pages independent of the code
-# changes.
-%patch15 -p1 -b .manpages
-
 # Add the libdhcp4client target (library version of dhclient)
-%patch16 -p1 -b .libdhcp4client
+%patch15 -p1 -b .libdhcp4client
 
 # Handle Xen partial UDP checksums
-%patch17 -p1 -b .xen
+%patch16 -p1 -b .xen
 
 # Add anycast support to dhclient (for OLPC)
-%patch18 -p1 -b .anycast
+%patch17 -p1 -b .anycast
 
 # Ignore the old extended new option info command line switch (-x)
-%patch19 -p1 -b .enoi
+%patch18 -p1 -b .enoi
 
 # Fix up anything that fails -Wall -Werror
-%patch20 -p1 -b .warnings
+%patch19 -p1 -b .warnings
 
 # Copy in documentation and example scripts for LDAP patch to dhcpd
 %{__install} -p -m 0644 %{SOURCE6} .
@@ -263,6 +262,17 @@ libdhcp4client.
 %{__sed} -i -e 's/\r//' __fedora_contrib/ms2isc/Registry.perlmodule
 %{__sed} -i -e 's/\r//' __fedora_contrib/ms2isc/ms2isc.pl
 
+# Copy in our modified man pages
+%{__install} -p -m 0644 %{SOURCE14} client/dhclient-script.8
+%{__install} -p -m 0644 %{SOURCE15} client/dhclient.8
+%{__install} -p -m 0644 %{SOURCE16} client/dhclient.conf.5
+%{__install} -p -m 0644 %{SOURCE17} common/dhcp-options.5
+%{__install} -p -m 0644 %{SOURCE18} dhcpctl/dhcpctl.3
+%{__install} -p -m 0644 %{SOURCE19} server/dhcpd.conf.5
+
+# Replace @PRODUCTNAME@ in dhcp-options.5
+%{__sed} -i -e 's|@PRODUCTNAME@|%{vvendor}|g' common/dhcp-options.5
+
 %build
 %{__cp} %{SOURCE1} .
 %{__cat} <<EOF > site.conf
@@ -328,8 +338,8 @@ EOF
 %{__cp} -fp %{SOURCE4} %{buildroot}%{_sysconfdir}
 
 # Install dhcp.schema for LDAP configuration
-%{__mkdir} -p %{buildroot}%{_sysconfdir}/openldap
-%{__install} -p -m 0644 -D %{SOURCE13} %{buildroot}%{_sysconfdir}/openldap/
+%{__mkdir} -p %{buildroot}%{_sysconfdir}/openldap/schema
+%{__install} -p -m 0644 -D %{SOURCE13} %{buildroot}%{_sysconfdir}/openldap/schema
 
 %{__install} -p -m 0644 -D libdhcp4client.pc %{buildroot}%{_libdir}/pkgconfig/libdhcp4client.pc
 
@@ -377,7 +387,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/dhcpd
 %config(noreplace) %{_sysconfdir}/sysconfig/dhcrelay
 %config(noreplace) %{_sysconfdir}/dhcpd.conf
-%config(noreplace) %{_sysconfdir}/openldap/dhcp.schema
+%config(noreplace) %{_sysconfdir}/openldap/schema/dhcp.schema
 %{_initrddir}/dhcpd
 %{_initrddir}/dhcrelay
 %{_bindir}/omshell
@@ -430,6 +440,16 @@ fi
 %{_libdir}/libdhcp4client.a
 
 %changelog
+* Mon Nov 12 2007 David Cantrell <dcantrell@redhat.com> - 12:3.1.0-8
+- Put dhcp.schema in /etc/openldap/schema (#330471)
+- Remove manpages patch and keep modified man pages as Source files
+- Improve dhclient.8 man page to list options in a style consistent
+  with most other man pages on the planet
+- Upgrade to latest dhcp LDAP patch, which brings in a new dhcpd-conf-to-ldap
+  script, updated schema file, and other bug fixes including SSL support for
+  LDAP authentication (#375711)
+- Do not run dhcpd and dhcrelay services by default (#362321)
+
 * Fri Oct 26 2007 David Cantrell <dcantrell@redhat.com> - 12:3.1.0-7
 - libdhcp4client-devel requires openldap-devel
 
diff --git a/dhcpctl.3 b/dhcpctl.3
new file mode 100644
index 0000000..5e2581d
--- /dev/null
+++ b/dhcpctl.3
@@ -0,0 +1,488 @@
+.\" -*- nroff -*-
+.\"
+.\" Project:      DHCP
+.\" File:         dhcpctl.3
+.\" RCSId:        $Id$
+.\" 
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 2000-2003 by Internet Software Consortium
+.\" Copyright (c) 2000 Nominum, Inc.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\"   Internet Systems Consortium, Inc.
+.\"   950 Charter Street
+.\"   Redwood City, CA 94063
+.\"   <info@isc.org>
+.\"   http://www.isc.org/
+.\"     
+.\" Description:	dhcpctl man page.
+.\" 
+.\"
+.Dd Nov 15, 2000
+.Dt DHCPCTL 3
+.Os DHCP 3
+.ds vT DHCP Programmer's Manual
+.\"
+.\"
+.\"
+.Sh NAME
+.Nm dhcpctl_initialize
+.Nd dhcpctl library initialization.
+.\"
+.\"
+.\"
+.Sh SYNOPSIS
+.Fd #include <dhcpctl.h>
+.Ft dhcpctl_status
+.Fo dhcpctl_initialize
+.Fa void
+.Fc
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_connect
+.Fa "dhcpctl_handle *cxn"
+.Fa "const char *host"
+.Fa "int port"
+.Fa "dhcpctl_handle auth"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_wait_for_completion
+.Fa "dhcpctl_handle object"
+.Fa "dhcpctl_status *status"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_get_value
+.Fa "dhcpctl_data_string *value"
+.Fa "dhcpctl_handle object"
+.Fa "const char *name"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_get_boolean
+.Fa "int *value"
+.Fa "dhcpctl_handle object"
+.Fa "const char *name"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_set_value
+.Fa "dhcpctl_handle object"
+.Fa "dhcpctl_data_string value"
+.Fa "const char *name"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_set_string_value
+.Fa "dhcpctl_handle object"
+.Fa "const char *value"
+.Fa "const char *name"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_set_boolean_value
+.Fa "dhcpctl_handle object"
+.Fa "int value"
+.Fa "const char *name"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_set_int_value
+.Fa "dhcpctl_handle object"
+.Fa "int value"
+.Fa "const char *name"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_object_update
+.Fa "dhcpctl_handle connection"
+.Fa "dhcpctl_handle object"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_object_refresh
+.Fa "dhcpctl_handle connection"
+.Fa "dhcpctl_handle object"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_object_remove
+.Fa "dhcpctl_handle connection"
+.Fa "dhcpctl_handle object"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_set_callback
+.Fa "dhcpctl_handle object"
+.Fa "void *data"
+.Fa "void (*function) (dhcpctl_handle, dhcpctl_status, void *)"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_new_authenticator
+.Fa "dhcpctl_handle *object"
+.Fa "const char *name"
+.Fa "const char *algorithm"
+.Fa "const char *secret"
+.Fa "unsigned secret_len"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_new_object
+.Fa "dhcpctl_handle *object"
+.Fa "dhcpctl_handle connection"
+.Fa "const char *object_type"
+.Fc
+.\"
+.\"
+.\"
+.Ft dhcpctl_status
+.Fo dhcpctl_open_object
+.Fa "dhcpctl_handle object"
+.Fa "dhcpctl_handle connection"
+.Fa "int flags"
+.Fc
+.\"
+.\"
+.\"
+.Ft isc_result_t
+.Fo omapi_data_string_new
+.Fa dhcpctl_data_string *data
+.Fa unsigned int length
+.Fa const char *filename,
+.Fa int lineno
+.Fc
+.\"
+.\"
+.\"
+.Ft isc_result_t
+.Fo dhcpctl_data_string_dereference
+.Fa "dhcpctl_data_string *"
+.Fa "const char *"
+.Fa "int"
+.Fc
+.Sh DESCRIPTION
+The dhcpctl set of functions provide an API that can be used to communicate
+with and manipulate a running ISC DHCP server. All functions return a value of
+.Dv isc_result_t .
+The return values reflects the result of operations to local data
+structures. If an operation fails on the server for any reason, then the error
+result will be returned through the
+second parameter of the 
+.Fn dhcpctl_wait_for_completion 
+call.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_initialize
+sets up the data structures the library needs to do its work. This function
+must be called once before any other.
+.Pp
+.Fn dhcpctl_connect
+opens a connection to the DHCP server at the given host and port. If an
+authenticator has been created for the connection, then it is given as the 4th
+argument. On a successful return the address pointed at by the first
+argument will have a new connection object assigned to it.
+.Pp
+For example:
+.Bd -literal -offset indent
+s = dhcpctl_connect(&cxn, "127.0.0.1", 7911, NULL);
+.Ed
+.Pp
+connects to the DHCP server on the localhost via port 7911 (the standard
+OMAPI port). No authentication is used for the connection.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_wait_for_completion
+flushes a pending message to the server and waits for the response. The result
+of the request as processed on the server is returned via the second
+parameter.
+.Bd -literal -offset indent
+s = dhcpctl_wait_for_completion(cxn, &wv);
+if (s != ISC_R_SUCCESS) 
+	local_failure(s);
+else if (wv != ISC_R_SUCCESS)
+	server_failure(wc);
+.Ed
+.Pp
+The call to 
+.Fn dhcpctl_wait_for_completion
+won't return until the remote message processing completes or the connection
+to the server is lost.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_get_value
+extracts a value of an attribute from the handle. The value can be of any
+length and is treated as a sequence of bytes.  The handle must have been
+created first with
+.Fn dhcpctl_new_object
+and opened with
+.Fn dhcpctl_open_object .
+The value is returned via the parameter named
+.Dq value .
+The last parameter is the name of attribute to retrieve.
+.Bd -literal -offset indent
+dhcpctl_data_string value = NULL;
+dhcpctl_handle lease;
+time_t thetime;
+
+s = dhcpctl_get_value (&value, lease, "ends");
+assert(s == ISC_R_SUCCESS && value->len == sizeof(thetime));
+memcpy(&thetime, value->value, value->len);
+.Ed
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_get_boolean
+extracts a boolean valued attribute from the object handle.
+.\"
+.\"
+.\"
+.Pp
+The
+.Fn dhcpctl_set_value ,
+.Fn dhcpctl_set_string_value ,
+.Fn dhcpctl_set_boolean_value ,
+and
+.Fn dhcpctl_set_int_value
+functions all set a value on the object handle. 
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_object_update
+function queues a request for
+all the changes made to the object handle be be sent to the remote
+for processing. The changes made to the atributes on the handle will be
+applied to remote object if permitted.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_object_refresh
+queues up a request for a fresh copy of all the attribute values to be sent
+from the remote to
+refresh the values in the local object handle.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_object_remove
+queues a request for the removal on the server of the object referenced by the
+handle.
+.\"
+.\"
+.\"
+.Pp
+The 
+.Fn dhcpctl_set_callback
+function sets up a user-defined function to be called when an event completes
+on the given object handle. This is needed for asynchronous handling of
+events, versus the synchronous handling given by
+.Fn dhcpctl_wait_for_completion .
+When the function is called the first parameter is the object the event
+arrived for, the second is the status of the message that was processed, the
+third is the same value as the second parameter given to 
+.Fn dhcpctl_set_callback .
+.\"
+.\"
+.\"
+.Pp
+The 
+.Fn dhcpctl_new_authenticator
+creates a new authenticator object to be used for signing the messages
+that cross over the network. The 
+.Dq name ,
+.Dq algorithm ,
+and 
+.Dq secret
+values must all match what the server uses and are defined in its
+configuration file. The created object is returned through the first parameter
+and must be used as the 4th parameter to 
+.Fn dhcpctl_connect .
+Note that the 'secret' value must not be base64 encoded, which is different
+from how the value appears in the dhcpd.conf file.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_new_object
+creates a local handle for an object on the the server. The 
+.Dq object_type
+parameter is the ascii name of the type of object being accessed. e.g. 
+.Qq lease .
+This function only sets up local data structures, it does not queue any 
+messages
+to be sent to the remote side,
+.Fn dhcpctl_open_object
+does that.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_open_object
+builds and queues the request to the remote side. This function is used with
+handle created via
+.Fn dhcpctl_new_object .
+The flags argument is a bit mask with the following values available for
+setting:
+.Bl -tag -offset indent -width 20
+.It DHCPCTL_CREATE
+if the object does not exist then the remote will create it
+.It DHCPCTL_UPDATE
+update the object on the remote side using the
+attributes already set in the handle.
+.It DHCPCTL_EXCL
+return and error if the object exists and DHCPCTL_CREATE
+was also specified
+.El
+.\"
+.\"
+.\"
+.Pp
+The 
+.Fn omapi_data_string_new
+function allocates a new
+.Ft dhcpctl_data_string
+object. The data string will be large enough to hold 
+.Dq length
+bytes of data. The
+.Dq file 
+and
+.Dq lineno
+arguments are the source file location the call is made from, typically by
+using the 
+.Dv __FILE__
+and
+.Dv __LINE__
+macros or the 
+.Dv MDL
+macro defined in
+.
+.\"
+.\"
+.\"
+.Pp
+.Fn dhcpctl_data_string_dereference
+deallocates a data string created by
+.Fn omapi_data_string_new .
+The memory for the object won't be freed until the last reference is
+released.
+.Sh EXAMPLES
+.Pp 
+The following program will connect to the DHCP server running on the local
+host and will get the details of the existing lease for IP address
+10.0.0.101. It will then print out the time the lease is due to expire. Note
+that most error checking has been ommitted for brevity.
+.Bd -literal -offset indent
+#include <stdarg.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+
+#include <isc/result.h>
+#include <dhcpctl.h>
+
+int main (int argc, char **argv) {
+	dhcpctl_data_string ipaddrstring = NULL;
+	dhcpctl_data_string value = NULL;
+	dhcpctl_handle connection = NULL;
+	dhcpctl_handle lease = NULL;
+	isc_result_t waitstatus;
+	struct in_addr convaddr;
+	time_t thetime;
+
+        dhcpctl_initialize ();
+
+        dhcpctl_connect (&connection, "127.0.0.1",
+			 7911, 0);
+	
+        dhcpctl_new_object (&lease, connection,
+			    "lease");
+
+        memset (&ipaddrstring, 0, sizeof
+		ipaddrstring);
+
+        inet_pton(AF_INET, "10.0.0.101",
+		  &convaddr);
+
+	omapi_data_string_new (&ipaddrstring,
+			       4, MDL);
+	memcpy(ipaddrstring->value, &convaddr.s_addr, 4);
+
+	dhcpctl_set_value (lease, ipaddrstring,
+			   "ip-address");
+
+	dhcpctl_open_object (lease, connection, 0);
+
+	dhcpctl_wait_for_completion (lease,
+				     &waitstatus);
+        if (waitstatus != ISC_R_SUCCESS) {
+		/* server not authoritative */
+		exit (0);
+        }
+
+	dhcpctl_data_string_dereference(&ipaddrstring,
+					MDL);
+
+        dhcpctl_get_value (&value, lease, "ends");
+
+	memcpy(&thetime, value->value, value->len);
+
+	dhcpctl_data_string_dereference(&value, MDL);
+
+	fprintf (stdout, "ending time is %s",
+		 ctime(&thetime));
+}
+.Ed
+.Sh SEE ALSO
+omapi(3), omshell(3), dhcpd(8), dhclient(8), dhcpd.conf(5), dhclient.conf(5).
+.Sh AUTHOR
+.Em dhcpctl
+was written by Ted Lemon of Nominum, Inc.
+This preliminary documentation was written by James Brister of Nominum, Inc.
diff --git a/dhcpd-conf-to-ldap b/dhcpd-conf-to-ldap
index d68d41a..d3b80f3 100755
--- a/dhcpd-conf-to-ldap
+++ b/dhcpd-conf-to-ldap
@@ -11,9 +11,59 @@
 # This script does not do much error checking. Make sure before you run this
 # that the DHCP server doesn't give any errors about your config file
 
-use Sys::Hostname;
+# FailOver notes:
+#   Failover is disabled by default, since it may need manually intervention.
+#   You can try the '--use=failover' option to see what happens :-)
+#
+#   If enabled, the failover pool references will be written to LDIF output.
+#   The failover configs itself will be added to the dhcpServer statements
+#   and not to the dhcpService object (since this script uses only one and
+#   it may be usefull to have multiple service containers in failover mode).
+#   Further, this script does not check if primary or secondary makes sense,
+#   it simply converts what it gets...
+
+use Net::Domain qw(hostname hostfqdn hostdomain);
+use Getopt::Long;
+
+my $domain = hostdomain();           # your.domain
+my $basedn = "dc=".$domain;
+   $basedn =~ s/\./,dc=/g;           # dc=your,dc=domain
+my $server = hostname();             # hostname (nodename)
+my $dhcpcn = 'DHCP Config';          # CN of DHCP config tree
+my $dhcpdn = "cn=$dhcpcn, $basedn";  # DHCP config tree DN
+my $second = '';                     # secondary server DN / hostname
+my $i_conf = '';                     # dhcp.conf file to read or stdin
+my $o_ldif = '';                     # output ldif file name or stdout
+my @use    = ();                     # extended flags (failover)
+
+sub usage($;$)
+{
+  my $rc = shift;
+  my $err= shift;
+
+  print STDERR "Error: $err\n\n" if(defined $err);
+  print STDERR <<__EOF_USAGE__;
+usage: 
+  $0 [options] < dhcpd.conf > dhcpd.ldif
+
+options:
+
+  --basedn  "dc=your,dc=domain"        ("$basedn")
+
+  --dhcpdn  "dhcp config DN"           ("$dhcpdn")
+
+  --server  "dhcp server name"         ("$server")
+
+  --second  "secondary server or DN"   ("$second")
+
+  --conf    "/path/to/dhcpd.conf"      (default is stdin)
+  --ldif    "/path/to/output.ldif"     (default is stdout)
+
+  --use     "extended features"        (see source comments)
+__EOF_USAGE__
+  exit($rc);
+}
 
-my $basedn = "dc=ntelos, dc=net";
 
 sub next_token
 {
@@ -39,6 +89,14 @@ sub next_token
 
   if (($token, $newline) = $line =~ /^(.*?)\s+(.*)/)
     {
+      if ($token =~ /^"/) {
+       #handle quoted token
+       if ($token !~ /"\s*$/)
+       {
+         ($tok, $newline)  = $newline =~ /([^"]+")(.*)/;
+         $token .= " $tok";
+        }
+      }
       $line = $newline;
     }
   else
@@ -56,14 +114,16 @@ sub next_token
 
 sub remaining_line
 {
+  local ($block) = shift || 0;
   local ($tmp, $str);
 
   $str = "";
-  while (($tmp = next_token (0)))
+  while (defined($tmp = next_token (0)))
     {
       $str .= ' ' if !($str eq "");
       $str .= $tmp;
       last if $tmp =~ /;\s*$/;
+      last if($block and $tmp =~ /\s*[}{]\s*$/);
     }
 
   $str =~ s/;$//;
@@ -102,16 +162,25 @@ print_entry
 
   if (!defined ($curentry{'type'}))
     {
-      $host = hostname ();
-      $hostdn = "cn=$host, $basedn";
+      $hostdn = "cn=$server, $basedn";
       print "dn: $hostdn\n";
+      print "cn: $server\n";
       print "objectClass: top\n";
       print "objectClass: dhcpServer\n";
-      print "cn: $host\n";
-      print "dhcpServiceDN: $current_dn\n\n";
+      print "dhcpServiceDN: $current_dn\n";
+      if(grep(/FaIlOvEr/i, @use))
+        {
+          foreach my $fo_peer (keys %failover)
+            {
+              next if(scalar(@{$failover{$fo_peer}}) <= 1);
+              print "dhcpStatements: failover peer $fo_peer { ",
+                    join('; ', @{$failover{$fo_peer}}), "; }\n";
+            }
+        }
+      print "\n";
 
       print "dn: $current_dn\n";
-      print "cn: DHCP Config\n";
+      print "cn: $dhcpcn\n";
       print "objectClass: top\n";
       print "objectClass: dhcpService\n";
       if (defined ($curentry{'options'}))
@@ -119,6 +188,10 @@ print_entry
           print "objectClass: dhcpOptions\n";
         }
       print "dhcpPrimaryDN: $hostdn\n";
+      if(grep(/FaIlOvEr/i, @use) and ($second ne ''))
+        {
+          print "dhcpSecondaryDN: $second\n";
+        }
     }
   elsif ($curentry{'type'} eq 'subnet')
     {
@@ -132,9 +205,12 @@ print_entry
         }
       
       print "dhcpNetMask: " . $curentry{'netmask'} . "\n";
-      if (defined ($curentry{'range'}))
+      if (defined ($curentry{'ranges'}))
         {
-          print "dhcpRange: " . $curentry{'range'} . "\n";
+          foreach $statement (@{$curentry{'ranges'}})
+            {
+              print "dhcpRange: $statement\n";
+            }
         }
     }
   elsif ($curentry{'type'} eq 'shared-network')
@@ -151,7 +227,7 @@ print_entry
   elsif ($curentry{'type'} eq 'group')
     {
       print "dn: $current_dn\n";
-      print "cn: group\n";
+      print "cn: group", $curentry{'idx'}, "\n";
       print "objectClass: top\n";
       print "objectClass: dhcpGroup\n";
       if (defined ($curentry{'options'}))
@@ -172,13 +248,14 @@ print_entry
 
       if (defined ($curentry{'hwaddress'}))
         {
+          $curentry{'hwaddress'} =~ y/[A-Z]/[a-z]/;
           print "dhcpHWAddress: " . $curentry{'hwaddress'} . "\n";
         }
     }
   elsif ($curentry{'type'} eq 'pool')
     {
       print "dn: $current_dn\n";
-      print "cn: pool\n";
+      print "cn: pool", $curentry{'idx'}, "\n";
       print "objectClass: top\n";
       print "objectClass: dhcpPool\n";
       if (defined ($curentry{'options'}))
@@ -186,9 +263,12 @@ print_entry
           print "objectClass: dhcpOptions\n";
         }
 
-      if (defined ($curentry{'range'}))
+      if (defined ($curentry{'ranges'}))
         {
-          print "dhcpRange: " . $curentry{'range'} . "\n";
+          foreach $statement (@{$curentry{'ranges'}})
+            {
+              print "dhcpRange: $statement\n";
+            }
         }
     }
   elsif ($curentry{'type'} eq 'class')
@@ -285,6 +365,8 @@ sub parse_subnet
   $curentry{'type'} = 'subnet';
   $curentry{'ip'} = $ip;
   $curentry{'netmask'} = $netmask;
+  $cursubnet = $ip;
+  $curcounter{$ip} = { pool  => 0, group => 0 };
 }
 
 
@@ -336,8 +418,16 @@ sub parse_group
   parse_error () if !defined ($tmp);
   parse_error () if !($tmp eq '{');
 
-  add_dn_to_stack ("cn=group");
+  my $idx;
+  if(exists($curcounter{$cursubnet})) {
+    $idx = ++$curcounter{$cursubnet}->{'group'};
+  } else {
+    $idx = ++$curcounter{''}->{'group'};
+  }
+
+  add_dn_to_stack ("cn=group".$idx);
   $curentry{'type'} = 'group';
+  $curentry{'idx'} = $idx;
 }
 
 
@@ -351,8 +441,16 @@ sub parse_pool
   parse_error () if !defined ($tmp);
   parse_error () if !($tmp eq '{');
 
-  add_dn_to_stack ("cn=pool");
+  my $idx;
+  if(exists($curcounter{$cursubnet})) {
+    $idx = ++$curcounter{$cursubnet}->{'pool'};
+  } else {
+    $idx = ++$curcounter{''}->{'pool'};
+  }
+
+  add_dn_to_stack ("cn=pool".$idx);
   $curentry{'type'} = 'pool';
+  $curentry{'idx'} = $idx;
 }
 
 
@@ -403,10 +501,10 @@ sub parse_hwaddress
 {
   local ($type, $hw, $tmp);
 
-  $type = next_token (0);
+  $type = next_token (1);
   parse_error () if !defined ($type);
 
-  $hw = next_token (0);
+  $hw = next_token (1);
   parse_error () if !defined ($hw);
   $hw =~ s/;$//;
 
@@ -423,7 +521,7 @@ sub parse_range
   if (!($str eq ''))
     {
       $str =~ s/;$//;
-      $curentry{'range'} = $str;
+      push (@{$curentry{'ranges'}}, $str);
     }
 }
 
@@ -438,6 +536,65 @@ sub parse_statement
       $str = remaining_line ();
       push (@{$curentry{'options'}}, $str);
     }
+  elsif($token eq 'failover')
+    {
+      $str = remaining_line (1); # take care on block
+      if($str =~ /[{]/)
+        {
+          my ($peername, @statements);
+
+          parse_error() if($str !~ /^\s*peer\s+(.+?)\s+[{]\s*$/);
+          parse_error() if(($peername = $1) !~ /^\"?[^\"]+\"?$/);
+
+          #
+          # failover config block found:
+          # e.g. 'failover peer "some-name" {'
+          #
+          if(not grep(/FaIlOvEr/i, @use))
+            {
+              print STDERR "Warning: Failover config 'peer $peername' found!\n";
+              print STDERR "         Skipping it, since failover disabled!\n";
+              print STDERR "         You may try out --use=failover option.\n";
+            }
+
+          until($str =~ /[}]/ or $str eq "")
+            {
+                $str = remaining_line (1);
+                # collect all statements, except ending '}'
+                push(@statements, $str) if($str !~ /[}]/);
+            }
+          $failover{$peername} = [@statements];
+        }
+      else
+        {
+          #
+          # pool reference to failover config is fine
+          # e.g. 'failover peer "some-name";'
+          #
+          if(not grep(/FaIlOvEr/i, @use))
+            {
+              print STDERR "Warning: Failover reference '$str' found!\n";
+              print STDERR "         Skipping it, since failover disabled!\n";
+              print STDERR "         You may try out --use=failover option.\n";
+            }
+          else
+            {
+              push (@{$curentry{'statements'}}, $token. " " . $str);
+            }
+        }
+    }
+  elsif($token eq 'zone')
+    {
+      $str = $token;
+      while($str !~ /}$/) {
+        $str .= ' ' . next_token (0);
+      }
+      push (@{$curentry{'statements'}}, $str);
+    }
+  elsif($token =~ /^(authoritative)[;]*$/)
+    {
+      push (@{$curentry{'statements'}}, $1);
+    }
   else
     {
       $str = $token . " " . remaining_line ();
@@ -446,21 +603,103 @@ sub parse_statement
 }
 
 
+my $ok = GetOptions(
+    'basedn=s'      => \$basedn,
+    'dhcpdn=s'      => \$dhcpdn,
+    'server=s'      => \$server,
+    'second=s'      => \$second,
+    'conf=s'        => \$i_conf,
+    'ldif=s'        => \$o_ldif,
+    'use=s'         => \@use,
+    'h|help|usage'  => sub { usage(0); },
+);
+
+unless($server =~ /^\w+/)
+  {
+    usage(1, "invalid server name '$server'");
+  }
+unless($basedn =~ /^\w+=[^,]+/)
+  {
+    usage(1, "invalid base dn '$basedn'");
+  }
+
+if($dhcpdn =~ /^cn=([^,]+)/i)
+  {
+    $dhcpcn = "$1";
+  }
+$second = '' if not defined $second;
+unless($second eq '' or $second =~ /^cn=[^,]+\s*,\s*\w+=[^,]+/i)
+  {
+    if($second =~ /^cn=[^,]+$/i)
+      {
+        # relative DN 'cn=name'
+        $second = "$second, $basedn";
+      }
+    elsif($second =~ /^\w+/)
+      {
+        # assume hostname only
+        $second = "cn=$second, $basedn";
+      }
+    else
+      {
+        usage(1, "invalid secondary '$second'")
+      }
+  }
+
+usage(1) unless($ok);
+
+if($i_conf ne "" and -f $i_conf)
+  {
+    if(not open(STDIN, '<', $i_conf))
+      {
+        print STDERR "Error: can't open conf file '$i_conf': $!\n";
+        exit(1);
+      }
+  }
+if($o_ldif ne "")
+  {
+    if(-e $o_ldif)
+      {
+        print STDERR "Error: output ldif name '$o_ldif' already exists!\n";
+        exit(1);
+      }
+    if(not open(STDOUT, '>', $o_ldif))
+      {
+        print STDERR "Error: can't open ldif file '$o_ldif': $!\n";
+        exit(1);
+      }
+  }
+
+
+print STDERR "Creating LDAP Configuration with the following options:\n";
+print STDERR "\tBase DN: $basedn\n";
+print STDERR "\tDHCP DN: $dhcpdn\n";
+print STDERR "\tServer DN: cn=$server, $basedn\n";
+print STDERR "\tSecondary DN: $second\n"
+             if(grep(/FaIlOvEr/i, @use) and $second ne '');
+print STDERR "\n";
+
 my $token;
 my $token_number = 0;
 my $line_number = 0;
 my %curentry;
+my $cursubnet = '';
+my %curcounter = ( '' => { pool => 0, group => 0 } );
 
-$current_dn = "cn=DHCP Config, $basedn";
-$curentry{'descr'} = 'DHCP Config';
+$current_dn = "$dhcpdn";
+$curentry{'descr'} = $dhcpcn;
 $line = '';
+%failover = ();
 
 while (($token = next_token (1)))
   {
     if ($token eq '}')
       {
         print_entry () if %curentry;
-        remove_dn_from_stack ();
+        if($current_dn =~ /.+?,\s*${dhcpdn}$/) {
+          # don't go below dhcpdn ...
+          remove_dn_from_stack ();
+        }
       }
     elsif ($token eq 'subnet')
       {
@@ -514,4 +753,8 @@ while (($token = next_token (1)))
       }
   }
 
+close(STDIN)  if($i_conf);
+close(STDOUT) if($o_ldif);
+
+print STDERR "Done.\n";
 
diff --git a/dhcpd.conf.5 b/dhcpd.conf.5
new file mode 100644
index 0000000..50c2382
--- /dev/null
+++ b/dhcpd.conf.5
@@ -0,0 +1,2682 @@
+.\"	dhcpd.conf.5
+.\"
+.\" Copyright (c) 2004-2007 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1996-2003 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\"   Internet Systems Consortium, Inc.
+.\"   950 Charter Street
+.\"   Redwood City, CA 94063
+.\"   <info@isc.org>
+.\"   http://www.isc.org/
+.\"
+.\" This software has been written for Internet Systems Consortium
+.\" by Ted Lemon in cooperation with Vixie Enterprises and Nominum, Inc.
+.\" To learn more about Internet Systems Consortium, see
+.\" ``http://www.isc.org/''.  To learn more about Vixie Enterprises,
+.\" see ``http://www.vix.com''.   To learn more about Nominum, Inc., see
+.\" ``http://www.nominum.com''.
+.\"
+.\" $Id: dhcpd.conf.5,v 1.80.4.5 2007/05/23 23:30:33 each Exp $
+.\"
+.TH dhcpd.conf 5
+.SH NAME
+dhcpd.conf - dhcpd configuration file
+.SH DESCRIPTION
+The dhcpd.conf file contains configuration information for
+.IR dhcpd,
+the Internet Systems Consortium DHCP Server.
+.PP
+The dhcpd.conf file is a free-form ASCII text file.   It is parsed by
+the recursive-descent parser built into dhcpd.   The file may contain
+extra tabs and newlines for formatting purposes.  Keywords in the file
+are case-insensitive.   Comments may be placed anywhere within the
+file (except within quotes).   Comments begin with the # character and
+end at the end of the line.
+.PP
+The file essentially consists of a list of statements.   Statements
+fall into two broad categories - parameters and declarations.
+.PP
+Parameter statements either say how to do something (e.g., how long a
+lease to offer), whether to do something (e.g., should dhcpd provide
+addresses to unknown clients), or what parameters to provide to the
+client (e.g., use gateway 220.177.244.7).
+.PP
+Declarations are used to describe the topology of the
+network, to describe clients on the network, to provide addresses that
+can be assigned to clients, or to apply a group of parameters to a
+group of declarations.   In any group of parameters and declarations,
+all parameters must be specified before any declarations which depend
+on those parameters may be specified.
+.PP
+Declarations about network topology include the \fIshared-network\fR
+and the \fIsubnet\fR declarations.   If clients on a subnet are to be
+assigned addresses
+dynamically, a \fIrange\fR declaration must appear within the
+\fIsubnet\fR declaration.   For clients with statically assigned
+addresses, or for installations where only known clients will be
+served, each such client must have a \fIhost\fR declaration.   If
+parameters are to be applied to a group of declarations which are not
+related strictly on a per-subnet basis, the \fIgroup\fR declaration
+can be used.
+.PP
+For every subnet which will be served, and for every subnet
+to which the dhcp server is connected, there must be one \fIsubnet\fR
+declaration, which tells dhcpd how to recognize that an address is on
+that subnet.  A \fIsubnet\fR declaration is required for each subnet
+even if no addresses will be dynamically allocated on that subnet.
+.PP
+Some installations have physical networks on which more than one IP
+subnet operates.   For example, if there is a site-wide requirement
+that 8-bit subnet masks be used, but a department with a single
+physical ethernet network expands to the point where it has more than
+254 nodes, it may be necessary to run two 8-bit subnets on the same
+ethernet until such time as a new physical network can be added.   In
+this case, the \fIsubnet\fR declarations for these two networks must be
+enclosed in a \fIshared-network\fR declaration.
+.PP
+Some sites may have departments which have clients on more than one
+subnet, but it may be desirable to offer those clients a uniform set
+of parameters which are different than what would be offered to
+clients from other departments on the same subnet.   For clients which
+will be declared explicitly with \fIhost\fR declarations, these
+declarations can be enclosed in a \fIgroup\fR declaration along with
+the parameters which are common to that department.   For clients
+whose addresses will be dynamically assigned, class declarations and
+conditional declarations may be used to group parameter assignments
+based on information the client sends.
+.PP
+When a client is to be booted, its boot parameters are determined by
+consulting that client's \fIhost\fR declaration (if any), and then
+consulting any \fIclass\fR declarations matching the client,
+followed by the \fIpool\fR, \fIsubnet\fR and \fIshared-network\fR
+declarations for the IP address assigned to the client.   Each of
+these declarations itself appears within a lexical scope, and all
+declarations at less specific lexical scopes are also consulted for
+client option declarations.   Scopes are never considered
+twice, and if parameters are declared in more than one scope, the
+parameter declared in the most specific scope is the one that is
+used.
+.PP
+When dhcpd tries to find a \fIhost\fR declaration for a client, it
+first looks for a \fIhost\fR declaration which has a
+\fIfixed-address\fR declaration that lists an IP address that is valid
+for the subnet or shared network on which the client is booting.   If
+it doesn't find any such entry, it tries to find an entry which has
+no \fIfixed-address\fR declaration.
+.SH EXAMPLES
+.PP
+A typical dhcpd.conf file will look something like this:
+.nf
+
+.I global parameters...
+
+subnet 204.254.239.0 netmask 255.255.255.224 {
+  \fIsubnet-specific parameters...\fR
+  range 204.254.239.10 204.254.239.30;
+}
+
+subnet 204.254.239.32 netmask 255.255.255.224 {
+  \fIsubnet-specific parameters...\fR
+  range 204.254.239.42 204.254.239.62;
+}
+
+subnet 204.254.239.64 netmask 255.255.255.224 {
+  \fIsubnet-specific parameters...\fR
+  range 204.254.239.74 204.254.239.94;
+}
+
+group {
+  \fIgroup-specific parameters...\fR
+  host zappo.test.isc.org {
+    \fIhost-specific parameters...\fR
+  }
+  host beppo.test.isc.org {
+    \fIhost-specific parameters...\fR
+  }
+  host harpo.test.isc.org {
+    \fIhost-specific parameters...\fR
+  }
+}
+
+.ce 1
+Figure 1
+
+.fi
+.PP
+Notice that at the beginning of the file, there's a place
+for global parameters.   These might be things like the organization's
+domain name, the addresses of the name servers (if they are common to
+the entire organization), and so on.   So, for example:
+.nf
+
+	option domain-name "isc.org";
+	option domain-name-servers ns1.isc.org, ns2.isc.org;
+
+.ce 1
+Figure 2
+.fi
+.PP
+As you can see in Figure 2, you can specify host addresses in
+parameters using their domain names rather than their numeric IP
+addresses.  If a given hostname resolves to more than one IP address
+(for example, if that host has two ethernet interfaces), then where
+possible, both addresses are supplied to the client.
+.PP
+The most obvious reason for having subnet-specific parameters as
+shown in Figure 1 is that each subnet, of necessity, has its own
+router.   So for the first subnet, for example, there should be
+something like:
+.nf
+
+	option routers 204.254.239.1;
+.fi
+.PP
+Note that the address here is specified numerically.   This is not
+required - if you have a different domain name for each interface on
+your router, it's perfectly legitimate to use the domain name for that
+interface instead of the numeric address.   However, in many cases
+there may be only one domain name for all of a router's IP addresses, and
+it would not be appropriate to use that name here.
+.PP
+In Figure 1 there is also a \fIgroup\fR statement, which provides
+common parameters for a set of three hosts - zappo, beppo and harpo.
+As you can see, these hosts are all in the test.isc.org domain, so it
+might make sense for a group-specific parameter to override the domain
+name supplied to these hosts:
+.nf
+
+	option domain-name "test.isc.org";
+.fi
+.PP
+Also, given the domain they're in, these are probably test machines.
+If we wanted to test the DHCP leasing mechanism, we might set the
+lease timeout somewhat shorter than the default:
+
+.nf
+	max-lease-time 120;
+	default-lease-time 120;
+.fi
+.PP
+You may have noticed that while some parameters start with the
+\fIoption\fR keyword, some do not.   Parameters starting with the
+\fIoption\fR keyword correspond to actual DHCP options, while
+parameters that do not start with the option keyword either control
+the behavior of the DHCP server (e.g., how long a lease dhcpd will
+give out), or specify client parameters that are not optional in the
+DHCP protocol (for example, server-name and filename).
+.PP
+In Figure 1, each host had \fIhost-specific parameters\fR.   These
+could include such things as the \fIhostname\fR option, the name of a
+file to upload (the \fIfilename\fR parameter) and the address of the
+server from which to upload the file (the \fInext-server\fR
+parameter).   In general, any parameter can appear anywhere that
+parameters are allowed, and will be applied according to the scope in
+which the parameter appears.
+.PP
+Imagine that you have a site with a lot of NCD X-Terminals.   These
+terminals come in a variety of models, and you want to specify the
+boot files for each model.   One way to do this would be to have host
+declarations for each server and group them by model:
+.nf
+
+group {
+  filename "Xncd19r";
+  next-server ncd-booter;
+
+  host ncd1 { hardware ethernet 0:c0:c3:49:2b:57; }
+  host ncd4 { hardware ethernet 0:c0:c3:80:fc:32; }
+  host ncd8 { hardware ethernet 0:c0:c3:22:46:81; }
+}
+
+group {
+  filename "Xncd19c";
+  next-server ncd-booter;
+
+  host ncd2 { hardware ethernet 0:c0:c3:88:2d:81; }
+  host ncd3 { hardware ethernet 0:c0:c3:00:14:11; }
+}
+
+group {
+  filename "XncdHMX";
+  next-server ncd-booter;
+
+  host ncd1 { hardware ethernet 0:c0:c3:11:90:23; }
+  host ncd4 { hardware ethernet 0:c0:c3:91:a7:8; }
+  host ncd8 { hardware ethernet 0:c0:c3:cc:a:8f; }
+}
+.fi
+.SH ADDRESS POOLS
+.PP
+The
+.B pool
+declaration can be used to specify a pool of addresses that will be
+treated differently than another pool of addresses, even on the same
+network segment or subnet.   For example, you may want to provide a
+large set of addresses that can be assigned to DHCP clients that are
+registered to your DHCP server, while providing a smaller set of
+addresses, possibly with short lease times, that are available for
+unknown clients.   If you have a firewall, you may be able to arrange
+for addresses from one pool to be allowed access to the Internet,
+while addresses in another pool are not, thus encouraging users to
+register their DHCP clients.   To do this, you would set up a pair of
+pool declarations:
+.PP
+.nf
+subnet 10.0.0.0 netmask 255.255.255.0 {
+  option routers 10.0.0.254;
+
+  # Unknown clients get this pool.
+  pool {
+    option domain-name-servers bogus.example.com;
+    max-lease-time 300;
+    range 10.0.0.200 10.0.0.253;
+    allow unknown-clients;
+  }
+
+  # Known clients get this pool.
+  pool {
+    option domain-name-servers ns1.example.com, ns2.example.com;
+    max-lease-time 28800;
+    range 10.0.0.5 10.0.0.199;
+    deny unknown-clients;
+  }
+}
+.fi
+.PP
+It is also possible to set up entirely different subnets for known and
+unknown clients - address pools exist at the level of shared networks,
+so address ranges within pool declarations can be on different
+subnets.
+.PP
+As you can see in the preceding example, pools can have permit lists
+that control which clients are allowed access to the pool and which
+aren't.  Each entry in a pool's permit list is introduced with the
+.I allow
+or \fIdeny\fR keyword.   If a pool has a permit list, then only those
+clients that match specific entries on the permit list will be
+eligible to be assigned addresses from the pool.   If a pool has a
+deny list, then only those clients that do not match any entries on
+the deny list will be eligible.    If both permit and deny lists exist
+for a pool, then only clients that match the permit list and do not
+match the deny list will be allowed access.
+.SH DYNAMIC ADDRESS ALLOCATION
+Address allocation is actually only done when a client is in the INIT
+state and has sent a DHCPDISCOVER message.  If the client thinks it
+has a valid lease and sends a DHCPREQUEST to initiate or renew that
+lease, the server has only three choices - it can ignore the
+DHCPREQUEST, send a DHCPNAK to tell the client it should stop using
+the address, or send a DHCPACK, telling the client to go ahead and use
+the address for a while.
+.PP
+If the server finds the address the client is requesting, and that
+address is available to the client, the server will send a DHCPACK.
+If the address is no longer available, or the client isn't permitted
+to have it, the server will send a DHCPNAK.  If the server knows
+nothing about the address, it will remain silent, unless the address
+is incorrect for the network segment to which the client has been
+attached and the server is authoritative for that network segment, in
+which case the server will send a DHCPNAK even though it doesn't know
+about the address.
+.PP
+There may be a host declaration matching the client's identification.
+If that host declaration contains a fixed-address declaration that 
+lists an IP address that is valid for the network segment to which the
+client is connected.  In this case, the DHCP server will never do
+dynamic address allocation.  In this case, the client is \fIrequired\fR
+to take the address specified in the host declaration.   If the
+client sends a DHCPREQUEST for some other address, the server will respond
+with a DHCPNAK.
+.PP
+When the DHCP server allocates a new address for a client (remember,
+this only happens if the client has sent a DHCPDISCOVER), it first
+looks to see if the client already has a valid lease on an IP address,
+or if there is an old IP address the client had before that hasn't yet
+been reassigned.  In that case, the server will take that address and
+check it to see if the client is still permitted to use it.  If the
+client is no longer permitted to use it, the lease is freed if the
+server thought it was still in use - the fact that the client has sent
+a DHCPDISCOVER proves to the server that the client is no longer using
+the lease.
+.PP
+If no existing lease is found, or if the client is forbidden to
+receive the existing lease, then the server will look in the list of
+address pools for the network segment to which the client is attached
+for a lease that is not in use and that the client is permitted to
+have.   It looks through each pool declaration in sequence (all
+.I range
+declarations that appear outside of pool declarations are grouped into
+a single pool with no permit list).   If the permit list for the pool
+allows the client to be allocated an address from that pool, the pool
+is examined to see if there is an address available.   If so, then the
+client is tentatively assigned that address.   Otherwise, the next
+pool is tested.   If no addresses are found that can be assigned to
+the client, no response is sent to the client.
+.PP
+If an address is found that the client is permitted to have, and that
+has never been assigned to any client before, the address is
+immediately allocated to the client.   If the address is available for
+allocation but has been previously assigned to a different client, the
+server will keep looking in hopes of finding an address that has never
+before been assigned to a client.
+.PP
+The DHCP server generates the list of available IP addresses from a
+hash table.   This means that the addresses are not sorted in any
+particular order, and so it is not possible to predict the order in
+which the DHCP server will allocate IP addresses.   Users of previous
+versions of the ISC DHCP server may have become accustomed to the DHCP
+server allocating IP addresses in ascending order, but this is no
+longer possible, and there is no way to configure this behavior with
+version 3 of the ISC DHCP server.
+.SH IP ADDRESS CONFLICT PREVENTION
+The DHCP server checks IP addresses to see if they are in use before
+allocating them to clients.   It does this by sending an ICMP Echo
+request message to the IP address being allocated.   If no ICMP Echo
+reply is received within a second, the address is assumed to be free.
+This is only done for leases that have been specified in range
+statements, and only when the lease is thought by the DHCP server to
+be free - i.e., the DHCP server or its failover peer has not listed
+the lease as in use.
+.PP
+If a response is received to an ICMP Echo request, the DHCP server
+assumes that there is a configuration error - the IP address is in use
+by some host on the network that is not a DHCP client.   It marks the
+address as abandoned, and will not assign it to clients.
+.PP
+If a DHCP client tries to get an IP address, but none are available,
+but there are abandoned IP addresses, then the DHCP server will
+attempt to reclaim an abandoned IP address.   It marks one IP address
+as free, and then does the same ICMP Echo request check described
+previously.   If there is no answer to the ICMP Echo request, the
+address is assigned to the client.
+.PP
+The DHCP server does not cycle through abandoned IP addresses if the
+first IP address it tries to reclaim is free.   Rather, when the next
+DHCPDISCOVER comes in from the client, it will attempt a new
+allocation using the same method described here, and will typically
+try a new IP address.
+.SH DHCP FAILOVER
+This version of the ISC DHCP server supports the DHCP failover
+protocol as documented in draft-ietf-dhc-failover-07.txt.   This is
+not a final protocol document, and we have not done interoperability
+testing with other vendors' implementations of this protocol, so you
+must not assume that this implementation conforms to the standard.
+If you wish to use the failover protocol, make sure that both failover
+peers are running the same version of the ISC DHCP server.
+.PP
+The failover protocol allows two DHCP servers (and no more than two)
+to share a common address pool.   Each server will have about half of
+the available IP addresses in the pool at any given time for
+allocation.   If one server fails, the other server will continue to
+renew leases out of the pool, and will allocate new addresses out of
+the roughly half of available addresses that it had when
+communications with the other server were lost.
+.PP
+It is possible during a prolonged failure to tell the remaining server
+that the other server is down, in which case the remaining server will
+(over time) reclaim all the addresses the other server had available
+for allocation, and begin to reuse them.   This is called putting the
+server into the PARTNER-DOWN state.
+.PP
+You can put the server into the PARTNER-DOWN state either by using the
+.B omshell (1)
+command or by stopping the server, editing the last peer state
+declaration in the lease file, and restarting the server.   If you use
+this last method, be sure to leave the date and time of the start of
+the state blank:
+.PP
+.nf
+.B failover peer "\fIname\fB" state {
+.B   my   state partner-down;
+.B   peer state \fIstate\fB at \fIdate\fB;
+.B }
+.fi
+.PP
+When the other server comes back online, it should automatically
+detect that it has been offline and request a complete update from the
+server that was running in the PARTNER-DOWN state, and then both
+servers will resume processing together.
+.PP
+It is possible to get into a dangerous situation: if you put one
+server into the PARTNER-DOWN state, and then *that* server goes down,
+and the other server comes back up, the other server will not know
+that the first server was in the PARTNER-DOWN state, and may issue
+addresses previously issued by the other server to different clients,
+resulting in IP address conflicts.   Before putting a server into
+PARTNER-DOWN state, therefore, make
+.I sure
+that the other server will not restart automatically.
+.PP
+The failover protocol defines a primary server role and a secondary
+server role.   There are some differences in how primaries and
+secondaries act, but most of the differences simply have to do with
+providing a way for each peer to behave in the opposite way from the
+other.   So one server must be configured as primary, and the other
+must be configured as secondary, and it doesn't matter too much which
+one is which.
+.SH FAILOVER STARTUP
+When a server starts that has not previously communicated with its
+failover peer, it must establish communications with its failover peer
+and synchronize with it before it can serve clients.   This can happen
+either because you have just configured your DHCP servers to perform
+failover for the first time, or because one of your failover servers
+has failed catastrophically and lost its database.
+.PP
+The initial recovery process is designed to ensure that when one
+failover peer loses its database and then resynchronizes, any leases
+that the failed server gave out before it failed will be honored.
+When the failed server starts up, it notices that it has no saved
+failover state, and attempts to contact its peer.
+.PP
+When it has established contact, it asks the peer for a complete copy
+its peer's lease database.  The peer then sends its complete database,
+and sends a message indicating that it is done.  The failed server
+then waits until MCLT has passed, and once MCLT has passed both
+servers make the transition back into normal operation.  This waiting
+period ensures that any leases the failed server may have given out
+while out of contact with its partner will have expired.
+.PP
+While the failed server is recovering, its partner remains in the
+partner-down state, which means that it is serving all clients.  The
+failed server provides no service at all to DHCP clients until it has
+made the transition into normal operation.
+.PP
+In the case where both servers detect that they have never before
+communicated with their partner, they both come up in this recovery
+state and follow the procedure we have just described.   In this case,
+no service will be provided to DHCP clients until MCLT has expired.
+.SH CONFIGURING FAILOVER
+In order to configure failover, you need to write a peer declaration
+that configures the failover protocol, and you need to write peer
+references in each pool declaration for which you want to do
+failover.   You do not have to do failover for all pools on a given
+network segment.    You must not tell one server it's doing failover
+on a particular address pool and tell the other it is not.   You must
+not have any common address pools on which you are not doing
+failover.  A pool declaration that utilizes failover would look like this:
+.PP
+.nf
+pool {
+	failover peer "foo";
+	deny dynamic bootp clients;
+	\fIpool specific parameters\fR
+};
+.fi
+.PP
+Dynamic BOOTP leases are not compatible with failover, and, as such,
+you need to disallow BOOTP in pools that you are using failover for.
+.PP
+The  server currently  does very  little  sanity checking,  so if  you
+configure it wrong, it will just  fail in odd ways.  I would recommend
+therefore that you either do  failover or don't do failover, but don't
+do any mixed pools.  Also,  use the same master configuration file for
+both  servers,  and  have  a  separate file  that  contains  the  peer
+declaration and includes the master file.  This will help you to avoid
+configuration  mismatches.  As our  implementation evolves,  this will
+become  less of  a  problem.  A  basic  sample dhcpd.conf  file for  a
+primary server might look like this:
+.PP
+.nf
+failover peer "foo" {
+  primary;
+  address anthrax.rc.vix.com;
+  port 647;
+  peer address trantor.rc.vix.com;
+  peer port 847;
+  max-response-delay 60;
+  max-unacked-updates 10;
+  mclt 3600;
+  split 128;
+  load balance max seconds 3;
+}
+
+include "/etc/dhcpd.master";
+.fi
+.PP
+The statements in the peer declaration are as follows:
+.PP
+The 
+.I primary
+and
+.I secondary
+statements
+.RS 0.25i
+.PP
+[ \fBprimary\fR | \fBsecondary\fR ]\fB;\fR
+.PP
+This determines whether the server is primary or secondary, as
+described earlier under DHCP FAILOVER.
+.RE
+.PP
+The 
+.I address
+statement
+.RS 0.25i
+.PP
+.B address \fIaddress\fR\fB;\fR
+.PP
+The \fBaddress\fR statement declares the IP address or DNS name on which the
+server should listen for connections from its failover peer, and also the
+value to use for the DHCP Failover Protocol server identifier.  Because this
+value is used as an identifier, it may not be omitted.
+.RE
+.PP
+The 
+.I peer address
+statement
+.RS 0.25i
+.PP
+.B peer address \fIaddress\fR\fB;\fR
+.PP
+The \fBpeer address\fR statement declares the IP address or DNS name to
+which the server should connect to reach its failover peer for failover
+messages.
+.RE
+.PP
+The 
+.I port
+statement
+.RS 0.25i
+.PP
+.B port \fIport-number\fR\fB;\fR
+.PP
+The \fBport\fR statement declares the TCP port on which the server
+should listen for connections from its failover peer.
+.RE
+.PP
+The 
+.I peer port
+statement
+.RS 0.25i
+.PP
+.B peer port \fIport-number\fR\fB;\fR
+.PP
+The \fBpeer port\fR statement declares the TCP port to which the
+server should connect to reach its failover peer for failover
+messages. The port number declared in the \fBpeer port\fR statement
+may be the same as the port number declared in the \fBport\fR statement.
+.RE
+.PP
+The
+.I max-response-delay
+statement
+.RS 0.25i
+.PP
+.B max-response-delay \fIseconds\fR\fB;\fR
+.PP
+The \fBmax-response-delay\fR statement tells the DHCP server how
+many seconds may pass without receiving a message from its failover
+peer before it assumes that connection has failed.   This number
+should be small enough that a transient network failure that breaks
+the connection will not result in the servers being out of
+communication for a long time, but large enough that the server isn't
+constantly making and breaking connections.   This parameter must be
+specified.
+.RE
+.PP
+The
+.I max-unacked-updates
+statement
+.RS 0.25i
+.PP
+.B max-unacked-updates \fIcount\fR\fB;\fR
+.PP
+The \fBmax-unacked-updates\fR statement tells the remote DHCP server how
+many BNDUPD messages it can send before it receives a BNDACK
+from the local system.   We don't have enough operational experience
+to say what a good value for this is, but 10 seems to work.   This
+parameter must be specified.
+.RE
+.PP
+The 
+.I mclt
+statement
+.RS 0.25i
+.PP
+.B mclt \fIseconds\fR\fB;\fR
+.PP
+The \fBmclt\fR statement defines the Maximum Client Lead Time.   It
+must be specified on the primary, and may not be specified on the
+secondary.   This is the length of time for which a lease may be
+renewed by either failover peer without contacting the other.   The
+longer you set this, the longer it will take for the running server to
+recover IP addresses after moving into PARTNER-DOWN state.   The
+shorter you set it, the more load your servers will experience when
+they are not communicating.   A value of something like 3600 is
+probably reasonable, but again bear in mind that we have no real
+operational experience with this.
+.RE
+.PP
+The 
+.I split
+statement
+.RS 0.25i
+.PP
+.B split \fIindex\fR\fB;\fR
+.PP
+The split statement specifies the split between the primary and
+secondary for the purposes of load balancing.   Whenever a client
+makes a DHCP request, the DHCP server runs a hash on the client
+identification, resulting in value from 0 to 255.  This is used as
+an index into a 256 bit field.  If the bit at that index is set,
+the primary is responsible.  If the bit at that index is not set,
+the secondary is responsible.  The \fBsplit\fR value determines
+how many of the leading bits are set to one.  So, in practice, higher
+split values will cause the primary to serve more clients than the
+secondary.  Lower split values, the converse.  Legal values are between
+0 and 255, of which the most reasonable is 128.
+.RE
+.PP
+The 
+.I hba
+statement
+.RS 0.25i
+.PP
+.B hba \fIcolon-separated-hex-list\fB;\fR
+.PP
+The hba statement specifies the split between the primary and
+secondary as a bitmap rather than a cutoff, which theoretically allows
+for finer-grained control.   In practice, there is probably no need
+for such fine-grained control, however.   An example hba statement:
+.PP
+.nf
+  hba ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
+      00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00;
+.fi
+.PP
+This is equivalent to a \fBsplit 128;\fR statement, and identical.  The
+following two examples are also equivalent to a \fBsplit\fR of 128, but 
+are not identical:
+.PP
+.nf
+  hba aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:
+      aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa;
+
+  hba 55:55:55:55:55:55:55:55:55:55:55:55:55:55:55:55:
+      55:55:55:55:55:55:55:55:55:55:55:55:55:55:55:55;
+.fi
+.PP
+They are equivalent, because half the bits are set to 0, half are set to
+1 (0xa and 0x5 are 1010 and 0101 binary respectively) and consequently this
+would roughly divide the clients equally between the servers.  They are not
+identical, because the actual peers this would load balance to each server
+are different for each example.
+.PP
+You must only have \fBsplit\fR or \fBhba\fR defined, never both.  For most
+cases, the fine-grained control that \fBhba\fR offers isn't necessary, and
+\fBsplit\fR should be used.
+.RE
+.PP
+The 
+.I load balance max seconds
+statement
+.RS 0.25i
+.PP
+.B load balance max seconds \fIseconds\fR\fB;\fR
+.PP
+This statement allows you to configure a cutoff after which load
+balancing is disabled.  The cutoff is based on the number of seconds
+since the client sent its first DHCPDISCOVER or DHCPREQUEST message,
+and only works with clients that correctly implement the \fIsecs\fR
+field - fortunately most clients do.  We recommend setting this to
+something like 3 or 5.  The effect of this is that if one of the
+failover peers gets into a state where it is responding to failover
+messages but not responding to some client requests, the other
+failover peer will take over its client load automatically as the
+clients retry.
+.RE
+.PP
+The Failover pool balance statements.
+.RS 0.25i
+.PP
+ \fBmax-lease-misbalance \fIpercentage\fR\fB;\fR
+ \fBmax-lease-ownership \fIpercentage\fR\fB;\fR
+ \fBmin-balance \fIseconds\fR\fB;\fR
+ \fBmax-balance \fIseconds\fR\fB;\fR
+.PP
+This version of the DHCP Server evaluates pool balance on a schedule,
+rather than on demand as leases are allocated.  The latter approach
+proved to be slightly klunky when pool misbalanced reach total
+saturation...when any server ran out of leases to assign, it also lost
+its ability to notice it had run dry.
+.PP
+In order to understand pool balance, some elements of its operation
+first need to be defined.  First, there are 'free' and 'backup' leases.
+Both of these are referred to as 'free state leases'.  'free' and 'backup'
+are 'the free states' for the purpose of this document.  The difference
+is that only the primary may allocate from 'free' leases unless under
+special circumstances, and only the secondary may allocate 'backup' leases.
+.PP
+When pool balance is performed, the only plausible expectation is to
+provide a 50/50 split of the free state leases between the two servers.
+This is because no one can predict which server will fail, regardless
+of the relative load placed upon the two servers, so giving each server
+half the leases gives both servers the same amount of 'failure endurance'.
+Therefore, there is no way to configure any different behaviour, outside of
+some very small windows we will describe shortly.
+.PP
+The first thing calculated on any pool balance run is a value referred to
+as 'lts', or "Leases To Send".  This, simply, is the difference in the
+count of free and backup leases, divided by two.  For the secondary,
+it is the difference in the backup and free leases, divided by two.
+The resulting value is signed: if it is positive, the local server is
+expected to hand out leases to retain a 50/50 balance.  If it is negative,
+the remote server would need to send leases to balance the pool.  Once
+the lts value reaches zero, the pool is perfectly balanced (give or take
+one lease in the case of an odd number of total free state leases).
+.PP
+The current approach is still something of a hybrid of the old approach,
+marked by the presence of the \fBmax-lease-misbalance\fR statement.  This
+parameter configures what used to be a 10% fixed value in previous versions:
+if lts is less than free+backup * \fBmax-lease-misbalance\fR percent, then
+the server will skip balancing a given pool (it won't bother moving any
+leases, even if some leases "should" be moved).  The meaning of this value
+is also somewhat overloaded, however, in that it also governs the estimation
+of when to attempt to balance the pool (which may then also be skipped over).
+The oldest leases in the free and backup states are examined.  The time
+they have resided in their respective queues is used as an estimate to
+indicate how much time it is probable it would take before the leases at
+the top of the list would be consumed (and thus, how long it would take
+to use all leases in that state).  This percentage is directly multiplied
+by this time, and fit into the schedule if it falls within
+the \fBmin-balance\fR and \fBmax-balance\fR configured values.  The
+scheduled pool check time is only moved in a downwards direction, it is
+never increased.  Lastly, if the lts is more than double this number in
+the negative direction, the local server will 'panic' and transmit a
+Failover protocol POOLREQ message, in the hopes that the remote system
+will be woken up into action.
+.PP
+Once the lts value exceeds the \fBmax-lease-misbalance\fR percentage of
+total free state leases as described above, leases are moved to the remote
+server.  This is done in two passes.
+.PP
+In the first pass, only leases whose most recent bound client would have
+been served by the remote server - according to the Load Balance Algorithm
+(see above \fBsplit\fR and \fBhba\fR configuration statements) - are given
+away to the peer.  This first pass will happily continue to give away leases,
+decrementing the lts value by one for each, until the lts value has reached
+the negative of the total number of leases multiplied by
+the \fBmax-lease-ownership\fR percentage.  So it is through this value that
+you can permit a small misbalance of the lease pools - for the purpose of
+giving the peer more than a 50/50 share of leases in the hopes that their
+clients might some day return and be allocated by the peer (operating
+normally).  This process is referred to as 'MAC Address Affinity', but this
+is somewhat misnamed: it applies equally to DHCP Client Identifier options.
+Note also that affinity is applied to leases when they enter the state
+'free' from 'expired' or 'released'.  In this case also, leases will not
+be moved from free to backup if the secondary already has more than its
+share.
+.PP
+The second pass is only entered into if the first pass fails to reduce
+the lts underneath the total number of free state leases multiplied by
+the \fBmax-lease-ownership\fR percentage.  In this pass, the oldest
+leases are given over to the peer without second thought about the Load
+Balance Algorithm, and this continues until the lts falls under this
+value.  In this way, the local server will also happily keep a small
+percentage of the leases that would normally load balance to itself.
+.PP
+So, the \fBmax-lease-misbalance\fR value acts as a behavioural gate.
+Smaller values will cause more leases to transition states to balance
+the pools over time, higher values will decrease the amount of change
+(but may lead to pool starvation if there's a run on leases).
+.PP
+The \fBmax-lease-ownership\fR value permits a small (percenatge) skew
+in the lease balance of a percentage of the total number of free state
+leases.
+.PP
+Finally, the \fBmin-balance\fR and \fBmax-balance\fR make certain that a
+scheduled rebalance event happens within a reasonable timeframe (not
+to be thrown off by, for example, a 7 year old free lease).
+.PP
+Plausible values for the percentages lie between 0 and 100, inclusive, but
+values over 50 are indistinguishable from one another (once lts exceeds
+50% of the free state leases, one server must therefore have 100% of the
+leases in its respective free state).  It is recommended to select
+a \fBmax-lease-ownership\fR value that is lower than the value selected
+for the \fBmax-lease-misbalance\fR value.  \fBmax-lease-ownership\fR
+defaults to 10, and \fBmax-lease-misbalance\fR defaults to 15.
+.PP
+Plausible values for the \fBmin-balance\fR and \fBmax-balance\fR times also
+range from 0 to (2^32)-1 (or the limit of your local time_t value), but
+default to values 60 and 3600 respectively (to place balance events between
+1 minute and 1 hour).
+.RE
+.SH CLIENT CLASSING
+Clients can be separated into classes, and treated differently
+depending on what class they are in.   This separation can be done
+either with a conditional statement, or with a match statement within
+the class declaration.   It is possible to specify a limit on the
+total number of clients within a particular class or subclass that may
+hold leases at one time, and it is possible to specify automatic
+subclassing based on the contents of the client packet.
+.PP
+To add clients to classes based on conditional evaluation, you can
+specify a matching expression in the class statement:
+.PP
+.nf
+class "ras-clients" {
+  match if substring (option dhcp-client-identifier, 1, 3) = "RAS";
+}
+.fi
+.PP
+Note that whether you use matching expressions or add statements (or
+both) to classify clients, you must always write a class declaration
+for any class that you use.   If there will be no match statement and
+no in-scope statements for a class, the declaration should look like
+this:
+.PP
+.nf
+class "ras-clients" {
+}
+.fi
+.SH SUBCLASSES
+.PP
+In addition to classes, it is possible to declare subclasses.   A
+subclass is a class with the same name as a regular class, but with a
+specific submatch expression which is hashed for quick matching.
+This is essentially a speed hack - the main difference between five
+classes with match expressions and one class with five subclasses is
+that it will be quicker to find the subclasses.   Subclasses work as
+follows:
+.PP
+.nf
+class "allocation-class-1" {
+  match pick-first-value (option dhcp-client-identifier, hardware);
+}
+
+class "allocation-class-2" {
+  match pick-first-value (option dhcp-client-identifier, hardware);
+}
+
+subclass "allocation-class-1" 1:8:0:2b:4c:39:ad;
+subclass "allocation-class-2" 1:8:0:2b:a9:cc:e3;
+subclass "allocation-class-1" 1:0:0:c4:aa:29:44;
+
+subnet 10.0.0.0 netmask 255.255.255.0 {
+  pool {
+    allow members of "allocation-class-1";
+    range 10.0.0.11 10.0.0.50;
+  }
+  pool {
+    allow members of "allocation-class-2";
+    range 10.0.0.51 10.0.0.100;
+  }
+}
+.fi
+.PP
+The data following the class name in the subclass declaration is a
+constant value to use in matching the match expression for the class.
+When class matching is done, the server will evaluate the match
+expression and then look the result up in the hash table.   If it
+finds a match, the client is considered a member of both the class and
+the subclass.
+.PP
+Subclasses can be declared with or without scope.   In the above
+example, the sole purpose of the subclass is to allow some clients
+access to one address pool, while other clients are given access to
+the other pool, so these subclasses are declared without scopes.   If
+part of the purpose of the subclass were to define different parameter
+values for some clients, you might want to declare some subclasses
+with scopes.
+.PP
+In the above example, if you had a single client that needed some
+configuration parameters, while most didn't, you might write the
+following subclass declaration for that client:
+.PP
+.nf
+subclass "allocation-class-2" 1:08:00:2b:a1:11:31 {
+  option root-path "samsara:/var/diskless/alphapc";
+  filename "/tftpboot/netbsd.alphapc-diskless";
+}
+.fi
+.PP
+In this example, we've used subclassing as a way to control address
+allocation on a per-client basis.  However, it's also possible to use
+subclassing in ways that are not specific to clients - for example, to
+use the value of the vendor-class-identifier option to determine what
+values to send in the vendor-encapsulated-options option.  An example
+of this is shown under the VENDOR ENCAPSULATED OPTIONS head in the
+.B dhcp-options(5)
+manual page.
+.SH PER-CLASS LIMITS ON DYNAMIC ADDRESS ALLOCATION
+.PP
+You may specify a limit to the number of clients in a class that can
+be assigned leases.   The effect of this will be to make it difficult
+for a new client in a class to get an address.   Once a class with
+such a limit has reached its limit, the only way a new client in that
+class can get a lease is for an existing client to relinquish its
+lease, either by letting it expire, or by sending a DHCPRELEASE
+packet.   Classes with lease limits are specified as follows:
+.PP
+.nf
+class "limited-1" {
+  lease limit 4;
+}
+.fi
+.PP
+This will produce a class in which a maximum of four members may hold
+a lease at one time.
+.SH SPAWNING CLASSES
+.PP
+It is possible to declare a
+.I spawning class\fR.
+A spawning class is a class that automatically produces subclasses
+based on what the client sends.   The reason that spawning classes
+were created was to make it possible to create lease-limited classes
+on the fly.   The envisioned application is a cable-modem environment
+where the ISP wishes to provide clients at a particular site with more
+than one IP address, but does not wish to provide such clients with
+their own subnet, nor give them an unlimited number of IP addresses
+from the network segment to which they are connected.
+.PP
+Many cable modem head-end systems can be configured to add a Relay
+Agent Information option to DHCP packets when relaying them to the
+DHCP server.   These systems typically add a circuit ID or remote ID
+option that uniquely identifies the customer site.   To take advantage
+of this, you can write a class declaration as follows:
+.PP
+.nf
+class "customer" {
+  spawn with option agent.circuit-id;
+  lease limit 4;
+}
+.fi
+.PP
+Now whenever a request comes in from a customer site, the circuit ID
+option will be checked against the class's hash table.   If a subclass
+is found that matches the circuit ID, the client will be classified in
+that subclass and treated accordingly.   If no subclass is found
+matching the circuit ID, a new one will be created and logged in the
+.B dhcpd.leases
+file, and the client will be classified in this new class.   Once the
+client has been classified, it will be treated according to the rules
+of the class, including, in this case, being subject to the per-site
+limit of four leases.
+.PP
+The use of the subclass spawning mechanism is not restricted to relay
+agent options - this particular example is given only because it is a
+fairly straightforward one.
+.SH COMBINING MATCH, MATCH IF AND SPAWN WITH
+.PP
+In some cases, it may be useful to use one expression to assign a
+client to a particular class, and a second expression to put it into a
+subclass of that class.   This can be done by combining the \fBmatch
+if\fR and \fBspawn with\fR statements, or the \fBmatch if\fR and
+\fBmatch\fR statements.   For example:
+.PP
+.nf
+class "jr-cable-modems" {
+  match if option dhcp-vendor-identifier = "jrcm";
+  spawn with option agent.circuit-id;
+  lease limit 4;
+}
+
+class "dv-dsl-modems" {
+  match if opton dhcp-vendor-identifier = "dvdsl";
+  spawn with option agent.circuit-id;
+  lease limit 16;
+}
+.fi
+.PP
+This allows you to have two classes that both have the same \fBspawn
+with\fR expression without getting the clients in the two classes
+confused with each other.
+.SH DYNAMIC DNS UPDATES
+.PP
+The DHCP server has the ability to dynamically update the Domain Name
+System.  Within the configuration files, you can define how you want
+the Domain Name System to be updated.  These updates are RFC 2136
+compliant so any DNS server supporting RFC 2136 should be able to
+accept updates from the DHCP server.
+.PP
+Two DNS update schemes are currently implemented, and another is
+planned.   The two that are currently available are the ad-hoc DNS
+update mode and the interim DHCP-DNS interaction draft update mode.
+If and when the DHCP-DNS interaction draft and the DHCID draft make it
+through the IETF standards process, there will be a third mode, which
+will be the standard DNS update method.   The DHCP server must be
+configured to use one of the two currently-supported methods, or not
+to do dns updates.   This can be done with the
+.I ddns-update-style
+configuration parameter.
+.SH THE AD-HOC DNS UPDATE SCHEME
+The ad-hoc Dynamic DNS update scheme is
+.B now deprecated
+and
+.B
+does not work.
+In future releases of the ISC DHCP server, this scheme will not likely be
+available.  The interim scheme works, allows for failover, and should now be
+used.  The following description is left here for informational purposes
+only.
+.PP
+The ad-hoc Dynamic DNS update scheme implemented in this version of
+the ISC DHCP server is a prototype design, which does not
+have much to do with the standard update method that is being
+standardized in the IETF DHC working group, but rather implements some
+very basic, yet useful, update capabilities.   This mode
+.B does not work
+with the
+.I failover protocol
+because it does not account for the possibility of two different DHCP
+servers updating the same set of DNS records.
+.PP
+For the ad-hoc DNS update method, the client's FQDN is derived in two
+parts.   First, the hostname is determined.   Then, the domain name is
+determined, and appended to the hostname.
+.PP
+The DHCP server determines the client's hostname by first looking for
+a \fIddns-hostname\fR configuration option, and using that if it is
+present.  If no such option is present, the server looks for a
+valid hostname in the FQDN option sent by the client.  If one is
+found, it is used; otherwise, if the client sent a host-name option,
+that is used.  Otherwise, if there is a host declaration that applies
+to the client, the name from that declaration will be used.  If none
+of these applies, the server will not have a hostname for the client,
+and will not be able to do a DNS update.
+.PP
+The domain name is determined from the
+.I ddns-domainname
+configuration option.  The default configuration for this option is:
+.nf
+.sp 1
+  option server.ddns-domainname = config-option domain-name;
+
+.fi
+So if this configuration option is not configured to a different
+value (over-riding the above default), or if a domain-name option
+has not been configured for the client's scope, then the server will
+not attempt to perform a DNS update.
+.PP
+The client's fully-qualified domain name, derived as we have
+described, is used as the name on which an "A" record will be stored.
+The A record will contain the IP address that the client was assigned
+in its lease.   If there is already an A record with the same name in
+the DNS server, no update of either the A or PTR records will occur -
+this prevents a client from claiming that its hostname is the name of
+some network server.   For example, if you have a fileserver called
+"fs.sneedville.edu", and the client claims its hostname is "fs", no
+DNS update will be done for that client, and an error message will be
+logged.
+.PP
+If the A record update succeeds, a PTR record update for the assigned
+IP address will be done, pointing to the A record.   This update is
+unconditional - it will be done even if another PTR record of the same
+name exists.   Since the IP address has been assigned to the DHCP
+server, this should be safe.
+.PP
+Please note that the current implementation assumes clients only have
+a single network interface.   A client with two network interfaces
+will see unpredictable behavior.   This is considered a bug, and will
+be fixed in a later release.   It may be helpful to enable the
+.I one-lease-per-client
+parameter so that roaming clients do not trigger this same behavior.
+.PP
+The DHCP protocol normally involves a four-packet exchange - first the
+client sends a DHCPDISCOVER message, then the server sends a
+DHCPOFFER, then the client sends a DHCPREQUEST, then the server sends
+a DHCPACK.   In the current version of the server, the server will do
+a DNS update after it has received the DHCPREQUEST, and before it has
+sent the DHCPACK.   It only sends the DNS update if it has not sent
+one for the client's address before, in order to minimize the impact
+on the DHCP server.
+.PP
+When the client's lease expires, the DHCP server (if it is operating
+at the time, or when next it operates) will remove the client's A and
+PTR records from the DNS database.   If the client releases its lease
+by sending a DHCPRELEASE message, the server will likewise remove the
+A and PTR records.
+.SH THE INTERIM DNS UPDATE SCHEME
+The interim DNS update scheme operates mostly according to several
+drafts that are being considered by the IETF and are expected to
+become standards, but are not yet standards, and may not be
+standardized exactly as currently proposed.   These are:
+.PP
+.nf
+.ce 3
+draft-ietf-dhc-ddns-resolution-??.txt
+draft-ietf-dhc-fqdn-option-??.txt
+draft-ietf-dnsext-dhcid-rr-??.txt
+.fi
+.PP
+Because our implementation is slightly different than the standard, we
+will briefly document the operation of this update style here.
+.PP
+The first point to understand about this style of DNS update is that
+unlike the ad-hoc style, the DHCP server does not necessarily
+always update both the A and the PTR records.   The FQDN option
+includes a flag which, when sent by the client, indicates that the
+client wishes to update its own A record.   In that case, the server
+can be configured either to honor the client's intentions or ignore
+them.   This is done with the statement \fIallow client-updates;\fR or
+the statement \fIignore client-updates;\fR.   By default, client
+updates are allowed.
+.PP
+If the server is configured to allow client updates, then if the
+client sends a fully-qualified domain name in the FQDN option, the
+server will use that name the client sent in the FQDN option to update
+the PTR record.   For example, let us say that the client is a visitor
+from the "radish.org" domain, whose hostname is "jschmoe".   The
+server is for the "example.org" domain.   The DHCP client indicates in
+the FQDN option that its FQDN is "jschmoe.radish.org.".   It also
+indicates that it wants to update its own A record.   The DHCP server
+therefore does not attempt to set up an A record for the client, but
+does set up a PTR record for the IP address that it assigns the
+client, pointing at jschmoe.radish.org.   Once the DHCP client has an
+IP address, it can update its own A record, assuming that the
+"radish.org" DNS server will allow it to do so.
+.PP
+If the server is configured not to allow client updates, or if the
+client doesn't want to do its own update, the server will simply
+choose a name for the client from either the fqdn option (if present)
+or the hostname option (if present).  It will use its own
+domain name for the client, just as in the ad-hoc update scheme.
+It will then update both the A and PTR record, using the name that it
+chose for the client.   If the client sends a fully-qualified domain
+name in the fqdn option, the server uses only the leftmost part of the
+domain name - in the example above, "jschmoe" instead of
+"jschmoe.radish.org".
+.PP
+Further, if the \fIignore client-updates;\fR directive is used, then
+the server will in addition send a response in the DHCP packet, using
+the FQDN Option, that implies to the client that it should perform its
+own updates if it chooses to do so.  With \fIdeny client-updates;\fR, a
+response is sent which indicates the client may not perform updates.
+.PP
+Also, if the
+.I use-host-decl-names
+configuration option is enabled, then the host declaration's
+.I hostname
+will be used in place of the
+.I hostname
+option, and the same rules will apply as described above.
+.PP
+The other difference between the ad-hoc scheme and the interim
+scheme is that with the interim scheme, a method is used that
+allows more than one DHCP server to update the DNS database without
+accidentally deleting A records that shouldn't be deleted nor failing
+to add A records that should be added.   The scheme works as follows:
+.PP
+When the DHCP server issues a client a new lease, it creates a text
+string that is an MD5 hash over the DHCP client's identification (see
+draft-ietf-dnsext-dhcid-rr-??.txt for details).   The update adds an A
+record with the name the server chose and a TXT record containing the
+hashed identifier string (hashid).   If this update succeeds, the
+server is done.
+.PP
+If the update fails because the A record already exists, then the DHCP
+server attempts to add the A record with the prerequisite that there
+must be a TXT record in the same name as the new A record, and that
+TXT record's contents must be equal to hashid.   If this update
+succeeds, then the client has its A record and PTR record.   If it
+fails, then the name the client has been assigned (or requested) is in
+use, and can't be used by the client.   At this point the DHCP server
+gives up trying to do a DNS update for the client until the client
+chooses a new name.
+.PP
+The interim DNS update scheme is called interim for two reasons.
+First, it does not quite follow the drafts.   The current versions of
+the drafts call for a new DHCID RRtype, but this is not yet
+available.   The interim DNS update scheme uses a TXT record
+instead.   Also, the existing ddns-resolution draft calls for the DHCP
+server to put a DHCID RR on the PTR record, but the \fIinterim\fR
+update method does not do this.   It is our position that this is not
+useful, and we are working with the author in hopes of removing it
+from the next version of the draft, or better understanding why it is
+considered useful.
+.PP
+In addition to these differences, the server also does not update very
+aggressively.  Because each DNS update involves a round trip to the
+DNS server, there is a cost associated with doing updates even if they
+do not actually modify the DNS database.   So the DHCP server tracks
+whether or not it has updated the record in the past (this information
+is stored on the lease) and does not attempt to update records that it
+thinks it has already updated.
+.PP
+This can lead to cases where the DHCP server adds a record, and then
+the record is deleted through some other mechanism, but the server
+never again updates the DNS because it thinks the data is already
+there.   In this case the data can be removed from the lease through
+operator intervention, and once this has been done, the DNS will be
+updated the next time the client renews.
+.SH DYNAMIC DNS UPDATE SECURITY
+.PP
+When you set your DNS server up to allow updates from the DHCP server,
+you may be exposing it to unauthorized updates.  To avoid this, you
+should use TSIG signatures - a method of cryptographically signing
+updates using a shared secret key.   As long as you protect the
+secrecy of this key, your updates should also be secure.   Note,
+however, that the DHCP protocol itself provides no security, and that
+clients can therefore provide information to the DHCP server which the
+DHCP server will then use in its updates, with the constraints
+described previously.
+.PP
+The DNS server must be configured to allow updates for any zone that
+the DHCP server will be updating.  For example, let us say that
+clients in the sneedville.edu domain will be assigned addresses on the
+10.10.17.0/24 subnet.  In that case, you will need a key declaration
+for the TSIG key you will be using, and also two zone declarations -
+one for the zone containing A records that will be updates and one for
+the zone containing PTR records - for ISC BIND, something like this:
+.PP
+.nf
+key DHCP_UPDATER {
+  algorithm hmac-md5;
+  secret pRP5FapFoJ95JEL06sv4PQ==;
+};
+
+zone "example.org" {
+	type master;
+	file "example.org.db";
+	allow-update { key DHCP_UPDATER; };
+};
+
+zone "17.10.10.in-addr.arpa" {
+	type master;
+	file "10.10.17.db";
+	allow-update { key DHCP_UPDATER; };
+};
+.fi
+.PP
+You will also have to configure your DHCP server to do updates to
+these zones.   To do so, you need to add something like this to your
+dhcpd.conf file:
+.PP
+.nf
+key DHCP_UPDATER {
+  algorithm hmac-md5;
+  secret pRP5FapFoJ95JEL06sv4PQ==;
+};
+
+zone EXAMPLE.ORG. {
+  primary 127.0.0.1;
+  key DHCP_UPDATER;
+}
+
+zone 17.127.10.in-addr.arpa. {
+  primary 127.0.0.1;
+  key DHCP_UPDATER;
+}
+.fi
+.PP
+The \fIprimary\fR statement specifies the IP address of the name
+server whose zone information is to be updated.
+.PP
+Note that the zone declarations have to correspond to authority
+records in your name server - in the above example, there must be an
+SOA record for "example.org." and for "17.10.10.in-addr.arpa.".   For
+example, if there were a subdomain "foo.example.org" with no separate
+SOA, you could not write a zone declaration for "foo.example.org."  
+Also keep in mind that zone names in your DHCP configuration should end in a
+"."; this is the preferred syntax.  If you do not end your zone name in a
+".", the DHCP server will figure it out.  Also note that in the DHCP
+configuration, zone names are not encapsulated in quotes where there are in
+the DNS configuration.
+.PP
+You should choose your own secret key, of course.  The ISC BIND 8 and
+9 distributions come with a program for generating secret keys called
+dnssec-keygen.  The version that comes with BIND 9 is likely to produce a
+substantially more random key, so we recommend you use that one even
+if you are not using BIND 9 as your DNS server.  If you are using BIND 9's
+dnssec-keygen, the above key would be created as follows:
+.PP
+.nf
+	dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
+.fi
+.PP
+If you are using the BIND 8 dnskeygen program, the following command will
+generate a key as seen above:
+.PP
+.nf
+	dnskeygen -H 128 -u -c -n DHCP_UPDATER
+.fi
+.PP
+You may wish to enable logging of DNS updates on your DNS server.
+To do so, you might write a logging statement like the following:
+.PP
+.nf
+logging {
+	channel update_debug {
+		file "/var/log/update-debug.log";
+		severity	debug 3;
+		print-category	yes;
+		print-severity	yes;
+		print-time	yes;
+	};
+	channel security_info	{
+		file	"/var/log/named-auth.info";
+		severity	info;
+		print-category	yes;
+		print-severity	yes;
+		print-time	yes;
+	};
+
+	category update { update_debug; };
+	category security { security_info; };
+};
+.fi
+.PP
+You must create the /var/log/named-auth.info and
+/var/log/update-debug.log files before starting the name server.   For
+more information on configuring ISC BIND, consult the documentation
+that accompanies it.
+.SH REFERENCE: EVENTS
+.PP
+There are three kinds of events that can happen regarding a lease, and
+it is possible to declare statements that occur when any of these
+events happen.   These events are the commit event, when the server
+has made a commitment of a certain lease to a client, the release
+event, when the client has released the server from its commitment,
+and the expiry event, when the commitment expires.
+.PP
+To declare a set of statements to execute when an event happens, you
+must use the \fBon\fR statement, followed by the name of the event,
+followed by a series of statements to execute when the event happens,
+enclosed in braces.   Events are used to implement DNS
+updates, so you should not define your own event handlers if you are
+using the built-in DNS update mechanism.
+.PP
+The built-in version of the DNS update mechanism is in a text
+string towards the top of server/dhcpd.c.   If you want to use events
+for things other than DNS updates, and you also want DNS updates, you
+will have to start out by copying this code into your dhcpd.conf file
+and modifying it.
+.SH REFERENCE: DECLARATIONS
+.PP
+.B The
+.I include
+.B statement
+.PP
+.nf
+ \fBinclude\fR \fI"filename"\fR\fB;\fR
+.fi
+.PP
+The \fIinclude\fR statement is used to read in a named file, and process
+the contents of that file as though it were entered in place of the
+include statement.
+.PP
+.B The 
+.I shared-network
+.B statement
+.PP
+.nf
+ \fBshared-network\fR \fIname\fR \fB{\fR
+   [ \fIparameters\fR ]
+   [ \fIdeclarations\fR ]
+ \fB}\fR
+.fi
+.PP
+The \fIshared-network\fR statement is used to inform the DHCP server
+that some IP subnets actually share the same physical network.  Any
+subnets in a shared network should be declared within a
+\fIshared-network\fR statement.  Parameters specified in the
+\fIshared-network\fR statement will be used when booting clients on
+those subnets unless parameters provided at the subnet or host level
+override them.  If any subnet in a shared network has addresses
+available for dynamic allocation, those addresses are collected into a
+common pool for that shared network and assigned to clients as needed.
+There is no way to distinguish on which subnet of a shared network a
+client should boot.
+.PP
+.I Name
+should be the name of the shared network.   This name is used when
+printing debugging messages, so it should be descriptive for the
+shared network.   The name may have the syntax of a valid domain name
+(although it will never be used as such), or it may be any arbitrary
+name, enclosed in quotes.
+.PP
+.B The 
+.I subnet
+.B statement
+.PP
+.nf
+ \fBsubnet\fR \fIsubnet-number\fR \fBnetmask\fR \fInetmask\fR \fB{\fR
+   [ \fIparameters\fR ]
+   [ \fIdeclarations\fR ]
+ \fB}\fR
+.fi
+.PP
+The \fIsubnet\fR statement is used to provide dhcpd with enough
+information to tell whether or not an IP address is on that subnet.
+It may also be used to provide subnet-specific parameters and to
+specify what addresses may be dynamically allocated to clients booting
+on that subnet.   Such addresses are specified using the \fIrange\fR
+declaration.
+.PP
+The
+.I subnet-number
+should be an IP address or domain name which resolves to the subnet
+number of the subnet being described.   The 
+.I netmask
+should be an IP address or domain name which resolves to the subnet mask
+of the subnet being described.   The subnet number, together with the
+netmask, are sufficient to determine whether any given IP address is
+on the specified subnet.
+.PP
+Although a netmask must be given with every subnet declaration, it is
+recommended that if there is any variance in subnet masks at a site, a
+subnet-mask option statement be used in each subnet declaration to set
+the desired subnet mask, since any subnet-mask option statement will
+override the subnet mask declared in the subnet statement.
+.PP
+.B The
+.I range
+.B statement
+.PP
+.nf
+.B range\fR [ \fBdynamic-bootp\fR ] \fIlow-address\fR [ \fIhigh-address\fR]\fB;\fR
+.fi
+.PP
+For any subnet on which addresses will be assigned dynamically, there
+must be at least one \fIrange\fR statement.   The range statement
+gives the lowest and highest IP addresses in a range.   All IP
+addresses in the range should be in the subnet in which the
+\fIrange\fR statement is declared.   The \fIdynamic-bootp\fR flag may
+be specified if addresses in the specified range may be dynamically
+assigned to BOOTP clients as well as DHCP clients.   When specifying a
+single address, \fIhigh-address\fR can be omitted.
+.PP
+.B The
+.I host
+.B statement
+.PP
+.nf
+ \fBhost\fR \fIhostname\fR {
+   [ \fIparameters\fR ]
+   [ \fIdeclarations\fR ]
+ \fB}\fR
+.fi
+.PP
+The
+.B host
+declaration provides a scope in which to provide configuration information about
+a specific client, and also provides a way to assign a client a fixed address.
+The host declaration provides a way for the DHCP server to identify a DHCP or
+BOOTP client, and also a way to assign the client a static IP address.
+.PP
+If it is desirable to be able to boot a DHCP or BOOTP client on more than one
+subnet with fixed addresses, more than one address may be specified in the
+.I fixed-address
+declaration, or more than one
+.B host
+statement may be specified matching the same client.
+.PP
+If client-specific boot parameters must change based on the network
+to which the client is attached, then multiple 
+.B host
+declarations should be used.  The
+.B host
+declarations will only match a client if one of their
+.I fixed-address
+statements is viable on the subnet (or shared network) where the client is
+attached.  Conversely, for a
+.B host
+declaration to match a client being allocated a dynamic address, it must not
+have any
+.I fixed-address
+statements.  You may therefore need a mixture of
+.B host
+declarations for any given client...some having
+.I fixed-address
+statements, others without.
+.PP
+.I hostname
+should be a name identifying the host.  If a \fIhostname\fR option is
+not specified for the host, \fIhostname\fR is used.
+.PP
+\fIHost\fR declarations are matched to actual DHCP or BOOTP clients
+by matching the \fRdhcp-client-identifier\fR option specified in the
+\fIhost\fR declaration to the one supplied by the client, or, if the
+\fIhost\fR declaration or the client does not provide a
+\fRdhcp-client-identifier\fR option, by matching the \fIhardware\fR
+parameter in the \fIhost\fR declaration to the network hardware
+address supplied by the client.   BOOTP clients do not normally
+provide a \fIdhcp-client-identifier\fR, so the hardware address must
+be used for all clients that may boot using the BOOTP protocol.
+.PP
+Please be aware that
+.B only
+the \fIdhcp-client-identifier\fR option and the hardware address can be
+used to match a host declaration.   For example, it is not possible to match
+a host declaration to a \fIhost-name\fR option.   This is because the
+host-name option cannot be guaranteed to be unique for any given client,
+whereas both the hardware address and \fIdhcp-client-identifier\fR option
+are at least theoretically guaranteed to be unique to a given client.
+.PP
+.B The
+.I group
+.B statement
+.PP
+.nf
+ \fBgroup\fR {
+   [ \fIparameters\fR ]
+   [ \fIdeclarations\fR ]
+ \fB}\fR
+.fi
+.PP
+The group statement is used simply to apply one or more parameters to
+a group of declarations.   It can be used to group hosts, shared
+networks, subnets, or even other groups.
+.SH REFERENCE: ALLOW AND DENY
+The
+.I allow
+and
+.I deny
+statements can be used to control the response of the DHCP server to
+various sorts of requests.  The allow and deny keywords actually have
+different meanings depending on the context.  In a pool context, these
+keywords can be used to set up access lists for address allocation
+pools.  In other contexts, the keywords simply control general server
+behavior with respect to clients based on scope.   In a non-pool
+context, the
+.I ignore
+keyword can be used in place of the
+.I deny
+keyword to prevent logging of denied requests.
+.PP
+.SH ALLOW DENY AND IGNORE IN SCOPE
+The following usages of allow and deny will work in any scope,
+although it is not recommended that they be used in pool
+declarations.
+.PP
+.B The
+.I unknown-clients
+.B keyword
+.PP
+ \fBallow unknown-clients;\fR
+ \fBdeny unknown-clients;\fR
+ \fBignore unknown-clients;\fR
+.PP
+The \fBunknown-clients\fR flag is used to tell dhcpd whether
+or not to dynamically assign addresses to unknown clients.   Dynamic
+address assignment to unknown clients is \fBallow\fRed by default.
+An unknown client is simply a client that has no host declaration.
+.PP
+The use of this option is now \fIdeprecated\fR.  If you are trying to
+restrict access on your network to known clients, you should use \fBdeny
+unknown-clients;\fR inside of your address pool, as described under the
+heading ALLOW AND DENY WITHIN POOL DECLARAIONS.
+.PP
+.B The
+.I bootp
+.B keyword
+.PP
+ \fBallow bootp;\fR
+ \fBdeny bootp;\fR
+ \fBignore bootp;\fR
+.PP
+The \fBbootp\fR flag is used to tell dhcpd whether
+or not to respond to bootp queries.  Bootp queries are \fBallow\fRed
+by default.
+.PP
+This option does not satisfy the requirement of failover peers for denying
+dynamic bootp clients.  The \fBdeny dynamic bootp clients;\fR option should
+be used instead. See the ALLOW AND DENY WITHIN POOL DECLARATIONS section
+of this man page for more details.
+.PP
+.B The
+.I booting
+.B keyword
+.PP
+ \fBallow booting;\fR
+ \fBdeny booting;\fR
+ \fBignore booting;\fR
+.PP
+The \fBbooting\fR flag is used to tell dhcpd whether or not to respond
+to queries from a particular client.  This keyword only has meaning
+when it appears in a host declaration.   By default, booting is
+\fBallow\fRed, but if it is disabled for a particular client, then
+that client will not be able to get an address from the DHCP server.
+.PP
+.B The
+.I duplicates
+.B keyword
+.PP
+ \fBallow duplicates;\fR
+ \fBdeny duplicates;\fR
+.PP
+Host declarations can match client messages based on the DHCP Client
+Identifier option or based on the client's network hardware type and
+MAC address.   If the MAC address is used, the host declaration will
+match any client with that MAC address - even clients with different
+client identifiers.   This doesn't normally happen, but is possible
+when one computer has more than one operating system installed on it -
+for example, Microsoft Windows and NetBSD or Linux.
+.PP
+The \fBduplicates\fR flag tells the DHCP server that if a request is
+received from a client that matches the MAC address of a host
+declaration, any other leases matching that MAC address should be
+discarded by the server, even if the UID is not the same.   This is a
+violation of the DHCP protocol, but can prevent clients whose client
+identifiers change regularly from holding many leases at the same time.
+By default, duplicates are \fBallow\fRed.
+.PP
+.B The
+.I declines
+.B keyword
+.PP
+ \fBallow declines;\fR
+ \fBdeny declines;\fR
+ \fBignore declines;\fR
+.PP
+The DHCPDECLINE message is used by DHCP clients to indicate that the
+lease the server has offered is not valid.   When the server receives
+a DHCPDECLINE for a particular address, it normally abandons that
+address, assuming that some unauthorized system is using it.
+Unfortunately, a malicious or buggy client can, using DHCPDECLINE
+messages, completely exhaust the DHCP server's allocation pool.   The
+server will reclaim these leases, but while the client is running
+through the pool, it may cause serious thrashing in the DNS, and it
+will also cause the DHCP server to forget old DHCP client address
+allocations.
+.PP
+The \fBdeclines\fR flag tells the DHCP server whether or not to honor
+DHCPDECLINE messages.   If it is set to \fBdeny\fR or \fBignore\fR in
+a particular scope, the DHCP server will not respond to DHCPDECLINE
+messages.
+.PP
+.B The
+.I client-updates
+.B keyword
+.PP
+ \fBallow client-updates;\fR
+ \fBdeny client-updates;\fR
+.PP
+The \fBclient-updates\fR flag tells the DHCP server whether or not to
+honor the client's intention to do its own update of its A record.
+This is only relevant when doing \fIinterim\fR DNS updates.   See the
+documentation under the heading THE INTERIM DNS UPDATE SCHEME for
+details.
+.PP
+.B The
+.I leasequery
+.B keyword
+.PP
+ \fBallow leasequery;\fR
+ \fBdeny leasequery;\fR
+.PP
+The \fBleasequery\fR flag tells the DHCP server whether or not to
+answer DHCPLEASEQUERY packets. The answer to a DHCPLEASEQUERY packet
+includes information about a specific lease, such as when it was 
+issued and when it will expire. By default, the server will not 
+respond to these packets.
+.SH ALLOW AND DENY WITHIN POOL DECLARATIONS
+.PP
+The uses of the allow and deny keywords shown in the previous section
+work pretty much the same way whether the client is sending a
+DHCPDISCOVER or a DHCPREQUEST message - an address will be allocated
+to the client (either the old address it's requesting, or a new
+address) and then that address will be tested to see if it's okay to
+let the client have it.   If the client requested it, and it's not
+okay, the server will send a DHCPNAK message.   Otherwise, the server
+will simply not respond to the client.   If it is okay to give the
+address to the client, the server will send a DHCPACK message.
+.PP
+The primary motivation behind pool declarations is to have address
+allocation pools whose allocation policies are different.   A client
+may be denied access to one pool, but allowed access to another pool
+on the same network segment.   In order for this to work, access
+control has to be done during address allocation, not after address
+allocation is done.
+.PP
+When a DHCPREQUEST message is processed, address allocation simply
+consists of looking up the address the client is requesting and seeing
+if it's still available for the client.  If it is, then the DHCP
+server checks both the address pool permit lists and the relevant
+in-scope allow and deny statements to see if it's okay to give the
+lease to the client.  In the case of a DHCPDISCOVER message, the
+allocation process is done as described previously in the ADDRESS
+ALLOCATION section.
+.PP
+When declaring permit lists for address allocation pools, the
+following syntaxes are recognized following the allow or deny keywords:
+.PP
+ \fBknown-clients;\fR
+.PP
+If specified, this statement either allows or prevents allocation from
+this pool to any client that has a host declaration (i.e., is known).
+A client is known if it has a host declaration in \fIany\fR scope, not
+just the current scope.
+.PP
+ \fBunknown-clients;\fR
+.PP
+If specified, this statement either allows or prevents allocation from
+this pool to any client that has no host declaration (i.e., is not
+known).
+.PP
+ \fBmembers of "\fRclass\fB";\fR
+.PP
+If specified, this statement either allows or prevents allocation from
+this pool to any client that is a member of the named class.
+.PP
+ \fBdynamic bootp clients;\fR
+.PP
+If specified, this statement either allows or prevents allocation from
+this pool to any bootp client.
+.PP
+ \fBauthenticated clients;\fR
+.PP
+If specified, this statement either allows or prevents allocation from
+this pool to any client that has been authenticated using the DHCP
+authentication protocol.   This is not yet supported.
+.PP
+ \fBunauthenticated clients;\fR
+.PP
+If specified, this statement either allows or prevents allocation from
+this pool to any client that has not been authenticated using the DHCP
+authentication protocol.   This is not yet supported.
+.PP
+ \fBall clients;\fR
+.PP
+If specified, this statement either allows or prevents allocation from
+this pool to all clients.   This can be used when you want to write a
+pool declaration for some reason, but hold it in reserve, or when you
+want to renumber your network quickly, and thus want the server to
+force all clients that have been allocated addresses from this pool to
+obtain new addresses immediately when they next renew.
+.SH REFERENCE: PARAMETERS
+The
+.I adaptive-lease-time-threshold
+statement
+.RS 0.25i
+.PP
+.B adaptive-lease-time-threshold \fIpercentage\fR\fB;\fR
+.PP
+When the number of allocated leases within a pool rises above
+the \fIpercentage\fR given in this statement, the DHCP server decreases
+the lease length for new clients within this pool to \fImin-lease-time\fR
+seconds. Clients renewing an already valid (long) leases get at least the
+remaining time from the current lease. Since the leases expire faster,
+the server may either recover more quickly or avoid pool exhaustion
+entirely.  Once the number of allocated leases drop below the threshold,
+the server reverts back to normal lease times.  Valid percentages are
+between 1 and 99.
+.RE
+.PP
+The
+.I always-broadcast
+statement
+.RS 0.25i
+.PP
+.B always-broadcast \fIflag\fR\fB;\fR
+.PP
+The DHCP and BOOTP protocols both require DHCP and BOOTP clients to
+set the broadcast bit in the flags field of the BOOTP message header.
+Unfortunately, some DHCP and BOOTP clients do not do this, and
+therefore may not receive responses from the DHCP server.   The DHCP
+server can be made to always broadcast its responses to clients by
+setting this flag to 'on' for the relevant scope; relevant scopes would be
+inside a conditional statement, as a parameter for a class, or as a parameter
+for a host declaration.   To avoid creating excess broadcast traffic on your
+network, we recommend that you restrict the use of this option to as few
+clients as possible.   For example, the Microsoft DHCP client is known not
+to have this problem, as are the OpenTransport and ISC DHCP clients.
+.RE
+.PP
+The
+.I always-reply-rfc1048
+statement
+.RS 0.25i
+.PP
+.B always-reply-rfc1048 \fIflag\fR\fB;\fR
+.PP
+Some BOOTP clients expect RFC1048-style responses, but do not follow
+RFC1048 when sending their requests.   You can tell that a client is
+having this problem if it is not getting the options you have
+configured for it and if you see in the server log the message
+"(non-rfc1048)" printed with each BOOTREQUEST that is logged.
+.PP
+If you want to send rfc1048 options to such a client, you can set the
+.B always-reply-rfc1048
+option in that client's host declaration, and the DHCP server will
+respond with an RFC-1048-style vendor options field.   This flag can
+be set in any scope, and will affect all clients covered by that
+scope.
+.RE
+.PP
+The
+.I authoritative
+statement
+.RS 0.25i
+.PP
+.B authoritative;
+.PP
+.B not authoritative;
+.PP
+The DHCP server will normally assume that the configuration
+information about a given network segment is not known to be correct
+and is not authoritative.  This is so that if a naive user installs a
+DHCP server not fully understanding how to configure it, it does not
+send spurious DHCPNAK messages to clients that have obtained addresses
+from a legitimate DHCP server on the network.
+.PP
+Network administrators setting up authoritative DHCP servers for their
+networks should always write \fBauthoritative;\fR at the top of their
+configuration file to indicate that the DHCP server \fIshould\fR send
+DHCPNAK messages to misconfigured clients.   If this is not done,
+clients will be unable to get a correct IP address after changing
+subnets until their old lease has expired, which could take quite a
+long time.
+.PP
+Usually, writing \fBauthoritative;\fR at the top level of the file
+should be sufficient.   However, if a DHCP server is to be set up so
+that it is aware of some networks for which it is authoritative and
+some networks for which it is not, it may be more appropriate to
+declare authority on a per-network-segment basis.
+.PP
+Note that the most specific scope for which the concept of authority
+makes any sense is the physical network segment - either a
+shared-network statement or a subnet statement that is not contained
+within a shared-network statement.  It is not meaningful to specify
+that the server is authoritative for some subnets within a shared
+network, but not authoritative for others, nor is it meaningful to
+specify that the server is authoritative for some host declarations
+and not others.
+.RE
+.PP
+The \fIboot-unknown-clients\fR statement
+.RS 0.25i
+.PP
+.B boot-unknown-clients \fIflag\fB;\fR
+.PP
+If the \fIboot-unknown-clients\fR statement is present and has a value
+of \fIfalse\fR or \fIoff\fR, then clients for which there is no
+.I host
+declaration will not be allowed to obtain IP addresses.   If this
+statement is not present or has a value of \fItrue\fR or \fIon\fR,
+then clients without host declarations will be allowed to obtain IP
+addresses, as long as those addresses are not restricted by
+.I allow
+and \fIdeny\fR statements within their \fIpool\fR declarations.
+.RE
+.PP
+The \fIddns-hostname\fR statement
+.RS 0.25i
+.PP
+.B ddns-hostname \fIname\fB;\fR
+.PP
+The \fIname\fR parameter should be the hostname that will be used in
+setting up the client's A and PTR records.   If no ddns-hostname is
+specified in scope, then the server will derive the hostname
+automatically, using an algorithm that varies for each of the
+different update methods.
+.RE
+.PP
+The \fIddns-domainname\fR statement
+.RS 0.25i
+.PP
+.B ddns-domainname \fIname\fB;\fR
+.PP
+The \fIname\fR parameter should be the domain name that will be
+appended to the client's hostname to form a fully-qualified
+domain-name (FQDN).
+.RE
+.PP
+The \fIddns-rev-domainname\fR statement
+.RS 0.25i
+.PP
+.B ddns-rev-domainname \fIname\fB;\fR
+The \fIname\fR parameter should be the domain name that will be
+appended to the client's reversed IP address to produce a name for use
+in the client's PTR record.   By default, this is "in-addr.arpa.", but
+the default can be overridden here.
+.PP
+The reversed IP address to which this domain name is appended is
+always the IP address of the client, in dotted quad notation, reversed
+- for example, if the IP address assigned to the client is
+10.17.92.74, then the reversed IP address is 74.92.17.10.   So a
+client with that IP address would, by default, be given a PTR record
+of 10.17.92.74.in-addr.arpa.
+.RE
+.PP
+The \fIddns-update-style\fR parameter
+.RS 0.25i
+.PP
+.B ddns-update-style \fIstyle\fB;\fR
+.PP
+The
+.I style
+parameter must be one of \fBad-hoc\fR, \fBinterim\fR or \fBnone\fR.
+The \fIddns-update-style\fR statement is only meaningful in the outer
+scope - it is evaluated once after reading the dhcpd.conf file, rather
+than each time a client is assigned an IP address, so there is no way
+to use different DNS update styles for different clients.
+.RE
+.PP
+.B The  
+.I ddns-updates
+.B statement
+.RS 0.25i
+.PP
+ \fBddns-updates \fIflag\fR\fB;\fR
+.PP
+The \fIddns-updates\fR parameter controls whether or not the server will
+attempt to do a DNS update when a lease is confirmed.   Set this to \fIoff\fR
+if the server should not attempt to do updates within a certain scope.
+The \fIddns-updates\fR parameter is on by default.   To disable DNS
+updates in all scopes, it is preferable to use the
+\fIddns-update-style\fR statement, setting the style to \fInone\fR.
+.RE
+.PP
+The
+.I default-lease-time
+statement
+.RS 0.25i
+.PP
+.B default-lease-time \fItime\fR\fB;\fR
+.PP
+.I Time
+should be the length in seconds that will be assigned to a lease if
+the client requesting the lease does not ask for a specific expiration
+time.
+.RE
+.PP
+The
+.I do-forward-updates
+statement
+.RS 0.25i
+.PP
+.B do-forward-updates \fIflag\fB;\fR
+.PP
+The \fIdo-forward-updates\fR statement instructs the DHCP server as
+to whether it should attempt to update a DHCP client's A record
+when the client acquires or renews a lease.   This statement has no
+effect unless DNS updates are enabled and \fBddns-update-style\fR is
+set to \fBinterim\fR.   Forward updates are enabled by default.   If
+this statement is used to disable forward updates, the DHCP server
+will never attempt to update the client's A record, and will only ever
+attempt to update the client's PTR record if the client supplies an
+FQDN that should be placed in the PTR record using the fqdn option.
+If forward updates are enabled, the DHCP server will still honor the
+setting of the \fBclient-updates\fR flag.
+.RE
+.PP
+The
+.I dynamic-bootp-lease-cutoff
+statement
+.RS 0.25i
+.PP
+.B dynamic-bootp-lease-cutoff \fIdate\fB;\fR
+.PP
+The \fIdynamic-bootp-lease-cutoff\fR statement sets the ending time
+for all leases assigned dynamically to BOOTP clients.  Because BOOTP
+clients do not have any way of renewing leases, and don't know that
+their leases could expire, by default dhcpd assigns infinite leases
+to all BOOTP clients.  However, it may make sense in some situations
+to set a cutoff date for all BOOTP leases - for example, the end of a
+school term, or the time at night when a facility is closed and all
+machines are required to be powered off.
+.PP
+.I Date
+should be the date on which all assigned BOOTP leases will end.  The
+date is specified in the form:
+.PP
+.ce 1
+W YYYY/MM/DD HH:MM:SS
+.PP
+W is the day of the week expressed as a number
+from zero (Sunday) to six (Saturday).  YYYY is the year, including the
+century.  MM is the month expressed as a number from 1 to 12.  DD is
+the day of the month, counting from 1.  HH is the hour, from zero to
+23.  MM is the minute and SS is the second.  The time is always in
+Coordinated Universal Time (UTC), not local time.
+.RE
+.PP
+The
+.I dynamic-bootp-lease-length
+statement
+.RS 0.25i
+.PP
+.B dynamic-bootp-lease-length\fR \fIlength\fR\fB;\fR
+.PP
+The \fIdynamic-bootp-lease-length\fR statement is used to set the
+length of leases dynamically assigned to BOOTP clients.   At some
+sites, it may be possible to assume that a lease is no longer in
+use if its holder has not used BOOTP or DHCP to get its address within
+a certain time period.   The period is specified in \fIlength\fR as a
+number of seconds.   If a client reboots using BOOTP during the
+timeout period, the lease duration is reset to \fIlength\fR, so a
+BOOTP client that boots frequently enough will never lose its lease.
+Needless to say, this parameter should be adjusted with extreme
+caution.
+.RE
+.PP
+The
+.I filename
+statement
+.RS 0.25i
+.PP
+.B filename\fR \fB"\fR\fIfilename\fR\fB";\fR
+.PP
+The \fIfilename\fR statement can be used to specify the name of the
+initial boot file which is to be loaded by a client.  The
+.I filename
+should be a filename recognizable to whatever file transfer protocol
+the client can be expected to use to load the file.
+.RE
+.PP
+The
+.I fixed-address
+declaration
+.RS 0.25i
+.PP
+.B fixed-address address\fR [\fB,\fR \fIaddress\fR ... ]\fB;\fR
+.PP
+The \fIfixed-address\fR declaration is used to assign one or more fixed
+IP addresses to a client.  It should only appear in a \fIhost\fR
+declaration.  If more than one address is supplied, then when the
+client boots, it will be assigned the address that corresponds to the
+network on which it is booting.  If none of the addresses in the
+\fIfixed-address\fR statement are valid for the network to which the client
+is connected, that client will not match the \fIhost\fR declaration
+containing that \fIfixed-address\fR declaration.  Each \fIaddress\fR
+in the \fIfixed-address\fR declaration should be either an IP address or
+a domain name that resolves to one or more IP addresses.
+.RE
+.PP
+The
+.I get-lease-hostnames
+statement
+.RS 0.25i
+.PP
+.B get-lease-hostnames\fR \fIflag\fR\fB;\fR
+.PP
+The \fIget-lease-hostnames\fR statement is used to tell dhcpd whether
+or not to look up the domain name corresponding to the IP address of
+each address in the lease pool and use that address for the DHCP
+\fIhostname\fR option.  If \fIflag\fR is true, then this lookup is
+done for all addresses in the current scope.   By default, or if
+\fIflag\fR is false, no lookups are done.
+.RE
+.PP
+The 
+.I hardware
+statement
+.RS 0.25i
+.PP
+.B hardware \fIhardware-type hardware-address\fB;\fR
+.PP
+In order for a BOOTP client to be recognized, its network hardware
+address must be declared using a \fIhardware\fR clause in the
+.I host
+statement.
+.I hardware-type
+must be the name of a physical hardware interface type.   Currently,
+only the
+.B ethernet
+and
+.B token-ring
+types are recognized, although support for a
+.B fddi
+hardware type (and others) would also be desirable.
+The
+.I hardware-address
+should be a set of hexadecimal octets (numbers from 0 through ff)
+separated by colons.   The \fIhardware\fR statement may also be used
+for DHCP clients.
+.RE
+.PP
+The
+.I infinite-is-reserved
+statement
+.RS 0.25i
+.PP
+.B infinite-is-reserved \fIflag\fB;\fR
+.PP
+ISC DHCP now supports 'reserved' leases.  See the section on RESERVED LEASES
+below.  If this \fIflag\fR is on, the server will automatically reserve leases
+allocated to clients which requested an infinite (0xffffffff) lease-time.
+.PP
+The default is off.
+.RE
+.PP
+The
+.I lease-file-name
+statement
+.RS 0.25i
+.PP
+.B lease-file-name \fIname\fB;\fR
+.PP
+.I Name
+should be the name of the DHCP server's lease file.   By default, this
+is DBDIR/dhcpd.leases.   This statement \fBmust\fR appear in the outer
+scope of the configuration file - if it appears in some other scope,
+it will have no effect.
+.RE
+.PP
+The
+.I local-port
+statement
+.RS 0.25i
+.PP
+.B local-port \fIport\fB;\fR
+.PP
+This statement causes the DHCP server to listen for DHCP requests on
+the UDP port specified in \fIport\fR, rather than on port 67.
+.RE
+.PP
+The
+.I local-address
+statement
+.RS 0.25i
+.PP
+.B local-address \fIaddress\fB;\fR
+.PP
+This statement causes the DHCP server to listen for DHCP requests sent
+to the specified \fIaddress\fR, rather than requests sent to all addresses.
+Since serving directly attached DHCP clients implies that the server must
+respond to requests sent to the all-ones IP address, this option cannot be
+used if clients are on directly attached networks...it is only realistically
+useful for a server whose only clients are reached via unicasts, such as via
+DHCP relay agents.
+.PP
+Note:  This statement is only effective if the server was compiled using
+the USE_SOCKETS #define statement, which is default on a small number of
+operating systems, and must be explicitly chosen at compile-time for all
+others.  You can be sure if your server is compiled with USE_SOCKETS if
+you see lines of this format at startup:
+.PP
+ Listening on Socket/eth0
+.PP
+Note also that since this bind()s all DHCP sockets to the specified
+address, that only one address may be supported in a daemon at a given
+time.
+.RE
+.PP
+The
+.I log-facility
+statement
+.RS 0.25i
+.PP
+.B log-facility \fIfacility\fB;\fR
+.PP
+This statement causes the DHCP server to do all of its logging on the
+specified log facility once the dhcpd.conf file has been read.   By
+default the DHCP server logs to the daemon facility.   Possible log
+facilities include auth, authpriv, cron, daemon, ftp, kern, lpr, mail,
+mark, news, ntp, security, syslog, user, uucp, and local0 through
+local7.   Not all of these facilities are available on all systems,
+and there may be other facilities available on other systems.
+.PP
+In addition to setting this value, you may need to modify your
+.I syslog.conf
+file to configure logging of the DHCP server.   For example, you might
+add a line like this:
+.PP
+.nf
+	local7.debug /var/log/dhcpd.log
+.fi
+.PP
+The syntax of the \fIsyslog.conf\fR file may be different on some
+operating systems - consult the \fIsyslog.conf\fR manual page to be
+sure.  To get syslog to start logging to the new file, you must first
+create the file with correct ownership and permissions (usually, the
+same owner and permissions of your /var/log/messages or
+/usr/adm/messages file should be fine) and send a SIGHUP to syslogd.
+Some systems support log rollover using a shell script or program
+called newsyslog or logrotate, and you may be able to configure this
+as well so that your log file doesn't grow uncontrollably.
+.PP
+Because the \fIlog-facility\fR setting is controlled by the dhcpd.conf
+file, log messages printed while parsing the dhcpd.conf file or before
+parsing it are logged to the default log facility.  To prevent this,
+see the README file included with this distribution, which describes
+how to change the default log facility.  When this parameter is used,
+the DHCP server prints its startup message a second time after parsing
+the configuration file, so that the log will be as complete as
+possible.
+.RE
+.PP
+The
+.I max-lease-time
+statement
+.RS 0.25i
+.PP
+.B max-lease-time \fItime\fR\fB;\fR
+.PP
+.I Time
+should be the maximum length in seconds that will be assigned to a
+lease.   The only exception to this is that Dynamic BOOTP lease
+lengths, which are not specified by the client, are not limited by
+this maximum.
+.RE
+.PP
+The
+.I min-lease-time
+statement
+.RS 0.25i
+.PP
+.B min-lease-time \fItime\fR\fB;\fR
+.PP
+.I Time
+should be the minimum length in seconds that will be assigned to a
+lease.
+.RE
+.PP
+The
+.I min-secs
+statement
+.RS 0.25i
+.PP
+.B min-secs \fIseconds\fR\fB;\fR
+.PP
+.I Seconds
+should be the minimum number of seconds since a client began trying to
+acquire a new lease before the DHCP server will respond to its request.
+The number of seconds is based on what the client reports, and the maximum
+value that the client can report is 255 seconds.   Generally, setting this
+to one will result in the DHCP server not responding to the client's first
+request, but always responding to its second request.
+.PP
+This can be used
+to set up a secondary DHCP server which never offers an address to a client
+until the primary server has been given a chance to do so.   If the primary
+server is down, the client will bind to the secondary server, but otherwise
+clients should always bind to the primary.   Note that this does not, by
+itself, permit a primary server and a secondary server to share a pool of
+dynamically-allocatable addresses.
+.RE
+.PP
+The
+.I next-server
+statement
+.RS 0.25i
+.PP
+.B next-server\fR \fIserver-name\fR\fB;\fR
+.PP
+The \fInext-server\fR statement is used to specify the host address of
+the server from which the initial boot file (specified in the
+\fIfilename\fR statement) is to be loaded.   \fIServer-name\fR should
+be a numeric IP address or a domain name.  If no \fInext-server\fR statement
+applies to a given client, the address 0.0.0.0 is used.
+.RE
+.PP
+The
+.I omapi-port
+statement
+.RS 0.25i
+.PP
+.B omapi-port\fR \fIport\fR\fB;\fR
+.PP
+The \fIomapi-port\fR statement causes the DHCP server to listen for
+OMAPI connections on the specified port.   This statement is required
+to enable the OMAPI protocol, which is used to examine and modify the
+state of the DHCP server as it is running.
+.RE
+.PP
+The
+.I one-lease-per-client
+statement
+.RS 0.25i
+.PP
+.B one-lease-per-client \fIflag\fR\fB;\fR
+.PP
+If this flag is enabled, whenever a client sends a DHCPREQUEST for a
+particular lease, the server will automatically free any other leases
+the client holds.   This presumes that when the client sends a
+DHCPREQUEST, it has forgotten any lease not mentioned in the
+DHCPREQUEST - i.e., the client has only a single network interface
+.I and
+it does not remember leases it's holding on networks to which it is
+not currently attached.   Neither of these assumptions are guaranteed
+or provable, so we urge caution in the use of this statement.
+.RE
+.PP
+The
+.I pid-file-name
+statement
+.RS 0.25i
+.PP
+.B pid-file-name
+.I name\fR\fB;\fR
+.PP
+.I Name
+should be the name of the DHCP server's process ID file.   This is the
+file in which the DHCP server's process ID is stored when the server
+starts.   By default, this is RUNDIR/dhcpd.pid.   Like the
+lease-file-name statement, this statement must appear in the outer scope
+of the configuration file.
+.RE
+.PP
+The
+.I ping-check
+statement
+.RS 0.25i
+.PP
+.B ping-check
+.I flag\fR\fB;\fR
+.PP
+When the DHCP server is considering dynamically allocating an IP
+address to a client, it first sends an ICMP Echo request (a \fIping\fR)
+to the address being assigned.   It waits for a second, and if no
+ICMP Echo response has been heard, it assigns the address.   If a
+response \fIis\fR heard, the lease is abandoned, and the server does
+not respond to the client.
+.PP
+This \fIping check\fR introduces a default one-second delay in responding
+to DHCPDISCOVER messages, which can be a problem for some clients.   The
+default delay of one second may be configured using the ping-timeout
+parameter.  The ping-check configuration parameter can be used to control
+checking - if its value is false, no ping check is done.
+.RE
+.PP
+The
+.I ping-timeout
+statement
+.RS 0.25i
+.PP
+.B ping-timeout
+.I seconds\fR\fB;\fR
+.PP
+If the DHCP server determined it should send an ICMP echo request (a
+\fIping\fR) because the ping-check statement is true, ping-timeout allows
+you to configure how many seconds the DHCP server should wait for an
+ICMP Echo response to be heard, if no ICMP Echo response has been received
+before the timeout expires, it assigns the address.  If a response \fIis\fR
+heard, the lease is abandoned, and the server does not respond to the client.
+If no value is set, ping-timeout defaults to 1 second.
+.RE
+.PP
+The
+.I remote-port
+statement
+.RS 0.25i
+.PP
+.B remote-port \fIport\fB;\fR
+.PP
+This statement causes the DHCP server to transmit DHCP responses to DHCP
+clients upon the UDP port specified in \fIport\fR, rather than on port 68.
+In the event that the UDP response is transmitted to a DHCP Relay, the
+server generally uses the \fBlocal-port\fR configuration value.  Should the
+DHCP Relay happen to be addressed as 127.0.0.1, however, the DHCP Server
+transmits its response to the \fBremote-port\fR configuration value.  This
+is generally only useful for testing purposes, and this configuration value
+should generally not be used.
+.RE
+.PP
+The
+.I server-identifier
+statement
+.RS 0.25i
+.PP
+.B server-identifier \fIhostname\fR\fB;\fR
+.PP
+The server-identifier statement can be used to define the value that
+is sent in the DHCP Server Identifier option for a given scope.   The
+value specified \fBmust\fR be an IP address for the DHCP server, and
+must be reachable by all clients served by a particular scope.
+.PP
+The use of the server-identifier statement is not recommended - the only
+reason to use it is to force a value other than the default value to be
+sent on occasions where the default value would be incorrect.   The default
+value is the first IP address associated with the physical network interface
+on which the request arrived.
+.PP
+The usual case where the
+\fIserver-identifier\fR statement needs to be sent is when a physical
+interface has more than one IP address, and the one being sent by default
+isn't appropriate for some or all clients served by that interface.
+Another common case is when an alias is defined for the purpose of
+having a consistent IP address for the DHCP server, and it is desired
+that the clients use this IP address when contacting the server.
+.PP
+Supplying a value for the dhcp-server-identifier option is equivalent
+to using the server-identifier statement.
+.RE
+.PP
+The
+.I server-name
+statement
+.RS 0.25i
+.PP
+.B server-name "\fIname\fB";\fR
+.PP
+The \fIserver-name\fR statement can be used to inform the client of
+the name of the server from which it is booting.   \fIName\fR should
+be the name that will be provided to the client.
+.RE
+.PP
+The
+.I site-option-space
+statement
+.RS 0.25i
+.PP
+.B site-option-space "\fIname\fB";\fR
+.PP
+The \fIsite-option-space\fR statement can be used to determine from
+what option space site-local options will be taken.   This can be used
+in much the same way as the \fIvendor-option-space\fR statement.
+Site-local options in DHCP are those options whose numeric codes are
+greater than 224.   These options are intended for site-specific
+uses, but are frequently used by vendors of embedded hardware that
+contains DHCP clients.   Because site-specific options are allocated
+on an ad hoc basis, it is quite possible that one vendor's DHCP client
+might use the same option code that another vendor's client uses, for
+different purposes.   The \fIsite-option-space\fR option can be used
+to assign a different set of site-specific options for each such
+vendor, using conditional evaluation (see \fBdhcp-eval (5)\fR for
+details).
+.RE
+.PP
+The
+.I stash-agent-options
+statement
+.RS 0.25i
+.PP
+.B stash-agent-options \fIflag\fB;\fR
+.PP
+If the \fIstash-agent-options\fR parameter is true for a given client,
+the server will record the relay agent information options sent during
+the client's initial DHCPREQUEST message when the client was in the
+SELECTING state and behave as if those options are included in all
+subsequent DHCPREQUEST messages sent in the RENEWING state.   This
+works around a problem with relay agent information options, which is
+that they usually not appear in DHCPREQUEST messages sent by the
+client in the RENEWING state, because such messages are unicast
+directly to the server and not sent through a relay agent.
+.RE
+.PP
+The
+.I update-conflict-detection
+statement
+.RS 0.25i
+.PP
+.B update-conflict-detection \fIflag\fB;\fR
+.PP
+If the \fIupdate-conflict-detection\fR parameter is true, the server will
+perform standard DHCID multiple-client, one-name conflict detection.  If
+the parameter has been set false, the server will skip this check and
+instead simply tear down any previous bindings to install the new
+binding without question.  The default is true.
+.RE
+.PP
+The
+.I update-optimization
+statement
+.RS 0.25i
+.PP
+.B update-optimization \fIflag\fB;\fR
+.PP
+If the \fIupdate-optimization\fR parameter is false for a given client,
+the server will attempt a DNS update for that client each time the
+client renews its lease, rather than only attempting an update when it
+appears to be necessary.   This will allow the DNS to heal from
+database inconsistencies more easily, but the cost is that the DHCP
+server must do many more DNS updates.   We recommend leaving this option
+enabled, which is the default.  This option only affects the behavior of
+the interim DNS update scheme, and has no effect on the ad-hoc DNS update
+scheme.   If this parameter is not specified, or is true, the DHCP server
+will only update when the client information changes, the client gets a
+different lease, or the client's lease expires.
+.RE
+.PP
+The
+.I update-static-leases
+statement
+.RS 0.25i
+.PP
+.B update-static-leases \fIflag\fB;\fR
+.PP
+The \fIupdate-static-leases\fR flag, if enabled, causes the DHCP
+server to do DNS updates for clients even if those clients are being
+assigned their IP address using a \fIfixed-address\fR statement - that
+is, the client is being given a static assignment.   This can only
+work with the \fIinterim\fR DNS update scheme.   It is not
+recommended because the DHCP server has no way to tell that the update
+has been done, and therefore will not delete the record when it is not
+in use.   Also, the server must attempt the update each time the
+client renews its lease, which could have a significant performance
+impact in environments that place heavy demands on the DHCP server.
+.RE
+.PP
+The
+.I use-host-decl-names
+statement
+.RS 0.25i
+.PP
+.B use-host-decl-names \fIflag\fB;\fR
+.PP
+If the \fIuse-host-decl-names\fR parameter is true in a given scope,
+then for every host declaration within that scope, the name provided
+for the host declaration will be supplied to the client as its
+hostname.   So, for example,
+.PP
+.nf
+    group {
+      use-host-decl-names on;
+
+      host joe {
+        hardware ethernet 08:00:2b:4c:29:32;
+        fixed-address joe.fugue.com;
+      }
+    }
+
+is equivalent to
+
+      host joe {
+        hardware ethernet 08:00:2b:4c:29:32;
+        fixed-address joe.fugue.com;
+        option host-name "joe";
+      }
+.fi
+.PP
+An \fIoption host-name\fR statement within a host declaration will
+override the use of the name in the host declaration.
+.PP
+It should be noted here that most DHCP clients completely ignore the
+host-name option sent by the DHCP server, and there is no way to
+configure them not to do this.   So you generally have a choice of
+either not having any hostname to client IP address mapping that the
+client will recognize, or doing DNS updates.   It is beyond
+the scope of this document to describe how to make this
+determination.
+.RE
+.PP
+The
+.I use-lease-addr-for-default-route
+statement
+.RS 0.25i
+.PP
+.B use-lease-addr-for-default-route \fIflag\fR\fB;\fR
+.PP
+If the \fIuse-lease-addr-for-default-route\fR parameter is true in a
+given scope, then instead of sending the value specified in the
+routers option (or sending no value at all), the IP address of the
+lease being assigned is sent to the client.   This supposedly causes
+Win95 machines to ARP for all IP addresses, which can be helpful if
+your router is configured for proxy ARP.   The use of this feature is
+not recommended, because it won't work for many DHCP clients.
+.RE
+.PP
+The
+.I vendor-option-space
+statement
+.RS 0.25i
+.PP
+.B vendor-option-space \fIstring\fR\fB;\fR
+.PP
+The \fIvendor-option-space\fR parameter determines from what option
+space vendor options are taken.   The use of this configuration
+parameter is illustrated in the \fBdhcp-options(5)\fR manual page, in
+the \fIVENDOR ENCAPSULATED OPTIONS\fR section.
+.RE
+.SH SETTING PARAMETER VALUES USING EXPRESSIONS
+Sometimes it's helpful to be able to set the value of a DHCP server
+parameter based on some value that the client has sent.   To do this,
+you can use expression evaluation.   The 
+.B dhcp-eval(5)
+manual page describes how to write expressions.   To assign the result
+of an evaluation to an option, define the option as follows:
+.nf
+.sp 1
+  \fImy-parameter \fB= \fIexpression \fB;\fR
+.fi
+.PP
+For example:
+.nf
+.sp 1
+  ddns-hostname = binary-to-ascii (16, 8, "-",
+                                   substring (hardware, 1, 6));
+.fi
+.RE
+.SH RESERVED LEASES
+It's often useful to allocate a single address to a single client, in
+approximate perpetuity.  Host statements with \fBfixed-address\fR clauses
+exist to a certain extent to serve this purpose, but because host statements
+are intended to approximate 'static configuration', they suffer from not being
+referenced in a littany of other Server Services, such as dynamic DNS,
+failover, 'on events' and so forth.
+.PP
+If a standard dynamic lease, as from any range statement, is marked 'reserved',
+then the server will only allocate this lease to the client it is identified
+by (be that by client identifier or hardware address).
+.PP
+In practice, this means that the lease follows the normal state engine, enters
+ACTIVE state when the client is bound to it, expires, or is released, and any
+events or services that would normally be supplied during these events are
+processed normally, as with any other dynamic lease.  The only difference
+is that failover servers treat reserved leases as special when they enter
+the FREE or BACKUP states - each server applies the lease into the state it
+may allocate from - and the leases are not placed on the queue for allocation
+to other clients.  Instead they may only be 'found' by client identity.  The
+result is that the lease is only offered to the returning client.
+.PP
+Care should probably be taken to ensure that the client only has one lease
+within a given subnet that it is identified by.
+.PP
+Leases may be set 'reserved' either through OMAPI, or through the
+\'infinite-is-reserved' configuration option (if this is applicable to your
+environment and mixture of clients).
+.PP
+It should also be noted that leases marked 'reserved' are effectively treated
+the same as leases marked 'bootp'.
+.RE
+.SH REFERENCE: OPTION STATEMENTS
+DHCP option statements are documented in the
+.B dhcp-options(5)
+manual page.
+.SH REFERENCE: EXPRESSIONS
+Expressions used in DHCP option statements and elsewhere are
+documented in the
+.B dhcp-eval(5)
+manual page.
+.SH SEE ALSO
+dhcpd(8), dhcpd.leases(5), dhcp-options(5), dhcp-eval(5), RFC2132, RFC2131.
+.SH AUTHOR
+.B dhcpd.conf(5)
+was written by Ted Lemon
+under a contract with Vixie Labs.   Funding
+for this project was provided by Internet Systems Consortium.
+Information about Internet Systems Consortium can be found at
+.B http://www.isc.org.
diff --git a/dhcpd.init b/dhcpd.init
index ce29a5c..ef08499 100644
--- a/dhcpd.init
+++ b/dhcpd.init
@@ -2,8 +2,8 @@
 #
 ### BEGIN INIT INFO
 # Provides: dhcpd
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
+# Default-Start:
+# Default-Stop:
 # Should-Start:
 # Required-Start: $network
 # Required-Stop:
@@ -14,7 +14,7 @@
 #
 # The fields below are left around for legacy tools (will remove later).
 #
-# chkconfig: - 65 35
+# chkconfig: -
 # description: dhcpd provides the Dynamic Host Configuration Protocol (DHCP) \
 #              server
 # processname: dhcpd
@@ -30,6 +30,7 @@ prog=dhcpd
 dhcpd=/usr/sbin/dhcpd
 lockfile=/var/lock/subsys/dhcpd
 pidfile=/var/run/dhcpd.pid
+statedir=/var/lib/dhcpd
 
 [ -f /etc/sysconfig/dhcpd ] && . /etc/sysconfig/dhcpd
 
@@ -50,10 +51,10 @@ findConfig() {
 
 conf="$(findConfig "$DHCPDARGS")"
 
-if [ ! -f /var/lib/dhcpd/dhcpd.leases ] ; then
-    mkdir -p /var/lib/dhcpd
-    touch /var/lib/dhcpd/dhcpd.leases
-    [ -x /sbin/restorecon ] && [ -d /selinux ] && /sbin/restorecon /var/lib/dhcpd/dhcpd.leases >/dev/null 2>&1
+if [ ! -f $statedir/dhcpd.leases ] ; then
+    mkdir -p $statedir
+    touch $statedir/dhcpd.leases
+    [ -x /sbin/restorecon ] && [ -d /selinux ] && /sbin/restorecon $statedir/dhcpd.leases >/dev/null 2>&1
 fi
 
 configtest() {
diff --git a/dhcrelay.init b/dhcrelay.init
index 115684f..51f047e 100644
--- a/dhcrelay.init
+++ b/dhcrelay.init
@@ -2,8 +2,8 @@
 #
 ### BEGIN INIT INFO
 # Provides: dhcrelay
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
+# Default-Start:
+# Default-Stop:
 # Should-Start:
 # Required-Start: $network
 # Required-Stop:
@@ -15,7 +15,7 @@
 #
 # The fields below are left around for legacy tools (will remove later).
 #
-# chkconfig: - 66 34
+# chkconfig: -
 # description: dhcrelay provides a relay for Dynamic Host Control Protocol.
 # processname: dhcrelay
 # # pidfile: /var/run/dhcrelay.pid
diff --git a/get-ldap-patch.sh b/get-ldap-patch.sh
new file mode 100755
index 0000000..21d1691
--- /dev/null
+++ b/get-ldap-patch.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# Fetch latest version of LDAP patch.  The patch is downloaded and split in
+# the ldap/ subdirectory.  It is up to the packager to merge the updates with
+# the RPM.
+#
+# Upstream: http://home.ntelos.net/~masneyb/
+#
+# David Cantrell <dcantrell@redhat.com>
+#
+
+CWD=$(pwd)
+
+rm -f masneyb.html-$$
+wget -O masneyb.html-$$ http://home.ntelos.net/~masneyb
+p="$(grep "ldap-patch" masneyb.html-$$ | cut -d '>' -f 3 | cut -d '<' -f 1)"
+rm -f masneyb.html-$$
+
+rm -rf ldap/
+mkdir -p ldap/
+cd ldap/
+wget -N http://home.ntelos.net/~masneyb/$p
+splitdiff -a -d $p
+rm -f $p
+
+rm -f *_debian_*