Full_Name: Norman Gray Version: 2.4.47 OS: FreeBSD 12.0 (but not OS-soecific) URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:8b0:df5:af53:c1a5:cbb2:6a6a:3390) Feature request: support specification of DNS SRV records in ldap.conf, matching ldapsearch -H The `ldapsearch` tools supports specifying lookups of SRV records via a special case syntax in the argument to the `-H` option. A URI such as ldap:///dc=ldap,dc=example,dc=com (with the commas and equals signs suitably escaped) prompts ldapsearch to do a lookup of an SRV record for ldap.example.com. However the URI synatx in ldap.conf doesn't have a corresponding special case, so it's not possible to put such a spec in a ldap.conf file. The ldap.conf documentation doesn't claim any support for SRV records, so there isn't a bug here, but on a Principle of Least Astonishment it would be very useful if the same syntax that -H respects were respected by ldap.conf as well. Other LDAP clients have different ways of specifying this (eg, nslcd.conf supports a `DNS:<domain>` syntax; Linux automount's `autofs.conf` has a `ldap_uri` attribute which supports a very similar dc=xxx syntax), so an alternative ldap.conf syntax would be a good second best. As an auxiliary point, when `ldapsearch` sees `URI ldap:///dc%3D...` in the ldap.conf file, it silently ignores it, rather than producing an error. It doesn't even produce a warning when `ldapsearch` is invoked with `-d-1`. I had to use strace to reassure myself that the config file was actually being read. I feel that a library should make a _lot_ more noise about an attribute in a configuration file being seen but ignored (I can see that the `ldap://dc...` URI, which is of course syntactically OK, _might_ be inadvertently meaningful, and thus not necessarily a detectable error, but even in that case `-d-1` should produce _something_). A scan through ITS reports found the following: * ITS#5919 (2009, still open) discusses a similar request, and discusses a variety of issues with it. This is a useful cross-reference. * ITS#6462 (2010, open) and ITS#8610 (2017, open) both touch on SRV records, but aren't particularly relevant, since they're both about the handling of ldaps:// URIs specifying a SRV record. * ITS#7027 (2011, closed) and ITS#8196 (open) are concerned with the internal handling of SRV records, but not their configuration $ ldapsearch -VV ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.47 (Jul 25 2019 01:30:14) $ root@120amd64-quarterly-job-16:/wrkdirs/usr/ports/net/openldap24-sasl-client/work/openldap-2.4.47/clients/tools (LDAP library: OpenLDAP 20447)
I should also note that ITS#4996 (2007, closed) appears to be the issue which resulted in the support for `-H "<proto>:///DN"` being added to the command-line clients. -- Norman Gray : https://nxg.me.uk SUPA School of Physics and Astronomy, University of Glasgow, UK
Created attachment 730 [details] openldap clients/tools honor config files ldap.conf ldaprc URI setting It seems all the client tools needlessly overwrite the URI setting with the default ldap://localhost, which gets used anyhow if there is no URI at all given in config files or on commandline. The attached patch is a first attempt, it has had little testing other than putting a DNS SRV URI in /etc/ldap/ldap.conf, but it should help move the conversation along. It seemed to me that 'ldapsearch (uid=me) homeDirectory' should just work vs Samba AD DC's ldap, and now it does for me. I am happy to contribute this under whatever opensource license OpenLDAP uses.
(In reply to jerj from comment #2) > I am happy to contribute this under whatever opensource license OpenLDAP > uses. Please see https://www.openldap.org/devel/contributing.html, particularly the IPR section.