
(ITS#9080) Feature request: support DNS SRV lookups in ldap.conf



Full_Name: Norman Gray
Version: 2.4.47
OS: FreeBSD 12.0 (but not OS-specific)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:8b0:df5:af53:c1a5:cbb2:6a6a:3390)


Feature request: support specification of DNS SRV records in ldap.conf, matching
ldapsearch -H

The `ldapsearch` tool supports specifying lookups of SRV records via
a special case syntax in the argument to the `-H` option.  A URI such
as ldap:///dc=ldap,dc=example,dc=com (with the commas and equals signs
suitably escaped) prompts ldapsearch to do a lookup of an SRV record
for ldap.example.com.

However the URI syntax in ldap.conf doesn't have a corresponding
special case, so it's not possible to put such a spec in a ldap.conf
file.

The ldap.conf documentation doesn't claim any support for SRV records,
so there isn't a bug here, but on a Principle of Least Astonishment it
would be very useful if the same syntax that -H respects were
respected by ldap.conf as well.

Other LDAP clients have different ways of specifying this (eg,
nslcd.conf supports a `DNS:<domain>` syntax; Linux automount's
`autofs.conf` has a `ldap_uri` attribute which supports a very similar
dc=xxx syntax), so an alternative ldap.conf syntax would be a good
second best.

As an auxiliary point, when `ldapsearch` sees `URI ldap:///dc%3D...`
in the ldap.conf file, it silently ignores it, rather than producing
an error.  It doesn't even produce a warning when `ldapsearch` is
invoked with `-d-1`.  I had to use strace to reassure myself that the
config file was actually being read.  I feel that a library should
make a _lot_ more noise about an attribute in a configuration file
being seen but ignored (I can see that the `ldap://dc...` URI, which
is of course syntactically OK, _might_ be inadvertently meaningful,
and thus not necessarily a detectable error, but even in that case
`-d-1` should produce _something_).

A scan through ITS reports found the following:

  * ITS#5919 (2009, still open) discusses a similar request, and
    discusses a variety of issues with it.  This is a useful cross-reference.
  * ITS#6462 (2010, open) and ITS#8610 (2017, open) both touch on SRV records,
    but aren't particularly relevant, since they're both about the
    handling of ldaps:// URIs specifying a SRV record.
  * ITS#7027 (2011, closed) and ITS#8196 (open) are concerned with
    the internal handling of SRV records, but not their configuration


$ ldapsearch -VV
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.47 (Jul 25 2019 01:30:14) $
	root@120amd64-quarterly-job-16:/wrkdirs/usr/ports/net/openldap24-sasl-client/work/openldap-2.4.47/clients/tools
	(LDAP library: OpenLDAP 20447)
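The SRV special case the report describes (a host-less `ldap:///dc=...` URI with its DN percent-escaped, mapped to a DNS name and then an SRV query), shown as an added Python example that is not part of the report or of OpenLDAP's own code. It assumes the dc-to-domain mapping keeps only `dc=` RDNs, uses only the `_ldap._tcp` service name, and orders a set of constructed, inline SRV answers by RFC 2782 priority and weight into a space-separated `host:port` list; no DNS query is made.

```python
"""Derive the DNS SRV name implied by a host-less LDAP URI and order
constructed SRV answers into a host list (RFC 2782 priority/weight).

Added example, not OpenLDAP's code.  The dc= to domain mapping is an
assumption about the library's behaviour: only dc= RDNs contribute labels.
"""
import random
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


def split_dn(dn: str) -> list:
    """Split an RFC 4514 string DN on unescaped commas, keeping '\\,' pairs."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


def dn_to_domain(dn: str) -> str:
    """dc=ldap,dc=example,dc=com -> ldap.example.com (assumed mapping)."""
    labels = [v.strip() for a, _, v in (r.partition("=") for r in split_dn(dn))
              if a.strip().lower() == "dc"]
    if not labels:
        raise ValueError(f"no dc= components in DN: {dn!r}")
    return ".".join(labels)


def srv_name_for_uri(uri: str) -> str:
    """Only ldap:///<dn> with no host part triggers the SRV special case."""
    p = urlsplit(uri)
    if p.scheme != "ldap":
        raise ValueError(f"only the ldap: scheme is handled here, got {p.scheme!r}")
    if p.netloc:
        raise ValueError(f"URI names a host ({p.netloc}); no SRV lookup")
    dn = unquote(p.path.lstrip("/"))   # undo the %3D / %2C escaping
    if not dn:
        raise ValueError("URI carries neither host nor DN")
    return f"_ldap._tcp.{dn_to_domain(dn)}"


def triggers_srv(uri: str) -> bool:
    """True when the URI would be treated as an SRV lookup, False otherwise."""
    try:
        srv_name_for_uri(uri)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records, rng=None):
    """RFC 2782 order: lowest priority first; ties broken by weighted random."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    break
            ordered.append(r)
            pool.remove(r)
    return ordered


def hostlist(records, rng=None) -> str:
    """Space-separated host:port list built from the ordered SRV answers."""
    return " ".join(f"{r.target}:{r.port}" for r in order_srv(records, rng))


# Constructed SRV answers for _ldap._tcp.ldap.example.com (not real DNS data).
SAMPLE_ANSWERS = [
    SRV(priority=10, weight=0, port=389, target="backup.ldap.example.com"),
    SRV(priority=0, weight=60, port=389, target="ldap1.ldap.example.com"),
    SRV(priority=0, weight=40, port=389, target="ldap2.ldap.example.com"),
]

if __name__ == "__main__":
    uri = "ldap:///dc%3Dldap%2Cdc%3Dexample%2Cdc%3Dcom"   # the form -H accepts
    print(srv_name_for_uri(uri))
    print(hostlist(SAMPLE_ANSWERS, random.Random(1)))
    for bad in ("ldap://ldap.example.com/dc%3Dexample", "ldap:///"):
        print("not an SRV URI:", bad, "->", triggers_srv(bad))
```

The rejection branches are the point worth noting against the report's auxiliary complaint: a URI that carries a host part, or neither host nor DN, is refused loudly here rather than silently dropped, which is the behaviour the report asks of ldap.conf parsing.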