Re: DNS discovery for OpenLDAP?
On Sunday, 7 March 2010 05:12:13 Jaap Winius wrote:
> Quoting Howard Chu <email@example.com>:
> > Russ Allbery wrote:
> >> I'm not sure if this is also available directly in the library or if the
> >> client has to implement it.
> > This feature is implemented in the OpenLDAP client code, not in libldap.
> Okay, so I created these DNS records in my example.com zone file:
> _ldap._tcp IN SRV 10 0 389 server1
> _ldap._tcp IN SRV 20 0 389 server2
> ... and I got this to work:
> ldapsearch -H ldap:///dc%3Dexample%2Cdc%3Dcom uid=jsmith
> (That's "dc=example,dc=com" escaped according to RFC 2396).
> However, if /etc/ldap/ldap.conf could be configured like this:
> BASE dc=example,dc=com
> URI ldap:///dc%3Dexample%2Cdc%3Dcom
> ... and /etc/libnss-ldap.conf and /etc/pam_ldap.conf could support
> about the same, now that would be more like it! Unfortunately, that
> doesn't work.
IIRC nss_ldap supports DNS discovery if you omit the URI. However,
pam_ldap does not, and IMHO shouldn't by default (as it would be too easy to
trick a client into sending a clear-text password - I believe Mac OS X had such a
vulnerability ...). I think Red Hat may have a patch on pam_ldap to add the
feature there, but I am not sure if it has gone upstream.
See the 'nss_srv_domain' option in 'man nss_ldap'.
What were you wanting to use pam_ldap for, if pam_krb5 should surely be doing
authentication? LDAP-based authorization?
> Correct me if I'm wrong, but I get the impression that none of the
> above will be possible until support for DNS SRV records is added to
Why is this a prerequisite?
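The discovery step the thread relies on (a host-less URL like `ldap:///dc%3Dexample%2Cdc%3Dcom` mapped to an `_ldap._tcp` SRV lookup, with the answers ordered by priority and weight), as an added example that is not part of the original thread or of OpenLDAP's code. The SRV answer is constructed to mirror the two zone records quoted above; no real DNS query is made.

```python
from urllib.parse import urlsplit, unquote

# Constructed SRV answer for _ldap._tcp.example.com, deliberately out of order:
# (priority, weight, port, target), mirroring the two records in the thread.
CONSTRUCTED_SRV = [
    (20, 0, 389, "server2.example.com."),
    (10, 0, 389, "server1.example.com."),
]

def dn_to_domain(dn):
    """Map a DN made only of dc= components to a DNS domain (RFC 2247 style).
    Any other RDN has no DNS meaning, so it is rejected rather than guessed."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError("RDN %r is not a dc component" % rdn)
        labels.append(value)
    return ".".join(labels)

def srv_name_for_url(url):
    """Return the SRV owner name to query for a host-less LDAP URL, or None
    when the URL already names a host (then there is nothing to discover)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if parts.netloc:
        return None
    dn = unquote(parts.path.lstrip("/"))  # undo the RFC 2396 %-escapes
    return "_ldap._tcp." + dn_to_domain(dn)

def order_srv(records):
    """Order SRV records as RFC 2782 requires: lowest priority first, then
    higher weight first. Deterministic here; a real resolver randomises
    among records of equal weight."""
    return sorted(records, key=lambda r: (r[0], -r[1]))

def discover(url, records=CONSTRUCTED_SRV):
    """Return the ordered (host, port) list to try for url.

    The hosts come from unauthenticated DNS, which is the point made in the
    thread about pam_ldap: a client must verify the server (TLS) before
    sending any credentials to a host chosen this way."""
    if srv_name_for_url(url) is None:
        return []
    return [(t.rstrip("."), p) for _, _, p, t in order_srv(records)]
```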