Re: DNS discovery for OpenLDAP?

[Buchan Milne <bgmilne@staff.telkomsa.net>]

On Sunday, 7 March 2010 05:12:13 Jaap Winius wrote:
> Quoting Howard Chu <hyc@symas.com>:
> > Russ Allbery wrote:
> >> I'm not sure if this is also available directly in the library or if the
> >> client has to implement it.
> >
> > This feature is implemented in the OpenLDAP client code, not in libldap.
> 
> Okay, so I created these DNS records in my example.com zone file:
> 
>     _ldap._tcp   IN   SRV   10 0 389 server1
>     _ldap._tcp   IN   SRV   20 0 389 server2
> 
> ... and I got this to work:
> 
>     ldapsearch -H ldap:///dc%3Dexample%2Cdc%3Dcom uid=jsmith
> 
> (That's "dc=example,dc=com" escaped according to RFC 2396).
> 
> However, if /etc/ldap/ldap.conf could be configured like this:
> 
>     BASE    dc=example,dc=com
>     URI     ldap:///dc%3Dexample%2Cdc%3Dcom
> 
> ... and /etc/libnss-ldap.conf and /etc/pam_ldap.conf could support
> about the same, now that would be more like it! Unfortunately, that
> doesn't work.

IIRC nss_ldap by supports DNS discovery, if you omit the URI. However, 
pam_ldap does not, and IMHO, shouldn't by default (as it would be too easy to 
trick a client to send a clear-text password - I believe Mac OS X had such a 
vulnerability ...). I think Red Hat may have a patch on pam_ldap to add the 
feature there, but I am not sure if it has gone upstream.

See the 'nss_srv_domain' option in 'man nss_ldap'.

What were you wanting to use pam_ldap for, if pam_krb5 should surely be doing 
authentication? LDAP-based authorization?

> Correct me if I'm wrong, but I get the impression that none of the
> above will be possible until support for DNS SRV records is added to
> libldap.

Why is this a prerequisite?

Regards,
Buchan