Quoting Buchan Milne <bgmilne@staff.telkomsa.net>:
IIRC nss_ldap by supports DNS discovery, if you omit the URI. ...
Did you mean to say that nss_ldap uses DNS discovery "by default"? Indeed, that is the way it seems to behave; I just ran some more tests, and apparently the nss_srv_domain option is not even necessary.
However, pam_ldap does not, and IMHO, shouldn't by default ...
Indeed, I can also omit the LDAP URI from /etc/pam_ldap.conf and still the users have no problem logging in. Kerberos is doing its job.
Now the only thing left is /etc/ldap/ldap.conf. Unfortunately, if no LDAP URI is included in this configuration file, most of the usual LDAP utilities will not work. If it includes an option like "URI ldap:///dc%3Dexample%2Cdc%3Dcom", not even ldapsearch will understand. What's the problem here... libldap?
Thanks, Jaap