On Jun 2, 2007, at 5:31 AM, rra@stanford.edu wrote:
Full_Name: Russ Allbery Version: 2.3.35 OS: Debian URL: Submission from: (NULL) (171.66.157.14)
A user of the Debian OpenLDAP package requested support in the command-line utilities for using SRV entries to locate the local LDAP server. My understanding of the suggestion is that if one didn't specify -h or -H, a SRV record lookup would be tried before falling back to localhost. (You may not want to change the default behavior, though, and add another switch.)
One could use DNS SRV on the domain provided by -H, or by ldap.conf (5), and use it present, with (likely best) or without an option to enable the behavior.
One could also use DNS SRV on the domain associated with the baseObject/target DN with an option to enable this behavior. That is, ldapsearch -b "dc=example,dc=org" would cause a DNS SRV lookup on example.org. This is what the DNSSRV backend does.
Not sure adding to the command line tools would be especially useful. That is, I don't think DNS SRV fits well in the common use pattern of command line tools. But someone implements this behind an option, it shouldn't do any harm.
Lastly I note that the domain to use DNS SRV should come from the user (or application entity), not the local host. Using the local resolver configuration is a really bad idea.
-- Kurt
For the full suggestion, see:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=221173
It looks like much of the necessary code is already there in libldap, and looking at the libldap code, you could also intuit the correct server based on any search base provided.
-
kurt@OpenLDAP.org