----- "Matt Kowske" jmkowske@gmail.com wrote:
Hello,
I have been searching google trying to find an answer to this, but have only things dated 2001 and prior. Question: Does openldap (client) support the use of SRV records to determine the availability of an ldap server? In this particular case, the openldap libraries are compiled into another unix executable and 1 of 8 AD servers is contacted via round robin DNS aliasing. Is it possible for openldap to reference the SRV record in DNS rather than the A record?
2.4 does, 2.3 doesn't.
Thanks. Where can I find some documentation on configuring that in 2.4?
On Wed, Dec 17, 2008 at 8:31 AM, Gavin Henry ghenry@suretecsystems.com wrote:
-- Kind Regards,
Gavin Henry.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry@suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
I apologize, but I did find a reference on how to do this in the man page for ldapsearch:
-H ldapuri
Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed. As an exception, if no host/port is specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396.
My question then, is this also possible when not using the ldapsearch tool, but using the ldap library calls/API or is this change in 2.4 exclusive to the command line tools?
On Wed, Dec 17, 2008 at 1:06 PM, Matt Kowske jmkowske@gmail.com wrote:
The client tools all use libldap.
Thanks.
Thank you. Could you provide an example of this functionality with ldapsearch?
ldapsearch -x -v -H "dc%3Ddomain%2Cdc%3Dcom" -b "CN=Users,DC=domain,DC=com" -D "CN=Matt Kowske,CN=Users,DC=domain,DC=com" -W "samaccountname=mkowske"
Could not parse LDAP URI(s)=dc%3Ddomain%2Cdc%3Dcom (3)
This is ldap version 2.4.11. I (tried) to look at the code, and found the section of code in common.c where it is erroring out, but couldn't determine much beyond that. Why is the above not being recognized as a DN? It should not be parsed as a URI according to the man page.
-Matt
On Wed, Dec 17, 2008 at 3:14 PM, Gavin Henry ghenry@openldap.org wrote:
-- Kind Regards,
Gavin Henry. OpenLDAP Engineering Team.
E ghenry@OpenLDAP.org
Community developed LDAP software.
Disregard, I've figured out it needs to be of the form:
ldap:///dc%3Ddomain%2Cdc%3Dcom
On Wed, Dec 17, 2008 at 4:38 PM, Matt Kowske jmkowske@gmail.com wrote:
Thanks for following up for others and the archives.
Gavin.
Matt Kowske wrote:
The man page says: "if no host/port is specified, but a DN is...". It means that:
- you must provide a(n RFC 45) LDAP URI
- it must contain no host/port
- it must contain a DN
yours is not an LDAP URI. Try something like "ldap:///dc=domain,dc=com".
The 2.4 client tools have been modified to support this feature. However, they use libldap to perform this. See clients/tools/common.c, the calls to ldap_dn2domain(3) and ldap_domain2hostlist(3) (I don't think they actually have a man page...). Those calls are available in libldap since 2.0, I believe, in 2000.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it
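An added example (not code from this thread or from libldap) of the path Pierangelo describes: the host-less URI is reduced to its DN, the dc components become a DNS name (the job of ldap_dn2domain), and the _ldap._tcp SRV records for that name become a host:port list (the job of ldap_domain2hostlist), here ordered per RFC 2782. The SRV answers are a constructed table rather than a live DNS query, and the RFC 2782 ordering is this example's choice, not a claim about what libldap does.

```python
import random
from urllib.parse import urlsplit, unquote

# Constructed SRV answers (priority, weight, port, target) for _ldap._tcp.<domain>.
FAKE_SRV = {
    "_ldap._tcp.domain.com": [
        (10, 60, 389, "dc1.domain.com"),
        (10, 40, 389, "dc2.domain.com"),
        (20, 0, 389, "dc-backup.domain.com"),
    ],
}

def uri_to_dn(uri):
    """DN of a host-less LDAP URI, or None (a bare dc%3D... has no scheme)."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or parts.netloc:
        return None
    return unquote(parts.path.lstrip("/")) or None  # RFC 2396 unescape

def dn_to_domain(dn):
    """dc-only DN -> DNS name (cf. ldap_dn2domain); any other AVA is rejected."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = (s.strip() for s in rdn.partition("="))
        if not sep or attr.lower() != "dc" or not value:
            raise ValueError("not a dc-only DN: %r" % rdn)
        labels.append(value)
    return ".".join(labels)

def order_srv(records, rng=random):
    """RFC 2782: ascending priority, weighted random within it, weight 0 last resort."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # weight-0 entries go first so they are chosen only when the draw is 0
        bucket = sorted((r for r in records if r[0] == prio),
                        key=lambda r: r[1] != 0)
        while bucket:
            threshold = rng.randint(0, sum(r[1] for r in bucket))
            running = 0
            for rec in bucket:
                running += rec[1]
                if running >= threshold:
                    break
            ordered.append(rec)
            bucket.remove(rec)
    return ordered

def domain_to_hostlist(domain, srv_table=FAKE_SRV, rng=random):
    """'host:port host:port ...' for a domain (cf. ldap_domain2hostlist)."""
    records = srv_table.get("_ldap._tcp." + domain)
    if not records:
        raise LookupError("no _ldap._tcp SRV records for " + domain)
    return " ".join("%s:%d" % (t, p) for _, _, p, t in order_srv(records, rng))

def resolve_uri(uri, srv_table=FAKE_SRV, rng=random):
    """ldap:///<dn> -> DN -> domain -> SRV host list (unauthenticated DNS:
    still connect with ldaps/StartTLS and verify the server certificate)."""
    dn = uri_to_dn(uri)
    if dn is None:
        raise ValueError("Could not parse LDAP URI(s)=" + uri)
    return domain_to_hostlist(dn_to_domain(dn), srv_table, rng)
```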
Pierangelo Masarati wrote:
- you must provide a(n RFC 45) LDAP URI
RFC 4516 :)
On Thursday 18 December 2008 01:24:11 Pierangelo Masarati wrote:
Is there a reason this isn't implemented in the library? As far as I understand, at present only the OpenLDAP utilities will work with this URI, while if it were implemented in the library, other LDAP clients using the OpenLDAP library which don't already support a similar feature (sudo is the best example I can think of in this case, though various other desktop software could benefit) would get it for free?
(nss_ldap has its own implementation of this feature, but the configuration is different and probably not compatible with sudo if sudo uses the nss_ldap configuration file).
Regards, Buchan
It is Buchan. See ando's reply.
On 30/12/2008, Buchan Milne bgmilne@staff.telkomsa.net wrote:
Buchan Milne wrote:
Because. If this is considered useful, we can move it to the library, of course. Please file an ITS.
p.
I'm confused. You said it's already in the libs ando?
On 30/12/2008, Pierangelo Masarati ando@sys-net.it wrote:
----- "Gavin Henry" gavin.henry@gmail.com wrote:
I'm confused. You said it's already in the libs ando?
I said this feature (DN with no host/port resorting to DNS SRV) is implemented using calls that are in the libs since 2000 or so. I understand that Buchan would like the libs to have this feature built-in (into ldap_initialize(3), I guess).
p.