On Sunday, 7 March 2010 05:12:13 Jaap Winius wrote:
Quoting Howard Chu hyc@symas.com:
Russ Allbery wrote:
I'm not sure if this is also available directly in the library or if the client has to implement it.
This feature is implemented in the OpenLDAP client code, not in libldap.
Okay, so I created these DNS records in my example.com zone file:
_ldap._tcp IN SRV 10 0 389 server1 _ldap._tcp IN SRV 20 0 389 server2... and I got this to work:
ldapsearch -H ldap:///dc%3Dexample%2Cdc%3Dcom uid=jsmith(That's "dc=example,dc=com" escaped according to RFC 2396).
However, if /etc/ldap/ldap.conf could be configured like this:
BASE dc=example,dc=com URI ldap:///dc%3Dexample%2Cdc%3Dcom... and /etc/libnss-ldap.conf and /etc/pam_ldap.conf could support about the same, now that would be more like it! Unfortunately, that doesn't work.
IIRC nss_ldap by supports DNS discovery, if you omit the URI. However, pam_ldap does not, and IMHO, shouldn't by default (as it would be too easy to trick a client to send a clear-text password - I believe Mac OS X had such a vulnerability ...). I think Red Hat may have a patch on pam_ldap to add the feature there, but I am not sure if it has gone upstream.
See the 'nss_srv_domain' option in 'man nss_ldap'.
What were you wanting to use pam_ldap for, if pam_krb5 should surely be doing authentication? LDAP-based authorization?
Correct me if I'm wrong, but I get the impression that none of the above will be possible until support for DNS SRV records is added to libldap.
Why is this a prerequisite?
Regards, Buchan