Hello everyone,
Just to share the trick of how to configure OpenLDAP in Ubuntu. We did configure the domain DNS SRV records, and ldapsearch -x -LLL -H ldap:///dc%3Dmy-domain%2Cdc%3Dcom works fine... dig shall also return the target server and port with the command "dig SRV _ldap._tcp.my-domain.com."
The confusing part is: there are 2 ldap.conf files;
a) at /etc/ldap.conf: this one controls how Ubuntu checks user ids, feeding PAM via nss_ldap; just keep it with no URI or commented URI entries and DNS SRV will work as expected (DN must be in place); it is possible to test it using the command "id <user>"; journalctl -f and tcpdump port 389 are useful for troubleshooting;
b) at /etc/ldap/ldap.conf: it is the param source for tools such as ldapsearch; we were not able to make it work without declaring URI, hence we just pointed to one LDAP server, but you can list them all; another option is to do command aliases as in http://www.rjsystems.nl/en/2100-dns-discovery-openldap.php; a proper configuration should list all the users with ldapsearch -x -LLL;
Anyway, doing a very small contribution to this great project, as it took us 4 hours to get it going, and we found old mentions that OpenLDAP does not resolve SRV records (which was the case in the past); also, there are some client implementations that do resolve and some that don't. LDAP is very powerful to escalate servers/virtual machines in which credential sync is required.
Best regards all
openldap-technical@openldap.org
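Added example, not from the post above or from the OpenLDAP project: the small Python helper below does what an SRV-aware LDAP client does behind the scenes when given a URI with no host, so an admin can check what "dig SRV _ldap._tcp.my-domain.com." should yield before blaming ldap.conf. It derives the SRV name from the dc= components of the base DN, parses the ANSWER SECTION of a dig run, and orders the targets as RFC 2782 directs (lowest priority first, weighted random choice within a priority level). The dig output, host names and weights are constructed sample data, not real records.

```python
"""LDAP DNS SRV discovery helpers: base DN -> SRV name, `dig SRV` answer
parsing, and RFC 2782 target ordering. Example code added to this post;
not part of OpenLDAP. SAMPLE_DIG_ANSWER is constructed sample data."""
import random
from dataclasses import dataclass

# Constructed: what `dig SRV _ldap._tcp.my-domain.com.` might print.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
_ldap._tcp.my-domain.com. 3600 IN SRV 10 60 389 ldap1.my-domain.com.
_ldap._tcp.my-domain.com. 3600 IN SRV 10 40 389 ldap2.my-domain.com.
_ldap._tcp.my-domain.com. 3600 IN SRV 20 0 389 ldap-backup.my-domain.com.
"""


@dataclass(frozen=True)
class SrvTarget:
    priority: int
    weight: int
    port: int
    host: str


def srv_name_from_dn(base_dn: str, service: str = "_ldap._tcp") -> str:
    """Build the SRV owner name a client queries for a base DN.

    Only dc= components are used (RFC 2247 domain/DN mapping), so
    dc=my-domain,dc=com -> _ldap._tcp.my-domain.com and an ou= prefix
    is ignored.
    """
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() == "dc" and value:
            labels.append(value)
    if not labels:
        raise ValueError("base DN contains no dc= components")
    return f"{service}.{'.'.join(labels)}"


def parse_dig_srv(answer_text: str) -> list:
    """Parse ANSWER SECTION lines of `dig SRV ...` into SrvTarget records.

    Expected layout: owner ttl IN SRV priority weight port target.
    Anything that is not an SRV record (comments, blank lines) is skipped.
    """
    targets = []
    for line in answer_text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3].upper() != "SRV":
            continue
        priority, weight, port = (int(p) for p in parts[4:7])
        targets.append(SrvTarget(priority, weight, port, parts[7].rstrip(".")))
    return targets


def order_targets(targets, rng=None) -> list:
    """Order targets per RFC 2782: ascending priority; within one priority,
    weighted random selection with weight-0 records placed first so they
    are rarely chosen. Pass an object with randint(a, b) for reproducibility."""
    rng = rng or random.Random()
    by_priority = {}
    for t in targets:
        by_priority.setdefault(t.priority, []).append(t)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda t: t.weight != 0)
        while pool:
            total = sum(t.weight for t in pool)
            r = rng.randint(0, total)
            running = 0
            for chosen in pool:          # first record whose running sum >= r
                running += chosen.weight
                if running >= r:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def ldap_uris(ordered_targets) -> list:
    """Turn ordered targets into the URI list a client would try in turn."""
    return [f"ldap://{t.host}:{t.port}" for t in ordered_targets]


if __name__ == "__main__":
    print("query:", srv_name_from_dn("dc=my-domain,dc=com"))
    for uri in ldap_uris(order_targets(parse_dig_srv(SAMPLE_DIG_ANSWER))):
        print("try:", uri)
```

Feeding real dig output in place of the constructed sample shows the exact host order a client should walk; if the names or ports differ from what the nss_ldap or ldapsearch side actually connects to (visible with tcpdump port 389), the mismatch is in the records, not in ldap.conf.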