On Sunday, 7 March 2010 05:12:13 Jaap Winius wrote:
> Quoting Howard Chu <hyc(a)symas.com>:
> > Russ Allbery wrote:
> >> I'm not sure if this is also available directly in the library or if the
> >> client has to implement it.
> >
> > This feature is implemented in the OpenLDAP client code, not in libldap.
> Okay, so I created these DNS records in my example.com zone file:
> _ldap._tcp IN SRV 10 0 389 server1
> _ldap._tcp IN SRV 20 0 389 server2
> ... and I got this to work:
> ldapsearch -H ldap:///dc%3Dexample%2Cdc%3Dcom uid=jsmith
> (That's "dc=example,dc=com" escaped according to RFC 2396).
> However, if /etc/ldap/ldap.conf could be configured like this:
> BASE dc=example,dc=com
> URI ldap:///dc%3Dexample%2Cdc%3Dcom
> ... and /etc/libnss-ldap.conf and /etc/pam_ldap.conf could support
> about the same, now that would be more like it! Unfortunately, that
> doesn't work.
IIRC nss_ldap supports DNS discovery, if you omit the URI. However,
pam_ldap does not, and IMHO, shouldn't by default (as it would be too easy to
trick a client to send a clear-text password - I believe Mac OS X had such a
vulnerability ...). I think Red Hat may have a patch on pam_ldap to add the
feature there, but I am not sure if it has gone upstream.
See the 'nss_srv_domain' option in 'man nss_ldap'.
What were you wanting to use pam_ldap for, if pam_krb5 should surely be doing
authentication? LDAP-based authorization?
> Correct me if I'm wrong, but I get the impression that none of the above
> will be possible until support for DNS SRV records is added to libldap.
Why is this a prerequisite?
Regards,
Buchan
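The DN-to-SRV mapping and the RFC 2396-escaped ldap:/// URI discussed in this thread, worked through as an added example (my code, not OpenLDAP's, nss_ldap's or pam_ldap's). The zone data is constructed inline from the two records quoted above instead of being looked up in DNS, and the server ordering follows the RFC 2782 priority/weight rules.

```python
import random
from urllib.parse import quote

# Constructed zone data: the two records quoted in the thread, in example.com.
ZONE_ORIGIN = "example.com"
ZONE_LINES = ["_ldap._tcp IN SRV 10 0 389 server1",
              "_ldap._tcp IN SRV 20 0 389 server2"]

def dn_to_uri(base_dn):
    """ldapsearch -H form: RFC 2396 escaping turns '=' into %3D and ',' into %2C."""
    return "ldap:///" + quote(base_dn, safe="")

def dn_to_srv_name(base_dn):
    """dc=example,dc=com -> _ldap._tcp.example.com (only dc= components count)."""
    rdns = [r.strip() for r in base_dn.split(",")]
    dcs = [r.split("=", 1)[1] for r in rdns if r.lower().startswith("dc=")]
    return "_ldap._tcp." + ".".join(dcs)

def parse_srv_zone(lines, origin):
    """Zone lines -> {owner fqdn: [(priority, weight, port, target fqdn), ...]}."""
    zone = {}
    for line in lines:
        f = line.split()
        if len(f) != 7 or f[2] != "SRV":
            continue
        target = f[6] if f[6].endswith(".") else f[6] + "." + origin + "."
        rec = (int(f[3]), int(f[4]), int(f[5]), target.rstrip("."))
        zone.setdefault(f[0] + "." + origin, []).append(rec)
    return zone

def order_srv(records, rng=random):
    """RFC 2782 order: lowest priority first, weighted random pick within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            pick, running = rng.randint(0, sum(r[1] for r in pool)), 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered

def discover_servers(base_dn, rng=random):
    """Ordered ldap:// URIs that SRV discovery of base_dn would try, first to last."""
    # A real client queries DNS here; that answer is unauthenticated, so a bind
    # password should only travel over TLS with the server certificate verified.
    name = dn_to_srv_name(base_dn)
    records = parse_srv_zone(ZONE_LINES, ZONE_ORIGIN).get(name, [])
    return name, ["ldap://%s:%d" % (r[3], r[2]) for r in order_srv(records, rng)]
```

With the records above, server1 is always tried before server2 because priority 10 sorts ahead of 20; the weighted pick only matters between records that share a priority.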