ldapi:// with path

Michael Ströder michael at stroeder.com
Wed Jul 1 00:04:04 CEST 2015


Arran Cudbard-Bell wrote:
>> On Jun 30, 2015, at 5:19 PM, Michael Ströder <michael at stroeder.com> wrote:
>> It's quite a simple change which you could announce clearly.
> 
> Then all the package maintainers would refuse to update until the next major
> release of their OS because it'd be a breaking change.

The holy cow of package maintainers is calling their distribution "stable".
For whatever definition of "stable" that is...

>> First of all:
>> It's required to work for LDAPI (which I use a lot together with SASL/EXTERNAL).
> 
> No it's not.
> 
> As previously stated we could construct the URL with an ldapi:// prefix, and pass
> that to LDAP initialize.

Hmm, of course you could even accept a path name for "server". But that makes
distinguishing the different values even more complicated.

>> LDAP URLs also have everything in one parameter.
> 
> Which makes parsing and modifying the configuration programmatically harder,
> and is inconsistent with everything else in the server.
> 
> You don't use redis:// to specify a redis server, you don't use mysql:// to
> specify a mysql server.

Frankly I love URLs... ;-)

>> Example:
>>
>> ldaps://ldap.example.com:9999 tells you to talk TLS before LDAP to host
>> ldap.example.com and port 9999 all in one line.
> 
> But being able to turn on SSL for individual hosts in a cluster is potentially
> useful.  I guess that's the biggest advantage.
> 
> I can't say I've ever come across an LDAP cluster that uses a mixture of
> cleartext and TLS connections though.

You could think of a local replica accessible via LDAPI and using a remote
replica as fallback.

>> In web2ldap I even use LDAP URL extensions so you can construct a bookmark
>> specifying use of the StartTLS extended operation.
> 
> Is the extension standard, or something you pull out and use as a hint to call
> ldap_start_tls (or Python equivalent)?

The LDAP URL extensions are standard but this particular extension is not. I
should write an I-D though.

<off-topic>

In python-ldap it's pretty easy to deal with LDAP URLs and custom extensions
by just defining a mapping from an extension name to a class attribute:

https://fossies.org/linux/web2ldap/pylib/ldaputil/extldapurl.py

</off-topic>

Ciao, Michael.
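Added example (not code from the thread, python-ldap or web2ldap): a small RFC 4516 LDAP URL parser showing the three points argued above in one place, namely that ldapi:// carries the socket path percent-encoded in the host slot, that ldap/ldaps/StartTLS can be told apart from the URL alone, and that a custom extension name can be mapped onto a class attribute. The extension name "x-starttls" is a hypothetical private-use name chosen for this example, not a registered one; "bindname" is the standard RFC 4516 extension. Unknown extensions marked critical with "!" are rejected, as RFC 4516 requires, and StartTLS is refused on anything but ldap://, since it is meaningless on ldaps:// and on a Unix socket.

```python
"""RFC 4516 LDAP URL parser with a custom-extension -> attribute mapping.
Added example; "x-starttls" is a hypothetical extension name (assumption)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}
# Extension name -> attribute on ExtLDAPUrl. "bindname" comes from RFC 4516;
# "x-starttls" is a private-use name invented for this example.
EXTENSION_ATTRS = {"bindname": "bind_dn", "x-starttls": "start_tls"}


@dataclass
class ExtLDAPUrl:
    scheme: str
    host: Optional[str] = None
    port: Optional[int] = None
    socket_path: Optional[str] = None          # only for ldapi://
    dn: str = ""
    attrs: List[str] = field(default_factory=list)
    scope: str = "base"
    filterstr: str = "(objectClass=*)"
    # raw extensions: name -> (critical, value)
    extensions: Dict[str, Tuple[bool, Optional[str]]] = field(default_factory=dict)
    bind_dn: Optional[str] = None              # filled from "bindname"
    start_tls: bool = False                    # filled from "x-starttls"


def _split_hostport(netloc: str, scheme: str) -> Tuple[Optional[str], int]:
    """Split host[:port], accepting a bracketed IPv6 literal."""
    if netloc.startswith("["):
        host, _, port = netloc[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = netloc.partition(":")
    if port and not port.isdigit():
        raise ValueError(f"bad port in {netloc!r}")
    return (host or None), (int(port) if port else DEFAULT_PORTS[scheme])


def parse_ldap_url(url: str) -> ExtLDAPUrl:
    scheme, sep, remainder = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    netloc, _, rest = remainder.partition("/")
    u = ExtLDAPUrl(scheme=scheme)
    if scheme == "ldapi":
        # The Unix socket path travels percent-encoded where a host would be.
        u.socket_path = unquote(netloc) or None
    else:
        u.host, u.port = _split_hostport(netloc, scheme)
    # dn?attrs?scope?filter?extensions, every field optional
    dn, attrs, scope, filt, exts = (rest.split("?", 4) + [""] * 5)[:5]
    u.dn = unquote(dn)
    u.attrs = [unquote(a) for a in attrs.split(",") if a]
    if scope.lower() not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    u.scope = SCOPES[scope.lower()]
    if filt:
        u.filterstr = unquote(filt)
    # Split on "," before percent-decoding so encoded commas in values survive.
    for ext in filter(None, exts.split(",")):
        critical = ext.startswith("!")
        name, has_val, value = ext.lstrip("!").partition("=")
        name = name.lower()
        value = unquote(value) if has_val else None
        u.extensions[name] = (critical, value)
        attr = EXTENSION_ATTRS.get(name)
        if attr is None:
            if critical:   # RFC 4516: an unsupported critical extension is fatal
                raise ValueError(f"unsupported critical extension {name!r}")
            continue
        setattr(u, attr, value if attr == "bind_dn" else True)
    if u.start_tls and scheme != "ldap":
        raise ValueError("StartTLS only applies to ldap://, not " + scheme)
    return u


def connection_plan(u: ExtLDAPUrl) -> Tuple[str, str]:
    """What a client should do first, derived purely from the URL."""
    if u.scheme == "ldapi":
        return "unix-socket", u.socket_path or "<default ldapi socket>"
    host = f"[{u.host}]" if u.host and ":" in u.host else (u.host or "localhost")
    endpoint = f"{host}:{u.port}"
    if u.scheme == "ldaps":
        return "tls-then-ldap", endpoint
    if u.start_tls:
        return "ldap-then-starttls", endpoint
    return "plaintext", endpoint
```

The "ldapi" branch is the one that makes the "path name for server" idea unnecessary: the socket path is just another host-slot value, and the rest of the URL grammar (DN, scope, filter, extensions) stays identical across all three schemes, so a local LDAPI replica and a remote ldaps:// fallback differ only in their first URL component.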




More information about the Freeradius-Users mailing list