ldapi:// with path

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jun 30 23:44:12 CEST 2015


> On Jun 30, 2015, at 5:19 PM, Michael Ströder <michael at stroeder.com> wrote:
> 
> Arran Cudbard-Bell wrote:
>> 
>>> On Jun 30, 2015, at 4:54 PM, Michael Ströder <michael at stroeder.com> wrote:
>>> 
>>> Arran Cudbard-Bell wrote:
>>>> If the user specifies:
>>>> 
>>>> 	server = 'ldap://example.org'
>>>> 	port = 1300
>>>> 
>>>> They would (and did) wonder why the server was still attempting to connect on port 389.
>>> 
>>> Hmm, I'm inclined to just spit out an error message in this case clearly
>>> recommending to add the port number to the LDAP URL.
>> 
>> Which we can't do in v3.0.x because it would break people's configurations.
> 
> It's quite a simple change which you could announce clearly.

Then all the package maintainers would refuse to update until the next major
release of their OS because it'd be a breaking change.

> 
>> What are your arguments for URL support when specifying servers?
> 
> First of all:
> It's required to work for LDAPI (which I use a lot together with SASL/EXTERNAL).

No it's not.

As previously stated we could construct the URL with an ldapi:// prefix, and pass
that to LDAP initialize.

> LDAP URLs also have everything in one parameter.

Which makes parsing and modifying the configuration programmatically harder,
and is inconsistent with everything else in the server.

You don't use redis:// to specify a redis server, you don't use mysql:// to
specify a mysql server.

> Example:
> 
> ldaps://ldap.example.com:9999 tells you to talk TLS before LDAP to host
> ldap.example.com and port 9999 all in one line.

But being able to turn on SSL for individual hosts in a cluster is potentially
useful.  I guess that's the biggest advantage.

I can't say I've ever come across an LDAP cluster that uses a mixture of
encryption clear and TLS connections though.

> In web2ldap I even use LDAP URL extensions so you can construct a bookmark for
> specifying to use StartTLS extended operation.

Is the extension standard, or something you pull out and use as a hint to call
ldap_start_tls (or Python equivalent)?

-Arran
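An added worked example, constructed for this thread and not FreeRADIUS code, showing one way to turn the `server`/`port` settings into the URL handed to ldap_initialize: a bare hostname or an ldap:// URL without a port takes the configured port, an explicit port in the URL that disagrees with `port` is rejected instead of being silently ignored, and an absolute socket path becomes a percent-encoded ldapi:// URL. The function name, the default-port table and the treat-conflict-as-error policy are assumptions.

```python
from typing import Optional
from urllib.parse import quote, urlsplit, urlunsplit

# Assumed defaults for the two TCP schemes; ldapi:// has no port at all.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def build_ldap_url(server: str, port: Optional[int] = None) -> str:
    """Normalise a server setting plus optional port into one LDAP URL.

    Cases handled (hypothetical policy, not FreeRADIUS behaviour):
      'ldap.example.org', 1300            -> ldap://ldap.example.org:1300
      'ldap://ldap.example.org', 1300     -> ldap://ldap.example.org:1300
      'ldaps://host:9999', 1300           -> ValueError (conflicting ports)
      '/var/run/ldapi'                    -> ldapi://%2Fvar%2Frun%2Fldapi
    """
    if server.startswith("/"):
        # ldapi:// carries the Unix socket path, percent-encoded, in the
        # host position; a configured TCP port is meaningless here.
        return "ldapi://" + quote(server, safe="")
    if "://" not in server:
        # Plain hostname: apply the configured port or the scheme default.
        return f"ldap://{server}:{port or DEFAULT_PORTS['ldap']}"
    parts = urlsplit(server)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        return server  # already a socket URL; keep the encoded path as-is
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported LDAP scheme: {scheme!r}")
    if parts.port is not None and port is not None and parts.port != port:
        # Do not let one setting silently win over the other.
        raise ValueError(
            f"port {port} conflicts with port {parts.port} in URL {server!r}"
        )
    effective = parts.port or port or DEFAULT_PORTS[scheme]
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    return urlunsplit((scheme, f"{host}:{effective}", parts.path,
                       parts.query, parts.fragment))
```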