ldapi:// with path

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jun 30 22:44:30 CEST 2015


> On Jun 30, 2015, at 3:50 PM, Michael Ströder <michael at stroeder.com> wrote:
> 
> Michael Ströder wrote:
>> Arran Cudbard-Bell wrote:
>>> OK, should work now.
>> 
>> These cases both work:
>> 
>> server = 'ldap://localhost:1390'
>> server = 'localhost:1390'
>> 
>> This does not work:
>> server = 'ldapi://%2Ftmp%2Fopenldap-socket'
>> 
>> => "Failed recombining URL components"
> 
> And this fails too:
> 
> server = 'ldapi://'
> 
> rlm_ldap (ldap): Bind with uid=radiusd,ou=sys,dc=stroeder,dc=local to
> ldapi://:389 failed: Can't contact LDAP server
>       ^^^^^
> 
> As said you should not do any recombination and pass the string as is to
> libldap. This would save you a lot of headache.

TBH LDAP URLs are the wrong thing to use to specify a server, but we have no choice, the
OpenLDAP guys don't provide an interface to specify the connection type for a handle.

The string recombination is done because we need to set a port.

If the user specifies:

	server = 'ldap://example.org'
	port = 1300

They would (and did) wonder why the server was still attempting to connect on port 389.

So whilst in theory, in a perfect world, it would be nice to pass through the URLs
unmolested, in this case we can't (except for ldapi://).

Why not just get rid of port?
-----------------------------

Because not all versions of libldap or LDAP libraries support LDAP urls, plus we need it
for legacy compatibility.

Why not just disallow URLs?
---------------------------

We likely will for v3.1.x, because the current code is ridiculously complex for what it does.

We'll then have a scheme configuration option to specify ldapi, ldapc, ldaps or ldap,
which will make integrating with other LDAP implementations easier.

If ldap_initialize is the only interface for specifying the scheme, then we'll construct
a URL behind the scenes and pass that to it.

-Arran


rlm_ldap (ldap): Opening additional connection (0), 1 of 100 pending slots used
rlm_ldap (ldap): Connecting to ldapi://
rlm_ldap (ldap): Bind with cn=admin,dc=foo,dc=com to ldapi:// failed: Can't contact LDAP server
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/usr/local/freeradius/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

rlm_ldap (ldap): Opening additional connection (0), 1 of 100 pending slots used
rlm_ldap (ldap): Connecting to ldapi://%2Ftmp%2Fopenldap-socket
rlm_ldap (ldap): Bind with cn=admin,dc=foo,dc=com to ldapi://%2Ftmp%2Fopenldap-socket failed: Can't contact LDAP server
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/usr/local/freeradius/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
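The scheme-aware recombination described above, as an added example that is not rlm_ldap's or libldap's code: an ldapi:// string (percent-encoded socket path, or empty for the library default) is handed through untouched, while ldap:// and ldaps:// get the configured port only when the URL does not already name one. The names build_ldap_url and ldap_url_for are assumptions, and the server string is assumed to carry no DN, attribute or filter components.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not rlm_ldap's own code): derive the URL passed to
 * ldap_initialize() from a configured "server" string and "port" value.
 * Assumes the string has no DN/attribute/filter components. Returns 0 on
 * success, -1 if the scheme is too long or the result does not fit. */
static int build_ldap_url(const char *server, int port, char *out, size_t outlen)
{
    const char *scheme = "ldap://";          /* default when no scheme given */
    const char *hostpart = server;
    const char *sep = strstr(server, "://");
    char schemebuf[16];
    int n;

    if (sep) {
        size_t slen = (size_t)(sep - server) + 3;     /* keep the "://" */
        if (slen >= sizeof(schemebuf)) return -1;
        memcpy(schemebuf, server, slen);
        schemebuf[slen] = '\0';
        scheme = schemebuf;
        hostpart = sep + 3;
    }

    /* Unix-domain socket: what follows ldapi:// is a percent-encoded path,
     * not host:port. Appending ":389" is what produced "ldapi://:389" in
     * the thread, so hand the string to libldap exactly as configured. */
    if (strcmp(scheme, "ldapi://") == 0) {
        n = snprintf(out, outlen, "%s", server);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }

    /* An explicit port in the URL wins; the last ':' after any IPv6 ']' is it. */
    const char *colon = strrchr(hostpart, ':');
    const char *bracket = strrchr(hostpart, ']');
    if (colon && (!bracket || colon > bracket))
        n = snprintf(out, outlen, "%s%s", scheme, hostpart);
    else
        n = snprintf(out, outlen, "%s%s:%d", scheme, hostpart, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience wrapper (hypothetical) returning a static buffer, NULL on error. */
static const char *ldap_url_for(const char *server, int port)
{
    static char buf[256];
    return build_ldap_url(server, port, buf, sizeof buf) == 0 ? buf : NULL;
}
```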

