Bug#489361: marked as done (nss-ldapd: Support LDAP autoconfiguration using rootDSE?)

Sun, 20 Jul 2008 03:46:45 -0700 

Your message dated Sun, 20 Jul 2008 10:37:52 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#489361: fixed in nss-ldapd 0.6.4
has caused the Debian Bug report #489361,
regarding nss-ldapd: Support LDAP autoconfiguration using rootDSE?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
489361: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489361
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message --- 
Package: libnss-ldapd
Version: 0.6.3
Severity: wishlist
User: [EMAIL PROTECTED]
Usertag: debian-edu

One issue with large scale deployment of Linux is the need to
configure each client.  It would be easier if the clients were able to
automatically derive their configuration using network services.  This
is successfully done with MS Active directory, where it uses DNS to
locate the LDAP servers, and then uses the LDAP rootDSE to figure out
the LDAP base.

This one-liner show up the SRV record at _ldap._tcp can be used to
locate the LDAP servers:

  ad_servers=$(host -N 2 -t srv _ldap._tcp | grep SRV | rev | awk '{print $1}' 
| cut -d. -f2- | rev)

The next step done is to query any of the LDAP server for the LDAP
base to use

  ldapsearch -LLL -h $(echo $ad_servers | awk '{print $1}')  -s base -b '' -x 
'*' +

The latter trick work with OpenLDAP too.  This is the output from the
OpenLDAP server used in Debian Edu:

  dn:
  objectClass: top
  objectClass: OpenLDAProotDSE
  structuralObjectClass: OpenLDAProotDSE
  configContext: cn=config
  namingContexts: dc=skole,dc=skolelinux,dc=no
  monitorContext: cn=Monitor
  supportedControl: 2.16.840.1.113730.3.4.18
  supportedControl: 2.16.840.1.113730.3.4.2
  supportedControl: 1.3.6.1.4.1.4203.1.10.1
  supportedControl: 1.2.840.113556.1.4.319
  supportedControl: 1.2.826.0.1.334810.2.3
  supportedControl: 1.2.826.0.1.3344810.2.3
  supportedControl: 1.3.6.1.1.13.2
  supportedControl: 1.3.6.1.1.13.1
  supportedControl: 1.3.6.1.1.12
  supportedExtension: 1.3.6.1.4.1.1466.20037
  supportedExtension: 1.3.6.1.4.1.4203.1.11.1
  supportedExtension: 1.3.6.1.4.1.4203.1.11.3
  supportedFeatures: 1.3.6.1.1.14
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
  supportedLDAPVersion: 3
  supportedSASLMechanisms: DIGEST-MD5
  supportedSASLMechanisms: CRAM-MD5
  supportedSASLMechanisms: NTLM
  entryDN:
  subschemaSubentry: cn=Subschema

As you can see, the LDAP base is in the namingContexts attribute.
This is the output from an AD server:

  dn:
  currentTime: 20080705093026.0Z
  subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SKOLEN,DC=LOCAL
  dsServiceName: CN=NTDS Settings,CN=AD2,CN=Servers,CN=Default-First-Site-
   Name,CN=Sites,CN=Configuration,DC=SKOLEN,DC=LOCAL
  namingContexts: DC=SKOLEN,DC=LOCAL
  namingContexts: CN=Configuration,DC=SKOLEN,DC=LOCAL
  namingContexts: CN=Schema,CN=Configuration,DC=SKOLEN,DC=LOCAL
  namingContexts: DC=DomainDnsZones,DC=SKOLEN,DC=LOCAL
  namingContexts: DC=ForestDnsZones,DC=SKOLEN,DC=LOCAL
  defaultNamingContext: DC=SKOLEN,DC=LOCAL
  schemaNamingContext: CN=Schema,CN=Configuration,DC=SKOLEN,DC=LOCAL
  configurationNamingContext: CN=Configuration,DC=SKOLEN,DC=LOCAL
  rootDomainNamingContext: DC=SKOLEN,DC=LOCAL
  supportedControl: 1.2.840.113556.1.4.319
  supportedControl: 1.2.840.113556.1.4.801
  supportedControl: 1.2.840.113556.1.4.473
  supportedControl: 1.2.840.113556.1.4.528
  supportedControl: 1.2.840.113556.1.4.417
  supportedControl: 1.2.840.113556.1.4.619
  supportedControl: 1.2.840.113556.1.4.841
  supportedControl: 1.2.840.113556.1.4.529
  supportedControl: 1.2.840.113556.1.4.805
  supportedControl: 1.2.840.113556.1.4.521
  supportedControl: 1.2.840.113556.1.4.970
  supportedControl: 1.2.840.113556.1.4.1338
  supportedControl: 1.2.840.113556.1.4.474
  supportedControl: 1.2.840.113556.1.4.1339
  supportedControl: 1.2.840.113556.1.4.1340
  supportedControl: 1.2.840.113556.1.4.1413
  supportedControl: 2.16.840.1.113730.3.4.9
  supportedControl: 2.16.840.1.113730.3.4.10
  supportedControl: 1.2.840.113556.1.4.1504
  supportedControl: 1.2.840.113556.1.4.1852
  supportedControl: 1.2.840.113556.1.4.802
  supportedControl: 1.2.840.113556.1.4.1907
  supportedControl: 1.2.840.113556.1.4.1948
  supportedLDAPVersion: 3
  supportedLDAPVersion: 2
  supportedLDAPPolicies: MaxPoolThreads
  supportedLDAPPolicies: MaxDatagramRecv
  supportedLDAPPolicies: MaxReceiveBuffer
  supportedLDAPPolicies: InitRecvTimeout
  supportedLDAPPolicies: MaxConnections
  supportedLDAPPolicies: MaxConnIdleTime
  supportedLDAPPolicies: MaxPageSize
  supportedLDAPPolicies: MaxQueryDuration
  supportedLDAPPolicies: MaxTempTableSize
  supportedLDAPPolicies: MaxResultSetSize
  supportedLDAPPolicies: MaxNotificationPerConn
  supportedLDAPPolicies: MaxValRange
  highestCommittedUSN: 745693014
  supportedSASLMechanisms: GSSAPI
  supportedSASLMechanisms: GSS-SPNEGO
  supportedSASLMechanisms: EXTERNAL
  supportedSASLMechanisms: DIGEST-MD5
  dnsHostName: ad2.SKOLEN.LOCAL
  ldapServiceName: SKOLEN.LOCAL:[EMAIL PROTECTED]
  serverName: CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Con
   figuration,DC=SKOLEN,DC=LOCAL
  supportedCapabilities: 1.2.840.113556.1.4.800
  supportedCapabilities: 1.2.840.113556.1.4.1670
  supportedCapabilities: 1.2.840.113556.1.4.1791
  isSynchronized: TRUE
  isGlobalCatalogReady: TRUE
  domainFunctionality: 2
  forestFunctionality: 2
  domainControllerFunctionality: 2

Would it be possible to teach nss-ldapd to automatically derive the
LDAP base from the rootDSE entry?  Also, would it be possible to teach
it to automatically figure out which LDAP servers to talk to using the
SRV record provided by AD.  We could easily provide the same DNS entry
in Debian Edu, and thus get the clients to automatically configure NSS
based on the values fetched from the network.  Would need to get
libpam-ldap to do the same to get this working, though. :)

Happy hacking,
-- 
Petter Reinholdtsen

--- End Message ---
--- Begin Message --- 
Source: nss-ldapd
Source-Version: 0.6.4

We believe that the bug you reported is fixed in the latest version of
nss-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.6.4_i386.deb
  to pool/main/n/nss-ldapd/libnss-ldapd_0.6.4_i386.deb
nss-ldapd_0.6.4.dsc
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.4.dsc
nss-ldapd_0.6.4.tar.gz
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.4.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <[EMAIL PROTECTED]> (supplier of updated nss-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 20 Jul 2008 10:30:00 +0200
Source: nss-ldapd
Binary: libnss-ldapd
Architecture: source i386
Version: 0.6.4
Distribution: unstable
Urgency: medium
Maintainer: Arthur de Jong <[EMAIL PROTECTED]>
Changed-By: Arthur de Jong <[EMAIL PROTECTED]>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
Closes: 489361
Changes: 
 nss-ldapd (0.6.4) unstable; urgency=medium
 .
   * set urgency medium in an attempt to get in before the freeze
     (not much code changes)
   * fix for the tls_checkpeer option
   * fix incorrect test for ssl option in combination with ldaps:// URIs
   * improvements to Active Directory sample configuration
   * implement looking up search base in rootDSE of LDAP server
     (closes: #489361)
Checksums-Sha1: 
 baef362c56c153ee1b9183c0fbf56367bee99547 988 nss-ldapd_0.6.4.dsc
 ef503f88db21390276391a44c44ce066964e03b1 373022 nss-ldapd_0.6.4.tar.gz
 51807e7c8d501e0bae8842b29c9fcfd6bb793069 107254 libnss-ldapd_0.6.4_i386.deb
Checksums-Sha256: 
 2e8a62d90e5d933c418e17259990f6da7e681e3ef57154672465dbd9a26a8e74 988 
nss-ldapd_0.6.4.dsc
 e045cf9073cc04198965cbd760401b137594d54435f90850238659f5367ef4e6 373022 
nss-ldapd_0.6.4.tar.gz
 459956d1ea3f34894a37e9925a067c0ee5e4ec2242fa695855bacad1781a7a2c 107254 
libnss-ldapd_0.6.4_i386.deb
Files: 
 e4764ac1c4f5a8d240d24a7edca9ab4c 988 net extra nss-ldapd_0.6.4.dsc
 423f95a3a3df8b4887529f7070c812c3 373022 net extra nss-ldapd_0.6.4.tar.gz
 0d2f299b16fbc7f64cc8127a068d40e9 107254 net extra libnss-ldapd_0.6.4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiDCUQACgkQVYan35+NCKdbygCcDArHFazGaahAsiuQ2932y/bj
FPgAnRiSZwlbrUGi/uymhCAYBvI9NGKD
=kSvC
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to