
List:       freeradius-devel
Subject:    Re: Patch for LDAP URI support (at least with OpenLDAP libraries)
From:       Kostas Kalevras <kkalev () noc ! ntua ! gr>
Date:       2003-02-22 9:40:24

On Fri, 21 Feb 2003, Derrik Pates wrote:

> I've worked up a small patch that works with OpenLDAP features to
> support the use of LDAP URIs for referring to LDAP servers instead of
> specifying by host/port. This will work easily for ldap://, ldaps:// and
> ldapi:// (LDAP over IPC) URIs. I've plugged this in and tested the
> module (with CVS code from ~7 days ago), and it's working well.
>
> I'm checking out the Netscape/iPlanet LDAP C API documentation, but it
> doesn't appear to provide the ldap_initialize() call that the OpenLDAP
> libraries do.
>
> To use this module, just patch it in. No makefile changes are necessary.
> To use an LDAP URI, just add a line like:
>
>   server_uri = ldap://localhost/
>
> or
>
>   server_uri = ldapi:///
>
> to the ldap config section in your radiusd.conf. By default, its value
> will be NULL, so the server and port options will take effect instead.
> If you specify anything for server_uri, however, it will take
> precedence.
>
> Also, if you wish to use an ldapi:// URI, check to see that your slapd
> has been started with the -h "URI list" option. If one of the URIs
> specified points to a particular path for the LDAP socket file, specify
> it like this:
>
>   ldapi://%2fvar%2frun%2fldapi/
>
> See the OpenLDAP docs for additional info.

Where's the patch?

I've added support for the ldap_initialize function in rlm_ldap.
HAVE_LDAP_INITIALIZE will need to be defined so we need to add a check for
ldap_initialize in the rlm_ldap configure script for things to work.
I prefer just checking that the server directive is an ldap url instead of
adding one more directive.

In any case I really like the idea of ldap uris because of the ability
to use unix sockets. The only performance problem left with rlm_ldap is that for
user authentication we need to do an ldap connect/bind which means we have to go
through the tcp connection creation overhead. Using unix sockets can overcome
this and give us better performance.

>
> --
> Derrik Pates
> dpates@dsdk12.net
> dpates@voxel.net
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras		Network Operations Center
kkalev@noc.ntua.gr	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
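The two points above (Derrik's percent-encoded ldapi:// socket path, and Kostas's preference for detecting an LDAP URL in the existing server directive instead of adding a server_uri one) as an added, self-contained example. This is not rlm_ldap code and not part of either mail; the function names is_ldap_url, ldapi_uri_from_path and resolve_server_uri and the host ldap.example.org are assumptions made for illustration. It avoids linking libldap so it runs anywhere; in the module itself the resolved string would go to ldap_initialize() under HAVE_LDAP_INITIALIZE and the host/port pair to ldap_init() otherwise, and OpenLDAP's own ldap_is_ldap_url() can replace the scheme check.

```c
/* Added example, not rlm_ldap code: detect an LDAP URI in the "server"
 * directive and build an ldapi:// URI with a percent-encoded socket path,
 * matching the ldapi://%2fvar%2frun%2fldapi/ form discussed above. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s begins with an ldap://, ldaps:// or ldapi:// scheme
 * (scheme compared case-insensitively), else 0. Stand-in for OpenLDAP's
 * ldap_is_ldap_url() so the example needs no libldap. */
int is_ldap_url(const char *s)
{
    static const char *schemes[] = { "ldap://", "ldaps://", "ldapi://" };
    size_t i;

    if (s == NULL)
        return 0;
    for (i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++) {
        size_t n = strlen(schemes[i]);
        size_t j;
        /* stop at the first mismatch; a NUL in s never matches a scheme byte */
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)s[j]) != schemes[i][j])
                break;
        if (j == n)
            return 1;
    }
    return 0;
}

/* Write "ldapi://<encoded path>/" into out. Bytes other than alphanumerics
 * and -_.~ are emitted as %xx with lowercase hex, so '/' becomes %2f and
 * slapd's -h "ldapi://%2fvar%2frun%2fldapi/" form is reproduced exactly.
 * Returns 0 on success, -1 if out is too small. */
int ldapi_uri_from_path(const char *path, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *p;
    size_t pos;

    if (outlen < sizeof("ldapi:///"))      /* prefix + "/" + NUL */
        return -1;
    memcpy(out, "ldapi://", 8);
    pos = 8;
    for (p = (const unsigned char *)path; *p; p++) {
        if (isalnum(*p) || strchr("-_.~", *p)) {
            if (pos + 1 >= outlen) return -1;   /* keep room for the NUL */
            out[pos++] = (char)*p;
        } else {
            if (pos + 3 >= outlen) return -1;
            out[pos++] = '%';
            out[pos++] = hex[*p >> 4];
            out[pos++] = hex[*p & 0x0f];
        }
    }
    if (pos + 2 > outlen) return -1;           /* trailing "/" + NUL */
    out[pos++] = '/';
    out[pos] = '\0';
    return 0;
}

/* Decide what to hand the LDAP library: a server directive that is already
 * an LDAP URI is used verbatim (the ldap_initialize path), anything else is
 * treated as a hostname and combined with port into ldap://host:port/.
 * Returns 1 when the URI was used as given, 0 when one was built, -1 when
 * out is too small. */
int resolve_server_uri(const char *server, int port, char *out, size_t outlen)
{
    int n;

    if (is_ldap_url(server)) {
        n = snprintf(out, outlen, "%s", server);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
    }
    n = snprintf(out, outlen, "ldap://%s:%d/", server, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char uri[128];

    ldapi_uri_from_path("/var/run/ldapi", uri, sizeof(uri));
    printf("%s\n", uri);                 /* ldapi://%2fvar%2frun%2fldapi/ */
    /* ldap.example.org is a constructed hostname, not from the thread */
    resolve_server_uri("ldap.example.org", 389, uri, sizeof(uri));
    printf("%s\n", uri);                 /* ldap://ldap.example.org:389/ */
    resolve_server_uri("ldapi:///", 389, uri, sizeof(uri));
    printf("%s\n", uri);                 /* ldapi:/// */
    return 0;
}
```

The encoder refuses rather than truncates when the buffer is short, since a silently cut URI would point the module at a different socket than the one configured.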