nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

Support for SRV lookup of LDAP servers and fallback behaviour #15

Closed EugeneKay closed 7 years ago

EugeneKay commented 7 years ago

At present you need to specify an X-LDAP-URL pointing to a specific server. If this server is down (or points to a round-robin DNS A record), the connection will be retried indefinitely and lead to a 500 error for the client.

I would like to add two features:

  1. Support for lookup of SRV records in AD-integrated LDAP environments to find a Domain Controller
  2. Retry other servers (or A/AAAA records) if a response is not received within a reasonable timeout period.

I have begun work on a local branch to implement these features, but I would like to open a discussion before creating a Pull Request.

Presently X-LDAP-URL is a required parameter supplying the scheme, server, and port all together. With AD only the domain name is required; server/port are looked up in DNS SRV records, and the scheme (LDAP or LDAPS) can be inferred from the port (389 or 636). I see two ways to implement this:

Please let me know your thoughts, thanks for looking.
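The discovery and fallback behaviour described in the issue (resolve `_ldap._tcp.<domain>` SRV records, order them by priority and weight, infer `ldap`/`ldaps` from the port, and move on to the next server after a bounded timeout instead of retrying one server forever), as an added Python example. It is not code from nginx-ldap-auth or from the proposed branch: the DNS lookup and the TCP connect are injectable callables so the logic runs offline against constructed records, and the hostnames `dc1`..`dc3.corp.example` are made up for the demonstration.

```python
"""SRV-based discovery of LDAP servers for an AD domain, with fallback.

Added example, not part of nginx-ldap-auth. DNS lookup and TCP connect are
injectable so the logic can be exercised offline with constructed records.
"""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_name(domain: str) -> str:
    """Standard SRV name for LDAP over TCP (RFC 2782); AD publishes it."""
    return f"_ldap._tcp.{domain.rstrip('.')}."


def order_srv(records: Iterable[SrvRecord], rng=None) -> List[SrvRecord]:
    """Order per RFC 2782: lowest priority first; within one priority,
    weighted random pick so load spreads across equally preferred servers."""
    rng = rng or random.Random()
    by_prio = {}
    for rec in records:
        by_prio.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]
            if total > 0:
                n, acc = rng.randint(0, total - 1), 0
                for r in pool:
                    acc += r.weight
                    if n < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def ldap_url(rec: SrvRecord) -> str:
    """Infer the scheme from the well-known port: 636 is LDAPS, else LDAP."""
    scheme = "ldaps" if rec.port == 636 else "ldap"
    return f"{scheme}://{rec.target.rstrip('.')}:{rec.port}"


def resolve_ldap_urls(domain: str,
                      srv_lookup: Callable[[str], Iterable[SrvRecord]],
                      rng=None) -> List[str]:
    """Turn a bare domain name into an ordered list of candidate LDAP URLs."""
    return [ldap_url(r) for r in order_srv(srv_lookup(srv_name(domain)), rng)]


def tcp_connect(url: str, timeout: float) -> socket.socket:
    """Default connector: TCP reachability check with a bounded timeout.
    A real daemon would then bind over this connection with its LDAP client."""
    parts = urlsplit(url)
    return socket.create_connection((parts.hostname, parts.port), timeout=timeout)


def connect_with_fallback(urls: List[str], timeout: float = 3.0,
                          connect=tcp_connect) -> Tuple[str, object]:
    """Try each URL once in order; a timeout or connection error moves on to
    the next server rather than retrying the same one. Returns (url, conn)."""
    errors = []
    for url in urls:
        try:
            return url, connect(url, timeout)
        except OSError as exc:  # socket.timeout is a subclass of OSError
            errors.append(f"{url}: {exc}")
    raise ConnectionError("no LDAP server reachable: " + "; ".join(errors))


# Constructed sample SRV records (not real hosts) for a local demonstration.
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.corp.example."),
    SrvRecord(priority=0, weight=0, port=389, target="dc2.corp.example."),
    SrvRecord(priority=10, weight=0, port=636, target="dc3.corp.example."),
]


def demo() -> Tuple[str, object]:
    """Resolve against the constructed records and simulate dc1 timing out."""
    def fake_connect(url, timeout):
        if url.startswith("ldap://dc1."):
            raise socket.timeout("simulated timeout")
        return f"connected:{url}"

    urls = resolve_ldap_urls("corp.example", lambda _n: SAMPLE_SRV, random.Random(0))
    return connect_with_fallback(urls, timeout=1.0, connect=fake_connect)
```

Running `demo()` yields `('ldap://dc2.corp.example:389', 'connected:ldap://dc2.corp.example:389')`: dc1 is tried first because it carries all the weight at priority 0, its simulated timeout is caught, and dc2 answers; the priority-10 `ldaps` server is only reached if both priority-0 hosts fail. Each candidate is attempted once with a fixed timeout, which is what bounds the 500 the issue describes.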

vl-homutov commented 7 years ago

Thank you for participating!

The intention for the current nginx-ldap-auth code is to be an example/reference implementation, showing how LDAP integration can be done in principle. There are numerous extensions and improvements that may be invented on top of this, but we'd like to keep the original code simple. This means 'no' to your question about a pull request. Bug fixes and small improvements are welcome.