tusury / vt-middleware

Automatically exported from code.google.com/p/vt-middleware

Feature request: resolving LDAP servers via SRV records #234

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Currently, when requesting Kerberos ticket to the LDAP service, the JAAS login 
module (such as LdapDnAuthorizationModule) builds SPN by prepending "ldap/" to 
hostname specified in the ldapUrl. So if in the login module parameters appears:
   ldapUrl="ldap://dc1.mydomain.local:389"
then the SPN will be "ldap/dc1.mydomain.local".

This actually forces me to list specific DC or DCs in the ldapUrl, which, of 
course, isn't very flexible and can lead to problems if these DCs are 
decommissioned and replaced by new ones.

In Active Directory, such discovery problems are solved by so-called SRV 
records in DNS. For example, SRV record
   _ldap._tcp.mydomain.local
contains regular A (host) records for all DCs of mydomain.local. Other examples 
may include:

   _ldap._tcp.London._sites.mydomain.local
means "all DCs in the London site",

   _gc._tcp.mydomain.local
means "all Global Catalogs in the domain",
and so on.

It would be great if ldaptive login modules could make use of this mechanism.
For instance, if they could do this:
* Get the URL in the format like 
ldapUrl="ldap://_gc._tcp.mydomain.local:3268,SRV" or something similar,
* Understand that it's SRV record, not a hostname,
* Resolve the record to specific hostname or hostnames (such as 
dc1.mydomain.local),
* Pick up one of these hostnames, build an SPN out of it and then get a service 
ticket for this SPN, as usual.

Thanks!
Cat Mucius.

Original issue reported on code.google.com by muc...@wirade.ru on 3 Nov 2014 at 12:22
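The four steps proposed above (recognise an SRV-style ldapUrl, resolve it to hosts, pick one, build the "ldap/" SPN) as an added, self-contained illustration. This is example code written for this page, not ldaptive's implementation and not anything the project committed in response to the issue. The ",SRV" URL suffix is the marker the reporter suggested; the DNS lookup is replaced by a constructed in-memory record table (FAKE_DNS, modelled on the names in the report) so the code runs offline, and a real implementation would query DNS instead. Host selection follows the priority/weight ordering of RFC 2782, and `domain_of` is an added sanity check (an assumption, not part of the proposal) that drops SRV targets lying outside the domain the record belongs to, so a stray or poisoned answer cannot redirect the Kerberos SPN to an unrelated host.

```python
"""Resolve an ldapUrl such as "ldap://_gc._tcp.mydomain.local:3268,SRV" into
concrete (host, port) candidates and the matching Kerberos SPN.

Hypothetical example, not ldaptive code. DNS is simulated with FAKE_DNS so the
example runs offline; swap in a real SRV query for production use.
"""
import random
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN of the host named by the SRV record


# Constructed sample records using the domain names from the issue report.
FAKE_DNS = {
    "_ldap._tcp.mydomain.local": [
        SrvRecord(0, 100, 389, "dc1.mydomain.local"),
        SrvRecord(0, 100, 389, "dc2.mydomain.local"),
        SrvRecord(10, 0, 389, "dc-backup.mydomain.local"),
        SrvRecord(0, 100, 389, "ldap.evil.example"),  # outside the domain: must be dropped
    ],
    "_gc._tcp.mydomain.local": [
        SrvRecord(0, 100, 3268, "dc1.mydomain.local"),
    ],
}


def parse_ldap_url(ldap_url):
    """Split "ldap[s]://name[:port][,SRV]" into (scheme, name, port, is_srv).

    The ",SRV" suffix is the marker proposed in the issue; without it the name
    is treated as an ordinary hostname exactly as the login module does today.
    """
    is_srv = ldap_url.endswith(",SRV")
    if is_srv:
        ldap_url = ldap_url[: -len(",SRV")]
    parts = urlsplit(ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("unsupported LDAP URL: %r" % ldap_url)
    return parts.scheme, parts.hostname, parts.port, is_srv


def domain_of(srv_name):
    """Strip the _service._proto[.site._sites] labels to get the DNS domain."""
    labels = srv_name.split(".")
    if "_sites" in labels:
        labels = labels[labels.index("_sites") + 1 :]
    else:
        labels = [label for label in labels if not label.startswith("_")]
    return ".".join(labels)


def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: by ascending priority, and within one
    priority by weighted random selection (weight 0 entries are chosen last)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            x = rng.randint(0, total)  # inclusive, as in the RFC
            acc = 0
            for pick in group:
                acc += pick.weight
                if acc >= x:
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def resolve_hosts(ldap_url, dns=FAKE_DNS, rng=random):
    """Return the ordered (host, port) candidates for the URL."""
    scheme, name, port, is_srv = parse_ldap_url(ldap_url)
    if not is_srv:
        return [(name, port or (636 if scheme == "ldaps" else 389))]
    records = dns.get(name)
    if not records:
        raise LookupError("no SRV records for %s" % name)
    suffix = "." + domain_of(name)
    # Added check: ignore targets that do not belong to the record's own domain.
    safe = [r for r in records if r.target.rstrip(".").endswith(suffix)]
    # An explicit port in the URL overrides the port carried in the SRV record.
    return [(r.target.rstrip("."), port or r.port) for r in order_srv(safe, rng)]


def spn_for(host):
    """Build the SPN the way the issue describes: "ldap/" prepended to the host."""
    return "ldap/" + host.lower()


if __name__ == "__main__":
    for url in ("ldap://dc1.mydomain.local:389", "ldap://_gc._tcp.mydomain.local:3268,SRV"):
        host, port = resolve_hosts(url)[0]
        print(url, "->", host, port, spn_for(host))
```

Because the weight step is random, repeated calls for `_ldap._tcp.mydomain.local` alternate between dc1 and dc2 for the first slot while dc-backup (priority 10) always comes last, which is the failover behaviour the reporter wants when one DC is retired: only the DNS records change, not the ldapUrl in the JAAS configuration.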

GoogleCodeExporter commented 8 years ago
This project is moving over to github, moving this issue.

See https://github.com/vt-middleware/ldaptive/issues/5

Please follow it there.

Original comment by dfis...@gmail.com on 4 Nov 2014 at 10:22