[Richard A Nelson]
> hehe, on any ldap server I touch, you'll not see naming context entries
> unless you are authenticated (other entries you have to see - esp the
> sasl mechs to even be able to authenticate).

Almost the same with AD.  Only authenticated users can fetch data from
AD/LDAP, but the rootDSE is available also without authentication.

The nss-ldapd author is looking into fetching values from the rootDSE.
See #489361 for info.

> How does this play in a multi-domain (or roaming workstation)
> environment ?  Or does it need to ?

I do not know, but suspect it does not need to.  I suspect the Windows
clients remember the old settings and verify that the current domain is
acceptable.  They will cache some information when unable to reach
their AD server, and refresh the cache when able to reach it.

> An interesting question, and it doesn't appear to be that difficult to
> implement (he says, waving his arms wildly) - sans the roaming issues,
> which'll likely require other gyrations.

See #489361 to learn how it is planned to work in nss-ldapd.

> but it appears that libnss-ldapd also supports SRV records by using
> 'uri DNS'

Yes, but the algorithm used has a few problems that broke for clients
without proper DNS entries.

> My preference would be to abandon libpam-ldap, as I have libnss-ldap
> in favour of modifying libnss-ldapd to support the password changing
> feature - I've spoken with the OpenLDAP upstream who have actually
> included libnss-ldapd into newer versions of OpenLDAP! and they
> appeared interested, but I've not yet spoken with the libnss-ldapd
> maintainer (who is also upstream).

In Debian Edu, we use libpam-ldap to check passwords and to allow them
to be changed.  Is there a replacement for checking passwords using
LDAP?  If not, we will be using pam-ldap also in the future, or at
least until we succeed in replacing it with Kerberos. :)

Happy hacking,
-- 
Petter Reinholdtsen
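The two mechanisms discussed in the message above, locating LDAP servers through SRV records ('uri DNS') and deriving the search base from the anonymously readable rootDSE, sketched as a small Python example. This is added illustration, not code from nss-ldapd, libpam-ldap or any poster in the thread, and it does not touch the network: the SRV records and rootDSE attributes are constructed sample data, the host names under example.test are hypothetical, and the server-selection step is a plain reading of RFC 2782 (ascending priority, weighted random choice within a priority), with an explicit fallback to a configured URI for the "client without proper DNS entries" case that the message mentions.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str  # DNS target name, usually with a trailing dot


def order_srv(records: Sequence[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order SRV records as RFC 2782 describes: lowest priority first,
    weighted random order within one priority (weight 0 means 'rarely')."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            # Zero-weight records sit at the front of the candidate list.
            group.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for idx, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(idx))
                    break
    return ordered


def ldap_uris(records: Sequence[SrvRecord], fallback_uri: str,
              rng: Optional[random.Random] = None) -> List[str]:
    """Turn SRV records into ldap:// URIs in contact order. When DNS offers
    no SRV records at all (misconfigured or roaming client), the configured
    fallback URI is used instead of failing."""
    ordered = order_srv(records, rng)
    if not ordered:
        return [fallback_uri]
    return [f"ldap://{rec.target.rstrip('.')}:{rec.port}" for rec in ordered]


def search_base_from_rootdse(rootdse: Dict[str, List[str]],
                             configured_base: Optional[str] = None) -> Optional[str]:
    """Choose the search base: an explicit configuration wins; otherwise use
    defaultNamingContext (what AD publishes), then the first namingContexts
    value (generic LDAP). Returns None if nothing is available."""
    if configured_base:
        return configured_base
    for attr in ("defaultNamingContext", "namingContexts"):
        values = rootdse.get(attr) or []
        if values:
            return values[0]
    return None


# Constructed sample data for a hypothetical example.test domain (not real DNS or AD output).
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=0, port=389, target="dc2.example.test."),   # backup DC
    SrvRecord(priority=0, weight=100, port=389, target="dc1.example.test."),  # preferred
    SrvRecord(priority=0, weight=50, port=389, target="dc3.example.test."),   # preferred, less often
]

SAMPLE_ROOTDSE = {
    "namingContexts": ["DC=example,DC=test", "CN=Configuration,DC=example,DC=test"],
    "defaultNamingContext": ["DC=example,DC=test"],
    "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO"],
}

if __name__ == "__main__":
    print("contact order:", ldap_uris(SAMPLE_SRV, "ldap://ldap.example.test:389"))
    print("no SRV, fallback:", ldap_uris([], "ldap://ldap.example.test:389"))
    print("search base:", search_base_from_rootdse(SAMPLE_ROOTDSE))
```

The ordering keeps both priority-0 hosts ahead of the priority-10 backup on every run, only the relative order of dc1 and dc3 varies with the weighted draw, and an empty record set yields the configured fallback rather than an error.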
