Questions[ldap](server)

I've written various pieces of code that connect to LDAP servers and run queries, but it's always been voodoo to me. One thing I don't really understand is the concept of a bind DN. Here's an example using the ldapsearch command-line tool available from openldap. (Ignore the lack of authentication.)

ldapsearch -h 1.2.3.4 -D dc=example,dc=com [query]

What is the purpose and function of the -D dc=example,dc=com part of this? Why do we need to bind to a particular location in the directory hierarchy? Is it to establish which part of the directory my queries should apply to? E.g. if the root node of the directory is dc=com, and it has two children (dc=foo and dc=bar), maybe I want my queries to be against the dc=foo,dc=com subtree and not the dc=bar,dc=com subtree?

How to check the LDAP connection from a client to server. I'm working on the LDAP authentication and this client desktop needs to authenticate via a LDAP server. I can SSH to the LDAP server using LDAP user but When in desktop login prompt, I can't login. It says Authentication failure.

Client machine has Cent OS 6.3 and LDAP server has Cent OS 5.5

LDAP software is Openldap.

LDAP servers logs doesn't even show any messages.

So, how to test whether the client can successfully connect to LDAP or not.

During the last couple of days I have been using a lot of F-words, while browsing Internet for good documentation about how to setup an LDAP-server. So far I have found none, but plenty that are less than good, but better than bad. So I had to do it the usual Linux way, read, test, scream, read, test and scream.

My goals for the LDAP-server are:

• Install LDAP on a Centos 6 minimum installation, both for server and clients.
• Install in the way that the developers of OpenLDAP intended.
• Install LDAP securely with LDAPS, iptables, SELinux etc. enabled.
• Use SSSD on the clients for the "authentication" connections to the LDAP-server.

This is the kind of question that I usually answer myself, but I would appreciate suggestions about how to do the installation even better.

For Linux, this command should return the DNS record for the LDAP server

host -t srv _ldap._tcp.DOMAINNAME

(found at Authenticating from Java (Linux) to Active Directory using LDAP WITHOUT servername)

How could I get the same on the Windows command line using nslookup?

I tried

nslookup -type srv _ldap._tcp.DOMAINNAME

(following http://support.microsoft.com/kb/200525), would this be correct?

We're on a corporate network thats running active directory and we'd like to test out some LDAP stuff (active directory membership provider, actually) and so far, none of us can figure out what our LDAP connection string is. Does anyone know how we can go about finding it? The only thing we know is the domain that we're on.