- updated to 5.0.5, nfy.

[packages/autofs.git] / autofs-5.0.4-use-srv-query-for-domain-dn.patch

autofs-5.0.4 - use srv query for domain dn

From: Ian Kent <raven@themaw.net>

Add the ability to use a domain dn in the LDAP_URI configuration
entry. If a domain dn is encountered in the LDAP_URI the list of
servers will be queried and used for the LDAP connection. The list
won't be queried again until the minimum ttl found in the SRV RR
records is reached or, if ttl isn't given in any SRV RR records,
after 1 hour.
---

 CHANGELOG                      |    1 
 include/dclist.h               |   14 +
 include/lookup_ldap.h          |    3 
 man/auto.master.5.in           |    8 
 modules/Makefile               |    5 
 modules/dclist.c               |  785 ++++++++++++++++++++++++++++++++++++++++
 modules/lookup_ldap.c          |   86 ++++
 redhat/autofs.sysconfig.in     |   11 +
 samples/autofs.conf.default.in |   11 +
 9 files changed, 911 insertions(+), 13 deletions(-)
 create mode 100644 include/dclist.h
 create mode 100644 modules/dclist.c


diff --git a/CHANGELOG b/CHANGELOG
index 5000f0c..f49784a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -49,6 +49,7 @@
 - dont fail on ipv6 address when adding host.
 - always read file maps multi map fix.
 - always read file maps key lookup fixes.
+- use srv query for domain dn.
 
 4/11/2008 autofs-5.0.4
 -----------------------
diff --git a/include/dclist.h b/include/dclist.h
new file mode 100644
index 0000000..ed89f97
--- /dev/null
+++ b/include/dclist.h
@@ -0,0 +1,14 @@
+#ifndef __DCLIST_H
+#define __DCLIST_H
+
+#include <sys/types.h>
+
+struct dclist {
+	time_t expire;
+	const char *uri;
+};
+
+struct dclist *get_dc_list(unsigned int logopt, const char *uri);
+void free_dclist(struct dclist *dclist);
+
+#endif
diff --git a/include/lookup_ldap.h b/include/lookup_ldap.h
index b47bf5d..dcae220 100644
--- a/include/lookup_ldap.h
+++ b/include/lookup_ldap.h
@@ -10,6 +10,8 @@
 #include <krb5.h>
 #endif
 
+#include "dclist.h"
+
 struct ldap_schema {
 	char *map_class;
 	char *map_attr;
@@ -57,6 +59,7 @@ struct lookup_context {
 	pthread_mutex_t uris_mutex;
 	struct list_head *uris;
 	struct ldap_uri *uri;
+	struct dclist *dclist;
 	char *cur_host;
 	struct ldap_searchdn *sdns;
 
diff --git a/man/auto.master.5.in b/man/auto.master.5.in
index 7b7004f..71c4402 100644
--- a/man/auto.master.5.in
+++ b/man/auto.master.5.in
@@ -271,6 +271,14 @@ Map entries that include a server name override this option and it is then
 not used. Default is an empty list in which case either the server given
 in a map entry or the LDAP configured default is used. This uri list is read at
 startup and whenever the daemon receives a HUP signal.
+.P
+This configuration option can also be used to request autofs lookup SRV RRs
+for a domain of the form <proto>:///[<domain dn>]. Note that a trailing
+"/" is not allowed when using this form. If the domain dn is not specified
+the dns domain name (if any) is used to construct the domain dn for the
+SRV RR lookup. The server list returned from an SRV RR lookup is refreshed
+according to the minimum ttl found in the SRV RR records or after one hour,
+whichever is less.
 .TP
 .B SEARCH_BASE
 The base dn to use when searching for amap base dn. This entry may be
diff --git a/modules/Makefile b/modules/Makefile
index 0d12f01..13b3bd8 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -86,9 +86,10 @@ lookup_hesiod.so: lookup_hesiod.c
 cyrus-sasl.o: cyrus-sasl.c
 	$(CC) $(CFLAGS) $(LDAP_FLAGS) -c $<
 
-lookup_ldap.so: lookup_ldap.c $(SASL_OBJ)
+lookup_ldap.so: lookup_ldap.c dclist.o $(SASL_OBJ)
 	$(CC) $(SOLDFLAGS) $(CFLAGS) $(LDAP_FLAGS) -o lookup_ldap.so \
-		lookup_ldap.c $(SASL_OBJ) $(AUTOFS_LIB) $(LIBLDAP)
+		lookup_ldap.c dclist.o $(SASL_OBJ) \
+		$(AUTOFS_LIB) $(LIBLDAP) $(LIBRESOLV)
 	$(STRIP) lookup_ldap.so
 
 mount_nfs.so: mount_nfs.c replicated.o
diff --git a/modules/dclist.c b/modules/dclist.c
new file mode 100644
index 0000000..5b0e577
--- /dev/null
+++ b/modules/dclist.c
@@ -0,0 +1,785 @@
+/*
+ * Copyright 2009 Ian Kent <raven@themaw.net>
+ * Copyright 2009 Red Hat, Inc.
+ *
+ * This module was apapted from code contained in the Samba distribution
+ * file source/libads/dns.c which contained the following copyright
+ * information:
+ *
+ * Unix SMB/CIFS implementation.
+ * DNS utility library
+ * Copyright (C) Gerald (Jerry) Carter           2006.
+ * Copyright (C) Jeremy Allison                  2007.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <stdlib.h>
+#include <string.h>
+#include <resolv.h>
+#include <netdb.h>
+#include <ldap.h>
+#include <sys/param.h>
+#include <errno.h>
+
+#include "automount.h"
+#include "dclist.h"
+
+#define	MAX_DNS_PACKET_SIZE	0xffff
+#define	MAX_DNS_NAME_LENGTH	MAXHOSTNAMELEN
+/* The longest time we will cache dns srv records */
+#define MAX_TTL			(60*60*1) /* 1 hours */
+
+#ifdef NS_HFIXEDSZ	/* Bind 8/9 interface */
+#if !defined(C_IN)	/* AIX 5.3 already defines C_IN */
+#  define C_IN		ns_c_in
+#endif
+#if !defined(T_A)	/* AIX 5.3 already defines T_A */
+#  define T_A   	ns_t_a
+#endif
+
+#  define T_SRV 	ns_t_srv
+#if !defined(T_NS)	/* AIX 5.3 already defines T_NS */
+#  define T_NS 		ns_t_ns
+#endif
+#else
+#  ifdef HFIXEDSZ
+#    define NS_HFIXEDSZ HFIXEDSZ
+#  else
+#    define NS_HFIXEDSZ sizeof(HEADER)
+#  endif	/* HFIXEDSZ */
+#  ifdef PACKETSZ
+#    define NS_PACKETSZ	PACKETSZ
+#  else	/* 512 is usually the default */
+#    define NS_PACKETSZ	512
+#  endif	/* PACKETSZ */
+#  define T_SRV 	33
+#endif
+
+#define SVAL(buf, pos) (*(const uint16_t *)((const char *)(buf) + (pos)))
+#define IVAL(buf, pos) (*(const uint32_t *)((const char *)(buf) + (pos)))
+
+#define SREV(x) ((((x)&0xFF)<<8) | (((x)>>8)&0xFF))
+#define IREV(x) ((SREV(x)<<16) | (SREV((x)>>16)))
+
+#define RSVAL(buf, pos) SREV(SVAL(buf, pos))
+#define RIVAL(buf, pos) IREV(IVAL(buf, pos))
+
+#define QSORT_CAST	(int (*)(const void *, const void *))
+
+/* DNS query section in replies */
+
+struct dns_query {
+	const char *hostname;
+	uint16_t type;
+	uint16_t in_class;
+};
+
+/* DNS RR record in reply */
+
+struct dns_rr {
+	const char *hostname;
+	uint16_t type;
+	uint16_t in_class;
+	uint32_t ttl;
+	uint16_t rdatalen;
+	uint8_t *rdata;
+};
+
+/* SRV records */
+
+struct dns_rr_srv {
+	const char *hostname;
+	uint16_t priority;
+	uint16_t weight;
+	uint16_t port;
+	uint32_t ttl;
+};
+
+static pthread_mutex_t dclist_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+static void dclist_mutex_lock(void)
+{
+	int status = pthread_mutex_lock(&dclist_mutex);
+	if (status)
+		fatal(status);
+	return;
+}
+
+static void dclist_mutex_unlock(void)
+{
+	int status = pthread_mutex_unlock(&dclist_mutex);
+	if (status)
+		fatal(status);
+	return;
+}
+
+static int dns_parse_query(unsigned int logopt,
+			   uint8_t *start, uint8_t *end,
+			   uint8_t **ptr, struct dns_query *q)
+{
+	uint8_t *p = *ptr;
+	char hostname[MAX_DNS_NAME_LENGTH];
+	char buf[MAX_ERR_BUF];
+	int namelen;
+
+	if (!start || !end || !q || !*ptr)
+		return 0;
+
+	memset(q, 0, sizeof(*q));
+
+	/* See RFC 1035 for details. If this fails, then return. */
+
+	namelen = dn_expand(start, end, p, hostname, sizeof(hostname));
+	if (namelen < 0) {
+		error(logopt, "failed to expand query hostname");
+		return 0;
+	}
+
+	p += namelen;
+	q->hostname = strdup(hostname);
+	if (!q) {
+		char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+		error(logopt, "strdup: %s", estr);
+		return 0;
+	}
+
+	/* check that we have space remaining */
+
+	if (p + 4 > end) {
+		error(logopt, "insufficient buffer space for result");
+		free((void *) q->hostname);
+		return 0;
+	}
+
+	q->type     = RSVAL(p, 0);
+	q->in_class = RSVAL(p, 2);
+	p += 4;
+
+	*ptr = p;
+
+	return 1;
+}
+
+static int dns_parse_rr(unsigned int logopt,
+			uint8_t *start, uint8_t *end,
+			uint8_t **ptr, struct dns_rr *rr)
+{
+	uint8_t *p = *ptr;
+	char hostname[MAX_DNS_NAME_LENGTH];
+	char buf[MAX_ERR_BUF];
+	int namelen;
+
+	if (!start || !end || !rr || !*ptr)
+		return 0;
+
+	memset(rr, 0, sizeof(*rr));
+
+	/* pull the name from the answer */
+
+	namelen = dn_expand(start, end, p, hostname, sizeof(hostname));
+	if (namelen < 0) {
+		error(logopt, "failed to expand query hostname");
+		return 0;
+	}
+	p += namelen;
+	rr->hostname = strdup(hostname);
+	if (!rr->hostname) {
+		char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+		error(logopt, "strdup: %s", estr);
+		return 0;
+	}
+
+	/* check that we have space remaining */
+
+	if (p + 10 > end) {
+		error(logopt, "insufficient buffer space for result");
+		free((void *) rr->hostname);
+		return 0;
+	}
+
+	/* pull some values and then skip onto the string */
+
+	rr->type     = RSVAL(p, 0);
+	rr->in_class = RSVAL(p, 2);
+	rr->ttl      = RIVAL(p, 4);
+	rr->rdatalen = RSVAL(p, 8);
+
+	p += 10;
+
+	/* sanity check the available space */
+
+	if (p + rr->rdatalen > end) {
+		error(logopt, "insufficient buffer space for data");
+		free((void *) rr->hostname);
+		return 0;
+	}
+
+	/* save a point to the rdata for this section */
+
+	rr->rdata = p;
+	p += rr->rdatalen;
+
+	*ptr = p;
+
+	return 1;
+}
+
+static int dns_parse_rr_srv(unsigned int logopt,
+			    uint8_t *start, uint8_t *end,
+			    uint8_t **ptr, struct dns_rr_srv *srv)
+{
+	struct dns_rr rr;
+	uint8_t *p;
+	char dcname[MAX_DNS_NAME_LENGTH];
+	char buf[MAX_ERR_BUF];
+	int namelen;
+
+	if (!start || !end || !srv || !*ptr)
+		return 0;
+
+	/* Parse the RR entry.  Coming out of the this, ptr is at the beginning
+	   of the next record */
+
+	if (!dns_parse_rr(logopt, start, end, ptr, &rr)) {
+		error(logopt, "Failed to parse RR record");
+		return 0;
+	}
+
+	if (rr.type != T_SRV) {
+		error(logopt, "Bad answer type (%d)", rr.type);
+		return 0;
+	}
+
+	p = rr.rdata;
+
+	srv->priority = RSVAL(p, 0);
+	srv->weight   = RSVAL(p, 2);
+	srv->port     = RSVAL(p, 4);
+	srv->ttl      = rr.ttl;
+
+	p += 6;
+
+	namelen = dn_expand(start, end, p, dcname, sizeof(dcname));
+	if (namelen < 0) {
+		error(logopt, "Failed to expand dcname");
+		return 0;
+	}
+
+	srv->hostname = strdup(dcname);
+	if (!srv->hostname) {
+		char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+		error(logopt, "strdup: %s", estr);
+		return 0;
+	}
+
+	debug(logopt, "Parsed %s [%u, %u, %u]",
+	      srv->hostname, srv->priority, srv->weight, srv->port);
+
+	return 1;
+}
+
+/*********************************************************************
+ Sort SRV record list based on weight and priority.  See RFC 2782.
+*********************************************************************/
+
+static int dnssrvcmp(struct dns_rr_srv *a, struct dns_rr_srv *b)
+{
+	if (a->priority == b->priority) {
+		/* randomize entries with an equal weight and priority */
+		if (a->weight == b->weight)
+			return 0;
+
+		/* higher weights should be sorted lower */
+		if (a->weight > b->weight)
+			return -1;
+		else
+			return 1;
+	}
+
+	if (a->priority < b->priority)
+		return -1;
+
+	return 1;
+}
+
+#define DNS_FAILED_WAITTIME          30
+
+static int dns_send_req(unsigned int logopt,
+			const char *name, int q_type, uint8_t **rbuf,
+			int *resp_length)
+{
+	uint8_t *buffer = NULL;
+	size_t buf_len = 0;
+	int resp_len = NS_PACKETSZ;
+	static time_t last_dns_check = 0;
+	static unsigned int last_dns_status = 0;
+	time_t now = time(NULL);
+	char buf[MAX_ERR_BUF];
+
+	/* Try to prevent bursts of DNS lookups if the server is down */
+
+	/* Protect against large clock changes */
+
+	if (last_dns_check > now)
+		last_dns_check = 0;
+
+	/* IF we had a DNS timeout or a bad server and we are still
+	   in the 30 second cache window, just return the previous
+	   status and save the network timeout. */
+
+	if ((last_dns_status == ETIMEDOUT ||
+	     last_dns_status == ECONNREFUSED) &&
+	     ((last_dns_check + DNS_FAILED_WAITTIME) > now)) {
+		char *estr = strerror_r(last_dns_status, buf, MAX_ERR_BUF);
+		debug(logopt, "Returning cached status (%s)", estr);
+		return last_dns_status;
+	}
+
+	/* Send the Query */
+	do {
+		if (buffer)
+			free(buffer);
+
+		buf_len = resp_len * sizeof(uint8_t);
+
+		if (buf_len) {
+			buffer = malloc(buf_len);
+			if (!buffer) {
+				char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+				error(logopt, "malloc: %s", estr);
+				last_dns_status = ENOMEM;
+				last_dns_check = time(NULL);
+				return last_dns_status;
+			}
+		}
+
+		resp_len = res_query(name, C_IN, q_type, buffer, buf_len);
+		if (resp_len < 0) {
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "Failed to resolve %s (%s)", name, estr);
+			free(buffer);
+			last_dns_status = ENOENT;
+			last_dns_check = time(NULL);
+			return last_dns_status;
+		}
+
+		/* On AIX, Solaris, and possibly some older glibc systems (e.g. SLES8)
+		   truncated replies never give back a resp_len > buflen
+		   which ends up causing DNS resolve failures on large tcp DNS replies */
+
+		if (buf_len == resp_len) {
+			if (resp_len == MAX_DNS_PACKET_SIZE) {
+				error(logopt,
+				      "DNS reply too large when resolving %s",
+				      name);
+				free(buffer);
+				last_dns_status = EMSGSIZE;
+				last_dns_check = time(NULL);
+				return last_dns_status;
+			}
+
+			resp_len = MIN(resp_len * 2, MAX_DNS_PACKET_SIZE);
+		}
+	} while (buf_len < resp_len && resp_len <= MAX_DNS_PACKET_SIZE);
+
+	*rbuf = buffer;
+	*resp_length = resp_len;
+
+	last_dns_check = time(NULL);
+	last_dns_status = 0;
+
+	return 0;
+}
+
+static int dns_lookup_srv(unsigned int logopt, const char *name,
+			  struct dns_rr_srv **dclist, int *numdcs)
+{
+	uint8_t *buffer = NULL;
+	int resp_len = 0;
+	struct dns_rr_srv *dcs = NULL;
+	int query_count, answer_count;
+	uint8_t *p = buffer;
+	int rrnum;
+	int idx = 0;
+	char buf[MAX_ERR_BUF];
+	int ret;
+
+	if (!name || !dclist)
+		return -EINVAL;
+
+	/* Send the request.  May have to loop several times in case
+	   of large replies */
+
+	ret = dns_send_req(logopt, name, T_SRV, &buffer, &resp_len);
+	if (ret) {
+		error(logopt, "Failed to send DNS query");
+		return ret;
+	}
+	p = buffer;
+
+	/* For some insane reason, the ns_initparse() et. al. routines are only
+	   available in libresolv.a, and not the shared lib.  Who knows why....
+	   So we have to parse the DNS reply ourselves */
+
+	/* Pull the answer RR's count from the header.
+	 * Use the NMB ordering macros */
+
+	query_count      = RSVAL(p, 4);
+	answer_count     = RSVAL(p, 6);
+
+	debug(logopt,
+	      "%d records returned in the answer section.",
+	       answer_count);
+
+	if (answer_count) {
+		dcs = malloc(sizeof(struct dns_rr_srv) * answer_count);
+		if (!dcs) {
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "malloc: %s", estr);
+			free(buffer);
+			return ENOMEM;
+		}
+	}
+
+	/* now skip the header */
+
+	p += NS_HFIXEDSZ;
+
+	/* parse the query section */
+
+	for (rrnum = 0; rrnum < query_count; rrnum++) {
+		struct dns_query q;
+
+		ret = dns_parse_query(logopt, buffer, buffer+resp_len, &p, &q);
+		if (!ret) {
+			error(logopt,
+			      "Failed to parse query record [%d]", rrnum);
+			free(buffer);
+			free(dcs);
+			return EBADMSG;
+		}
+	}
+
+	/* now we are at the answer section */
+
+	for (rrnum = 0; rrnum < answer_count; rrnum++) {
+		ret = dns_parse_rr_srv(logopt,
+				       buffer, buffer+resp_len,
+				       &p, &dcs[rrnum]);
+		if (!ret) {
+			error(logopt,
+			      "Failed to parse answer record [%d]", rrnum);
+			free(buffer);
+			free(dcs);
+			return EBADMSG;
+		}
+	}
+	idx = rrnum;
+
+	qsort(dcs, idx, sizeof(struct dns_rr_srv), QSORT_CAST dnssrvcmp);
+
+	*dclist = dcs;
+	*numdcs = idx;
+
+	return 0;
+}
+
+static char *escape_dn_commas(const char *uri)
+{
+	size_t len = strlen(uri);
+	char *new, *tmp, *ptr;
+
+	ptr = (char *) uri;
+	while (*ptr) {
+		if (*ptr == '\\')
+			ptr += 2;
+		if (*ptr == ',')
+			len += 2;
+		ptr++;
+	}
+
+	new = malloc(len + 1);
+	if (!new)
+		return NULL;
+	memset(new, 0, len + 1);
+
+	ptr = (char *) uri;
+	tmp = new;
+	while (*ptr) {
+		if (*ptr == '\\') {
+			ptr++;
+			*tmp++ = *ptr++;
+			continue;
+		}
+		if (*ptr == ',') {
+			strcpy(tmp, "%2c");
+			ptr++;
+			tmp += 3;
+			continue;
+		}
+		*tmp++ = *ptr++;
+	}
+
+	return new;
+}
+
+void free_dclist(struct dclist *dclist)
+{
+	if (dclist->uri)
+		free((void *) dclist->uri);
+	free(dclist);
+}
+
+static char *getdnsdomainname(unsigned int logopt)
+{
+	struct addrinfo hints, *ni;
+	char name[MAX_DNS_NAME_LENGTH + 1];
+	char buf[MAX_ERR_BUF];
+	char *dnsdomain = NULL;
+	char *ptr;
+	int ret;
+
+	memset(name, 0, sizeof(name));
+	if (gethostname(name, MAX_DNS_NAME_LENGTH) == -1) {
+		char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+		error(logopt, "gethostname: %s", estr);
+		return NULL;
+	}
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+
+	ret = getaddrinfo(name, NULL, &hints, &ni);
+	if (ret) {
+		error(logopt, "hostname lookup failed: %s", gai_strerror(ret));
+		return NULL;
+	}
+
+	ptr = ni->ai_canonname;
+	while (*ptr && *ptr != '.')
+		ptr++;
+
+	if (*++ptr)
+		dnsdomain = strdup(ptr);
+
+	freeaddrinfo(ni);
+
+	return dnsdomain;
+}
+
+struct dclist *get_dc_list(unsigned int logopt, const char *uri)
+{
+	LDAPURLDesc *ludlist = NULL;
+	LDAPURLDesc **ludp;
+	struct dns_rr_srv *dcs;
+	unsigned int min_ttl = MAX_TTL;
+	struct dclist *dclist = NULL;;
+	char buf[MAX_ERR_BUF];
+	char *dn_uri, *esc_uri;
+	char *domain;
+	char *list;
+	int numdcs;
+	int ret;
+
+	if (strcmp(uri, "ldap:///") && strcmp(uri, "ldaps:///")) {
+		dn_uri = strdup(uri);
+		if (!dn_uri) {
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "strdup: %s", estr);
+			return NULL;
+		}
+	} else {
+		char *dnsdomain;
+		char *hdn;
+
+		dnsdomain = getdnsdomainname(logopt);
+		if (!dnsdomain) {
+			error(logopt, "failed to get dns domainname");
+			return NULL;
+		}
+
+		if (ldap_domain2dn(dnsdomain, &hdn) || hdn == NULL) {
+			error(logopt,
+			      "Could not turn domain \"%s\" into a dn\n",
+			      dnsdomain);
+			free(dnsdomain);
+			return NULL;
+		}
+		free(dnsdomain);
+
+		dn_uri = malloc(strlen(uri) + strlen(hdn) + 1);
+		if (!dn_uri) {
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "malloc: %s", estr);
+			ber_memfree(hdn);
+			return NULL;
+		}
+
+		strcpy(dn_uri, uri);
+		strcat(dn_uri, hdn);
+		ber_memfree(hdn);
+	}
+
+	esc_uri = escape_dn_commas(dn_uri);
+	if (!esc_uri) {
+		error(logopt, "Could not escape commas in uri %s", dn_uri);
+		free(dn_uri);
+		return NULL;
+	}
+
+	ret = ldap_url_parse(esc_uri, &ludlist);
+	if (ret != LDAP_URL_SUCCESS) {
+		error(logopt, "Could not parse uri %s (%d)", dn_uri, ret);
+		free(esc_uri);
+		free(dn_uri);
+		return NULL;
+	}
+
+	free(esc_uri);
+
+	if (!ludlist) {
+		error(logopt, "No dn found in uri %s", dn_uri);
+		free(dn_uri);
+		return NULL;
+	}
+
+	free(dn_uri);
+
+	dclist = malloc(sizeof(struct dclist));
+	if (!dclist) {
+		char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+		error(logopt, "malloc: %s", estr);
+		ldap_free_urldesc(ludlist);
+		return NULL;
+	}
+	memset(dclist, 0, sizeof(struct dclist));
+
+	list = NULL;
+	for (ludp = &ludlist; *ludp != NULL;) {
+		LDAPURLDesc *lud = *ludp;
+		size_t req_len, len;
+		char *request = NULL;
+		char *tmp;
+		int i;
+
+		if (!lud->lud_dn && !lud->lud_dn[0] &&
+		   (!lud->lud_host || !lud->lud_host[0])) {
+			*ludp = lud->lud_next;
+			continue;
+		}
+
+		domain = NULL;
+		if (ldap_dn2domain(lud->lud_dn, &domain) || domain == NULL) {
+			error(logopt,
+			      "Could not turn dn \"%s\" into a domain",
+			      lud->lud_dn);
+			*ludp = lud->lud_next;
+			continue;
+		}
+
+		debug(logopt, "doing lookup of SRV RRs for domain %s", domain);
+
+		req_len = sizeof("_ldap._tcp.") + strlen(domain);
+		request = malloc(req_len);
+		if (!request) {
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "malloc: %s", estr);
+			goto out_error;
+		}
+
+		ret = snprintf(request, req_len, "_ldap._tcp.%s", domain);
+		if (ret >= req_len) {
+			free(request);
+			goto out_error;
+		}
+
+		dclist_mutex_lock();
+		if (dns_lookup_srv(logopt, request, &dcs, &numdcs)) {
+			error(logopt,
+			      "DNS SRV query failed for domain %s", domain);
+			dclist_mutex_unlock();
+			free(request);
+			goto out_error;
+		}
+		dclist_mutex_unlock();
+		free(request);
+
+		len = strlen(lud->lud_scheme);
+		len += sizeof("://");
+		len *= numdcs;
+
+		for (i = 0; i < numdcs; i++) {
+			if (dcs[i].ttl > 0 && dcs[i].ttl < min_ttl)
+				min_ttl = dcs[i].ttl;
+			len += strlen(dcs[i].hostname);
+			if (dcs[i].port > 0)
+				len += sizeof(":65535");
+		}
+
+		tmp = realloc(list, len);
+		if (!tmp) {
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "realloc: %s", estr);
+			goto out_error;
+		}
+
+		if (!list)
+			memset(tmp, 0, len);
+		else
+			strcat(tmp, " ");
+
+		for (i = 0; i < numdcs; i++) {
+			if (i > 0)
+				strcat(tmp, " ");
+			strcat(tmp, lud->lud_scheme);
+			strcat(tmp, "://");
+			strcat(tmp, dcs[i].hostname);
+			if (dcs[i].port > 0) {
+				char port[7];
+				ret = snprintf(port, 7, ":%d", dcs[i].port);
+				if (ret > 6) {
+					error(logopt,
+					      "invalid port: %u", dcs[i].port);
+					goto out_error;
+				}
+				strcat(tmp, port);
+			}
+		}
+		list = tmp;
+
+		*ludp = lud->lud_next;
+		ber_memfree(domain);
+	}
+
+	ldap_free_urldesc(ludlist);
+
+	dclist->expire = time(NULL) + min_ttl;
+	dclist->uri = list;
+
+	return dclist;
+
+out_error:
+	if (list)
+		free(list);
+	if (domain)
+		ber_memfree(domain);
+	ldap_free_urldesc(ludlist);
+	free_dclist(dclist);
+	return NULL;
+}
diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
index a847622..f6b3f42 100644
--- a/modules/lookup_ldap.c
+++ b/modules/lookup_ldap.c
@@ -643,14 +643,26 @@ static LDAP *find_server(unsigned logopt, struct lookup_context *ctxt)
 	LDAP *ldap = NULL;
 	struct ldap_uri *this;
 	struct list_head *p, *first;
+	struct dclist *dclist = NULL;
+	char *uri = NULL;
 
-	/* Try each uri in list, add connect fails to tmp list */
 	uris_mutex_lock(ctxt);
+	if (ctxt->dclist) {
+		dclist = ctxt->dclist;
+		if (ctxt->dclist->expire < time(NULL)) {
+			free_dclist(ctxt->dclist);
+			ctxt->dclist = NULL;
+			dclist = NULL;
+		}
+	}
 	if (!ctxt->uri)
 		first = ctxt->uris;
 	else
 		first = &ctxt->uri->list;
 	uris_mutex_unlock(ctxt);
+
+
+	/* Try each uri, save point in server list upon success */
 	p = first->next;
 	while(p != first) {
 		/* Skip list head */
@@ -659,25 +671,62 @@ static LDAP *find_server(unsigned logopt, struct lookup_context *ctxt)
 			continue;
 		}
 		this = list_entry(p, struct ldap_uri, list);
-		debug(logopt, "trying server %s", this->uri);
-		ldap = connect_to_server(logopt, this->uri, ctxt);
+		if (!strstr(this->uri, ":///"))
+			uri = strdup(this->uri);
+		else {
+			if (dclist)
+				uri = strdup(dclist->uri);
+			else {
+				struct dclist *tmp;
+				tmp = get_dc_list(logopt, this->uri);
+				if (!tmp) {
+					p = p->next;
+					continue;
+				}
+				dclist = tmp;
+				uri = strdup(dclist->uri);
+			}
+		}
+		if (!uri) {
+			p = p->next;
+			continue;
+		}
+		debug(logopt, "trying server uri %s", uri);
+		ldap = connect_to_server(logopt, uri, ctxt);
 		if (ldap) {
-			info(logopt, "connected to uri %s", this->uri);
-			uris_mutex_lock(ctxt);
-			ctxt->uri = this;
-			uris_mutex_unlock(ctxt);
+			info(logopt, "connected to uri %s", uri);
+			free(uri);
 			break;
 		}
+		free(uri);
+		uri = NULL;
+		free_dclist(dclist);
+		dclist = NULL;
 		p = p->next;
 	}
 
+	uris_mutex_lock(ctxt);
+	if (ldap)
+		ctxt->uri = this;
+	if (dclist) {
+		if (!ctxt->dclist)
+			ctxt->dclist = dclist;
+		else {
+			if (ctxt->dclist != dclist) {
+				free_dclist(ctxt->dclist);
+				ctxt->dclist = dclist;
+			}
+		}
+	}
+	uris_mutex_unlock(ctxt);
+
 	return ldap;
 }
 
 static LDAP *do_reconnect(unsigned logopt, struct lookup_context *ctxt)
 {
-	struct ldap_uri *this;
 	LDAP *ldap;
+	char *uri;
 
 	if (ctxt->server || !ctxt->uris) {
 		ldap = do_connect(logopt, ctxt->server, ctxt);
@@ -692,9 +741,20 @@ static LDAP *do_reconnect(unsigned logopt, struct lookup_context *ctxt)
 	}
 
 	uris_mutex_lock(ctxt);
-	this = ctxt->uri;
+	if (ctxt->dclist)
+		uri = strdup(ctxt->dclist->uri);
+	else
+		uri = strdup(ctxt->uri->uri);
 	uris_mutex_unlock(ctxt);
-	ldap = do_connect(logopt, this->uri, ctxt);
+
+	if (!uri) {
+		char buf[MAX_ERR_BUF];
+		char *estr = strerror_r(errno, buf, sizeof(buf));
+		crit(logopt, MODPREFIX "strdup: %s", estr);
+		return NULL;
+	}
+
+	ldap = do_connect(logopt, uri, ctxt);
 #ifdef WITH_SASL
 	/*
 	 * Dispose of the sasl authentication connection and try the
@@ -702,9 +762,11 @@ static LDAP *do_reconnect(unsigned logopt, struct lookup_context *ctxt)
 	 */
 	if (!ldap) {
 		autofs_sasl_dispose(ctxt);
-		ldap = connect_to_server(logopt, this->uri, ctxt);
+		ldap = connect_to_server(logopt, uri, ctxt);
 	}
 #endif
+	free(uri);
+
 	if (ldap)
 		return ldap;
 
@@ -1296,6 +1358,8 @@ static void free_context(struct lookup_context *ctxt)
 		fatal(ret);
 	if (ctxt->sdns)
 		defaults_free_searchdns(ctxt->sdns);
+	if (ctxt->dclist)
+		free_dclist(ctxt->dclist);
 	free(ctxt);
 
 	return;
diff --git a/redhat/autofs.sysconfig.in b/redhat/autofs.sysconfig.in
index 97e20fe..37448ea 100644
--- a/redhat/autofs.sysconfig.in
+++ b/redhat/autofs.sysconfig.in
@@ -50,6 +50,17 @@ BROWSE_MODE="no"
 # 	     Map entries that include a server name override
 # 	     this option.
 #
+#	     This configuration option can also be used to
+#	     request autofs lookup SRV RRs for a domain of
+#	     the form <proto>:///[<domain dn>]. Note that a
+#	     trailing "/" is not allowed when using this form.
+#	     If the domain dn is not specified the dns domain
+#	     name (if any) is used to construct the domain dn
+#	     for the SRV RR lookup. The server list returned
+#	     from an SRV RR lookup is refreshed according to
+#	     the minimum ttl found in the SRV RR records or
+#	     after one hour, whichever is less.
+#
 #LDAP_URI=""
 #
 # LDAP__TIMEOUT - timeout value for the synchronous API  calls
diff --git a/samples/autofs.conf.default.in b/samples/autofs.conf.default.in
index 62084c2..7dee5fd 100644
--- a/samples/autofs.conf.default.in
+++ b/samples/autofs.conf.default.in
@@ -48,6 +48,17 @@ BROWSE_MODE="no"
 # 	     Map entries that include a server name override
 # 	     this option.
 #
+#	     This configuration option can also be used to
+#	     request autofs lookup SRV RRs for a domain of
+#	     the form <proto>:///[<domain dn>]. Note that a
+#	     trailing "/" is not allowed when using this form.
+#	     If the domain dn is not specified the dns domain
+#	     name (if any) is used to construct the domain dn
+#	     for the SRV RR lookup. The server list returned
+#	     from an SRV RR lookup is refreshed according to
+#	     the minimum ttl found in the SRV RR records or
+#	     after one hour, whichever is less.
+#
 #LDAP_URI=""
 #
 # LDAP__TIMEOUT - timeout value for the synchronous API  calls