
Re: (ITS#5919) URI syntax (ldap:///dc=my%2cdc=domaine)

ando@sys-net.it wrote:
> Philippe.eychart@informatique.gov.pf wrote:
> 
>> The "tool_conn_setup" function (in common.c) authorises the URL syntax
>> "ldap:///dc=my%2cdc=domaine", which produces a SRV request to find the best server
>> to request (not yet according to RFC 2782 - I've made a dnssrv.c patch to
>> implement priorities and I'm trying to implement weight before submitting this work). So,
>> the client tools - ldapsearch, ldapadd, ... permit this syntax (via the
>> "ldap_dn2domain" and "ldap_domain2hostlist" functions).
> 
> This was done to allow testing client-side the DNS SRV feature.
> 
>> Unfortunately, ldap_initialize() doesn't use these functions (but only
>> ldap_url_parselist_ext()) and doesn't allow this syntax. So, other packages
>> (like SAMBA) don't enjoy this capability: "passdb backend =
>> ldapsam:ldap:///dc=my%2cdc=domain", according to an SRV definition
>> "_ldap._tcp.my.domain. IN SRV ..."
>>
>> Is there any reason for that? Can we envisage extending this possibility?
> 
> None that I'm aware of.  Feel free to move that code from tools to 
> libldap.  Patches are welcome, as usual.

But please put a note into the accompanying man-page with a strong
recommendation not to use it without further security mechs. I wouldn't
configure Samba like this. (Similar problems to DNS lookups in
Kerberos implementations for realm and KDC discovery.)

I've implemented something like this in web2ldap but the SRV mech causes
a user interaction on the UI. So the user has a vague chance to
determine whether he's being tricked into another DSA by DNS spoofing.

Ciao, Michael.
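The mechanism the thread discusses (a hostless ldap:///&lt;dn&gt; URL mapped to a DNS domain, an _ldap._tcp SRV lookup, and RFC 2782 priority/weight ordering of the answers), as an added example that is not part of this thread or of libldap. The dn2domain and domain2hostlist functions below are simplified reimplementations of the idea behind libldap's ldap_dn2domain and ldap_domain2hostlist, not their actual algorithms; the SRV records are constructed sample data, and the resolver is injected so the example runs offline. In line with Michael's point, the function only produces an ordered host list: the DNS answer is unauthenticated, so whoever consumes the list still has to verify the server it ends up talking to.

```python
"""Added example: ldap:///<dn> URL -> DNS domain -> RFC 2782 ordered host list."""
import random
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# An SRV record as (priority, weight, port, target).
SrvRecord = Tuple[int, int, int, str]


def dn2domain(dn: str) -> str:
    """Map the trailing run of dc= RDNs of a DN to a DNS domain name.

    Simplified version of the idea behind libldap's ldap_dn2domain (assumption:
    not its exact algorithm). "ou=people,dc=my,dc=domaine" -> "my.domaine".
    """
    labels: List[str] = []
    for rdn in reversed(dn.split(",")):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "dc" and value.strip():
            labels.insert(0, value.strip())
        else:
            break  # stop at the first non-dc RDN seen from the right
    if not labels:
        raise ValueError("no dc= components in DN: %r" % dn)
    return ".".join(labels)


def url_to_srv_name(url: str) -> str:
    """Turn a hostless ldap:///<dn> URL into its _ldap._tcp.<domain> SRV owner name.

    Only URLs without a host part qualify; a URL that names a host is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or parts.netloc:
        raise ValueError("not a hostless ldap:/// URL: %r" % url)
    dn = unquote(parts.path.lstrip("/"))  # %2c -> ","
    return "_ldap._tcp." + dn2domain(dn)


def order_srv_targets(records: List[SrvRecord],
                      rng: Callable[[int], int] = lambda n: random.randint(0, n)) -> List[SrvRecord]:
    """Order SRV records per RFC 2782: lowest priority first, weighted random within a priority.

    rng(n) returns an integer in [0, n]; it is injectable so tests are deterministic.
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        # RFC 2782: weight-0 records go first in the pool so they keep a small chance.
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            pick = rng(sum(r[1] for r in pool))
            running = 0
            for idx, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(idx))
                    break
    return ordered


def domain2hostlist(srv_name: str, resolve: Callable[[str], List[SrvRecord]],
                    rng: Callable[[int], int] = lambda n: random.randint(0, n)) -> str:
    """Resolve srv_name and return a space-separated host:port list in RFC 2782 order.

    Assumption: this mirrors the shape ldap_domain2hostlist hands on, not its code.
    The DNS answer is unauthenticated, so the caller must still authenticate the
    server it connects to (e.g. TLS certificate verification or SASL mutual auth).
    """
    records = resolve(srv_name)
    if not records:
        raise LookupError("no SRV records for " + srv_name)
    return " ".join("%s:%d" % (r[3].rstrip("."), r[2])
                    for r in order_srv_targets(records, rng))


# Constructed sample zone data for the thread's domain (not real hosts).
SAMPLE_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.my.domaine": [
        (10, 60, 389, "ldap1.my.domaine."),
        (10, 40, 389, "ldap2.my.domaine."),
        (20, 0, 389, "backup.my.domaine."),
    ]
}


def sample_resolver(name: str) -> List[SrvRecord]:
    """Offline stand-in for a real SRV lookup, backed by SAMPLE_SRV."""
    return SAMPLE_SRV.get(name, [])


if __name__ == "__main__":
    name = url_to_srv_name("ldap:///dc=my%2cdc=domaine")
    print(name, "->", domain2hostlist(name, sample_resolver))
```

With a fixed rng the ordering is reproducible; with the default random rng, ldap1 is preferred about 60% of the time within priority 10, and backup (priority 20) is always tried last.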