
(ITS#6462) DNS SRV records: ldaps ???



Full_Name: Jochen Keutel
Version: 2.4.21
OS: Solaris 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.159.206.14)


The code for detecting LDAP servers via DNS SRV records seems to handle only
ldap URLs - not ldaps URLs.

Esp.: If you access an OpenLDAP server with ldaps://host1/..., then the DNS SRV
code returns a URL like ldap://host2/... . So the LDAP server chains the
original ldaps request as an LDAP query without TLS.

This gets problematic when the (company / project) requirements clearly state
that only ldaps has to be used ...

The problematic code seems to be in libraries/libldap/dnssrv.c, function
ldap_domain2hostlist():

request = LDAP_MALLOC(strlen(domain) + sizeof("_ldap._tcp."));
...
sprintf(request, "_ldap._tcp.%s", domain);

So "_ldap._tcp" is always used (hard-coded) - not "_ldaps._tcp" in case of ldaps
in the original query.

I'd suggest introducing a third parameter to that function:

int ldap_domain2hostlist(
	LDAP_CONST char *protocol,
	LDAP_CONST char *domain,
	char **list )

protocol is either "ldap" or "ldaps".

The code calling this function (slapd/back-dnssrv/search.c and referral.c) has
to be adjusted as well.
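As an added illustration of the proposed change (example code, not OpenLDAP's own; the function names srv_query_name and url_scheme_allowed are hypothetical and do not exist in libldap), this builds the SRV owner name from the requested scheme instead of hard-coding "_ldap._tcp", and checks that a referral chased for an ldaps request is not silently downgraded to plain ldap:

```c
/* Added example, not OpenLDAP code. Derives the DNS SRV query name from
 * the URL scheme of the original request and guards against chaining an
 * ldaps request over a TLS-less ldap:// URL. */
#include <stdio.h>
#include <string.h>

/* Map the scheme to its SRV service label ("_ldap._tcp." or
 * "_ldaps._tcp.") and append the domain. Only the two known schemes are
 * accepted, so no caller-supplied text ends up in the label itself.
 * Returns 0 on success, -1 on an unknown scheme, an empty or malformed
 * domain, or a buffer that is too small. */
int srv_query_name(const char *protocol, const char *domain,
                   char *out, size_t outlen)
{
    const char *service;
    int n;

    if (protocol != NULL && strcmp(protocol, "ldap") == 0)
        service = "_ldap._tcp.";
    else if (protocol != NULL && strcmp(protocol, "ldaps") == 0)
        service = "_ldaps._tcp.";
    else
        return -1;

    /* A domain is a DNS name: reject empty input and URL-ish separators. */
    if (domain == NULL || *domain == '\0' ||
        strchr(domain, '/') != NULL || strchr(domain, ' ') != NULL)
        return -1;

    n = snprintf(out, outlen, "%s%s", service, domain);
    if (n < 0 || (size_t)n >= outlen)
        return -1;      /* truncated: never hand a partial name to the resolver */
    return 0;
}

/* Check a URL obtained from the SRV answer against the scheme of the
 * original request. A request that arrived as ldaps:// may only be chased
 * over ldaps://; a plain ldap:// request may use either scheme. Returns 1
 * if the URL is acceptable, 0 otherwise (unknown scheme included). */
int url_scheme_allowed(const char *original_scheme, const char *url)
{
    int is_ldaps = strncmp(url, "ldaps://", 8) == 0;
    int is_ldap  = strncmp(url, "ldap://", 7) == 0;

    if (strcmp(original_scheme, "ldaps") == 0)
        return is_ldaps;
    if (strcmp(original_scheme, "ldap") == 0)
        return is_ldap || is_ldaps;
    return 0;
}
```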

I'm not sure whether you want me to deliver a complete patch or not ... 

Thanks to my colleague Manuel Gaupp for detecting this problem.

Best regards,  Jochen.