
Re: LDAP Root for dc style naming



At 11:15 PM 1/14/00 +1100, David J N Begley wrote:
>Further, I'd be wary of allowing the "well known aliases" approach as it could
>lead to the same problem that happened when Squid used to (by default,
>regardless what the config said) automatically "announce" every proxy to a
>central source (lots of proxies were being used as peers without their
>permission, before the respective admins worked their way up the learning
>curve to apply ACLs).

Did Squid modify DNS records automatically?  I think this is a different
issue.

For SRV or well known aliases to work for a domain, the domain administrator
must modify their DNS zone to provide the SRV or CNAME records.  It is
assumed that if they do modify their DNS zones and publish these records
to the Internet that they do so with intent of the Internet using them.

>In this case, anyone firing up an LDAP server without ACLs would, unwittingly,
>be opening up their directory to the entire world (yes, I know they've done it
>already - but this would seem to make it easier).

Just firing up a server is not enough to be found.  DNS zone
changes must be made.

>Hmm.. in a way, so could SRV records I s'pose... damn.

Yes.


>> Basically the server would accept a search for "dc=openldap,dc=org", look
>> up SRV/aliases for ldap at openldap.org and then construct a URL and
>> return it as a referral.
>> 
>> Such a backend would be fairly easy to write.
>> 
>> Comments?  Volunteers?
>
>As above - prima facie it seems to do exactly what you suggest (ie., root LDAP
>tree without setting up another registration service);  my only concern is as
>above, the "ease" with which it could be used to peek on LDAP servers that
>have yet to be protected.

A root would provide referrals to any and all which have
SRV or well known aliases established in their DNS zones.
The key is that the act of "registration" to the root is a
local one, not a central one.  However, there is still
"registration".

>There's also the matter of differing base DNs (ie.,
>the LDAP directory for acme.com might not use "dc=acme,dc=com" as its base
>DN), but I guess an intelligent LDAP client could probe first for LDAPv3
>support and if present, check the root DSE for naming contexts.

Well, if directories intend to have SRV or well known aliases established
then they should adhere to established practices.  Both practices are
in use and are in the process of being documented.  Those operating
directories on the Internet are presumed to be aware of these
practices.  If not, well, they'll get some curious log messages...

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
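The referral backend sketched in this exchange, written out as an added example (this is not code from the thread or from OpenLDAP). It maps the trailing dc= components of a search base to a domain name, looks up `_ldap._tcp.<domain>` SRV records and, failing that, a "well known alias" host assumed here to be `ldap.<domain>`, and builds the LDAP URLs the root would hand back as a referral. Real DNS is replaced by constructed zone data so the script runs offline; the SRV record names and hosts in that data are made up for the illustration, and the ordering within a priority is deterministic rather than the weighted random choice RFC 2782 asks for.

```python
"""Added example: a DNS-rooted LDAP referral backend, as sketched in the thread.

Given a search base such as dc=openldap,dc=org the root server
  1. maps the trailing dc= components to a domain name (openldap.org),
  2. looks up _ldap._tcp.<domain> SRV records, falling back to a
     "well known alias" host ldap.<domain> (assumed naming),
  3. returns LDAP URLs to hand back as a referral.
Real DNS is replaced by constructed zone data so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import quote


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str  # fully qualified, trailing dot as in DNS


# Constructed sample records (not real DNS data). openldap.org publishes SRV;
# example.com publishes only the alias host; nowhere.test publishes nothing.
SAMPLE_SRV: Dict[str, List[SRV]] = {
    "_ldap._tcp.openldap.org.": [
        SRV(priority=20, weight=0, port=389, target="ldap2.openldap.org."),
        SRV(priority=10, weight=0, port=389, target="ldap.openldap.org."),
    ],
}
SAMPLE_ALIAS_HOSTS = {"ldap.example.com."}


def sample_srv_lookup(name: str) -> List[SRV]:
    """Stand-in for an SRV query against DNS; answers only from SAMPLE_SRV."""
    return list(SAMPLE_SRV.get(name, []))


def sample_host_exists(name: str) -> bool:
    """Stand-in for an A/CNAME query; true only for the constructed alias hosts."""
    return name in SAMPLE_ALIAS_HOSTS


def dn_to_domain(dn: str) -> Optional[str]:
    """Turn the trailing run of dc= RDNs into a domain (RFC 2247 mapping).

    'cn=x,dc=openldap,dc=org' -> 'openldap.org'; 'o=Acme,c=US' -> None.
    Toy splitter: assumes no escaped commas inside RDN values.
    """
    labels: List[str] = []
    for rdn in reversed(dn.split(",")):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc" or not value.strip():
            break
        labels.append(value.strip())
    return ".".join(reversed(labels)) if labels else None


def referral_urls(
    dn: str,
    srv_lookup: Callable[[str], List[SRV]] = sample_srv_lookup,
    host_exists: Callable[[str], bool] = sample_host_exists,
) -> List[str]:
    """Build the LDAP URLs a DNS-rooted server would return as a referral.

    Returns [] when the DN has no dc= components or the domain publishes
    neither SRV records nor the well-known alias, i.e. the directory has not
    "registered" itself in its own zone and cannot be found through the root.
    """
    domain = dn_to_domain(dn)
    if domain is None:
        return []
    # The DN becomes the URL path; keep '=' and ',' readable, escape the rest.
    path = quote(dn, safe="=,")
    records = srv_lookup(f"_ldap._tcp.{domain}.")
    if records:
        # Lowest priority first; higher weight first within a priority.
        # (RFC 2782 wants weighted random choice within a priority; a
        # deterministic order is used here so results are reproducible.)
        ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
        return [f"ldap://{r.target.rstrip('.')}:{r.port}/{path}" for r in ordered]
    alias = f"ldap.{domain}."
    if host_exists(alias):
        return [f"ldap://{alias.rstrip('.')}:389/{path}"]
    return []


if __name__ == "__main__":
    for base in ("dc=openldap,dc=org", "ou=people,dc=example,dc=com",
                 "dc=nowhere,dc=test", "o=Acme,c=US"):
        print(base, "->", referral_urls(base) or "no referral")
```

The empty result for `dc=nowhere,dc=test` is the point made above about "registration" being local: the root only ever points at servers whose own zone already advertises them, so a directory with no SRV or alias records is not exposed by the root, and one that does publish them is exposed whether or not the root exists.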