Full_Name: Jochen Keutel
Version: 2.4.21
OS: Solaris 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.159.206.14)

The code for detecting LDAP servers via DNS SRV records seems to handle only ldap URLs - not ldaps URLs. Esp.: If you access an OpenLDAP server with ldaps://host1/..., then the DNS SRV code returns a URL like ldap://host2/... . So the LDAP server chains the original ldaps request as an LDAP query without TLS. This gets problematic when the (company / project) requirements clearly state that only ldaps has to be used ...

The problematic code seems to be in libraries/libldap/dnssrv.c, function ldap_domain2hostlist():

    request = LDAP_MALLOC(strlen(domain) + sizeof("_ldap._tcp."));
    ...
    sprintf(request, "_ldap._tcp.%s", domain);

So always "_ldap._tcp" is used (hard coded) - not "_ldaps._tcp" in case of ldaps in the original query.

I'd suggest introducing a third parameter to that function:

    int ldap_domain2hostlist(
        LDAP_CONST char *protocol,
        LDAP_CONST char *domain,
        char **list )

protocol is either "ldap" or "ldaps". The code calling this function (slapd/back-dnssrv/search.c and referral.c) has to be adjusted as well.

I'm not sure whether you want me to deliver a complete patch or not ...

Thanks to my colleague Manuel Gaupp for detecting this problem.

Best regards, Jochen.
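As an added illustration of the proposal above (example code written here, not OpenLDAP's dnssrv.c), the following C helpers carry the scheme of the original URL into both the SRV query name and the URLs built from the SRV targets, so an ldaps request is not turned into an ldap one; the names url_scheme, srv_query_name and srv_target_url are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OpenLDAP code: map a scheme to its SRV label; NULL rejects others. */
static const char *srv_label_for_scheme(const char *scheme)
{
    if (strcmp(scheme, "ldap") == 0)  return "_ldap._tcp.";
    if (strcmp(scheme, "ldaps") == 0) return "_ldaps._tcp.";
    return NULL;
}

/* "ldaps://host1/..." -> "ldaps"; -1 if "://" is missing or the scheme does not fit. */
int url_scheme(const char *url, char *buf, size_t buflen)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL) return -1;
    size_t len = (size_t)(sep - url);
    if (len == 0 || len >= buflen) return -1;
    memcpy(buf, url, len);
    buf[len] = '\0';
    return 0;
}

/* Build "_ldaps._tcp.example.com" rather than the hard-coded "_ldap._tcp.%s"; -1 on bad scheme or short buffer. */
int srv_query_name(const char *scheme, const char *domain, char *buf, size_t buflen)
{
    const char *label = srv_label_for_scheme(scheme);
    if (label == NULL) return -1;
    int n = snprintf(buf, buflen, "%s%s", label, domain);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Format one SRV target as a URL that keeps the original scheme (ldaps stays ldaps). */
int srv_target_url(const char *scheme, const char *host, unsigned port, char *buf, size_t buflen)
{
    if (srv_label_for_scheme(scheme) == NULL) return -1;
    int n = snprintf(buf, buflen, "%s://%s:%u/", scheme, host, port);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    char scheme[8], query[128], url[128];   /* constructed sample input below */
    if (url_scheme("ldaps://host1/dc=example,dc=com", scheme, sizeof scheme) == 0 &&
        srv_query_name(scheme, "example.com", query, sizeof query) == 0 &&
        srv_target_url(scheme, "host2.example.com", 636, url, sizeof url) == 0)
        printf("%s -> %s\n", query, url);
    return 0;
}
```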
--On Wednesday, January 27, 2010 1:28 AM +0000 jochen@keutel.de wrote:

> Full_Name: Jochen Keutel
> Version: 2.4.21
> OS: Solaris 10
> URL: ftp://ftp.openldap.org/incoming/

> protocol is either "ldap" or "ldaps".

LDAPS is not a defined protocol. I would suggest using LDAP with startTLS, which is RFC defined.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
changed notes
changed state Open to Suspended
moved from Incoming to Software Enhancements
> --On Wednesday, January 27, 2010 1:28 AM +0000 jochen@keutel.de wrote:
>
>> Full_Name: Jochen Keutel
>> Version: 2.4.21
>> OS: Solaris 10
>> URL: ftp://ftp.openldap.org/incoming/
>
>> protocol is either "ldap" or "ldaps".
>
> LDAPS is not a defined protocol. I would suggest using LDAP with
> startTLS, which is RFC defined.

One could argue that OpenLDAP supports ldaps in many places. I agree in general with your reply, but I'd treat this ITS as a feature request, although I'm not going to give it any special priority.

p.
feature request?