Issue 6462 - DNS SRV records: ldaps ???
Summary: DNS SRV records: ldaps ???
Status: VERIFIED SUSPENDED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.21
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2010-01-27 01:28 UTC by jochen@keutel.de
Modified: 2021-08-03 17:59 UTC (History)
Description jochen@keutel.de 2010-01-27 01:28:08 UTC
Full_Name: Jochen Keutel
Version: 2.4.21
OS: Solaris 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.159.206.14)


The code for detecting LDAP servers via DNS SRV records seems to handle only
ldap URLs - not ldaps URLs.

Esp.: If you access an OpenLDAP server with ldaps://host1/..., then the DNS SRV
code returns a URL like ldap://host2/... . So the LDAP server chains the
original ldaps request as an LDAP query without TLS.

This gets problematic when the (company / project) requirements clearly state
that only ldaps has to be used ...

The problematic code seems to be in libraries/libldap/dnssrv.c, function
ldap_domain2hostlist():

request = LDAP_MALLOC(strlen(domain) + sizeof("_ldap._tcp."));
...
sprintf(request, "_ldap._tcp.%s", domain);

So "_ldap._tcp" is always used (hard coded), not "ldaps._tcp", when the original
query uses ldaps.

I'd suggest introducing a third parameter to that function:

int ldap_domain2hostlist(
	LDAP_CONST char *protocol,
	LDAP_CONST char *domain,
	char **list )

protocol is either "ldap" or "ldaps".

The code calling this function (slapd/back-dnssrv/search.c and referral.c) has
to be adjusted as well.

I'm not sure whether you want me to deliver a complete patch or not ... 

Thanks to my colleague Manuel Gaupp for detecting this problem.

Best regards,  Jochen.
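As an added illustration of the fix the report proposes (this is not code from OpenLDAP's dnssrv.c; srv_query_name, url_scheme and referral_keeps_scheme are hypothetical names), the SRV query name is built from the scheme of the original URL instead of a hard-coded "_ldap._tcp", with the buffer size computed from the protocol length, and a helper checks that a referral keeps the scheme of the request it was derived from:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical replacement for the "_ldap._tcp.%s" construction in
 * ldap_domain2hostlist(): the SRV service label follows the URL scheme
 * instead of being hard coded. Returns 0 on success, -1 on bad input. */
int srv_query_name(const char *protocol, const char *domain, char **out)
{
    size_t need;
    if (protocol == NULL || domain == NULL || out == NULL)
        return -1;
    /* Accept only the two schemes the report discusses, so an unexpected
     * scheme cannot quietly fall back to an "_ldap._tcp" lookup. */
    if (strcmp(protocol, "ldap") != 0 && strcmp(protocol, "ldaps") != 0)
        return -1;
    /* "_" + protocol + "._tcp." + domain + NUL: the length now depends on
     * the protocol, so it is computed instead of taken from a sizeof(). */
    need = 1 + strlen(protocol) + strlen("._tcp.") + strlen(domain) + 1;
    *out = malloc(need);
    if (*out == NULL)
        return -1;
    snprintf(*out, need, "_%s._tcp.%s", protocol, domain);
    return 0;
}

/* Copy the scheme of an LDAP URL ("ldaps://host1/..." -> "ldaps") into
 * scheme[]; returns 0 on success, -1 if there is no scheme or it is too long. */
int url_scheme(const char *url, char *scheme, size_t scheme_len)
{
    const char *sep = url ? strstr(url, "://") : NULL;
    size_t n = sep ? (size_t)(sep - url) : 0;
    if (n == 0 || n + 1 > scheme_len)
        return -1;
    memcpy(scheme, url, n);
    scheme[n] = '\0';
    return 0;
}

/* The property the report asks for: a referral built from an SRV answer must
 * keep the scheme of the original request (no ldaps -> ldap downgrade).
 * Returns 1 when the schemes match, 0 otherwise. */
int referral_keeps_scheme(const char *request_url, const char *referral_url)
{
    char a[16], b[16];
    if (url_scheme(request_url, a, sizeof a) != 0) return 0;
    if (url_scheme(referral_url, b, sizeof b) != 0) return 0;
    return strcmp(a, b) == 0;
}
```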
Comment 1 Quanah Gibson-Mount 2010-01-27 05:53:53 UTC
--On Wednesday, January 27, 2010 1:28 AM +0000 jochen@keutel.de wrote:

> Full_Name: Jochen Keutel
> Version: 2.4.21
> OS: Solaris 10
> URL: ftp://ftp.openldap.org/incoming/

> protocol is either "ldap" or "ldaps".

LDAPS is not a defined protocol.  I would suggest using LDAP with startTLS, 
which is RFC Defined.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Comment 2 ando@openldap.org 2010-04-17 15:40:26 UTC
changed notes
changed state Open to Suspended
moved from Incoming to Software Enhancements
Comment 3 ando@openldap.org 2010-04-17 22:40:22 UTC
> --On Wednesday, January 27, 2010 1:28 AM +0000 jochen@keutel.de wrote:
>
>> Full_Name: Jochen Keutel
>> Version: 2.4.21
>> OS: Solaris 10
>> URL: ftp://ftp.openldap.org/incoming/
>
>> protocol is either "ldap" or "ldaps".
>
> LDAPS is not a defined protocol.  I would suggest using LDAP with
> startTLS,
> which is RFC Defined.

One could argue that OpenLDAP supports ldaps in many places.  I agree in
general with your reply, but I'd treat this ITS as a feature request,
although I'm not going to give it any special priority.

p.

Comment 4 OpenLDAP project 2014-08-01 21:04:54 UTC
feature request?