
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



On Tue, 5 Feb 2002, Keith Moore wrote:

> this from section 5:
>
>    The client MUST use the server hostname it used to open the LDAP
>    connection as the value to compare against the server name as
>    expressed in the server's certificate.  The client MUST NOT use the
>    server's canonical DNS name or any other derived form of name.

Oops, this was a cut-n-paste error.  The text above is actually straight
out of RFC 2830.  The actual text that was supposed to be in the locate
document (as proposed by me in a message to the ldapext list 19 Mar 2001)
is:

   When using LDAP with TLS the client must check the server's name,
   as described in section 3.6 of [RFC 2830].  As specified there, the
   name the client checks for is the server's name before any
   potentially insecure transformations, including the SRV record
   lookup specified in this memo.  Thus the name the client must check
   for is the name obtained by doing the mapping step defined in
   section 2 above.

which I think precisely addresses your concern.

 - RL "Bob"
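The check the message describes, worked through as an added example (this is not code from the draft, from RFC 2830, or from the author of the message). It assumes, as stand-ins not stated on the page, that the section 2 mapping step is "join the dc= components of the DN into a domain name", that SRV answers come from a constructed in-memory table rather than live DNS, and that the server's certificate names are a constructed list of dNSName strings. The point it demonstrates is that the SRV lookup only chooses where to connect; the name compared against the certificate is the pre-lookup domain, as described in section 3.6 of RFC 2830 (case-insensitive, "*" allowed only in the left-most label).

```python
"""Added example: verify the server name before the SRV transformation.

Not code from the locate draft, RFC 2830 or the message's author.
Assumptions (not in the original):
  - the section-2 mapping step is modelled as "join the dc= components";
  - SRV_TABLE is a constructed stand-in for DNS, not a real lookup;
  - certificate names are a constructed list of dNSName values.
"""
import fnmatch


def dn_to_domain(dn):
    """Assumed mapping step: 'ou=People,dc=Example,dc=COM' -> 'example.com'."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError("DN has no dc= components: %r" % dn)
    return ".".join(labels)


# Constructed SRV answers keyed by owner name (stand-in for DNS).
# Each tuple is (priority, weight, port, target), as in an SRV RR.
SRV_TABLE = {
    "_ldap._tcp.example.com": [
        (10, 50, 389, "ldap2.hosting.example.net"),
        (0, 100, 389, "ldap1.hosting.example.net"),
    ],
}


def locate(dn):
    """Return (name_to_verify, [(target, port), ...]) in priority order.

    The SRV lookup is the potentially insecure transformation: its targets
    decide where the TCP connection goes, but name_to_verify is fixed
    before the lookup and is what the certificate must be checked against.
    """
    domain = dn_to_domain(dn)
    records = sorted(SRV_TABLE.get("_ldap._tcp." + domain, []))
    targets = [(target, port) for _prio, _weight, port, target in records]
    return domain, targets


def name_matches(expected, cert_name):
    """RFC 2830 section 3.6 style comparison: case-insensitive, the same
    number of labels, and '*' permitted only in the left-most label."""
    want = expected.lower().split(".")
    have = cert_name.lower().split(".")
    if len(want) != len(have):
        return False
    if "*" in ".".join(have[1:]):
        return False  # wildcard outside the left-most label is not allowed
    return fnmatch.fnmatchcase(want[0], have[0]) and want[1:] == have[1:]


def verify_server(dn, cert_dns_names):
    """True if a TLS session for `dn` may proceed given the dNSName values
    the server presented (constructed input); the SRV target host is
    deliberately never used as the expected name."""
    expected, targets = locate(dn)
    if not targets:
        return False
    return any(name_matches(expected, n) for n in cert_dns_names)


if __name__ == "__main__":
    expected, targets = locate("ou=People,dc=Example,dc=COM")
    print("compare certificate against:", expected)
    print("connect to (from SRV):", targets)
    # A certificate issued only to the SRV target host must be rejected:
    # that host name came from the unauthenticated SRV answer.
    print(verify_server("dc=example,dc=com", ["ldap1.hosting.example.net"]))
    print(verify_server("dc=example,dc=com",
                        ["ldap1.hosting.example.net", "example.com"]))
```

The two `verify_server` calls at the bottom are the whole argument of the message in miniature: a certificate that names only the SRV target fails, because accepting it would let whoever controls the DNS answer pick which certificate is acceptable; a certificate that also names the pre-lookup domain passes.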