[Date Prev][Date Next]
Re: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)
> Philippe.email@example.com wrote:
>> The "tool_conn_setup" function (in common.c) autorise the Url synthaxe
>> "ldap:///dc=my%2cdc=domaine" which produce a SRV request to find the best server
>> to request (not yet according the rfc 2782 - I've made dnssrv.c patch to
>> implement priorities and I try to implement weight before submit this work). So,
>> the client tools - ldapsearch, ldapadd, ... permit this syntaxe (via
>> "ldap_dn2domain" and "ldap_domain2hostlist" functions).
> This was done to allow testing client-side the DNS SRV feature.
>> Unfortunately, ldap_initialize() doesn't use these functions (but only
>> ldap_url_parselist_ext()) and doesn't allow this synthaxe. So, other packages
>> (like SAMBA) doesn't enjoy this capability : "passdb backend =
>> ldapsam:ldap:///dc=my%2cdc=domain" according a SRV definition
>> "_ldap._tcp.my.domain. IN SRV ..."
>> Is there any reason for that ? Can we envisage to increase this possibility ?
> None that I'm aware of. Feel free to move that code from tools to
> libldap. Patches are welcome, as usual.
But please put a note into the accompanying man-page with a strong
recommendation not to use it without further security mechs. I wouldn't
configure Samba like this. (Similar problems like DNS lookups in
Kerberos implementations for realm- and KDC-discovery.)
I've implemented something like this in web2ldap but the SRV mech causes
an user interaction on the UI. So the user has a vague chance to
determine whether he's tricked to another DSA by DNS spoofing.