[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)

ando@sys-net.it wrote:
> Philippe.eychart@informatique.gov.pf wrote:
>> The "tool_conn_setup" function (in common.c) autorise the Url synthaxe
>> "ldap:///dc=my%2cdc=domaine"; which produce a SRV request to find the best server
>> to request (not yet according the rfc 2782 - I've made dnssrv.c patch to
>> implement priorities and I try to implement weight before submit this work). So,
>> the client tools - ldapsearch, ldapadd, ... permit this syntaxe (via
>> "ldap_dn2domain" and "ldap_domain2hostlist" functions).
> This was done to allow testing client-side the DNS SRV feature.
>> Unfortunately, ldap_initialize() doesn't use these functions (but only
>> ldap_url_parselist_ext()) and doesn't allow this synthaxe. So, other packages
>> (like SAMBA) doesn't enjoy this capability : "passdb backend =
>> ldapsam:ldap:///dc=my%2cdc=domain"; according a SRV definition
>> "_ldap._tcp.my.domain. IN SRV ..."
>> Is there any reason for that ? Can we envisage to increase this possibility ?
> None that I'm aware of.  Feel free to move that code from tools to 
> libldap.  Patches are welcome, as usual.

But please put a note into the accompanying man-page with a strong
recommendation not to use it without further security mechs. I wouldn't
configure Samba like this. (Similar problems like DNS lookups in
Kerberos implementations for realm- and KDC-discovery.)

I've implemented something like this in web2ldap but the SRV mech causes
an user interaction on the UI. So the user has a vague chance to
determine whether he's tricked to another DSA by DNS spoofing.

Ciao, Michael.