RE: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)

Pierangelo Masarati [mailto:ando@sys-net.it] wrote:
> OpenLDAP clients do the following:
> 	empty hostport, empty DN: localhost, default port
> 	empty hostport, non-empty DN: SRV
> what might be missing IMHO is:
> 	use domain to specify SRV
> however, I don't see any special need for it, as domain can always be
> put in DN form.
> I don't know if there's need for a form that asks to use SRV to discover
> the server for the default SUFFIX.
> In order to avoid issues, I recommend using something like
> 	x-dnssrv={<domain>|<DN>}
> where <DN> is restricted to the domain component sequence form.

OK, I'll start from this agreement ...
So, is it a Good Thing (IYHO ;) to introduce this patch according to
"followup 9"?...

One other possible solution could be (for example) to patch the
ldap_connect_to_host() function in os-ip.c (around the getaddrinfo() and
ldap_pvt_gethostbyname_a() calls). However, Samba (as an example) does not
seem to use it ...

I think that the first solution remains the one that will have minimal
impact on the existing sources ...

Michael Ströder wrote:
> Frankly I'd vote against stuffing this into standard function
> ldap_initialize(). Using this without further pre-caution (like
> user-interaction) is broken in a similar way like chasing LDAPv3
> referrals at the client side.

I also think that security aspects are important; but on the other hand,
IMHO it is the responsibility of the DNS administrator to configure things
cleanly and to protect their systems from any corruption (and maybe also of
the BIND project to improve the tools allowing it).

Be that as it may, the advantage of the suggested solution ("followup 9")
is that this patch can be located either within the function
ldap_initialize() or within another front-end function (according to what
will finally be decided ;).
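As an added illustration (not code from this thread or from OpenLDAP), the following Python applies the client-side rule quoted above: an empty hostport with an empty DN means localhost on the default port, an empty hostport with a non-empty DN means SRV discovery, where the DN is mapped to a DNS name by taking its dc= components in order (RFC 2247), and the SRV owner name is `_ldap._tcp.<domain>` (RFC 2782). The `x-dnssrv={<domain>|<DN>}` value is handled the way the quoted proposal describes it, with the DN restricted to a pure domain-component sequence, so a DN that carries any other attribute is rejected rather than partially converted. The function names, the label syntax check and the example URIs are my own assumptions; the code only derives the record name and performs no DNS query.

```python
import re
from urllib.parse import unquote, urlsplit

# Syntax of one DNS label (RFC 1035 style, 1..63 chars, no leading/trailing '-').
# Assumption: a stricter check than the RFCs strictly require, to keep only
# values that can legitimately name an SRV owner.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_ldap_uri(uri):
    """Return (hostport, dn) for an RFC 4516 URI ldap://[hostport][/dn[?...]]."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URI: %r" % uri)
    # The DN is percent-encoded in the URI (e.g. %2c for ','); decode it.
    dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    return parts.netloc, dn


def split_rdns(dn):
    """Split a string DN (RFC 4514) on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def dn_to_domain(dn):
    """Map a DN made only of dc= RDNs to a DNS name: dc=my,dc=domaine -> my.domaine.

    Any RDN that is not a domain component makes the whole DN unusable for
    SRV discovery, matching the 'restricted to the domain component sequence
    form' requirement in the proposal quoted above.
    """
    labels = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            raise ValueError("not a pure domain-component DN: %r" % dn)
        value = value.strip()
        if not LABEL.match(value):
            raise ValueError("bad DNS label in RDN %r" % rdn)
        labels.append(value)
    return ".".join(labels)


def dnssrv_to_domain(value):
    """Resolve an x-dnssrv={<domain>|<DN>} value to a DNS name (assumed syntax)."""
    if "=" in value:                              # DN form
        return dn_to_domain(value)
    labels = value.strip(".").split(".")         # plain domain form
    if not labels or not all(LABEL.match(l) for l in labels):
        raise ValueError("bad domain name: %r" % value)
    return ".".join(labels)


def srv_target(uri):
    """Decide how a client locates the server for URI, per the rule quoted above.

    Returns ("host", hostport) when the URI names a host, ("host", "localhost")
    for an empty hostport and empty DN, and ("srv", owner_name) when the DN
    alone must be used to find the server through DNS SRV.
    """
    hostport, dn = split_ldap_uri(uri)
    if hostport:
        return ("host", hostport)
    if not dn:
        return ("host", "localhost")
    return ("srv", "_ldap._tcp." + dn_to_domain(dn))


if __name__ == "__main__":
    # Constructed example URIs, including the one from the ITS subject line.
    for u in ("ldap:///dc=my%2cdc=domaine", "ldap:///",
              "ldap://ldap.example.com:389/dc=example,dc=com"):
        print(u, "->", srv_target(u))
    print("x-dnssrv=dc=example,dc=com ->", dnssrv_to_domain("dc=example,dc=com"))
```

The rejection in `dn_to_domain` is the part worth keeping when this logic is wired into `ldap_initialize()` or a front-end function: a DN such as `cn=admin,dc=example,dc=com` must not silently become a lookup for `example.com`, and a non-label value must not reach the resolver at all.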