
Re: (ITS#7301) Improve DNS SRV support in OpenLDAP



quanah@zimbra.com wrote:
> --On Tuesday, June 12, 2012 11:25 AM -0700 Howard Chu <hyc@symas.com> wrote:
>> Tough luck. Currently ldap:/// means localhost. Changing the library
>> behavior here would be a pretty drastic incompatible change and would
>> break pretty much all existing software. This has been discussed and shot
>> down before, and rejecting this request is the only correct outcome for
>> this ITS.
> 
> What about an ldap_set_option() parameter for enabling it?

Given the fact that there's no standard with appropriate security
considerations clearly saying, e.g., what should be done in case of StartTLS and
hostname check, I would also leave it up to the application to do the DNS
lookup itself.

I think people asking for including that feature into libldap should first try
to implement it themselves, taking into account all security implications when
relying on DNS. Several existing approaches are IMO flawed.

Ciao, Michael.
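Added example, not part of the thread and not OpenLDAP code: what "leaving the DNS lookup to the application" looks like in practice. It orders constructed SRV records as RFC 2782 describes, builds the ldap:// URI list the application would then hand to the library, and makes the TLS hostname decision the message calls out explicit: following RFC 6125 section 6.2.1, the SRV target is only accepted as the certificate reference identity when the SRV answer was itself validated (DNSSEC); otherwise the queried source domain is used. The record set, certificate names, and the `dnssec_secured` flag are assumptions made for the example.

```python
# Added example (not OpenLDAP code): application-side SRV handling for an
# LDAP client. SRV records and certificate SANs below are constructed.
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # hostname from the SRV record, trailing dot stripped


def order_srv(records: Iterable[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: ascending priority, then a weighted random pick
    within each priority class, with weight-0 records placed first."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    records = list(records)
    for prio in sorted({r.priority for r in records}):
        # stable sort keeps weight-0 entries at the front, as the RFC asks
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            x = rng.randint(0, total)  # inclusive range, per the RFC
            running = 0
            for r in pool:
                running += r.weight
                if running >= x:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def ldap_uris(records: Iterable[SrvRecord],
              rng: Optional[random.Random] = None) -> List[str]:
    """Build the ldap:// URI list the application would pass to the library
    (hypothetical helper; the library itself still treats ldap:/// as localhost)."""
    return [f"ldap://{r.target}:{r.port}" for r in order_srv(records, rng)]


def tls_reference_identity(source_domain: str, srv_target: str,
                           dnssec_secured: bool = False) -> str:
    """Name the server certificate must match. The SRV target is only trusted
    as a reference identity when the lookup was DNSSEC-validated (RFC 6125
    s.6.2.1); an unvalidated SRV answer must not redirect the TLS check."""
    return srv_target if dnssec_secured else source_domain


def cert_matches(reference: str, san_dns_names: Iterable[str]) -> bool:
    """Case-insensitive match of the reference against dNSName SANs, allowing
    only a whole leading wildcard label and never a wildcard on a TLD."""
    ref = reference.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == ref:
            return True
        if (labels[0] == "*" and len(labels) == len(ref) > 2
                and labels[1:] == ref[1:]):
            return True
    return False


# Constructed SRV answer for _ldap._tcp.example.com
CONSTRUCTED_RECORDS = [
    SrvRecord(10, 60, 389, "ldap1.example.com"),
    SrvRecord(10, 40, 389, "ldap2.example.com"),
    SrvRecord(20, 0, 389, "backup.example.com"),
]

if __name__ == "__main__":
    for uri in ldap_uris(CONSTRUCTED_RECORDS, random.Random(1)):
        print(uri)
    ref = tls_reference_identity("example.com", "ldap1.example.com")
    print("verify certificate against:", ref)
    print("cert ok:", cert_matches(ref, ["example.com", "ldap1.example.com"]))
```

The two helpers separate the part that is purely mechanical (record ordering) from the part the message says no standard settles for LDAP (which name the StartTLS hostname check uses); an application adopting this keeps that second decision visible in its own code rather than inheriting it from the library.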