
Re: (ITS#8847) New LDAP URL syntax to support binding to specific IP address at client side



hyc@symas.com wrote:
> ryan@openldap.org wrote:
>> On Sun, May 06, 2018 at 01:50:23PM +0000, arekkusu@r42.ch wrote:
>>> Adding a source IP to a URI feels wrong to it.
>>>
>>> I have not read the RFC dealing with URIs; however, having a quick look [1] seems to
>>> indicate that using the at sign in this way is non-standard.
>>
>> I agree. @ in URIs is already defined as separating credentials (or just
>> username) from the host. I don't recall whether OpenLDAP supports that
>> usage but in any case we shouldn't re-define it.
> 
> Agreed. URI syntax is pretty thoroughly specified in multiple RFCs; nobody can
> just arbitrarily decide to change it. And the point of a URI is that it is
> valid for a destination no matter who/where the source is.
> 
> This patch completely breaks the function and intent of URIs.

IMO having the capability to specify the source IP is very useful in
multi-homed host setups with strict network security.

But of course one should not invent new URL syntax or abuse existing
definitions.

RFC 4516 indeed specifies LDAP URL extensions and this should be used.
This also has the advantage that e.g. python-ldap's LDAP URL parser can
also be used for that.

Ideally one could write a very short I-D for such an extension.

Ciao, Michael.
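As an added illustration of the approach Michael describes (not code from this thread, from OpenLDAP or from python-ldap), the standard-library sketch below splits an LDAP URL into its RFC 4516 components and reads a source-address hint from the extensions field rather than from an `@` in the authority. The extension name `x-bindaddr` is an assumed private-use name and the URLs are constructed.

```python
"""Parse an LDAP URL per RFC 4516 and read a source-address hint from the
extensions field instead of from a non-standard '@' in the authority.
Constructed example; 'x-bindaddr' is a hypothetical private-use extension."""
from urllib.parse import unquote, urlsplit

# Extensions this client understands. An unknown *critical* ('!'-prefixed)
# extension must cause the whole URL to be rejected (RFC 4516, section 2).
SUPPORTED_EXTENSIONS = {"x-bindaddr"}


def parse_extensions(field):
    """Turn 'ext1=v1,!ext2,...' into {extype: (critical, value_or_None)}.
    Values are percent-decoded; a comma inside a value must be percent-encoded.
    Extension types are compared case-insensitively here."""
    exts = {}
    for item in field.split(","):
        if not item:
            continue
        critical = item.startswith("!")
        extype, _, exvalue = (item[1:] if critical else item).partition("=")
        exts[extype.lower()] = (critical, unquote(exvalue) if exvalue else None)
    return exts


def parse_ldap_url(url):
    """Split url into host, port, dn, attrs, scope, filter and extensions.
    Per RFC 3986 anything before '@' in the authority is userinfo, so
    urlsplit() exposes it as a username; it is not a place for a bind source."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    if p.username is not None:
        raise ValueError("userinfo in authority is not a source address: %r" % p.username)
    fields = p.query.split("?", 3) + [""] * 4      # attrs?scope?filter?extensions
    exts = parse_extensions(fields[3])
    unsupported = sorted(t for t, (crit, _) in exts.items() if crit and t not in SUPPORTED_EXTENSIONS)
    if unsupported:
        raise ValueError("unsupported critical extension(s): %s" % ",".join(unsupported))
    return {"host": p.hostname, "port": p.port or (636 if p.scheme == "ldaps" else 389),
            "dn": unquote(p.path.lstrip("/")), "attrs": [a for a in fields[0].split(",") if a],
            "scope": fields[1] or "base", "filter": unquote(fields[2]) or "(objectClass=*)",
            "extensions": exts}


def bind_source(url):
    """Source address requested via the hypothetical x-bindaddr extension, else None."""
    ext = parse_ldap_url(url)["extensions"].get("x-bindaddr")
    return ext[1] if ext else None


def rejects(url):
    """True when the URL is refused by parse_ldap_url()."""
    try:
        parse_ldap_url(url)
    except ValueError:
        return True
    return False
```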