LDAP and DNS-SRV: questions

We are trying to use the DNS-SRV backend of OpenLDAP. This gets difficult when ldaps is used. I'm not sure whether we do this correctly - so I'd like to ask the following questions:

1. If I run an LDAP server (administrative point: dc=keutel,dc=de) with both ldap and ldaps enabled: Is it right that I should put *two* lines into DNS? Like:

_ldaps._tcp.keutel.de IN SRV 10 0 636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 389 ldap.keutel.de

Or, when using non-default ports:

_ldaps._tcp.keutel.de IN SRV 10 0 1636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 1389 ldap.keutel.de

2. If there is another LDAP server, e.g. ldap.abcdefg.hi , configured using DNS-SRV backend: If I search this server like:

ldapsearch -H ldaps://ldap.abcdefh.hi/ -b dc=keutel,dc=de sn=meier

Then I would expect that this request is chained (using back-meta) to

ldaps://keutel.de:1636/ with search base dc=keutel,dc=de .

Is this understanding correct?

3. If yes: I think that OpenLDAP code currently doesn't handle this correctly:
a) independent of the original request (ldap or ldaps): Always the
   _ldap._tcp DNS record is used (never _ldaps._tcp)
b) independent of the original request (ldap or ldaps): Always ldap URLs
   are returned (never ldaps://...)
c) the search base is omitted in the chained request: So keutel.de is searched with empty search base

See ITS 6462 and 6463 for details.

I think fixing b) and c) is not that difficult: Just dnssrv_back_referrals() has to be changed. I'll try to send a patch.

Fixing a) seems more difficult because ldap_domain2hostlist() isn't used only in the DNS SRV backend but also in the tools (ldapsearch etc.) and the NSS overlay.

Best regards,
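The resolution the post expects, written out as an added example (this is not OpenLDAP's back-dnssrv code and does not use ldap_domain2hostlist()): the SRV owner name follows the scheme of the original request, the referral keeps that scheme and the SRV port, and the search base survives. The SRV zone is constructed inline so it runs without DNS; the function names (dn_to_domain, srv_owner, referral_urls, audit_referral) are assumptions for this example. audit_referral checks a referral URL a server actually returned against the three defects listed above.

```python
"""Build and audit LDAP referral URLs derived from DNS SRV records.

Added example, not OpenLDAP's own code.  SRV data is constructed inline
so the module runs offline.
"""
from urllib.parse import quote, unquote, urlsplit

# Constructed SRV zone content, keyed by SRV owner name; each record is
# (priority, weight, port, target) as in "IN SRV 10 0 1636 ldap.keutel.de".
SRV_ZONE = {
    "_ldap._tcp.keutel.de": [(10, 0, 1389, "ldap.keutel.de")],
    "_ldaps._tcp.keutel.de": [(10, 0, 1636, "ldap.keutel.de")],
    "_ldap._tcp.example.org": [  # several servers, two priorities
        (20, 0, 389, "ldap-backup.example.org"),
        (10, 60, 389, "ldap1.example.org"),
        (10, 40, 389, "ldap2.example.org"),
    ],
}


def dn_to_domain(base_dn):
    """Map the dc= components of a DN to a DNS domain (RFC 2247):
    dc=keutel,dc=de -> keutel.de.  Non-dc RDNs (ou=, cn=) are ignored."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
    if not labels:
        raise ValueError("DN has no dc= components: %r" % base_dn)
    return ".".join(labels)


def srv_owner(scheme, domain):
    """SRV owner name for the requested scheme: _ldap._tcp.<domain> or
    _ldaps._tcp.<domain>.  This is point a) of the post: the record
    looked up must depend on the scheme of the original request."""
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    return "_%s._tcp.%s" % (scheme, domain)


def ordered_targets(records):
    """Order SRV records by priority (lowest first).  RFC 2782 asks for a
    weighted random choice within one priority; descending weight is used
    here instead so the output is deterministic."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


def referral_urls(scheme, base_dn, zone=SRV_ZONE):
    """Referral URLs that keep the request's scheme (point b), the SRV port,
    and the original search base (point c)."""
    owner = srv_owner(scheme, dn_to_domain(base_dn))
    # RFC 4516: the DN part is percent-encoded; ',' and '=' may stay as-is.
    encoded_base = quote(base_dn, safe="=,")
    return ["%s://%s:%d/%s" % (scheme, target, port, encoded_base)
            for _prio, _weight, port, target in ordered_targets(zone.get(owner, []))]


def audit_referral(scheme, base_dn, url, zone=SRV_ZONE):
    """Check a referral URL a server returned against the three
    expectations of the post.  Returns a list of problem descriptions
    (empty when the referral is as expected)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != scheme:
        problems.append("scheme changed: requested %s, referral uses %s"
                        % (scheme, parts.scheme))
    if not unquote(parts.path.lstrip("/")):
        problems.append("search base dropped from referral")
    domain = dn_to_domain(base_dn)
    other = "ldap" if scheme == "ldaps" else "ldaps"
    expected_ports = {r[2] for r in zone.get(srv_owner(scheme, domain), [])}
    other_ports = {r[2] for r in zone.get(srv_owner(other, domain), [])}
    if (parts.port is not None and parts.port not in expected_ports
            and parts.port in other_ports):
        problems.append("port %d comes from the %s SRV record, not the %s one"
                        % (parts.port, other, scheme))
    return problems


if __name__ == "__main__":
    for scheme in ("ldap", "ldaps"):
        print(scheme, "->", referral_urls(scheme, "dc=keutel,dc=de"))
    # A referral shaped like the defective behaviour described in the post.
    print(audit_referral("ldaps", "dc=keutel,dc=de", "ldap://ldap.keutel.de:1389/"))
```

Running it prints the two expected referrals for keutel.de and, for the defective-style referral, three findings: the scheme changed, the search base was dropped, and the port came from the _ldap._tcp record.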