
Re: SSL, TLS and DNS SRV

On 03/03/12 10:30, Michael Ströder wrote:
> Daniel Pocock wrote:
>> I have slapd listening on port 636 only because I want to enforce use of
>> SSL/TLS
>>
>> It all works successfully (I now have my UNIX users, mail, and about a
>> dozen apps authenticating against it), however...
>>
>> I wanted fault tolerance, and I thought that the way to achieve this
>> would be using DNS SRV and replication (which was also easy to get
>> working)
>>
>> What I've observed:
>>
>> - if I create _ldaps._tcp.example.org SRV records, they are ignored
>>
>> - if I create _ldap._tcp.example.org SRV records, and I ldapsearch with
>> a URI of the form "ldaps:///dc%3Dexample%2Cdc%3Dorg" it works
>>
>> So, it seems to be the combination of the ldaps URI prefix with the
>> _ldap._tcp SRV record that is working; this doesn't seem right.
> 
> 1. Why do you mandate the use of SSL/TLS when you then completely trust
> DNS SRV RRs? IMO this does not make sense.

I think that is a separate question; I've started a new thread on it.

> 2. You could configure LDAP(S) URIs of all replicas in your client
> (space-separated list).

I'm aiming to avoid that and just have the clients discover as much as
possible using DNS SRV.  I already do such things with SIP, for example.
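To make the behaviour observed in this thread concrete, here is an added example (not code from the thread, from OpenLDAP, or from either poster) that walks the same path a client takes: derive the DNS domain from the dc= components of the DN in an ldaps:///<DN> URI, query the _ldap._tcp SRV name (the name that was found to be consulted even for ldaps:///), and order the answers by RFC 2782 priority and weight. The SRV records are a constructed in-memory table standing in for a resolver, and the DN parsing is simplified (escaped commas are not handled).

```python
import random
from urllib.parse import urlsplit, unquote

# Constructed stand-in for a resolver: (priority, weight, port, target) per SRV name.
SAMPLE_SRV = {
    "_ldap._tcp.example.org": [
        (10, 60, 636, "ldap1.example.org"),
        (10, 40, 636, "ldap2.example.org"),
        (20, 0, 636, "ldap-backup.example.org"),
    ],
}

def dn_to_domain(uri):
    """Derive the DNS domain from the dc= RDNs of the DN in a host-less ldap(s):/// URI."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or parts.netloc:
        raise ValueError("expected a host-less ldap:/// or ldaps:/// URI")
    dn = unquote(parts.path.lstrip("/"))
    labels = [rdn.split("=", 1)[1].strip()
              for rdn in dn.split(",")  # simplified: escaped commas are not handled
              if rdn.strip().lower().startswith("dc=")]
    if not labels:
        raise ValueError("DN has no dc= components, so no SRV name can be derived")
    return ".".join(labels)

def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: ascending priority, weighted random within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)   # total == 0 means pick the first record
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered

def discover(uri, srv_lookup=SAMPLE_SRV.get, rng=random):
    """Expand ldaps:///<DN> into an ordered list of ldaps://host:port URIs via _ldap._tcp SRV."""
    scheme = urlsplit(uri).scheme
    # As the thread observes, _ldap._tcp is consulted even when the URI scheme is ldaps.
    records = srv_lookup("_ldap._tcp." + dn_to_domain(uri)) or []
    # The targets below are the names the TLS layer must verify the server certificate
    # against; without DNSSEC they are only as trustworthy as the DNS answer itself.
    return [f"{scheme}://{target}:{port}" for _, _, port, target in order_srv(records, rng)]
```

The first two hosts come out in a weighted random order on each call, while the priority-20 backup always lands last.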