[Date Prev][Date Next] [Chronological] [Thread] [Top]


Daniel Pocock wrote:

On 03/03/12 10:30, Michael Ströder wrote:
Daniel Pocock wrote:
I have slapd listening on port 636 only because I want to enforce use of

It all works successfully (I now have my UNIX users, mail, and about a
dozen apps authenticating against it), however...

I wanted fault tolerance, and I thought that the way to achieve this
would be using DNS SRV and replication (which was also easy to get

What I've observed:

- if I create _ldaps._tcp.example.org SRV records, they are ignored

- if I create _ldap._tcp.example.org SRV records, and I ldapsearch with
a URI of the form "ldaps:///dc%3Dexample%2Cdc%3Dorg" it works

So, it seems to be the combination of the ldaps URI prefix with the
_ldap._tcp SRV record that is working, this doesn't seem right

1. Why do you mandate the use of SSL/TLS when you then completely trust
DNS SRV RRs? IMO this does not make sense.

I think that is a separate question, I've started a new thread on it

IMO it's not a separate topic. Anyway I already responded.

2. You could configure LDAP(S) URIs of all replicas in your client
(space-separated list).

I'm aiming to avoid that and just have the clients discover as much as
possible using DNS SRV.

If you don't want to configure an a priori known hostname or DNSSEC then you're risking possibility of MITM attacks because the hostname check needed with SSL/TLS cannot be performed at all.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature