Re: LDAP Root for dc style naming

[David J N Begley <david@avarice.nepean.uws.edu.au>]

On Thu, 13 Jan 2000, Kurt D. Zeilenga wrote:

> These servers would have a special backend (back-dnsref) which, for any
> operation, would send a referral based upon the DN's dc components and
> information available via DNS (such as SRV and well known aliases).

It would be nice if, optionally, this proxied the request instead of just
returning a referral to the client (not all networks permit every LDAP client
to follow arbitrary referrals all over the Internet).

Further, I'd be wary of allowing the "well known aliases" approach as it could
lead to the same problem that happened when Squid used to (by default,
regardless what the config said) automatically "announce" every proxy to a
central source (lots of proxies were being used as peers without their
permission, before the respective admins worked their way up the learning
curve to apply ACLs).

In this case, anyone firing up an LDAP server without ACLs would, unwittingly,
be opening up their directory to the entire world (yes, I know they've done it
already - but this would seem to make it easier).

Hmm.. in a way, so could SRV records I s'pose... damn.

> Basically the server would accept a search for "dc=openldap,dc=org", look
> up SRV/aliases for ldap at openldap.org and then construct a URL and
> return it as a referral.
> 
> Such a backend would be fairly easy to write.
> 
> Comments?  Volunteers?

As above - prima facie it seems to do exactly what you suggest (ie., root LDAP
tree without setting up another registration service);  my only concern is as
above, the "ease" with which it could be used to peek on LDAP servers that
have yet to be protected.  There's also the matter of differing base DNs (ie.,
the LDAP directory for acme.com might not use "dc=acme,dc=com" as its base
DN), but I guess an intelligent LDAP client could probe first for LDAPv3
support and if present, check the root DSE for naming contexts.

Cheers..


dave