On Mon, 17 Apr 2017, Michael Str?der wrote:
John Lewis wrote:I am reading in the LDAP spec https://tools.ietf.org/html/rfc4511 about naming contexts and I am looking at my RootDSE. Since my DIT mirrors DNS https://tools.ietf.org/html/rfc2247, there must be some way to route someone to the correct naming context based on the DNS they were using to access the LDAP server, otherwise I just don't understand the spec.https://tools.ietf.org/html/rfc2782
I'm not following that from the original question. It's plausible that a SRV may route someone to the "correct" server relative to a given DNS label. But since the SRV Target MUST be something that resolves to an address, it's quite a leap to find "the correct naming context."
In other words -- and back to the original question here perhaps -- perhaps you know you want LDAP service for example.com, and perhaps a SRV _ldap._tcp.example.com will illuminate you to (say) ldap.example.com.
But upon connecting to ldap.example.com, when the rootDSE presents with n>1 namingContexts, how do you know "the correct naming context?" I'd argue that you basically can't. It would be like a connection to www.example.com imputing that you want www.example.com/product/lightbulb or a connection to sql.example.com somehow magically determining, solely on the basis of the connection characteristics, that you want a query "FROM creditCardNumbers" table. I don't see that being meaningfully possible.
Note: 1. If you're using TLS there's AFAIK no specification how to implement the TLS hostname check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks. 2. You still need a-priori configuration how the client should authenticate to the directory. Ciao, Michael.