Re: DNS SRV Records and ldaps


On Sat, Sep 3, 2011 at 12:40, Jakub Hrozek <jhrozek@redhat.com> wrote:
> On Fri, Sep 02, 2011 at 10:29:25PM -0400, Matthew Roy wrote:
>> Does this need to be addressed in OpenLDAP first? (perhaps adding a
>> sister method to ldap_domain2hostlist, ldaps_domain2hostlist)
>>
>
> I think this would be technically the best solution because
> ldap_domain2hostlist currently hardcodes the "service" part of the DNS
> query to "ldap".
>
> They could perhaps add even a ldap_domain_service2hostlist that would
> allow you to specify the service with ldap{,s}_domain2hostlist as a very
> thin wrapper.

I've posted to the openldap-devel list to see what they think, but I
also wonder if we should guess at the service type based on the port
number. We get both the host and the port back from
ldap_domain2hostlist in the form "host:port".

Another thing we could do, instead of warning (and dropping?) ldap://
URIs when SSL is on, we instead rewrite them to ldaps:// since the
user has specified ssl to be on. This could happen at 1251-1261 where
we issue the warning or at 212-215 when we add the URI (do we already
have the ssl config setting when 212-215 executes?)

1220    void cfg_init(const char *fname)
1221    {
...
1251      /* if ssl is on each URI should start with ldaps */
1252    #ifdef LDAP_OPT_X_TLS
1253      if (nslcd_cfg->ldc_ssl_on==SSL_LDAPS)
1254      {
1255        for (i=0;nslcd_cfg->ldc_uris[i].uri!=NULL;i++)
1256        {
1257          if (strncasecmp(nslcd_cfg->ldc_uris[i].uri,"ldaps://",8)!=0)
1258            log_log(LOG_WARNING,"%s doesn't start with ldaps:// and \"ssl on\" is specified",
1259                                nslcd_cfg->ldc_uris[i].uri);
1260        }
1261      }


185     /* add URIs by doing DNS queries for SRV records */
186     static void add_uris_from_dns(const char *filename,int lnr,
187                                   struct ldap_config *cfg)
188     {
...
212         /* add the URI */
213         mysnprintf(buf,sizeof(buf),"ldap://%s",hostlist);
214         log_log(LOG_DEBUG,"add_uris_from_dns(): found uri: %s",buf);
215         add_uri(filename,lnr,cfg,buf);
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
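
The two ideas in the message above, guessing the scheme from the port in the
"host:port" entries ldap_domain2hostlist returns, and doing something other than
warning when "ssl on" meets a non-ldaps target, as an added example. This is not
nslcd or OpenLDAP code and does not call either library: the hostlist is a
constructed sample in the form the message describes, the ssl_mode enum stands in
for nslcd's ldc_ssl_on setting, the 636 == ldaps rule is a heuristic chosen here,
and the "refuse" policy under ssl on is the editor's choice, not what the thread
decided. SRV targets are hostnames, so IPv6 literals are not handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for nslcd's ssl setting (assumption: not the real type or values). */
enum ssl_mode { SSL_OFF = 0, SSL_LDAPS = 1 };

#define LDAPS_PORT 636           /* IANA-registered port for LDAP over TLS */
#define URI_MAX    256

/* Constructed sample: what ldap_domain2hostlist() is said to return for a
 * domain with two SRV targets, one per port. Not real DNS data. */
static const char *const SAMPLE_HOSTLIST =
  "ldap1.example.com:636 ldap2.example.com:389";

/* Turn one "host:port" entry into a URI in out.
 * Returns 1 if a URI was written, 0 if the entry was rejected. */
static int entry_to_uri(const char *entry, enum ssl_mode mode,
                        char *out, size_t outlen)
{
  const char *colon = strrchr(entry, ':');
  char *end;
  long port;
  int n;

  if (colon == NULL || colon == entry || colon[1] == '\0')
    return 0;                               /* missing host or port */
  port = strtol(colon + 1, &end, 10);
  if (*end != '\0' || port <= 0 || port > 65535)
    return 0;                               /* port is not a valid number */

  if (port == LDAPS_PORT)
    /* idea (1): guess the scheme from the port; 636 is taken to mean ldaps */
    n = snprintf(out, outlen, "ldaps://%.*s:%ld",
                 (int)(colon - entry), entry, port);
  else if (mode == SSL_LDAPS)
    /* idea (2) made strict: with "ssl on", a target on another port is refused.
     * Keeping it as ldap:// silently drops the requested transport security;
     * rewriting it to ldaps:// would speak TLS to a plaintext port. */
    return 0;
  else
    n = snprintf(out, outlen, "ldap://%.*s:%ld",
                 (int)(colon - entry), entry, port);
  return n > 0 && (size_t)n < outlen;
}

/* Walk a space-separated hostlist. Returns the number of accepted entries,
 * stores how many were refused in *rejected (if non-NULL) and, when nth >= 0
 * and out != NULL, copies the nth accepted URI into out. */
static int walk_hostlist(const char *hostlist, enum ssl_mode mode, int nth,
                         char *out, size_t outlen, int *rejected)
{
  char entry[URI_MAX], uri[URI_MAX];
  const char *p = hostlist, *q;
  int accepted = 0, rej = 0;
  size_t len;

  while (*p != '\0')
  {
    while (*p == ' ') p++;                  /* skip separators */
    if (*p == '\0') break;
    for (q = p; *q != '\0' && *q != ' '; q++) ;
    len = (size_t)(q - p);
    if (len < sizeof(entry))
    {
      memcpy(entry, p, len);
      entry[len] = '\0';
      if (entry_to_uri(entry, mode, uri, sizeof(uri)))
      {
        if (accepted == nth && out != NULL)
          snprintf(out, outlen, "%s", uri);
        accepted++;
      }
      else
        rej++;
    }
    else
      rej++;                                /* oversized entry, refused */
    p = q;
  }
  if (rejected != NULL) *rejected = rej;
  return accepted;
}

/* Number of hostlist entries that yield a URI under the given ssl mode. */
int count_uris(const char *hostlist, enum ssl_mode mode, int *rejected)
{
  return walk_hostlist(hostlist, mode, -1, NULL, 0, rejected);
}

/* The nth accepted URI, or NULL. Uses a static buffer (demo only). */
const char *nth_uri(const char *hostlist, enum ssl_mode mode, int nth)
{
  static char buf[URI_MAX];
  buf[0] = '\0';
  if (walk_hostlist(hostlist, mode, nth, buf, sizeof(buf), NULL) <= nth)
    return NULL;
  return buf;
}

int main(void)
{
  int i, rej, n;
  n = count_uris(SAMPLE_HOSTLIST, SSL_OFF, &rej);
  printf("ssl off: %d URIs, %d refused\n", n, rej);
  for (i = 0; nth_uri(SAMPLE_HOSTLIST, SSL_OFF, i) != NULL; i++)
    printf("  %s\n", nth_uri(SAMPLE_HOSTLIST, SSL_OFF, i));
  n = count_uris(SAMPLE_HOSTLIST, SSL_LDAPS, &rej);
  printf("ssl on:  %d URIs, %d refused\n", n, rej);
  for (i = 0; nth_uri(SAMPLE_HOSTLIST, SSL_LDAPS, i) != NULL; i++)
    printf("  %s\n", nth_uri(SAMPLE_HOSTLIST, SSL_LDAPS, i));
  return 0;
}
```

With the sample list, "ssl off" yields ldaps://ldap1.example.com:636 and
ldap://ldap2.example.com:389; "ssl on" keeps only the first and refuses the
second instead of warning about it. The port rule is only a heuristic: an ldaps
listener on a non-standard port is misclassified, and an SRV answer carries no
scheme at all, which is why the thread's alternative of querying a separate
service record for ldaps is the cleaner fix.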