Re: DNS feature doesn't work with LDAPS

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Michael Ströder <michael [at] stroeder.com>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: DNS feature doesn't work with LDAPS
Date: Fri, 5 Nov 2021 12:57:00 +0100

On 11/4/21 20:43, Albert Akchurin wrote:

DNS is a great feature that allows effortless reinstall/modification ofLDAP servers.

DNS SRV lookup is not specified to be used with LDAPS. Especially thereis no well-defined equivalent to the TLS hostname check defined for thisuse-case.

So when using DNS SRV lookups there's no cryptographic binding betweenyour the URI ldaps:///dc=example,dc=com in your LDAP client config andthe public-key in the TLS server cert.

So for security reasons you should not rely on that. Or let *all* yourLDAP clients verify DNS lookups with DNSSEC which would require to use alocal validating resolver on 127.0.0.1 or integrate DNSSEC validation inyour LDAP clients.

(And of course I very well understand why you'd love to use it. So noneed to argue.)


Ciao, Michael.

DNS feature doesn't work with LDAPS, Albert Akchurin
- Re: DNS feature doesn't work with LDAPS, Michael Ströder
- Re: DNS feature doesn't work with LDAPS, Arthur de Jong
  - Re: DNS feature doesn't work with LDAPS, Michael Ströder
    - Re: DNS feature doesn't work with LDAPS, Arthur de Jong

Prev by Date: DNS feature doesn't work with LDAPS
Next by Date: Re: DNS feature doesn't work with LDAPS
Previous by thread: DNS feature doesn't work with LDAPS
Next by thread: Re: DNS feature doesn't work with LDAPS