Re: DNS feature doesn't work with LDAPS

On Fri, 2021-11-05 at 01:43 +0600, Albert Akchurin wrote:
> DNS is a great feature that allows effortless reinstall/modification
> of LDAP servers.
> But unfortunately it does not work with LDAPS in my case.
> The problem. Samba AD, uses both LDAP 389 port and LDAPS 636 port.
> But advertises only 389 via SRV records (AFAIK same is true for MS
> AD).
> Therefore nslcd chooses the non-secure LDAP 389 port. And there is no way
> to tell nslcd to use the LDAPS 636 port instead.

If you publish SRV records on port 636 they are picked up by nslcd. I
think it would be wrong (at least by default) to switch to using ldaps
over port 636 if only SRV records for port 389 were published.

You could configure start_tls and still use port 389 in nslcd.conf
though (I don't know if Samba AD or MS AD support that though).

> Tell me please, is the nslcd currently maintained?

It is maintained, but since the software is pretty stable and reasonably
feature complete, not a lot of changes are made (there will be a new
release soonish though).

> If so, I would suggest introducing a DNSLDAPS directive that will
> force using the LDAPS port, or a simpler way: just check if the `ssl on`
> option is present in the config file.

Rewriting the URIs to ldaps:// shouldn't be that hard to implement. If
you use the config you described, nslcd should already log a warning
that the URI doesn't start with ldaps://. That code could be modified
to change the URI instead. The DNSLDAPS option would also not be too
difficult. I'll look into which solution is nicer.

Also, since nslcd expands the SRV record to URIs and then passes those
to the LDAP library they are subject to the normal certificate name
verification. Using DNS SRV records in that sense shouldn't be
different from A records from a security perspective (but DNSSEC
validation is always better).

Kind regards,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
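The SRV-to-URI expansion and the proposed ldaps:// rewrite discussed above, as an added example that is not nslcd's own code. The SRV records, the `rewrite_to_ldaps` flag (standing in for the suggested DNSLDAPS / `ssl on` behaviour) and the function names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

LDAP_PORT, LDAPS_PORT = 389, 636


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # DNS target name; a trailing dot is allowed

# Constructed sample _ldap._tcp records for a domain with three servers.
SAMPLE_RECORDS = [
    SrvRecord(0, 50, LDAP_PORT, "dc2.example.com."),
    SrvRecord(0, 100, LDAP_PORT, "dc1.example.com."),
    SrvRecord(10, 0, LDAPS_PORT, "dc3.example.com."),
]

def srv_to_uris(records: List[SrvRecord], rewrite_to_ldaps: bool = False) -> List[str]:
    """Order records as RFC 2782 requires (lowest priority first, then highest
    weight) and build one URI each. Port 636 always yields ldaps://. With
    rewrite_to_ldaps (the proposed DNSLDAPS / 'ssl on' behaviour, modelled here
    as an assumption) a record advertising plain port 389 is rewritten to
    ldaps:// on the default LDAPS port instead."""
    uris = []
    for r in sorted(records, key=lambda r: (r.priority, -r.weight)):
        host, port = r.target.rstrip("."), r.port
        if port == LDAPS_PORT:
            scheme = "ldaps"
        elif rewrite_to_ldaps and port == LDAP_PORT:
            scheme, port = "ldaps", LDAPS_PORT
        else:
            scheme = "ldap"
        default = LDAPS_PORT if scheme == "ldaps" else LDAP_PORT
        uris.append(f"{scheme}://{host}" if port == default else f"{scheme}://{host}:{port}")
    return uris

def uris_needing_warning(uris: List[str], ssl_on: bool) -> List[str]:
    """URIs nslcd would warn about: 'ssl on' is set but the URI is not ldaps://."""
    return [u for u in uris if ssl_on and not u.startswith("ldaps://")]

def verified_name(uri: str) -> str:
    """Hostname the TLS library checks the certificate against: the SRV target,
    so SRV-derived URIs get the same name verification as an A-record name."""
    return urlsplit(uri).hostname
```

Without the rewrite, the Samba/AD-style records on port 389 produce plain ldap:// URIs and trigger the warning; with it, every URI is ldaps:// while the verified hostname stays the SRV target.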