lists.arthurdejong.org

Re: DNS feature doesn't work with LDAPS


On 11/18/21 00:23, Arthur de Jong wrote:
> Also, since nslcd expands the SRV record to URIs and then passes those
> to the LDAP library they are subject to the normal certificate name
> verification. Using DNS SRV records in that sense shouldn't be
> different from A records from a security perspective (but DNSSEC
> validation is always better).

Nope.

Let's assume nslcd.conf contains

uri ldaps://dc=example,dc=com

and

SRV RR _ldap._tcp.example.com. resolves to

0 10 636 ldap.example.org.

and your TLS server cert contains DNS-based subjectAltName or CN in subject DN:

ldap.example.org

Now where's the cryptographic binding between your uri parameter (the a-priori knowledge) and the name in the TLS server cert?

Like it or not the SRV lookup is only secure if you have DNSSEC and nslcd insists on using a local validating DNS resolver.

Ciao, Michael.
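The expansion and verification steps the two mails argue about, as an added offline model (not nslcd's or OpenLDAP's code, and simplified from the RFC 2782 / RFC 6125 rules): the DN in the configured URI becomes a DNS domain, a constructed SRV record for that domain yields the URI actually handed to the LDAP library, and the hostname check then runs against the SRV target, not the configured domain. The `target_within_source_domain` check at the end is a hypothetical mitigation added here for illustration, not something the page says nslcd does; the zone data and certificate names are constructed to mirror the example in the mail.

```python
"""
Offline model of the SRV expansion discussed in the mail: a DN-style URI is
turned into a DNS domain, an SRV record for that domain is looked up, and the
resulting URIs carry the SRV *target* host, which is the name the LDAP
library's TLS hostname check then verifies against the certificate.
All DNS data is constructed inline; nothing touches the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN; trailing dot optional


# Constructed zone data standing in for a resolver, mirroring the mail's
# example: _ldap._tcp.example.com points at a host in a *different* domain.
FAKE_SRV_ZONE = {
    "_ldap._tcp.example.com.": [SrvRecord(0, 10, 636, "ldap.example.org.")],
}


def dn_to_domain(dn: str) -> str:
    """dc=example,dc=com -> example.com (only dc= RDNs contribute)."""
    labels = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().lower() == "dc" and value.strip():
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError(f"no dc= components in {dn!r}")
    return ".".join(labels)


def lookup_srv(domain: str, zone=FAKE_SRV_ZONE) -> list:
    """RFC 2782 selection, simplified: lowest priority first, then descending
    weight (the RFC uses weighted random choice within one priority)."""
    name = f"_ldap._tcp.{domain.rstrip('.')}."
    return sorted(zone.get(name, []), key=lambda r: (r.priority, -r.weight))


def host_of(uri: str) -> str:
    """Host part of ldap(s)://host[:port][/...], lower-cased, no trailing dot."""
    authority = uri.partition("://")[2].split("/", 1)[0]
    return authority.rsplit(":", 1)[0].lower().rstrip(".")


def expand_uri(uri: str, zone=FAKE_SRV_ZONE) -> list:
    """ldaps://dc=example,dc=com -> ['ldaps://ldap.example.org:636']"""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported URI {uri!r}")
    domain = dn_to_domain(rest.strip("/"))
    return [f"{scheme}://{rec.target.rstrip('.')}:{rec.port}"
            for rec in lookup_srv(domain, zone)]


def cert_name_matches(uri: str, cert_dns_names) -> bool:
    """What the normal certificate name verification checks: the host in the
    URI the library was handed, against the cert's dNSName SANs (or CN).
    Exact match or a single left-most wildcard label (simplified RFC 6125)."""
    host = host_of(uri)
    for name in cert_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) \
                and host.count(".") == name.count("."):
            return True
    return False


def target_within_source_domain(uri: str, configured_domain: str) -> bool:
    """Hypothetical added check, not nslcd behaviour: require the SRV target
    to sit under the domain derived from the configured DN, so the name the
    certificate must carry is tied back to the administrator's a-priori
    knowledge. Without DNSSEC this is a mitigation, not a substitute."""
    host = host_of(uri)
    domain = configured_domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def demonstrate(uri="ldaps://dc=example,dc=com", cert_names=("ldap.example.org",)) -> dict:
    """Walk the mail's scenario end to end and return every intermediate result."""
    domain = dn_to_domain(uri.partition("://")[2].strip("/"))
    expanded = expand_uri(uri)
    return {
        "configured_domain": domain,
        "expanded": expanded,
        # Verification runs against the SRV target, so this passes ...
        "cert_ok": [cert_name_matches(u, cert_names) for u in expanded],
        # ... even though nothing binds ldap.example.org to example.com.
        "within_domain": [target_within_source_domain(u, domain) for u in expanded],
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running it shows `cert_ok: [True]` next to `within_domain: [False]`: the certificate check succeeds because the library only ever sees `ldap.example.org`, and the configured `example.com` never enters that check. RFC 6125 draws the same conclusion for SRV-derived names: unless the SRV lookup was validated with DNSSEC, the reference identifier should stay the source domain the client was configured with rather than the target name DNS handed back.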