
Re: DNS feature doesn't work with LDAPS


On Thu, 2021-11-18 at 02:04 +0100, Michael Ströder wrote:
> Nope.
> 
> Let's assume nslcd.conf contains
> 
> uri ldaps://dc=example,dc=com

I wasn't aware of that syntax and it doesn't seem to be documented in the
ldap.conf manual page:
https://www.openldap.org/software/man.cgi?query=ldap.conf

The way to configure this in nslcd.conf is
  uri DNS:domain
or simply
  uri DNS
to use the host's domain name, see
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#uri

> Now where's the cryptographic binding between your uri-parameter (the 
> a-priori knowledge) and the name in the TLS server cert?

But this part of the argument still more or less holds. It is less of a
problem if you use an LDAP server without a globally resolvable name
and/or a custom CA for signing.

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
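As an added illustration of the point discussed above (this is not nslcd's code and not from the thread): `uri DNS:domain` style discovery turns the SRV answer for `_ldap._tcp.<domain>` into a list of LDAPS URIs, and the TLS client then checks the certificate against the SRV *target* name. The constructed SRV data below includes a target outside example.com; the usual hostname check accepts it as long as its certificate is valid for its own name, so an extra "target lies under the configured domain" policy is the kind of check that restores the binding to the a priori configured domain.

```python
# Added illustration (not nslcd's code): how SRV-based discovery for a
# configured domain becomes LDAPS URIs, and why a TLS hostname check alone
# does not bind the chosen server back to the configured domain.
from dataclasses import dataclass


@dataclass
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer for _ldap._tcp.example.com (not real DNS data).
SAMPLE_SRV = [
    Srv(10, 60, 636, "ldap2.example.com."),
    Srv(10, 40, 636, "ldap1.example.com."),
    Srv(20, 0, 636, "ldap.backup.example.net."),  # outside example.com
]


def srv_to_uris(records, scheme="ldaps"):
    """Order by SRV priority (ascending), then weight (descending), build URIs."""
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}" for r in ordered]


def cert_matches_host(host, san_dns_names):
    """Hostname check as a TLS client does it: exact match or a single-label
    wildcard in the left-most position of a SAN dNSName entry."""
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def target_under_domain(host, domain):
    """Extra policy the TLS check does not give you: the SRV target must be
    the configured domain itself or a name beneath it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)
```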