Re: DNS feature doesn't work with LDAPS
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Michael Ströder <michael [at] stroeder.com>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: DNS feature doesn't work with LDAPS
- Date: Thu, 18 Nov 2021 19:45:31 +0100
On Thu, 2021-11-18 at 02:04 +0100, Michael Ströder wrote:
> Nope.
>
> Let's assume nslcd.conf contains
>
> uri ldaps://dc=example,dc=com
I wasn't aware of that syntax and it doesn't seem to be documented in the
ldap.conf manual page:
https://www.openldap.org/software/man.cgi?query=ldap.conf
The way to configure this in nslcd.conf is
uri DNS:domain
or simply
uri DNS
to use the host's domain name, see
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#uri
> Now where's the cryptographic binding between your uri-parameter (the
> a-priori knowledge) and the name in the TLS server cert?
But this part of the argument still more or less holds. It is less of a
problem if you use an LDAP server without a globally resolvable name
and/or a custom CA for signing.
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
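The discovery step behind `uri DNS:domain`, and the gap Michael asks about, as an added illustration that is not nslcd's code and not from either poster: SRV records (constructed here for `_ldap._tcp.example.com`) are turned into `ldaps://` URIs, and the TLS hostname check is then made against the SRV target, which only has to match the certificate, not the configured domain. The domain-suffix policy check at the end is an assumption of this example, a defensive measure a deployment could apply, not documented nslcd behaviour; names like `other-domain.test` are constructed.

```python
"""Illustration of LDAPS discovery from DNS SRV records and why the TLS name
check alone does not bind the server to the configured domain.

Added example; not nslcd code.  The domain-suffix policy is an assumption
of this example, not a documented nslcd feature."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV answer (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str          # as returned by DNS, usually with a trailing dot


# Constructed SRV answers for _ldap._tcp.example.com (not real hosts).
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 636, "ldap1.example.com."),
    SrvRecord(0, 50, 636, "ldap2.example.com."),
    SrvRecord(10, 0, 636, "backup.example.com."),
]

# A constructed answer whose target lies outside the configured domain.
# A spoofed or poisoned SRV reply could look like this; its target will
# still pass TLS hostname verification if it holds a valid cert for itself.
OUTSIDE_RECORD = SrvRecord(0, 200, 636, "ldap.other-domain.test.")


def canonical_host(name: str) -> str:
    """Strip the DNS trailing dot and lower-case the name."""
    return name.rstrip(".").lower()


def order_srv(records: List[SrvRecord]) -> List[SrvRecord]:
    """Order by priority (lowest first), then by weight (highest first).

    Simplification: RFC 2782 selects among equal-priority records by
    weighted random choice; a fixed order is used here so the result is
    reproducible."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def in_domain(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it."""
    host, domain = canonical_host(host), canonical_host(domain)
    return host == domain or host.endswith("." + domain)


def discover_ldaps_uris(domain: str, records: List[SrvRecord],
                        enforce_domain: bool = True) -> List[str]:
    """Build ldaps:// URIs from SRV answers for the given domain.

    With enforce_domain=True (the assumed policy) any target outside the
    configured domain is rejected instead of being contacted."""
    uris = []
    for rec in order_srv(records):
        host = canonical_host(rec.target)
        if enforce_domain and not in_domain(host, domain):
            raise ValueError(f"SRV target {host!r} is outside {domain!r}")
        uris.append(f"ldaps://{host}:{rec.port}")
    return uris


def cert_name_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """Minimal TLS hostname check: exact match or single-label wildcard.

    Note what it does NOT check: whether hostname lies inside the domain
    the client was configured with.  That is the missing binding."""
    host = canonical_host(hostname)
    for san in san_dns_names:
        san = canonical_host(san)
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            label, rest = host.split(".", 1)
            if label and rest == san[2:]:
                return True
    return False


if __name__ == "__main__":
    print(discover_ldaps_uris("example.com", SAMPLE_RECORDS))
    # The outside target passes the TLS name check against its own cert...
    print(cert_name_matches("ldap.other-domain.test", ["ldap.other-domain.test"]))
    # ...but the domain policy refuses to contact it at all.
    try:
        discover_ldaps_uris("example.com", SAMPLE_RECORDS + [OUTSIDE_RECORD])
    except ValueError as exc:
        print("rejected:", exc)
```

Run as a script it prints the in-domain URIs, shows that a certificate for the outside target satisfies the plain hostname check, and then shows the suffix policy rejecting that target before any connection is made; with a private CA that only issues for the organisation's hosts the same effect is obtained at the trust-store level, which is the case Arthur describes as less of a problem.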