Kees Bakker via FreeIPA-users wrote:
> On 19-03-2021 00:30, Fraser Tweedale wrote:
>> On Thu, Mar 18, 2021 at 03:10:30PM +0100, Kees Bakker via FreeIPA-users
>> wrote:
>>> Hi,
>>>
>>> We have FreeIPA with three masters. To get to the LDAP server
>>> we can use either of the three. To configure a service you must
>>> come up with a FQDN for the LDAP server. Until now we have
>>> simply selected one of the three. But that's not very convenient
>>> because we want to do maintenance on that IPA master.
>>>
>>> What possibilities are there to have something that switches
>>> automatically to another server? How is the SRV _ldap._tcp record
>>> used?
>>>
>> Hi Kees,
>>
>> SRV records for _ldap._tcp.$DOMAIN return a list of DNS names and
>> ports for actual service endpoints. See
>> https://www.freeipa.org/page/V4/DNS_Location_Mechanism#Current_use_of_SRV_records
>> for example. See https://tools.ietf.org/html/rfc2782 for the
>> specification of SRV records and how to interpret them.
>>
>> If it is possible to configure the service to use SRV records to
>> locate the LDAP server, that is the best approach.
>>
>> Cheers,
>> Fraser
>>
>
> Thanks to all those who answered.
>
> The reason I asked this was because we have several services that
> have ways to use LDAP. For example GitLab and JIRA. Not every one
> of these services has ways to instruct it to use SRV records. So, I
> was wondering how others are solving this.
>
> Alexander showed `ldapsearch` as an example of a tool that can
> use SRV. So, there are tools that can do it. Great.
>
> At GitLab it still hasn't sunk in [2].
> For JIRA an issue was raised 10 years ago [3]; I haven't yet found out if they
> support it.
>
> BTW. While searching further I also came across a reaction [1] warning
> that using ldaps through SRV isn't secure. So I need to try and stick to
> plain ldap (389) and TLS.

IMHO his concerns are unfounded. DNS returns you a set of hostnames. What you do with those hostnames is up to you. There could be DNS poisoning for sure. But I don't see how this only affects ldaps. All the same TLS MITM protections still exist. So you can do a SRV lookup of ldap and use ldaps against the host if you want. It's no more or less secure IMHO.

rob

>
> [1] https://serverfault.com/questions/1002895/ldaps-srv-resolution-not-working
> [2] https://gitlab.com/gitlab-org/gitlab/-/issues/139
> [3] https://jira.atlassian.com/browse/JRASERVER-21361
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
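The thread points at RFC 2782 for how a client should interpret the `_ldap._tcp` SRV answer, and the reply above makes the point that the hostnames DNS hands back are just where the TLS handshake is aimed. The following is an added example (not code from the thread, from FreeIPA, or from either poster) that implements the RFC 2782 selection rules over constructed SRV records: priorities are tried in ascending order, records sharing a priority are picked by weighted random selection, and a target of "." (the RFC's "service not available" marker) is skipped. The three IPA master names and the record values are constructed sample data; a real client would obtain them from a DNS query for `_ldap._tcp.<domain>` and then open the connection, with certificate hostname verification against the selected SRV target.

```python
"""RFC 2782 ordering of _ldap._tcp SRV records (worked example).

Constructed sample data only: nothing here performs DNS or LDAP I/O.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN of the LDAP server, as carried in the SRV RDATA


# Constructed sample answer for _ldap._tcp.example.test: two masters at
# priority 0 share the load; the third sits at priority 10 so it is only
# tried when both others are unreachable (e.g. a master under maintenance).
SAMPLE_SRV: List[SrvRecord] = [
    SrvRecord(priority=0, weight=100, port=389, target="ipa1.example.test."),
    SrvRecord(priority=0, weight=100, port=389, target="ipa2.example.test."),
    SrvRecord(priority=10, weight=100, port=389, target="ipa3.example.test."),
]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them.

    RFC 2782 usage rules: lowest priority first; within one priority,
    weight-0 records are placed at the head of the candidate list, then
    a random number in [0, sum(weights)] selects the first record whose
    running weight sum reaches it. The chosen record is removed and the
    process repeats until the priority group is exhausted.
    """
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        # Stable sort: weight-0 entries first, others keep their input order.
        bucket.sort(key=lambda r: r.weight != 0)
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def ldap_uris(records: List[SrvRecord], scheme: str = "ldap",
              rng: Optional[random.Random] = None) -> List[str]:
    """Build the candidate URI list in try-order, dropping '.' targets.

    The host part of each URI is the SRV target; it is also the name a
    TLS client must verify the server certificate against (server_name
    for ldaps, or for STARTTLS on port 389), which is why a poisoned SRV
    answer pointing at a host without a valid certificate for that name
    fails the handshake rather than silently succeeding.
    """
    uris: List[str] = []
    for rec in order_srv(records, rng):
        if rec.target == ".":  # RFC 2782: service decidedly not available
            continue
        uris.append(f"{scheme}://{rec.target.rstrip('.')}:{rec.port}")
    return uris


if __name__ == "__main__":
    for uri in ldap_uris(SAMPLE_SRV):
        print(uri)
```

Running the block prints the two priority-0 masters first in a random order and `ldap://ipa3.example.test:389` last; a client that walks this list and stops at the first successful bind gets the failover behaviour the original question asks for, while keeping ordinary certificate verification for whichever name it ends up connecting to.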
