Hello,
we are trying to use the DNS-SRV backend of OpenLDAP. This gets
difficult when ldaps is used. I'm not sure whether we do this correctly
- so I'd like to ask the following questions:
1. If I run an LDAP server (administrative point: dc=keutel,dc=de) with
both ldap and ldaps enabled: Is it right that I should put *two* lines
into DNS? Like:
_ldaps._tcp.keutel.de IN SRV 10 0 636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 389 ldap.keutel.de
Or, when using non-default ports:
_ldaps._tcp.keutel.de IN SRV 10 0 1636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 1389 ldap.keutel.de
2. If there is another LDAP server, e.g. ldap.abcdefg.hi , configured
using DNS-SRV backend: If I search this server like:
ldapsearch -H ldaps://ldap.abcdefh.hi/ -b dc=keutel,dc=de sn=meier
Then I would expect that this requested is chained (using back-meta) to
ldaps://keutel.de:1636/ with search base dc=keutel,dc=de .
Is this understanding correct?
3. If yes: I think that OpenLDAP code currently doesn't handle this
correctly:
a) independent on the original request (ldap or ldaps): Always the
_ldap._tcp DNS record is used (never _ldaps._tcp)
b) independent on the original request (ldap or ldaps): Always ldap URLs
are returned (never ldaps://...)
c) the search base is omitted in the chained request: So keutel.de is
searched with empty search base
See ITS 6462 and 6463 for details.
I think fixing b) and c) is not that difficult: Just
dnssrv_back_referrals() has to be changed. I'll try to send a patch.
Fixing a) seems more difficult because ldap_domain2hostlist() isn't used
only in the DNS SRV backend but also in the tools (ldapsearch etc.) and
the NSS overlay.
Best regards,
Jochen.
