On Mon, 17 Apr 2017, Michael Ströder wrote:
John Lewis wrote:
I am reading in the LDAP spec https://tools.ietf.org/html/rfc4511 about
naming contexts and I am looking at my RootDSE.
Since my DIT mirrors DNS https://tools.ietf.org/html/rfc2247, there must
be some way to route someone to the correct naming context based on the
DNS they were using to access the LDAP server, otherwise I just don't
understand the spec.
https://tools.ietf.org/html/rfc2782
I'm not following that from the original question. It's plausible that a
SRV may route someone to the "correct" server relative to a given DNS
label. But since the SRV Target MUST be something that resolves to an
address, it's quite a leap to find "the correct naming context."
In other words -- and back to the original question here perhaps --
perhaps you know you want LDAP service for example.com, and perhaps a SRV
_ldap._tcp.example.com will illuminate you to (say) ldap.example.com.
But upon connecting to ldap.example.com, when the rootDSE presents with
n>1 namingContexts, how do you know "the correct naming context?" I'd
argue that you basically can't. It would be like a connection to
www.example.com imputing that you want www.example.com/product/lightbulb
or a connection to sql.example.com somehow magically determining, solely
on the basis of the connection characteristics, that you want a query
"FROM creditCardNumbers" table. I don't see that being meaningfully
possible.
Note:
1. If you're using TLS there's AFAIK no specification of how to implement the TLS
hostname check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks.
2. You still need a priori configuration of how the client should authenticate to
the directory.
Ciao, Michael.
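As an added illustration of the two steps discussed above (not code from the thread or from any of its participants): the script below orders `_ldap._tcp.<domain>` SRV records the way RFC 2782 prescribes, maps the requested domain to its RFC 2247 domain-component DN, and checks whether a rootDSE's namingContexts contain that DN or an ancestor of it. The SRV records, the rootDSE LDIF and the host names under example.com are constructed sample data; no DNS or LDAP traffic is sent. The matching step only works under the assumption John states, that the DIT mirrors DNS; it is that convention, not anything in the SRV answer or the rootDSE, that picks the context. The TLS hostname check and the authentication configuration from Michael's notes are outside the example.

```python
"""Added example, not from the thread: RFC 2782 SRV ordering for LDAP plus
RFC 2247 domain -> DN matching against a rootDSE's namingContexts.
All records and LDIF below are constructed sample data; no network I/O."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # host owner name, or "." meaning "service not offered here"


def srv_name(domain, service="ldap", proto="tcp"):
    """Query name per RFC 2782: _Service._Proto.Name, as an FQDN."""
    return f"_{service}._{proto}.{domain.strip('.')}."


def order_srv(records, rng=None):
    """Contact order per RFC 2782: lower priority first; inside a priority a
    weighted random draw where weight-0 records sit at the front and are
    chosen only when the draw lands on 0. `rng` needs randint(a, b); pass a
    seeded random.Random for reproducible output."""
    if rng is None:
        rng = random.Random()
    remaining = [r for r in records if r.target != "."]  # "." = no service
    ordered = []
    for prio in sorted({r.priority for r in remaining}):
        group = [r for r in remaining if r.priority == prio]
        while group:
            group.sort(key=lambda r: r.weight != 0)  # stable: weight 0 first
            draw = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= draw:  # first record whose running sum reaches the draw
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def domain_to_dn(domain):
    """RFC 2247 mapping: every DNS label becomes a dc= RDN, left to right."""
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    return ",".join(f"dc={label}" for label in labels)


def naming_contexts_from_ldif(ldif):
    """Collect namingContexts values from a rootDSE in plain LDIF form
    (as printed by `ldapsearch -x -s base -b '' namingContexts`)."""
    values = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "namingcontexts":
            values.append(value.strip())
    return values


def _rdns(dn):
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def match_naming_context(domain, naming_contexts):
    """Most specific namingContext equal to, or an ancestor of, the domain's
    dc-mapped DN (so ldap1.example.com still finds dc=example,dc=com); None
    when nothing matches. Relies on the DIT mirroring DNS (an assumption)."""
    wanted = _rdns(domain_to_dn(domain))
    best = None
    for ctx in naming_contexts:
        rdns = _rdns(ctx)
        if not rdns or len(rdns) > len(wanted):
            continue
        if wanted[len(wanted) - len(rdns):] == rdns:
            if best is None or len(rdns) > len(_rdns(best)):
                best = ctx
    return best


# Constructed sample data: two priorities, one weight-0 spare per RFC 2782.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=60, port=389, target="ldap1.example.com."),
    SrvRecord(priority=10, weight=40, port=389, target="ldap2.example.com."),
    SrvRecord(priority=10, weight=0, port=389, target="ldap-spare.example.com."),
    SrvRecord(priority=20, weight=0, port=389, target="ldap-dr.example.com."),
]

# Constructed rootDSE with n>1 namingContexts, the case discussed above.
SAMPLE_ROOTDSE = """\
dn:
namingContexts: dc=example,dc=com
namingContexts: dc=example,dc=net
namingContexts: o=legacy
supportedLDAPVersion: 3
"""

if __name__ == "__main__":
    print(srv_name("example.com"))
    for rec in order_srv(SAMPLE_SRV, random.Random(1)):
        print(f"  {rec.target}:{rec.port} (priority {rec.priority}, weight {rec.weight})")
    contexts = naming_contexts_from_ldif(SAMPLE_ROOTDSE)
    print(match_naming_context("ldap1.example.com", contexts))
```

`order_srv` accepts any object with a `randint(a, b)` method, so its behaviour at the edges (a draw of 0 selecting a weight-0 spare, a draw of the full sum selecting the last record) can be pinned down deterministically; `match_naming_context` returns None rather than guessing when no context is a suffix of the mapped DN, which is exactly the situation the thread describes for a server whose contexts do not follow RFC 2247.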