Aaron Richton wrote:
> On Mon, 17 Apr 2017, Michael Ströder wrote:
>> John Lewis wrote:
>>> I am reading in the LDAP spec https://tools.ietf.org/html/rfc4511 about
>>> naming contexts and I am looking at my RootDSE.
>>>
>>> Since my DIT mirrors DNS https://tools.ietf.org/html/rfc2247, there must
>>> be some way to route someone to the correct naming context based on the
>>> DNS they were using to access the LDAP server, otherwise I just don't
>>> understand the spec.
>>
>> https://tools.ietf.org/html/rfc2782
> 
> I'm not following that from the original question. It's plausible that a SRV
> may route someone to the "correct" server relative to a given DNS label. But
> since the SRV Target MUST be something that resolves to an address, it's quite
> a leap to find "the correct naming context."
> 
> In other words -- and back to the original question here perhaps -- perhaps
> you know you want LDAP service for example.com, and perhaps a SRV
> _ldap._tcp.example.com will illuminate you to (say) ldap.example.com.

So the question boils down to how you know in advance about the DNS domain
"example.com".

> But upon connecting to ldap.example.com, when the rootDSE presents with n>1
> namingContexts, how do you know "the correct naming context?" I'd argue that
> you basically can't.

I understand your doubts because RFC 2782 is just the SRV RR spec. RFC 3088
defines a DN to domain mapping:

https://tools.ietf.org/html/rfc3088#section-2.1

And exactly this mapping is used in MS AD, FreeIPA and various other deployments
(including the dc-auto-locate feature in my own web2ldap).

Ciao, Michael.


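Editor's note (added example, not code from this thread, from OpenLDAP, or from
web2ldap's dc-auto-locate): the two halves of the answer above in working code.
First the RFC 2247 style mapping between a DNS domain and a dc-named DN in both
directions, then the SRV owner name that RFC 2782 would have you query, and
finally a selector that, given the namingContexts read from a rootDSE, picks the
one that corresponds to the domain the client was using. All function names are
the example's own. The selector also tries each parent domain in turn so that a
client using ldap.corp.example.com still finds dc=corp,dc=example,dc=com; that
walk-up is an assumption of this example, not something the thread or the cited
RFCs prescribe. The sample namingContexts list is constructed for illustration.

```python
"""Domain <-> dc-style DN mapping and namingContext selection (illustrative)."""
from typing import Dict, Iterable, List, Optional


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas. Handles backslash escapes (RFC 4514)
    but not multi-valued RDNs joined with '+'; good enough for dc-naming."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize_dn(dn: str) -> str:
    """Cheap comparison form: strip whitespace around RDNs, lower-case.
    Not full RFC 4517 matching, but adequate for dc values (DNS labels)."""
    return ",".join(r.lower() for r in split_rdns(dn))


def domain_to_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com (one dc RDN per label, RFC 2247 s.3)."""
    labels = [l for l in domain.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def dn_to_domain(dn: str) -> Optional[str]:
    """dc=example,dc=com -> example.com. Returns None if any RDN is not a
    dc= RDN, because only purely dc-named DNs map to a domain."""
    labels: List[str] = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            return None
        labels.append(value.strip().lower())
    return ".".join(labels) if labels else None


def srv_name(domain: str) -> str:
    """The SRV owner name a client queries for LDAP over TCP (RFC 2782/2247)."""
    return "_ldap._tcp." + domain.strip().rstrip(".").lower()


def select_naming_context(naming_contexts: Iterable[str],
                          domain: str) -> Optional[str]:
    """Pick the rootDSE namingContext matching `domain`, trying the domain
    itself and then each parent domain (assumed behaviour of this example).
    Returns the namingContext as the server spelled it, or None if no
    dc-named context corresponds to the domain."""
    by_norm: Dict[str, str] = {normalize_dn(nc): nc for nc in naming_contexts}
    labels = [l for l in domain.strip().rstrip(".").lower().split(".") if l]
    for start in range(len(labels)):
        candidate = domain_to_dn(".".join(labels[start:]))
        if candidate in by_norm:
            return by_norm[candidate]
    return None


# Constructed sample rootDSE attribute, not taken from any real server.
SAMPLE_NAMING_CONTEXTS = [
    "dc=example,dc=com",
    "o=Example Corp",
    "DC=corp, DC=example, DC=com",
]

if __name__ == "__main__":
    for host in ("ldap.example.com", "ldap.corp.example.com", "example.net"):
        print(host, "->", srv_name(host), "->",
              select_naming_context(SAMPLE_NAMING_CONTEXTS, host))
```

The last case (example.net) is the one Aaron describes: the client can locate a
server via SRV, but if no namingContext in the rootDSE maps back to the domain
it started from, the selector returns None rather than guessing.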