Pierangelo Masarati [mailto:ando@sys-net.it] wrote:
OpenLDAP clients do the following:

empty hostport, empty DN: localhost, default port
empty hostport, non-empty DN: SRV

what might be missing IMHO is:

use domain to specify SRV

however, I don't see any special need for it, as domain can always be put in DN form. I don't know if there's need for a form that asks to use SRV to discover the server for the default SUFFIX. In order to avoid issues, I recommend using something like

x-dnssrv={<domain>|<DN>}

where <DN> is restricted to the domain component sequence form.
Ok, I start on this agreement ... So, is it a Good Thing (IYHO ;) to introduce this patch according to the "followup 9"?...
One other possible solution could be (for example) to patch the ldap_connect_to_host() function in os-ip.c (around the getaddrinfo() and ldap_pvt_gethostbyname_a() calls). However, samba (as an example) seems not to use it ...
I think that the first solution remains the one that will have a minimal impact on the existing sources ...
Michael Ströder wrote:
Frankly I'd vote against stuffing this into the standard function ldap_initialize(). Using this without further precaution (like user interaction) is broken in a similar way to chasing LDAPv3 referrals on the client side.
I also think myself that security aspects are important; but on the other hand, IMHO, it is the responsibility of the DNS administrator to configure cleanly and to protect its systems from any corruption (and maybe also of the BIND project to improve the tools allowing it).
Be that as it may, the advantage of the suggested solution ("followup 9") is that the patch can be located either within the function ldap_initialize() or within another front-end function (according to what will finally be decided ;). --- PE
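As an added illustration of the client rules Pierangelo lists above and of the proposed x-dnssrv={<domain>|<DN>} form (my own code, not from OpenLDAP or from anyone in this thread): placing x-dnssrv in the LDAP URL extensions field and restricting the DN mapping to a pure dc= sequence are assumptions. The function only computes which name an SRV lookup would use and never queries DNS, so the policy decision Michael raises stays with the caller.

```python
from urllib.parse import urlsplit, unquote

SRV_PREFIX = "_ldap._tcp."


def dn_to_domain(dn):
    """RFC 2247 mapping of a pure domain-component DN (dc=example,dc=com)
    to a DNS domain. Returns None if any RDN is not a dc= component, the
    restriction proposed in the thread for the DN form of x-dnssrv."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc" or not value.strip():
            return None
        labels.append(value.strip())
    return ".".join(labels)


def resolve_target(url):
    """Apply the client rules quoted in the thread to one LDAP URL.
    Returns ("host", host, port), ("srv", srv_name) or ("reject", why).
    No DNS query is issued: the caller still decides whether letting a
    resolver answer choose the server is acceptable for its setting."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return ("reject", "unsupported scheme")
    default_port = 636 if parts.scheme == "ldaps" else 389
    dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    fields = parts.query.split("?")          # attrs ? scope ? filter ? exts
    exts = fields[3].split(",") if len(fields) > 3 and fields[3] else []
    # Assumed extension x-dnssrv={<domain>|<DN>}; a DN value is %-encoded
    # so that its commas do not split the extension list.
    srv_arg = None
    for ext in exts:
        name, sep, value = ext.partition("=")
        if sep and name.lower() == "x-dnssrv":
            srv_arg = unquote(value)
    if srv_arg is not None:                   # explicit request for SRV
        domain = dn_to_domain(srv_arg) if "=" in srv_arg else srv_arg
        if not domain:
            return ("reject", "x-dnssrv DN is not a pure dc= sequence")
        return ("srv", SRV_PREFIX + domain)
    if parts.netloc:                          # explicit hostport: no discovery
        return ("host", parts.hostname, parts.port or default_port)
    if not dn:                                # empty hostport, empty DN
        return ("host", "localhost", default_port)
    domain = dn_to_domain(dn)                 # empty hostport, non-empty DN
    if domain is None:                        # strict: refuse rather than guess
        return ("reject", "cannot derive a domain from the DN")
    return ("srv", SRV_PREFIX + domain)
```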