I am also not a C programmer. I've not even looked at patch at this point.
I agree best practice says hostname are limited to specific ASCII characters. And underscore are indeed not included.
However DNS name in general only have very few restriction (RFC2181) (2). I did some tests using the 'host' and 'dig' command and they do not perform additional validation. For example (2):
$ host 'ldap://.test.com' ldap://.test.com has address 69.172.200.109
I would expect C library for resolving DNS names to already enforce those basic constrain. I believe we should be careful about performing additional validation/restriction.
Micheal, you are *right* about the man page saying _hostname_. Indeed OpenLDAP only accepting hostname as per best practice/RFC might be the most correct behavior. However we can not change this behavior without breakable. consider:
- Underscore are not that uncommon with Active Directory - What about internationalized DNS name - ... (probably more)
Therefore I believe such change could only be done in a major release. And at that point we might just remove the depreciated '-h' option altogether.
I don't know how OpenLDAP code work. I have a suspicion it might transform hostname + port into a URI. The ITC shows that (for some cases) hostname are handled differently when:
1. Using only '-h' without '-p' 2. Using both '-h' and '-p'
And this is clearly not a correct behavior.
Best, Alex
(1) See RFC for reference but essentially: - A full domain name is limited to 255 octets (including the separators) - Each part of the domain (label) can be between 1 and 63 octets
(2) test.com DNS seems to simply return the same A record for any subdomain (wildcard). It highlights that wierd name like works at the DNS level.
PS: I exchanged a few email regarding DNS/hostname with Lawrence off the list. I believe this email summarizes the main points from my perspective.
On Fri, 2018-03-02 at 18:48 +0000, michael@stroeder.com wrote:
andrew.lawrence@siemens.com wrote:
I believe the following patch addresses this problem. I am still a bit conf used about what constitutes a DNS name. Alex has suggested they should contain an underscore. My colleague who reviewed the code had a different opinion.
Disclaimer: Since I'm not a C programmer I did not really review your patch in detail but just want to add some general notes.
- Reviewing this ticket my is that the only problem is that
-h also accepts a LDAP URI because -H should be used instead. IIRC -h was only meant to take an IP address or hostname. Therefore I'd strongly recommend to simply reject an LDAP URI for -h. Is that your goal?
- The term "DNS name" is a bit too blurry. In case of option -h it
should be an IP address or . And according to best practices hostnames SHOULD NOT contain underscores. Whether you _allow_ underscores to accommodate some strange setups is your decision.
Ciao, .