ando@sys-net.it wrote:
Philippe.eychart@informatique.gov.pf wrote:
The "tool_conn_setup" function (in common.c) authorises the URL syntax "ldap:///dc=my%2cdc=domaine", which produces a SRV request to find the best server to query (not yet according to RFC 2782 - I've made a dnssrv.c patch to implement priorities and I'm trying to implement weight before submitting this work). So the client tools - ldapsearch, ldapadd, ... permit this syntax (via the "ldap_dn2domain" and "ldap_domain2hostlist" functions).
This was done to allow testing client-side the DNS SRV feature.
Unfortunately, ldap_initialize() doesn't use these functions (but only ldap_url_parselist_ext()) and doesn't allow this syntax. So other packages (like SAMBA) don't enjoy this capability: "passdb backend = ldapsam:ldap:///dc=my%2cdc=domain" according to a SRV definition "_ldap._tcp.my.domain. IN SRV ..."
Is there any reason for that? Can we envisage extending this possibility?
None that I'm aware of. Feel free to move that code from tools to libldap. Patches are welcome, as usual.
But please put a note into the accompanying man page with a strong recommendation not to use it without further security mechs. I wouldn't configure Samba like this. (Similar problems to DNS lookups in Kerberos implementations for realm and KDC discovery.)
I've implemented something like this in web2ldap, but the SRV mech causes a user interaction on the UI. So the user has a vague chance to determine whether he's been tricked into another DSA by DNS spoofing.
Ciao, Michael.
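The client-side steps the thread describes, as an added illustration that is not code from the thread or from OpenLDAP's libldap: turn the DN of a host-less "ldap:///" URL into a DNS domain, derive the "_ldap._tcp" SRV name, and order SRV answers by RFC 2782 priority and weight. The function names, the `rng` parameter and the SRV answer set are assumptions constructed for the example; a real client would still have to authenticate the chosen server (e.g. via its TLS certificate), since the SRV answer itself is unauthenticated.

```python
from urllib.parse import unquote

# Constructed sample SRV answer for _ldap._tcp.my.domain: (priority, weight, port, target)
SAMPLE_SRV = [
    (10, 60, 389, "ldap1.my.domain."),
    (10, 40, 389, "ldap2.my.domain."),
    (20, 0, 389, "backup.my.domain."),
]

def dn2domain(dn):
    """Join the dc= components of a DN into a domain: 'dc=my,dc=domain' -> 'my.domain'."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            return None          # a non-dc RDN gives no usable domain
        labels.append(value.strip())
    return ".".join(labels)

def url2srvname(url):
    """Map a host-less LDAP URL such as 'ldap:///dc=my%2cdc=domain' to '_ldap._tcp.my.domain'."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        return None
    host, _, rest = rest.partition("/")
    if host:
        return None              # an explicit host is given: no SRV discovery needed
    domain = dn2domain(unquote(rest.split("?", 1)[0]))   # drop ?attrs?scope?filter
    if not domain:
        return None
    return ("_ldaps" if scheme == "ldaps" else "_ldap") + "._tcp." + domain

def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: lowest priority first, weighted random within a priority."""
    import random
    rng = rng or random.random
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = rng() * sum(r[1] for r in group)
            chosen = group[-1]   # fallback also covers an all-zero-weight group
            for r in group:
                pick -= r[1]
                if pick < 0:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered
```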