Hello, we are trying to use the DNS-SRV backend of OpenLDAP. This gets difficult when ldaps is used. I'm not sure whether we do this correctly - so I'd like to ask the following questions:
1. If I run an LDAP server (administrative point: dc=keutel,dc=de) with both ldap and ldaps enabled: Is it right that I should put *two* lines into DNS? Like:
_ldaps._tcp.keutel.de IN SRV 10 0 636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 389 ldap.keutel.de
Or, when using non-default ports:
_ldaps._tcp.keutel.de IN SRV 10 0 1636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 1389 ldap.keutel.de
2. If there is another LDAP server, e.g. ldap.abcdefg.hi, configured using the DNS-SRV backend: If I search this server like:
ldapsearch -H ldaps://ldap.abcdefh.hi/ -b dc=keutel,dc=de sn=meier
Then I would expect that this request is chained (using back-meta) to
ldaps://keutel.de:1636/ with search base dc=keutel,dc=de.
Is this understanding correct?
3. If yes: I think that the OpenLDAP code currently doesn't handle this correctly:
a) independent of the original request (ldap or ldaps), the _ldap._tcp DNS record is always used (never _ldaps._tcp)
b) independent of the original request (ldap or ldaps), ldap URLs are always returned (never ldaps://...)
c) the search base is omitted in the chained request, so keutel.de is searched with an empty search base
See ITS 6462 and 6463 for details.
I think fixing b) and c) is not that difficult: only dnssrv_back_referrals() has to be changed. I'll try to send a patch.
Fixing a) seems more difficult because ldap_domain2hostlist() isn't used only in the DNS SRV backend but also in the tools (ldapsearch etc.) and the NSS overlay.
Best regards,
Jochen.
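As an added illustration of the behaviour the post asks for (not code from the post and not OpenLDAP's own implementation), the following Python script shows a scheme-aware SRV lookup that builds referral URLs: an ldaps request consults _ldaps._tcp, an ldap request consults _ldap._tcp, the returned URL keeps the requested scheme and port, and the search base is carried into the URL. The zone data is constructed inline in place of a real DNS query; the dn-to-domain conversion and the RFC 2782 ordering are simplified (no escaped commas, deterministic weight ordering). A domain with no _ldaps record yields no URLs rather than silently downgrading to plain ldap.

```python
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone (hypothetical; stands in for a real SRV query).
# The keutel.de entries mirror the non-default-port records from the post.
SAMPLE_ZONE = {
    "_ldaps._tcp.keutel.de": [SrvRecord(10, 0, 1636, "ldap.keutel.de")],
    "_ldap._tcp.keutel.de": [SrvRecord(10, 0, 1389, "ldap.keutel.de")],
    # A second constructed domain with two TLS servers at different priorities.
    "_ldaps._tcp.example.test": [
        SrvRecord(20, 0, 636, "backup.example.test"),
        SrvRecord(10, 0, 636, "primary.example.test"),
    ],
}


def dn_to_domain(base_dn):
    """Turn a dc-only DN into a DNS domain: dc=keutel,dc=de -> keutel.de.

    Simplified: assumes no escaped commas inside RDN values.
    """
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc":
            raise ValueError(f"non-dc RDN in search base: {rdn!r}")
        labels.append(value.strip())
    return ".".join(labels)


def srv_name(domain, scheme):
    """Pick the SRV owner name that matches the requested scheme."""
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme}")
    return f"_{scheme}._tcp.{domain}"


def lookup_srv(domain, scheme, zone=SAMPLE_ZONE):
    """Return the SRV records for the scheme, lowest priority first.

    RFC 2782 selects among equal priorities by weighted random choice; this
    example sorts by weight descending instead so results are deterministic.
    """
    records = zone.get(srv_name(domain, scheme), [])
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def referral_urls(base_dn, scheme, zone=SAMPLE_ZONE):
    """Build referral URLs that keep the scheme, the SRV port and the base DN.

    An empty list for ldaps means "no TLS server advertised"; the caller should
    fail the request rather than retry over plain ldap.
    """
    domain = dn_to_domain(base_dn)
    # RFC 4516: the DN sits in the URL path; '=' and ',' may stay literal,
    # other reserved characters (including '/') are percent-encoded.
    dn_part = quote(base_dn, safe="=,")
    return [
        f"{scheme}://{rec.target}:{rec.port}/{dn_part}"
        for rec in lookup_srv(domain, scheme, zone)
    ]


if __name__ == "__main__":
    for scheme in ("ldaps", "ldap"):
        print(scheme, "->", referral_urls("dc=keutel,dc=de", scheme))
    print("ldaps ->", referral_urls("dc=example,dc=test", "ldaps"))
```

Running the script prints an ldaps:// URL on port 1636 and an ldap:// URL on port 1389 for dc=keutel,dc=de, each with the base DN in the path, and lists primary.example.test before backup.example.test for the second domain.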