Aaron Richton wrote:
On Mon, 17 Apr 2017, Michael Ströder wrote:
John Lewis wrote:
I am reading in the LDAP spec https://tools.ietf.org/html/rfc4511 about naming contexts and I am looking at my RootDSE.
Since my DIT mirrors DNS https://tools.ietf.org/html/rfc2247, there must be some way to route someone to the correct naming context based on the DNS they were using to access the LDAP server, otherwise I just don't understand the spec.
I'm not following that from the original question. It's plausible that a SRV may route someone to the "correct" server relative to a given DNS label. But since the SRV Target MUST be something that resolves to an address, it's quite a leap to find "the correct naming context."
In other words -- and back to the original question here perhaps -- perhaps you know you want LDAP service for example.com, and perhaps a SRV _ldap._tcp.example.com will illuminate you to (say) ldap.example.com.
So the question boils down to how you know in advance about the DNS domain "example.com".
But upon connecting to ldap.example.com, when the rootDSE presents with n>1 namingContexts, how do you know "the correct naming context?" I'd argue that you basically can't.
I understand your doubts because RFC 2782 is just the SRV RR spec. RFC 3088 defines a DN to domain mapping:
https://tools.ietf.org/html/rfc3088#section-2.1
And exactly this mapping is used in MS AD, FreeIPA and various other deployments (including the dc-auto-locate feature in my own web2ldap).
Ciao, Michael.
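As an added illustration of the mapping the thread refers to (this is example code written for this page, not code from the thread, from web2ldap or from any of the products named), the block below implements the RFC 2247 domain-to-DN and DN-to-domain mapping, applies it to a constructed list of rootDSE namingContexts values to pick the context that corresponds to a DNS domain, and orders a constructed set of `_ldap._tcp` SRV records by priority. The namingContexts list, the SRV records and the function names are assumptions made for the example; RFC 2782's weighted-random choice within a priority is replaced by a deterministic weight-descending order so the result is reproducible.

```python
"""Added example (not from the thread): RFC 2247 mapping between DNS domains
and dc-style DNs, a naming-context chooser built on it, and RFC 2782-style
SRV ordering. All sample data below is constructed for illustration."""
from typing import List, Optional, Tuple

# Constructed rootDSE namingContexts values (assumption, not a real server).
SAMPLE_NAMING_CONTEXTS = [
    "dc=example,dc=com",
    "dc=sub,dc=example,dc=com",
    "cn=Monitor",
    "dc=other,dc=org",
]

# Constructed _ldap._tcp.example.com SRV RRs as (priority, weight, port, target).
SAMPLE_SRV = [
    (10, 20, 389, "ldap2.example.com"),
    (10, 80, 389, "ldap1.example.com"),
    (20, 0, 389, "ldap-backup.example.com"),
]


def split_rdns(dn: str) -> List[str]:
    """Split a string DN into RDNs at unescaped commas. RFC 4514 backslash
    escaping is honoured; multi-valued RDNs joined with '+' are not handled."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def domain_to_dn(domain: str) -> str:
    """RFC 2247 section 3: each DNS label becomes one dc= RDN, left to right."""
    labels = [l for l in domain.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={l}" for l in labels)


def dn_to_domain(dn: str) -> Optional[str]:
    """Reverse mapping for a DN made entirely of dc= RDNs. Returns None for
    any DN containing a non-dc RDN (cn=Monitor, ou=People,dc=...), which is
    exactly the case where the DNS name tells you nothing about the context."""
    labels = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            return None
        labels.append(value.strip().lower())
    return ".".join(labels) if labels else None


def choose_naming_context(domain: str, naming_contexts: List[str]) -> Optional[str]:
    """Pick the namingContexts value whose mapped domain equals the queried
    domain or is a parent of it; the most specific (longest) match wins.
    None means the rootDSE alone cannot answer, as the thread points out."""
    want = domain.strip().rstrip(".").lower()
    best: Optional[Tuple[int, str]] = None
    for ctx in naming_contexts:
        ctx_domain = dn_to_domain(ctx)
        if ctx_domain is None:
            continue
        if want == ctx_domain or want.endswith("." + ctx_domain):
            if best is None or len(ctx_domain) > best[0]:
                best = (len(ctx_domain), ctx)
    return best[1] if best else None


def order_srv_targets(records: List[Tuple[int, int, int, str]]) -> List[Tuple[int, int, int, str]]:
    """Lowest priority first (RFC 2782). Within a priority RFC 2782 wants a
    weighted random pick; this example sorts by weight descending instead so
    the outcome is deterministic. Target name breaks remaining ties."""
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


if __name__ == "__main__":
    print(domain_to_dn("sub.example.com"))
    print(choose_naming_context("host.sub.example.com", SAMPLE_NAMING_CONTEXTS))
    print(choose_naming_context("example.net", SAMPLE_NAMING_CONTEXTS))
    for rec in order_srv_targets(SAMPLE_SRV):
        print(rec)
```

The chooser only resolves the question when the naming context is a pure dc-style DN; a server whose namingContexts are, say, `o=Example` or `cn=Monitor` returns None here, which is the situation where the SRV lookup gets you to a host but no further.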