Hi,
- If you're using TLS there's AFAIK no specification of how to implement the TLS hostname
check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks.
IMHO, the hostname check is immaterial (and potentially confusing when hosting multiple dc=,dc= trees), but DANE can be helpful by checking the cert or key, regardless of the naming information in the certificate:
https://tools.ietf.org/html/rfc6698
Example records can be generated on
https://www.huque.com/bin/gen_tlsa
Assuming no further server infra I would consider the following settings:
* 1 - PKIX-EE: Service Certificate Constraint
* 0 - Cert: Use full certificate
* 1 - SHA-256: SHA-256 hash
* [copy/paste X.509 certificate of the server]
* port 389 (ldaps is deprecated AFAIK, and at least ill-advised)
* transport tcp
* domain name your.corner.of.the.world (for dc=your,dc=corner,dc=of,dc=the,dc=world)
It will generate a TLSA record under DNS name _389._tcp.your.corner.of.the.world.
Take note that DANE relies on DNSSEC for security.
- You still need a priori configuration of how the client should authenticate to the directory.
I would use a client that uses DANE. Not sure if this already exists, but it's something that we will probably be doing in LillyDAP in the coming year.
https://github.com/vanrein/lillydap
I hope this helps,
-Rick
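The TLSA settings Rick lists above, worked through in code as an added example (this is not from the post and not LillyDAP code). It builds the RRdata the generator would emit for usage 1 / selector 0 / matching type 1, also handles selector 1 (SubjectPublicKeyInfo) and matching type 2 (SHA-512), and shows the client-side comparison. The certificate is a constructed DER fixture with a dummy key (no real signature, so it cannot be used for anything but hashing), no DNS or DNSSEC lookup is performed, and the usage-1 case still needs ordinary PKIX chain validation on top of the match, which is left out here. Stdlib only.

```python
"""Build and check DANE TLSA data for an LDAP server certificate (added example)."""
import hashlib


def tlsa_owner_name(domain, port=389, proto="tcp"):
    """TLSA owner name per RFC 6698: _<port>._<proto>.<base domain>."""
    return f"_{port}._{proto}.{domain.rstrip('.')}."


def der(tag, content):
    """Encode one DER TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, start, start + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki(cert_der):
    """Return the full DER of SubjectPublicKeyInfo (tag+length+value): what selector 1 hashes."""
    tag, cstart, cend = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_start, tbs_end = next(der_children(cert_der, cstart, cend))  # tbsCertificate
    fields = list(der_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:          # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, _, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def tlsa_rdata(cert_der, usage=1, selector=0, mtype=1):
    """(usage, selector, matching type, hex association data), as in the RR presentation format."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return usage, selector, mtype, assoc.hex()


def tlsa_record(domain, cert_der, usage=1, selector=0, mtype=1):
    """Zone-file line for the settings in the post (port 389, tcp)."""
    u, s, m, h = tlsa_rdata(cert_der, usage, selector, mtype)
    return f"{tlsa_owner_name(domain)} IN TLSA {u} {s} {m} {h}"


def cert_matches_tlsa(cert_der, usage, selector, mtype, assoc_hex):
    """Client-side match for end-entity usages 1 (PKIX-EE) and 3 (DANE-EE).
    Usages 0/2 constrain a CA certificate and need the whole chain, so they are refused here."""
    if usage not in (1, 3):
        raise ValueError("usages 0/2 constrain a CA certificate; chain needed")
    return tlsa_rdata(cert_der, usage, selector, mtype)[3] == assoc_hex.lower()


# --- constructed fixture (hypothetical): structurally valid DER, dummy key, no real signature ---
_EC_PUBKEY_OID = der(0x06, bytes.fromhex("2a8648ce3d0201"))     # 1.2.840.10045.2.1
_P256_OID = der(0x06, bytes.fromhex("2a8648ce3d030107"))       # 1.2.840.10045.3.1.7
_ECDSA_SHA256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
SAMPLE_SPKI_DER = der(0x30, der(0x30, _EC_PUBKEY_OID + _P256_OID)
                      + der(0x03, b"\x00\x04" + bytes(64)))   # dummy point, not on the curve


def make_cert(serial):
    """Certificate with the given serial but the same SPKI, i.e. a re-issue with the same key."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))              # version v3
              + der(0x02, bytes([serial]))
              + _ECDSA_SHA256
              + der(0x30, b"")                                  # issuer (empty, fixture only)
              + der(0x30, der(0x17, b"240101000000Z") * 2)       # validity
              + der(0x30, b"")                                  # subject
              + SAMPLE_SPKI_DER)
    fake_sig = der(0x03, b"\x00" + der(0x30, der(0x02, b"\x01") * 2))
    return der(0x30, tbs + _ECDSA_SHA256 + fake_sig)


SAMPLE_CERT_DER = make_cert(1)

if __name__ == "__main__":
    print(tlsa_record("your.corner.of.the.world", SAMPLE_CERT_DER))
    print(tlsa_record("your.corner.of.the.world", SAMPLE_CERT_DER, selector=1))
```

The two pins differ in what survives a certificate renewal: a selector-0 record (full certificate, the setting in the post) stops matching as soon as the server gets a new certificate, even with the same key, so the TLSA record has to be rolled with every renewal; a selector-1 record keeps matching for as long as the key is reused. Either way the record is only as trustworthy as the DNSSEC validation of the lookup that fetched it, which the post already points out.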