Rick van Rein wrote:
> - If you're using TLS there's AFAIK no specification how to implement the TLS
> hostname check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks.
> IMHO, the hostname check is immaterial (and potentially confusing, when hosting multiple dc=,dc= trees)

Not sure I understand "immaterial". One would have to write a spec which maps the "name" (here the LDAP URL) used by the client to something stored in the TLS server cert.
Also note that the subjectAltName extension can contain a URI.

> but DANE can be helpful by checking cert or key, regardless of naming information in the certificate,
> https://tools.ietf.org/html/rfc6698

I expected somebody to raise the DANE hype.
Note that DANE requires DNSSEC to be really secure. Also someone would have to write a spec detailing how to map ldap:///dc=example,dc=com to a DANE (DNS) name (just like a spec is needed for the TLS hostname check).
Ciao, Michael.
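The two checks argued about above, as an added example that is not code from the thread or from any LDAP implementation: an RFC 6125-style comparison of the host taken from an LDAP URL against a dNSName in subjectAltName, and the RFC 6698 TLSA association data (selector 0/1, matching type 0/1/2) for a DANE-EE check of the server certificate. Only the Python standard library is used; the certificate at the bottom is constructed in-line with a dummy EC key and signature so the DER walk can be shown offline, and the function and variable names are the example's own. The host-less form ldap:///dc=example,dc=com is refused rather than mapped, because, as Michael notes, no spec says how to derive a DNS name from the DN.

```python
"""Added example (not code from the thread): derive the names an RFC 6125
hostname check and an RFC 6698 DANE/TLSA lookup would use from an LDAP URL,
and compute TLSA association data from a DER certificate. The certificate
at the bottom is constructed in-line for the demo and is not a real one."""
import hashlib
import hmac
from urllib.parse import urlsplit


def ldap_url_names(url):
    """(host, port, tlsa_owner) for an LDAP URL with an explicit host.
    ldap:///dc=example,dc=com has no host and no spec maps the DN to a DNS
    name, so that form is refused instead of guessed."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if not parts.hostname:
        raise ValueError("LDAP URL without host part: nothing to check against")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    host = parts.hostname.rstrip(".")
    return host, port, "_%d._tcp.%s." % (port, host)   # RFC 6698 section 3


def dnsname_matches(reference, presented):
    """RFC 6125-style match of a reference name against one dNSName SAN:
    case-insensitive; a wildcard only as the whole leftmost label, matching
    exactly one label; *.tld rejected."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if "*" not in presented:
        return ref == pres
    if pres[0] != "*" or any("*" in l for l in pres[1:]) or len(pres) < 3:
        return False
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def _der(tag, content):
    """Encode one DER TLV with definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf, off):
    """Decode the TLV at buf[off]: (tag, content_start, content_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def der_spki(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER Certificate: element 6 of
    tbsCertificate when the optional [0] version is present, else 5."""
    _, off, _ = _tlv(cert_der, 0)                   # Certificate SEQUENCE
    _, off, tbs_end = _tlv(cert_der, off)           # tbsCertificate SEQUENCE
    elements = []
    while off < tbs_end:
        tag, _, end = _tlv(cert_der, off)
        elements.append((tag, cert_der[off:end]))
        off = end
    return elements[6 if elements[0][0] == 0xA0 else 5][1]


def tlsa_assoc_data(cert_der, selector, matching_type):
    """RFC 6698 section 2.1: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else der_spki(cert_der)
    if matching_type == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).digest()


def tlsa_matches(cert_der, usage, selector, matching_type, record_data):
    """DANE-EE (usage 3) check of the leaf against one TLSA RDATA. Usages 0-2
    need PKIX chain processing (not shown). The TLSA RRset must come from a
    DNSSEC-validating path, else whoever spoofs DNS also spoofs the record."""
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is shown")
    return hmac.compare_digest(tlsa_assoc_data(cert_der, selector, matching_type),
                               record_data)


# Constructed, structurally valid Certificate with a dummy EC key and signature.
_ECDSA_SHA256 = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))
_NAME = _der(0x30, b"")                         # empty issuer/subject Name
_VALIDITY = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201")))
            + _der(0x03, b"\x00\x04" + b"\x11" * 64))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _ECDSA_SHA256 + _NAME + _VALIDITY + _NAME + SPKI)
CERT_DER = _der(0x30, _TBS + _ECDSA_SHA256 + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    host, port, owner = ldap_url_names("ldaps://ldap.example.com/dc=example,dc=com")
    rdata = tlsa_assoc_data(CERT_DER, 1, 1)     # what a "3 1 1" record carries
    print(owner, "IN TLSA 3 1 1", rdata.hex())
    print("name ok:", dnsname_matches(host, "*.example.com"),
          "dane ok:", tlsa_matches(CERT_DER, 3, 1, 1, rdata))
```

The name check and the DANE check answer different questions: the first ties the certificate to the host the client typed, the second ties the certificate (or just its key) to a record under `_636._tcp.<host>` and ignores whatever names the certificate carries. Both start from a DNS name, which is exactly what a host-less `ldap:///` URL does not provide, and the TLSA result is only meaningful when the resolver path validated DNSSEC.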