LDAP and DNS-SRV: questions

["Keutel, Jochen" <mlists@keutel.de>]

Hello,
  we are trying to use the DNS-SRV backend of OpenLDAP. This gets 
difficult when ldaps is used. I'm not sure whether we do this correctly 
- so I'd like to ask the following questions:

1. If I run an LDAP server (administrative point: dc=keutel,dc=de) with 
both ldap and ldaps enabled: Is it right that I should put *two* lines 
into DNS? Like:

_ldaps._tcp.keutel.de IN SRV 10 0 636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 389 ldap.keutel.de

Or, when using non-default ports:

_ldaps._tcp.keutel.de IN SRV 10 0 1636 ldap.keutel.de
_ldap._tcp.keutel.de IN SRV 10 0 1389 ldap.keutel.de

2. If there is another LDAP server, e.g. ldap.abcdefg.hi , configured 
using DNS-SRV backend: If I search this server like:

ldapsearch -H ldaps://ldap.abcdefh.hi/ -b dc=keutel,dc=de sn=meier

Then I would expect that this requested is chained (using back-meta) to

ldaps://keutel.de:1636/ with search base dc=keutel,dc=de .

Is this understanding correct?

3. If yes: I think that OpenLDAP code currently doesn't handle this 
correctly:
a) independent on the original request (ldap or ldaps): Always the
   _ldap._tcp DNS record is used (never _ldaps._tcp)
b) independent on the original request (ldap or ldaps): Always ldap URLs
   are returned (never ldaps://...)
c) the search base is omitted in the chained request: So keutel.de is 
searched with empty search base

See ITS 6462 and 6463 for details.

I think fixing b) and c) is not that difficult: Just 
dnssrv_back_referrals() has to be changed. I'll try to send a patch.

Fixing a) seems more difficult because ldap_domain2hostlist() isn't used 
only in the DNS SRV backend but also in the tools (ldapsearch etc.) and 
the NSS overlay.

Best regards,

Jochen.