
Re: Is there anything in LDAP that works similar to HTTP's virtual hosting.



On Mon, 17 Apr 2017, Michael Ströder wrote:

John Lewis wrote:
I am reading in the LDAP spec https://tools.ietf.org/html/rfc4511 about
naming contexts and I am looking at my RootDSE.

Since my DIT mirrors DNS https://tools.ietf.org/html/rfc2247, there must
be some way to route someone to the correct naming context based on the
DNS they were using to access the LDAP server, otherwise I just don't
understand the spec.

https://tools.ietf.org/html/rfc2782

I'm not following that from the original question. It's plausible that a SRV may route someone to the "correct" server relative to a given DNS label. But since the SRV Target MUST be something that resolves to an address, it's quite a leap to find "the correct naming context."

In other words -- and back to the original question here perhaps -- perhaps you know you want LDAP service for example.com, and perhaps a SRV _ldap._tcp.example.com will illuminate you to (say) ldap.example.com.

But upon connecting to ldap.example.com, when the rootDSE presents with n>1 namingContexts, how do you know "the correct naming context?" I'd argue that you basically can't. It would be like a connection to www.example.com imputing that you want www.example.com/product/lightbulb or a connection to sql.example.com somehow magically determining, solely on the basis of the connection characteristics, that you want a query "FROM creditCardNumbers" table. I don't see that being meaningfully possible.

Note:

1. If you're using TLS there's AFAIK no specification of how to implement the TLS hostname
check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks.

2. You still need a priori configuration of how the client should authenticate to the directory.

Ciao, Michael.
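As an added example (not code from anyone in this thread), the following Python shows the client-side half of what is being discussed: the DNS domain the client already knows is mapped to its RFC 2247 DN (`example.com` becomes `dc=example,dc=com`), the SRV records from `_ldap._tcp.example.com` are ordered as RFC 2782 directs, and the resulting DN is matched against the `namingContexts` the rootDSE advertises. The rootDSE contents and SRV records below are constructed sample data, and the weighted-random step RFC 2782 specifies within one priority is replaced by a deterministic sort so the output is reproducible. It illustrates the point made above that the server cannot pick the context from the connection alone: the choice needs the client's a priori knowledge of which domain it wanted.

```python
"""Pick an LDAP naming context from a DNS domain (RFC 2247) and order SRV
targets (RFC 2782). Added example with constructed data, not from the thread."""
from typing import List, Optional, Sequence, Tuple


def domain_to_dn(domain: str) -> str:
    """RFC 2247 mapping: each DNS label becomes one dc= RDN, most specific first."""
    labels = [lbl for lbl in domain.strip().rstrip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so that
    'DC=Example, DC=com' and 'dc=example,dc=com' compare equal.
    dc values are DNS labels and never contain escaped commas, so a plain
    split on ',' is safe for the DNs this example handles."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def select_naming_context(domain: str, naming_contexts: Sequence[str]) -> Optional[str]:
    """Return the advertised namingContext that equals the RFC 2247 DN of
    `domain` or is its closest ancestor (e.g. dc=example,dc=com for
    ldap.example.com). Returns None when the server holds no matching tree,
    which is the case the client must treat as 'wrong server'."""
    wanted = normalize_dn(domain_to_dn(domain)).split(",")
    best: Optional[Tuple[int, str]] = None
    for nc in naming_contexts:
        rdns = normalize_dn(nc).split(",")
        # nc is an ancestor (or equal) when its RDNs are the tail of wanted's RDNs
        if len(rdns) <= len(wanted) and wanted[-len(rdns):] == rdns:
            if best is None or len(rdns) > best[0]:
                best = (len(rdns), nc)  # keep the most specific match
    return best[1] if best else None


def order_srv_targets(records: Sequence[Tuple[int, int, int, str]]) -> List[Tuple[str, int]]:
    """Order (priority, weight, port, target) SRV records: lowest priority
    first; within one priority, higher weight first. RFC 2782 calls for a
    weighted random choice at that second step; this deterministic sort is a
    simplification so the result is reproducible."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target.rstrip("."), port) for _, _, port, target in ordered]


# Constructed sample data standing in for a real SRV lookup and rootDSE read.
SAMPLE_SRV = [
    (10, 60, 389, "ldap2.example.com."),
    (0, 0, 389, "ldap1.example.com."),
    (10, 40, 636, "ldap3.example.com."),
]
SAMPLE_NAMING_CONTEXTS = ["DC=example,DC=com", "dc=example,dc=org", "cn=config"]


if __name__ == "__main__":
    for host, port in order_srv_targets(SAMPLE_SRV):
        print(f"try {host}:{port}")
    for dom in ("ldap.example.com", "example.org", "example.net"):
        print(dom, "->", select_naming_context(dom, SAMPLE_NAMING_CONTEXTS))
```

The ancestor match handles the common case where the DIT is rooted one or more labels above the host the client resolved to, and a `None` result tells the client the SRV lookup led it to a server that does not hold the tree it expected, which is worth logging rather than silently falling back to another context.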