Re: Is there anything in LDAP that works similar to HTTP's virtual hosting.



Hi,

> 1. If you're using TLS there's AFAIK no specification how to implement the TLS hostname
> check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks.

IMHO, the hostname check is immaterial (and potentially confusing, when
hosting multiple dc=,dc= trees) but DANE can be helpful by checking cert
or key, regardless of naming information in the certificate,

    https://tools.ietf.org/html/rfc6698

Example records can be generated on

    https://www.huque.com/bin/gen_tlsa

Assuming no further server infra I would consider the following settings:
 * 1 - PKIX-EE: Service Certificate Constraint
 * 0 - Cert: Use full certificate
 * 1 - SHA-256: SHA-256 hash
 * [copy/paste X.509 certificate of the server]
 * port 389 (ldaps is deprecated AFAIK, and at least ill-advised)
 * transport tcp
 * domain name your.corner.of.the.world (for
dc=your,dc=corner,dc=of,dc=the,dc=world)

It will generate a TLSA record under DNS name
_389._tcp.your.corner.of.the.world.

Take note that DANE relies on DNSSEC for security.

> 2. You still need a-priori configuration how the client should authenticate to the directory.

I would use a client that uses DANE.  Not sure if this already exists,
but it's something that we will probably be doing in LillyDAP in the
coming year.

https://github.com/vanrein/lillydap


I hope this helps,
 -Rick
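A client-side rendering of the TLSA setup described above, added here as an example and not part of Rick's message or of LillyDAP: it derives the record data for usage 1 / selector 0 / SHA-256 under _389._tcp.your.corner.of.the.world and checks a certificate presented in the TLS handshake against it. The certificate bytes are a constructed placeholder, selector 1 (SubjectPublicKeyInfo) is left out because it needs ASN.1 parsing, and the DNSSEC-validated lookup that DANE relies on is assumed to have happened before this check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder standing in for the server's DER-encoded X.509
# certificate; it is NOT a real certificate, only bytes so the example runs
# offline. A real client passes the DER received during the TLS handshake.
SERVER_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 1 = PKIX-EE: cert must ALSO pass ordinary PKIX validation
    selector: int   # 0 = full certificate (1 = SPKI, not handled here)
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def tlsa_owner_name(domain: str, port: int = 389, proto: str = "tcp") -> str:
    """DNS owner name of the record, e.g. _389._tcp.your.corner.of.the.world."""
    return f"_{port}._{proto}.{domain.rstrip('.')}."


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Association data per RFC 6698 for selector 0 (full certificate)."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is implemented")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_record(cert_der: bytes, usage: int = 1, selector: int = 0,
                 mtype: int = 1) -> TLSARecord:
    """Build the record the generator page would emit for these settings."""
    return TLSARecord(usage, selector, mtype,
                      association_data(cert_der, selector, mtype))


def presentation(owner: str, rec: TLSARecord) -> str:
    """Zone-file presentation format of a TLSA record."""
    return (f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.mtype} "
            f"{rec.data.hex()}")


def matches(rec: TLSARecord, presented_der: bytes, pkix_ok: bool) -> bool:
    """Client check: data must match; usage 1 additionally requires that the
    presented chain already passed normal PKIX validation (pkix_ok)."""
    if rec.usage not in (1, 3):
        raise ValueError("usages 0 and 2 constrain a CA; not handled here")
    if rec.usage == 1 and not pkix_ok:
        return False
    expected = association_data(presented_der, rec.selector, rec.mtype)
    return hmac.compare_digest(expected, rec.data)
```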