[Samba] missing dns records? _ldaps._tcp ?

L.P.H. van Belle belle at bazuin.nl
Thu Aug 25 09:22:46 UTC 2016

> No, I think you need to fix squid or at the very least, ask squid where
> they got _ldaps from, because it doesn't seem to exist on any AD DC.
> Rowland

That's correct Rowland, found that also.. but.. I also did find:

_ldaps._tcp is not any standard,
but that's what people usually do if they can't use STARTTLS.

STARTTLS is always preferred over LDAPS.

  7.4.5.  SRV processing

     The query models described in this document make use of DNS SRV
     resource records whenever a new query process is started, as a way
     to locate the LDAP servers associated with a DIT.
     The procedure for constructing this SRV lookup is as follows:
        a.  Construct an SRV-specific label pair for the service type.
            For LDAP queries, this will be "_ldap._tcp", while LDAPS
            will use "_ldaps._tcp".

        b.  Append the SRV label pair to the left of the input domain
            name. In the case of an LDAP query for "example.com", this
            would result in an SRV-specific domain name of

        c.  Issue a DNS query for the SRV resource records associated
            with the domain name formed in step 7.4.5.b.

No word about SSL/TLS.. argh :-/

So, it's all optional, as I'm seeing here.

So if you prefer SSL over STARTTLS then it's an option to add
the SRV records, or if an application uses/prefers it.
Or default _ldap._tcp with the ldaps port and set higher preference on the SRV record.

One I must make a note of for the squid group setup.

Thanks guys. 
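Added example, not code from this thread, from Samba or from squid: the lookup the quoted
steps describe, done against a constructed zone fragment. It builds the _ldap._tcp /
_ldaps._tcp name (steps a and b), answers the query from the fragment (step c), and orders
the answers as RFC 2782 specifies: the numerically lowest priority is tried first, and
records sharing a priority are chosen in proportion to their weight. The domain
example.com, the hosts dc1/dc2 and the extra port-636 record under _ldap._tcp are
assumptions. An empty answer for _ldaps._tcp is what a client asking for that name gets
when only the default _ldap._tcp records are published.

```python
"""SRV-based LDAP server location, following the quoted section 7.4.5.

Added example, not code from the original thread or from Samba/squid.
The zone fragment below is constructed; example.com, dc1/dc2 and the
extra port-636 record under _ldap._tcp are assumptions for illustration.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. "_ldap._tcp.example.com"
    priority: int   # RFC 2782: the lowest value is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str


def srv_name(domain: str, ldaps: bool = False) -> str:
    """Steps 7.4.5.a and 7.4.5.b: prepend the service label pair to the domain."""
    label = "_ldaps._tcp" if ldaps else "_ldap._tcp"
    return f"{label}.{domain.strip('.').lower()}"


def parse_srv_zone(text: str) -> list[SrvRecord]:
    """Parse zone-file style lines: owner TTL IN SRV priority weight port target."""
    records: list[SrvRecord] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {raw!r}")
        owner, _ttl, _cls, _rtype, prio, weight, port, target = parts
        records.append(SrvRecord(owner.strip(".").lower(), int(prio),
                                 int(weight), int(port), target.strip(".").lower()))
    return records


def order_targets(records: list[SrvRecord], seed: int | None = None) -> list[tuple[str, int]]:
    """RFC 2782 ordering: ascending priority; within one priority, pick in
    proportion to weight (a weight-0 record is only taken when no weighted
    peer at that priority is left). 'seed' makes the choice reproducible."""
    rng = random.Random(seed)
    by_priority: dict[int, list[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered: list[tuple[str, int]] = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]                       # all weights zero: order is arbitrary
            if total > 0:
                n = rng.randint(0, total - 1)    # land in one record's weight interval
                running = 0
                for r in pool:
                    running += r.weight
                    if running > n:
                        pick = r
                        break
            ordered.append((pick.target, pick.port))
            pool.remove(pick)
    return ordered


def targets_for(records: list[SrvRecord], domain: str, ldaps: bool = False,
                seed: int | None = None) -> list[tuple[str, int]]:
    """Step 7.4.5.c: answer the SRV query for _ldap._tcp.<domain> or _ldaps._tcp.<domain>.
    An empty list is what a client sees when the queried SRV name does not exist."""
    name = srv_name(domain, ldaps)
    return order_targets([r for r in records if r.owner == name], seed)


# Constructed zone fragment (assumption): the _ldap._tcp records on 389 that an AD DC
# publishes by default, plus the extra _ldap._tcp record on the LDAPS port that the
# post considers adding, at a less-preferred (numerically higher) priority.
SAMPLE_ZONE = """
_ldap._tcp.example.com.  600 IN SRV 0  100 389 dc1.example.com.
_ldap._tcp.example.com.  600 IN SRV 0  100 389 dc2.example.com.
_ldap._tcp.example.com.  600 IN SRV 10 100 636 dc1.example.com.  ; hypothetical extra record
"""

if __name__ == "__main__":
    zone = parse_srv_zone(SAMPLE_ZONE)
    print("_ldap._tcp :", targets_for(zone, "example.com"))
    print("_ldaps._tcp:", targets_for(zone, "example.com", ldaps=True))
```

Note the direction of the SRV priority field: a client tries the record with the
smallest priority value first, so "more preferred" means a lower number; weight only
splits load among records that share a priority.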