[Samba] missing dns records? _ldaps._tcp ?
walk2sun at arcor.de
Sat Aug 27 13:31:50 UTC 2016
On 15:21:56, L.P.H. van Belle via samba wrote:
> > No, I think you need to fix squid or at the very least, ask squid
> > where they got _ldaps from, because it doesn't seem to exist on
> > any AD DC.
> > Rowland
> That's correct Rowland, found that also.. but.. I also did find.
> _ldaps._tcp is not any standard
> But that’s what usually people do if they can't use startTLS.
> startTLS is preferred always before ldaps
> 7.4.5. SRV processing
> The query models described in this document make use of DNS SRV
> resource records whenever a new query process is started, as a
> way to locate the LDAP servers associated with a DIT.
> The procedure for constructing this SRV lookup is as follows:
> a. Construct an SRV-specific label pair for the service
> type. For LDAP queries, this will be "_ldap._tcp", while LDAPS will
> use "_ldaps._tcp".
> b. Append the SRV label pair to the left of the input domain
> name. In the case of an LDAP query for "example.com",
> this would result in an SRV-specific domain name of
> c. Issue a DNS query for the SRV resource records associated
> with the domain name formed in step 7.4.5.b.
> no word about ssl/tls.. arg :-/
> So, it's all optional, as I'm seeing here.
> So if you prefer SSL over STARTTLS then it's an option to add
> the SRV records or if an application uses/prefers it.
Or if an admin or a company policy requests SSL.
> Or default _ldap._tcp with the ldaps port and set higher preference
> on the SRV record.
To declare _ldap._tcp with an SSL port should not work. ldaps ports do
not accept plaintext connections nor the start_tls command.
> One i must make a note of for the squid group setup.
> Thanks guys.
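Added example (my own code, not from this thread nor from Samba or squid): it builds the SRV names from steps a and b of the quoted procedure, orders answers the way an SRV client does (RFC 2782 priority/weight), and flags the mix-up described above, an _ldap._tcp answer pointing at the ldaps port, which can serve neither plain LDAP nor STARTTLS. example.com and the dc names are constructed sample data.

```python
import random
from typing import NamedTuple

LDAP_PORT = 389   # plain LDAP; STARTTLS is negotiated in-band on this port
LDAPS_PORT = 636  # implicit TLS; accepts neither plaintext nor STARTTLS


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def srv_name(domain: str, ldaps: bool = False) -> str:
    """Steps 7.4.5.a/b: prepend the service label pair to the input domain."""
    labels = "_ldaps._tcp" if ldaps else "_ldap._tcp"
    return f"{labels}.{domain.strip('.')}."


def order_srv(records, rng=None):
    """RFC 2782 client ordering: lowest priority first; within one priority a
    weighted random pick, so a higher weight is tried first more often."""
    rng = rng or random.Random(0)  # seeded so the sample output is reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def lint_srv(name: str, records):
    """Flag the mix-up discussed in the thread: an _ldap._tcp answer pointing
    at the ldaps port cannot serve plain LDAP or STARTTLS (and vice versa)."""
    problems = []
    for r in records:
        if name.startswith("_ldap._tcp.") and r.port == LDAPS_PORT:
            problems.append(f"{name} -> {r.target}:{r.port}: ldaps port on plain record")
        if name.startswith("_ldaps._tcp.") and r.port == LDAP_PORT:
            problems.append(f"{name} -> {r.target}:{r.port}: plain port on ldaps record")
    return problems

# Constructed sample answers for a hypothetical domain (not from the thread).
SAMPLE = [SRV(0, 100, 389, "dc1.example.com."),
          SRV(0, 100, 636, "dc2.example.com."),  # the mistake under discussion
          SRV(10, 0, 389, "dc3.example.com.")]
```

Running lint_srv(srv_name("example.com"), SAMPLE) reports only the dc2 entry; the real records would come from an SRV query against the AD DNS zone.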