[Samba] missing dns records? _ldaps._tcp ?

Harry Jede walk2sun at arcor.de
Sat Aug 27 13:31:50 UTC 2016

On 15:21:56 wrote L.P.H. van Belle via samba:
> > No, I think you need to fix squid or at the very least, ask squid
> > where they got _ldaps from, because it doesn't seem to exist on
> > any AD DC.
> > 
> > Rowland
> Thats correct Rowland, found that also.. but.. i also did find.
> _ldaps._tcp is not any standard
> But that’s what usually people do if they can't use startTLS.
> And
> startTLS is prefered always before ldaps
> and
> https://tools.ietf.org/html/draft-hall-ldap-whois-01
>   7.4.5.  SRV processing
>      The query models described in this document make use of DNS SRV
>      resource records whenever a new query process is started, as a
> way to locate the LDAP servers associated with a DIT.
>      The procedure for constructing this SRV lookup is as follows:
>         a.  Construct an SRV-specific label pair for the service
> type. For LDAP queries, this will be "_ldap._tcp", while LDAPS will
> use "_ldaps._tcp".
>         b.  Append the SRV label pair to the left of the input domain
>             name. In the case of an LDAP query for "example.com",
> this would result in an SRV-specific domain name of
>             "_ldap._tcp.example.com".
>         c.  Issue a DNS query for the SRV resource records associated
>             with the domain name formed in step 7.4.5.b.
> https://tools.ietf.org/html/rfc2782
> no word about ssl/tls..  arg :-/
> So, its all optional, as im seeing here.
> So if you preffer SSL over STARTTLS then its an option to add
> the SRV records or is an application uses/prefferes it.
Or if an admin or a company policy request ssl.

> Of default _ldap._tcp with the ldaps port and set higher preference
> on the SRV record.
To declare _ldap._tcp with a ssl port should not work. ldaps ports do 
not accept plain text connections nor the start_tls command.
> One i must make a note of for the squid group setup.
> Thanks guys.
> Greetz,
> Louis


	Harry Jede

More information about the samba mailing list