[Samba] missing dns records? _ldaps._tcp ?
Harry Jede
walk2sun at arcor.de
Sat Aug 27 13:31:50 UTC 2016
On 15:21:56, L.P.H. van Belle via samba wrote:
> > No, I think you need to fix squid or at the very least, ask squid
> > where they got _ldaps from, because it doesn't seem to exist on
> > any AD DC.
> >
> > Rowland
>
> That's correct Rowland, found that also.. but.. I also did find.
>
>
> _ldaps._tcp is not any standard
> But that’s what usually people do if they can't use startTLS.
>
> And
> startTLS is always preferred over ldaps
>
> and
> https://tools.ietf.org/html/draft-hall-ldap-whois-01
> 7.4.5. SRV processing
>
>
> The query models described in this document make use of DNS SRV
> resource records whenever a new query process is started, as a
> way to locate the LDAP servers associated with a DIT.
>
> The procedure for constructing this SRV lookup is as follows:
>
> a. Construct an SRV-specific label pair for the service
> type. For LDAP queries, this will be "_ldap._tcp", while LDAPS will
> use "_ldaps._tcp".
>
> b. Append the SRV label pair to the left of the input domain
> name. In the case of an LDAP query for "example.com",
> this would result in an SRV-specific domain name of
> "_ldap._tcp.example.com".
>
> c. Issue a DNS query for the SRV resource records associated
> with the domain name formed in step 7.4.5.b.
>
> https://tools.ietf.org/html/rfc2782
> no word about ssl/tls.. arg :-/
>
> So, it's all optional, as I'm seeing here.
>
> So if you prefer SSL over STARTTLS then it's an option to add
> the SRV records, or if an application uses/prefers it.
Or if an admin or a company policy requests SSL.
> Or default _ldap._tcp with the ldaps port and set a higher preference
> on the SRV record.
Declaring _ldap._tcp with an SSL port should not work. ldaps ports do
not accept plain-text connections, nor the start_tls command.
> One I must make a note of for the squid group setup.
>
> Thanks guys.
>
> Greetz,
>
> Louis
--
Regards
Harry Jede
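Steps a to c quoted above, together with the RFC 2782 client ordering the thread links to, as an added Python example (not code from Samba or from anyone in this thread): it builds the SRV lookup name, orders the answers by priority and weight, turns them into ldap:// or ldaps:// URIs, and flags _ldap._tcp answers that point at the well-known ldaps port 636, the mismatch Harry says cannot work. The SrvRecord class, the function names and the example.com answers are assumptions and constructed sample data.

```python
import random
from dataclasses import dataclass

LDAPS_PORT = 636  # well-known ldaps port: a plain-LDAP client cannot StartTLS here


@dataclass(frozen=True)
class SrvRecord:  # hypothetical shape for one parsed SRV answer
    priority: int
    weight: int
    port: int
    target: str


def srv_name(domain: str, ldaps: bool = False) -> str:
    """Steps a and b of draft-hall-ldap-whois 7.4.5: prepend the label pair."""
    label = "_ldaps._tcp" if ldaps else "_ldap._tcp"
    return f"{label}.{domain.strip('.')}"


def order_srv(records, rng=None):
    """RFC 2782 client ordering: lowest priority first, weighted random within it."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records go first so they are only picked when nothing else is.
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def ldap_uris(records, ldaps: bool, rng=None):
    """Ordered SRV answers as URIs; ldap:// targets are expected to offer StartTLS."""
    scheme = "ldaps" if ldaps else "ldap"
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}" for r in order_srv(records, rng)]


def suspicious_plain_records(records):
    """_ldap._tcp answers pointing at the ldaps port: StartTLS cannot work there."""
    return [r for r in records if r.port == LDAPS_PORT]


SAMPLE_LDAP = [  # constructed sample answers for _ldap._tcp.example.com
    SrvRecord(0, 100, 389, "dc1.example.com."),
    SrvRecord(0, 100, 389, "dc2.example.com."),
    SrvRecord(10, 0, 389, "dc3.example.com."),
]
```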