INTERNET-DRAFT Michael P. Armijo
-<draft-ietf-ldapext-locate-07.txt> Levon Esibov
-February 20, 2002 Paul Leach
-Expires: August 20, 2002 Microsoft Corporation
+<draft-ietf-ldapext-locate-08.txt> Levon Esibov
+June 5, 2002 Paul Leach
+Expires: December 5, 2002 Microsoft Corporation
R.L. Morgan
University of Washington
http://www.ietf.org/shadow.html.
Distribution of this memo is unlimited. It is filed as <draft-
- ietf-ldapext-locate-07.txt>, and expires on August 20, 2002.
+ ietf-ldapext-locate-08.txt>, and expires on December 5, 2002.
Please send comments to the authors.
Copyright Notice
Armijo, Esibov, Leach and Morgan [Page 1]
-INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
+INTERNET-DRAFT Discovering LDAP Services with DNS June 5, 2002
reasonable because many objects of interest are named with domain
names, and use of domain-name-based DNs is becoming common.
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [9].
+
+
+
+
+
+
+Armijo, Esibov, Leach and Morgan [Page 2]
+
+INTERNET-DRAFT Discovering LDAP Services with DNS June 5, 2002
2. Mapping Distinguished Names into Domain Names
DNs cannot be converted into a domain name. Converted DNs result
in a fully qualified domain name.
-Armijo, Esibov, Leach and Morgan [Page 2]
-
-INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
-
-
The output domain name is initially empty. The DN is processed in
right-to-left order (i.e., beginning with the first RDN in the
-
-
-
-
-
-
-
Armijo, Esibov, Leach and Morgan [Page 3]
-INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
+INTERNET-DRAFT Discovering LDAP Services with DNS June 5, 2002
Presence of such records enables clients to find the LDAP servers
that satisfy the requested criteria. The following is an example of
such a record:
- _ldap._tcp.example.net. IN SRV 0 0 389 phoenix.example.net.
+ _ldap._tcp.example.net. IN SRV 0 0 389 phoenix.example.net.
The set of returned records may contain multiple records in the case
where multiple LDAP servers serve the same domain. If there are no
intended to contact. See [7] for more information on security
threats and security mechanisms.
- When using LDAP with TLS the client must check the server's name,
+ When using LDAP with TLS the client MUST check the server's name,
as described in section 3.6 of [RFC 2830]. As specified there, the
name the client checks for is the server's name before any
potentially insecure transformations, including the SRV record
- lookup specified in this memo. Thus the name the client must check
+ lookup specified in this memo. Thus the name the client MUST check
for is the name obtained by doing the mapping step defined in
section 2 above. For example, if the DN "cn=John
Doe,ou=accounting,dc=example,dc=net" is converted to the DNS name
- "example.net", the server's name must match "example.net".
+ "example.net", the server's name MUST match "example.net".
This document describes a method that uses DNS SRV records to
discover LDAP servers. All security considerations related to DNS
Armijo, Esibov, Leach and Morgan [Page 4]
-INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
+INTERNET-DRAFT Discovering LDAP Services with DNS June 5, 2002
6. References
"Authentication Methods for LDAP", RFC 2829, May 2000.
[8] Hodges, J., Morgan, R., Wahl, M., "Lightweight Directory Access
- Protocol (v3): Extension for Transport Layer Security", RFC 2830,
- May 2000.
-
+ Protocol (v3): Extension for Transport Layer Security",
+ RFC 2830, May 2000.
+ [9] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
levone@microsoft.com
-
Armijo, Esibov, Leach and Morgan [Page 5]
-INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
+INTERNET-DRAFT Discovering LDAP Services with DNS June 5, 2002
RL "Bob" Morgan
University of Washington
Armijo, Esibov, Leach and Morgan [Page 6]
-INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
+INTERNET-DRAFT Discovering LDAP Services with DNS June 5, 2002
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
10. Expiration Date
- This documentis filed as <draft-ietf-ldapext-locate-06.txt>, and
- expires August 20, 2002.
+ This document is filed as <draft-ietf-ldapext-locate-08.txt>, and
+ expires December 5, 2002.
Armijo, Esibov, Leach and Morgan [Page 7]
\ No newline at end of file