INTERNET-DRAFT Michael P. Armijo
-<draft-ietf-ldapext-locate-06.txt> Levon Esibov
-November 13, 2001 Paul Leach
-Expires: May 13, 2002 Microsoft Corporation
+<draft-ietf-ldapext-locate-07.txt> Levon Esibov
+February 20, 2002 Paul Leach
+Expires: August 20, 2002 Microsoft Corporation
R.L. Morgan
University of Washington
http://www.ietf.org/shadow.html.
Distribution of this memo is unlimited. It is filed as <draft-
- ietf-ldapext-locate-04.txt>, and expires on February 25, 2001.
+ ietf-ldapext-locate-07.txt>, and expires on August 20, 2002.
Please send comments to the authors.
Copyright Notice
Armijo, Esibov, Leach and Morgan [Page 1]
-INTERNET-DRAFT Discovering LDAP Services with DNS Novemeber 13, 2001
+INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
Armijo, Esibov, Leach and Morgan [Page 2]
-INTERNET-DRAFT Discovering LDAP Services with DNS Novemeber 13, 2001
+INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
The client would convert the DC components as defined above into
DNS name:
- example.net.
+ example.net
The determined DNS name will be submitted as a DNS query using the
algorithm defined in section 3.
appropriate server from multiple servers according to the algorithm
described in [5]. The name of this record has the following format:
- _<Service>._<Proto>.<Domain>
+ _<Service>._<Proto>.<Domain>.
where <Service> is "ldap", and <Proto> is "tcp". <Domain> is the
domain name formed by converting the DN of a naming context mastered
Armijo, Esibov, Leach and Morgan [Page 3]
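Review bot: the trailing dot moves from the converted example name (now `example.net`) to the SRV owner-name template (now `_<Service>._<Proto>.<Domain>.`). Substituting the example into the template gives `_ldap._tcp.example.net.`, so the composed name is absolute exactly once, and the dotless form is also what the certificate comparison later in the draft uses (`"example.net"`). The lead-in sentence should say so explicitly so implementers do not append a second dot; suggest "The client would convert the DC components as defined above into the DNS name (without a trailing dot):".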
-INTERNET-DRAFT Discovering LDAP Services with DNS Novemeber 13, 2001
-
+INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
Presence of such records enables clients to find the LDAP servers
portion of the constructed fully qualified domain name.
-
4. IANA Considerations
This document does not require any IANA actions.
intended to contact. See [7] for more information on security
threats and security mechanisms.
- The client MUST use the server hostname it used to open the LDAP
- connection as the value to compare against the server name as
- expressed in the server's certificate. The client MUST NOT use the
- server's canonical DNS name or any other derived form of name.
+ When using LDAP with TLS the client must check the server's name,
+ as described in section 3.6 of [RFC 2830]. As specified there, the
+ name the client checks for is the server's name before any
+ potentially insecure transformations, including the SRV record
+ lookup specified in this memo. Thus the name the client must check
+ for is the name obtained by doing the mapping step defined in
+ section 2 above. For example, if the DN "cn=John
+ Doe,ou=accounting,dc=example,dc=net" is converted to the DNS name
+ "example.net", the server's name must match "example.net".
This document describes a method that uses DNS SRV records to
discover LDAP servers. All security considerations related to DNS
SRV records are inherited by this document. See the security
considerations section in [5] for more details.
-
-
-
Armijo, Esibov, Leach and Morgan [Page 4]
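Review bot: the replacement text drops the RFC 2119 keywords. The removed lines said the client MUST use the host name it opened the connection with and MUST NOT use the canonical DNS name or any derived form, while the new text says "the client must check" in lowercase, which in an Internet-Draft reads as non-normative. Keep an explicit normative sentence, for example: "The client MUST compare the name in the server's certificate against the name obtained from the mapping step in section 2, and MUST NOT use the target host name returned by the SRV lookup." Also, "[RFC 2830]" does not follow the numbered citation style ([5], [7]) used in the rest of the document; add it to section 6 and cite it by number.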
-INTERNET-DRAFT Discovering LDAP Services with DNS Novemeber 13, 2001
+INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
6. References
Armijo, Esibov, Leach and Morgan [Page 5]
-INTERNET-DRAFT Discovering LDAP Services with DNS Novemeber 13, 2001
+INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
RL "Bob" Morgan
University of Washington
Armijo, Esibov, Leach and Morgan [Page 6]
-INTERNET-DRAFT Discovering LDAP Services with DNS Novemeber 13, 2001
+INTERNET-DRAFT Discovering LDAP Services with DNS February 20, 2002
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
10. Expiration Date
This documentis filed as <draft-ietf-ldapext-locate-06.txt>, and
- expires May 13, 2002.
+ expires August 20, 2002.
Armijo, Esibov, Leach and Morgan [Page 7]
\ No newline at end of file
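Review bot: section 10 updates only the expiration date; the preceding context line still reads "This documentis filed as <draft-ietf-ldapext-locate-06.txt>", so the file name now disagrees with both the header and the filing sentence on page 1, which say locate-07. Bump it to locate-07 and insert the missing space in "documentis".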