Stephen Gallagher wrote:
On 09/25/2013 09:06 AM, Olivier wrote:
> if I may an additional question : would the sssd fallback
> mechanism work with the DNS discovery ?
> Aka, if I'd configure this in the DNS :
> ;. IN SRV 10 0 389
> ;. IN SRV 20 0 389
> will sssd fallback properly to ldap2 if ldap1 does not respond ?
Yes, and in fact this is the recommended mechanism for setting up SSSD
in your environment, since you need only to update the DNS records and
all of your clients will have access to a new set of LDAP servers
(i.e. if you provision additional ones and/or retire others).
Hmm, I really wonder why SRV RRs are recommended over having a single service
CNAME RR and maybe several A/AAAA RRs?
Especially I'm concerned whether the TLS hostname check is properly done in
case of TLS connections (StartTLS ext.op or LDAPS), because a hostname check
has to be performed against *a-priori* knowledge of the client to fight
against MITM attacks with DNS spoofing.
So if your local configuration just knows "example.com", the server cert
has to have a subject alt name with that domain name. I doubt that LDAP clients
really check this.
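To make the two points of this thread concrete (priority-ordered fallback across SRV targets, and checking the server certificate against a name the client knew before it asked DNS), here is an added Python example. It is not code from SSSD, nor from anyone in this thread, and it does not describe what SSSD actually implements; it assumes a client whose only configured knowledge is the domain `example.com`, and the SRV answers and certificate SAN lists below are constructed sample data.

```python
"""Fallback order from SRV records, and TLS name checking for SRV-discovered
LDAP servers (added illustration, not SSSD code).

The point: the SRV target comes from an unauthenticated DNS answer, so a
client that verifies the certificate against the SRV target is trusting
the very data an attacker can spoof. Verifying against the configured
domain (a-priori knowledge) is independent of what DNS returned.
"""

# Constructed sample: the "priority weight port target" part of SRV records
# for _ldap._tcp.example.com, as a client might receive them.
SRV_ANSWER = """
20 0 389 ldap2.example.com.
10 0 389 ldap1.example.com.
"""

# Assumed client configuration: only the domain is known up front.
CONFIGURED_DOMAIN = "example.com"


def parse_srv(text):
    """Parse SRV record lines and order them for fallback:
    lowest priority value first; higher weight first among equals."""
    records = []
    for line in text.strip().splitlines():
        prio, weight, port, target = line.split()
        records.append({"priority": int(prio), "weight": int(weight),
                        "port": int(port), "target": target.rstrip(".")})
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def fallback_order(text):
    """Targets in the order a client should try them (ldap1, then ldap2)."""
    return [r["target"] for r in parse_srv(text)]


def name_matches(pattern, hostname):
    """RFC 6125-style DNS name match: exact, or a single leading wildcard
    label ("*.example.com") that matches exactly one non-empty label.
    Note that "*.example.com" does not match the bare "example.com"."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def cert_matches(san_dns_names, expected_name):
    """True if any SAN dNSName entry matches the expected name."""
    return any(name_matches(p, expected_name) for p in san_dns_names)


def verify_discovered_server(configured_domain, srv_target, san_dns_names,
                             trust_srv_target):
    """Apply one of two name-check policies and return whether it passes.

    trust_srv_target=True : expected name is the SRV target. Weak, because
                            DNS spoofing controls both the target and, with
                            a cert the attacker holds for that name, the check.
    trust_srv_target=False: expected name is the configured domain, which the
                            client knew before any DNS lookup (a-priori).
    """
    expected = srv_target if trust_srv_target else configured_domain
    return cert_matches(san_dns_names, expected)


if __name__ == "__main__":
    print("fallback order:", fallback_order(SRV_ANSWER))
    legit_san = ["ldap1.example.com", "example.com"]      # constructed
    rogue_san = ["rogue.test"]                             # constructed
    for policy in (True, False):
        print("trust SRV target" if policy else "a-priori domain",
              "legit:", verify_discovered_server(CONFIGURED_DOMAIN, "ldap1.example.com", legit_san, policy),
              "spoofed SRV:", verify_discovered_server(CONFIGURED_DOMAIN, "rogue.test", rogue_san, policy))
```

Under the a-priori policy the legitimate server must carry `example.com` itself in its SAN list, exactly the requirement the message above describes; a wildcard `*.example.com` entry is not enough for it, and a rogue target returned by spoofed DNS fails the check regardless of what certificate it presents for its own name.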