New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolving LDAP servers via SRV records #5

dfish3r opened this Issue Nov 4, 2014 · 0 comments


None yet
1 participant
Copy link

dfish3r commented Nov 4, 2014

Currently, when requesting Kerberos ticket to the LDAP service, the JAAS login module (such as LdapDnAuthorizationModule) builds SPN by prepending "ldap/" to hostname specified in the ldapUrl. So if in the login module parameters appears:
then the SPN will be "ldap/dc1.mydomain.local".

This actually forces me to list specific DC or DCs in the ldapUrl, which, of course, isn't very flexible and can lead to problems, if these DCs are decomissioned and replaced by new ones.

In Active Directory, such discovery problems are solved by so-called SRV records in DNS. For example, SRV record
contains regular A (host) records for all DCs of mydomain.local. Other examples may include:

means "all DCs in the London site",

means "all Global Catalogs in the domain",
and so on.

It would be great, if ldaptive login modules could make use of this mechanism.
For instance, if they could to do this:

  • Get the URL in the format like ldapUrl="ldap://_gc._tcp.mydomain.local:3268,SRV" or something similar,
  • Understand that it's SRV record, not a hostname,
  • Resolve the record to specific hostname or hostnames (such as dc1.mydomain.local),
  • Pick up one of these hostnames, build an SPN out of it and then get a service ticket for this SPN, as usual.

Cat Mucius.

dfish3r added a commit that referenced this issue Nov 17, 2014

Add DnsSrvConnectionStrategy.
Remove ConnectionStrategies and put impls in separate classes.
Add unit tests.
Fixes #5.

@dfish3r dfish3r closed this in #12 Nov 22, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment