
DNSSRVRecordServerSet for LDAP and LDAPS servers....

2018-05-17
2018-05-23
  • Surendar Chandra

    I have a weird setup where we have LDAP and LDAPS servers responding to SRV records. How can I use them appropriately (SSL for LDAPS). Also, some of the LDAP servers support StartTLS. Is it possible to define a beast that does SSL (for LDAPS), check whether StartTLS is supported and if so use it or not.

    If this is not possible, can I resolve the servers separately and use say FastestConnectServerSet() where some servers are LDAPS and others are not?

    Is there another way to implement this with connection pools?

    Thanks

  • Neil Wilson

    Neil Wilson - 2018-05-17

    It’s not clear from your description whether all of the servers are under the same record name or not. If they’re all under the same record name, then there’s no way for the LDAP SDK to know whether to try to create an unencrypted LDAP connection or an LDAPS connection. So in that case, the LDAP SDK definitely can’t do what you’re asking out of the box.

    But if you’re using different record names for LDAP versus LDAPS (for example “_ldap.tcp” and “_ldaps.tcp”), then the LDAP SDK can do that with two separate DNSSRVRecordServerSet objects. For the LDAPS one, you’ll need to use a constructor that includes a SocketFactory argument and provide it with an appropriately configured SSLSocketFactory instance.

    The DNSSRVRecordServerSet implementation also provides support for StartTLS. In that case, you’d use the constructor that includes a PostConnectProcessor argument, and you’d provide it with a StartTLSPostConnectProcessor. That processor doesn’t support conditionally using StartTLS if the server claims to support it, but you could achieve that pretty simply by creating your own PostConnectProcessor implementation that overrides the processPreAuthenticatedConnection method to check the server’s root DSE, and then calling the StartTLSPostConnectProcessor’s processPreAuthenticatedConnection method to actually secure the connection (or you could just handle the StartTLS processing in your own processor, since it’s very straightforward).

    If you really do have a case where different servers with different ways to connect to them are all under the same DNS record name, then you’ll probably have to create your own ServerSet implementation. The core of a ServerSet isn’t really all that complicated, and you can look at the code for the existing implementations to see how they do it. This is the most effort, but it also gives you the most flexibility.
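    A sketch of the two-record-name approach described above, as a Java example added here (not code from the thread, and not the LDAP SDK's own code): a PostConnectProcessor that checks the root DSE before delegating to StartTLSPostConnectProcessor, and two DNSSRVRecordServerSet instances combined into one connection pool. The record names, truststore path, credentials, pool size and the one-hour SRV TTL are assumptions.

```java
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocketFactory;
import com.unboundid.ldap.sdk.*;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/** PostConnectProcessor that negotiates StartTLS when the root DSE advertises it. */
public final class ConditionalStartTLSProcessor implements PostConnectProcessor {
  private final StartTLSPostConnectProcessor delegate;
  private final boolean requireTLS; // fail closed rather than stay in cleartext

  public ConditionalStartTLSProcessor(SSLSocketFactory factory, boolean requireTLS) {
    this.delegate = new StartTLSPostConnectProcessor(factory);
    this.requireTLS = requireTLS;
  }

  @Override
  public void processPreAuthenticatedConnection(LDAPConnection conn) throws LDAPException {
    // The root DSE is read over the still-unencrypted socket, so a missing
    // supportedExtension value cannot be told apart from one removed in transit.
    RootDSE dse = conn.getRootDSE();
    boolean advertised = (dse != null)
        && dse.supportsExtendedOperation(StartTLSExtendedRequest.STARTTLS_REQUEST_OID);
    if (advertised) {
      delegate.processPreAuthenticatedConnection(conn); // throws if the switch fails
    } else if (requireTLS) {
      throw new LDAPException(ResultCode.CONNECT_ERROR, "Server does not advertise StartTLS");
    }
  }

  @Override
  public void processPostAuthenticatedConnection(LDAPConnection conn) { /* nothing to do */ }

  /** Pool that prefers the _ldaps record and falls back to _ldap with StartTLS. */
  public static LDAPConnectionPool buildPool(String domain, String trustStorePath,
      String bindDN, String password) throws LDAPException, GeneralSecurityException {
    SSLSocketFactory tls = new SSLUtil(new TrustStoreTrustManager(trustStorePath))
        .createSSLSocketFactory();
    SimpleBindRequest bind = new SimpleBindRequest(bindDN, password);
    long ttl = 3_600_000L; // re-resolve the SRV records hourly (assumed value)
    ServerSet ldaps = new DNSSRVRecordServerSet("_ldaps._tcp." + domain, null, ttl,
        tls, null, bind, null);                       // TLS from the first byte
    ServerSet ldap = new DNSSRVRecordServerSet("_ldap._tcp." + domain, null, ttl,
        null, null, bind, new ConditionalStartTLSProcessor(tls, true));
    // The server sets already bind, so the pool gets no bind request of its own.
    return new LDAPConnectionPool(new FailoverServerSet(ldaps, ldap), null, 10);
  }
}
```

With requireTLS set to false the processor leaves non-advertising servers in cleartext, which is the original question's behaviour; true is the safer default when every server is expected to support TLS in some form.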

  • Surendar Chandra

    Thanks for the detailed response. I was afraid of that but that makes sense; in some of the complex/broken setups, there are LDAP and LDAPS for the same domain. Some of the LDAP servers advertise StartTLS. Some of those fail to actually switch. I would like to prioritize them and so looks like my own ServerSet is the way to go. Will look at other implementations for guidance. Thanks much
