From: Ondřej Kuzník Date: Thu, 9 Apr 2026 12:28:27 +0000 (+0100) Subject: ITS#6462 slapd-dnssrv: Enable DNS SRV resolution for ldaps X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;ds=inline;p=thirdparty%2Fopenldap.git ITS#6462 slapd-dnssrv: Enable DNS SRV resolution for ldaps --- diff --git a/servers/slapd/back-dnssrv/referral.c b/servers/slapd/back-dnssrv/referral.c index 136b3b1006..c3384482ce 100644 --- a/servers/slapd/back-dnssrv/referral.c +++ b/servers/slapd/back-dnssrv/referral.c @@ -72,10 +72,12 @@ dnssrv_back_referrals( Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> domain=\"%s\"\n", op->o_req_dn.bv_val, domain ); - i = ldap_domain2hostlist( domain, &hostlist ); - if ( i ) { + i = ldap_domain2hostlist_proto( domain, &hostlist, "ldaps" ); + if ( i == LDAP_UNAVAILABLE ) { + goto do_ldap; + } else if ( i ) { Debug( LDAP_DEBUG_TRACE, - "DNSSRV: domain2hostlist(%s) returned %d\n", + "DNSSRV: domain2hostlist(%s, \"ldaps\") returned %d\n", domain, i ); rs->sr_text = "no DNS SRV RR available for DN"; rc = LDAP_NO_SUCH_OBJECT; @@ -90,6 +92,54 @@ dnssrv_back_referrals( goto done; } + for( i=0; hosts[i] != NULL; i++) { + struct berval url; + + url.bv_len = STRLENOF( "ldaps://" ) + strlen( hosts[i] ); + url.bv_val = ch_malloc( url.bv_len + 1 ); + + strcpy( url.bv_val, "ldaps://" ); + strcpy( &url.bv_val[STRLENOF( "ldaps://" )], hosts[i] ); + + if ( ber_bvarray_add( &urls, &url ) < 0 ) { + free( url.bv_val ); + rs->sr_text = "problem processing DNS SRV records for DN"; + goto done; + } + } + +do_ldap: + if ( hosts != NULL ) { + ldap_charray_free( hosts ); + hosts = NULL; + } + if ( hostlist != NULL ) { + ch_free( hostlist ); + hostlist = NULL; + } + + i = ldap_domain2hostlist_proto( domain, &hostlist, "ldap" ); + if ( i == LDAP_UNAVAILABLE && urls ) { + /* Allow if no _ldap._tcp but we have some ldaps urls */ + goto success; + } else if ( i ) { + Debug( LDAP_DEBUG_TRACE, + "DNSSRV: domain2hostlist(%s, \"ldap\") returned %d\n", + domain, i ); + rs->sr_text = "no DNS SRV RR available for DN"; + rc = LDAP_NO_SUCH_OBJECT; + goto done; + } + + hosts = ldap_str2charray( hostlist, " " ); + + if( hosts == NULL ) { + Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charray error\n" ); + rs->sr_text = "problem processing DNS SRV records for DN"; + rc = LDAP_OTHER; + goto done; + } + for( i=0; hosts[i] != NULL; i++) { struct berval url; @@ -102,10 +152,12 @@ dnssrv_back_referrals( if ( ber_bvarray_add( &urls, &url ) < 0 ) { free( url.bv_val ); rs->sr_text = "problem processing DNS SRV records for DN"; + rc = LDAP_OTHER; goto done; } } +success: Debug( LDAP_DEBUG_STATS, "%s DNSSRV p=%d dn=\"%s\" url=\"%s\"\n", op->o_log_prefix, op->o_protocol, diff --git a/servers/slapd/back-dnssrv/search.c b/servers/slapd/back-dnssrv/search.c index a8260a1c22..5862c42a9b 100644 --- a/servers/slapd/back-dnssrv/search.c +++ b/servers/slapd/back-dnssrv/search.c @@ -82,7 +82,10 @@ dnssrv_back_search( Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> domain=\"%s\"\n", op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", domain ); - if( ( rc = ldap_domain2hostlist( domain, &hostlist ) ) ) { + rc = ldap_domain2hostlist_proto( domain, &hostlist, "ldaps" ); + if ( rc == LDAP_UNAVAILABLE ) { + goto do_ldap; + } else if ( rc ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: domain2hostlist returned %d\n", rc ); send_ldap_error( op, rs, LDAP_NO_SUCH_OBJECT, @@ -116,6 +119,55 @@ dnssrv_back_search( } } +do_ldap: + if ( hosts != NULL ) { + ldap_charray_free( hosts ); + hosts = NULL; + } + if ( hostlist != NULL ) { + ch_free( hostlist ); + hostlist = NULL; + } + + rc = ldap_domain2hostlist_proto( domain, &hostlist, "ldap" ); + if ( rc == LDAP_UNAVAILABLE && urls ) { + /* Allow if no _ldap._tcp but we have some ldaps urls */ + goto success; + } else if ( rc ) { + Debug( LDAP_DEBUG_TRACE, "DNSSRV: domain2hostlist returned %d\n", + rc ); + send_ldap_error( op, rs, LDAP_NO_SUCH_OBJECT, + "no DNS SRV RR available for DN" ); + goto done; + } + + hosts = ldap_str2charray( hostlist, " " ); + + if( hosts == NULL ) { + Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charray error\n" ); + send_ldap_error( op, rs, LDAP_OTHER, + "problem processing DNS SRV records for DN" ); + goto done; + } + + for( i=0; hosts[i] != NULL; i++) { + struct berval url; + + url.bv_len = STRLENOF( "ldap://" ) + strlen(hosts[i]); + url.bv_val = ch_malloc( url.bv_len + 1 ); + + strcpy( url.bv_val, "ldap://" ); + strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] ); + + if( ber_bvarray_add( &urls, &url ) < 0 ) { + free( url.bv_val ); + send_ldap_error( op, rs, LDAP_OTHER, + "problem processing DNS SRV records for DN" ); + goto done; + } + } + +success: Debug( LDAP_DEBUG_STATS, "%s DNSSRV p=%d dn=\"%s\" url=\"%s\"\n", op->o_log_prefix, op->o_protocol,