The project that I'm working on makes heavy use of LDAPS. However, at the moment, we favour the latter statement - the built DCs don't leave "staging" until the certs are pulled. They must be signed off, and that's one of the last items on the deployment check list.

We'll probably automate this check soon, but we're too busy with automating the builds at the moment.

Personally, I like the idea of _ldaps SRV RRs. Although I can appreciate there's a bit more to it from MSFT's point of view than simply getting NETLOGON to register them in DNS.


--Paul

----- Original Message ----- From: "joe" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability


Hmm, doesn't look like anyone else has figured this out or just doesn't
deploy LDAPS or alternately makes sure every DC is capable of LDAPS.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 06, 2006 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

joe's absolutely right.  What's trying to be
accomplished is to publish new LDAPS SRV records for a
300+ DC environment.  But I don't want to just blindly
assume each DC properly enrolled with the CA (we had
problems like that at the beginning), and I'd really
like to avoid the overhead of touching each DC.
Unfortunately, that's about the only viable method I
see.

We have a DCR in with MS to change the behavior so
that the DCs automatically publish LDAPS if it's
available.  But what we're hearing right now is that
it's probably not in the pipeline until LH SP1.

--- joe <[EMAIL PROTECTED]> wrote:

LDAPS records aren't published by DCs, only LDAP
records. I can assure you
if it were that easy, David wouldn't have had an
issue. From what I have
seen, if a secure LDAP connection is required, the
internal routines from
MSFT simply locate a DC and go to the port. If LDAPS
isn't hot, the
connection is dropped with server down error.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS
availability

Couldn't you just query the DNS for the SRV record
advertising it...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: David Loder <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 06/10/2006 08:56 a.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Discovering LDAPS availability


Other than directly testing the 636 port on each DC,
can anyone suggest a method for an unprivileged
client
to discover whether or not LDAPS should be available
on a specific DC?

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.activedir.org/ml/threads.aspx
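The thread settles on "touch each DC on 636" as the only reliable test, and Paul mentions wanting to automate the cert sign-off. Below is an added example of that check, written for this page and not code from the thread, from Microsoft or from any of the posters. It reads the _ldap SRV records that NETLOGON does register, completes a TLS handshake with each DC on 636, judges the certificate itself (chain to a trusted CA, name match, expiry) instead of trusting a bare "the port answered", and can optionally publish an _ldaps SRV record for the DCs that passed. The function name Test-LdapsEndpoint, the record name _ldaps._tcp, the zone parameter and the use of the DnsServer module's Add-DnsServerResourceRecord are all choices made here, not anything the thread specifies.

```powershell
# Added example (not from the thread): find every DC via DNS, probe LDAPS on each,
# validate the certificate by hand, and optionally publish _ldaps SRV records.
[CmdletBinding()]
param(
    [string]$Domain    = $env:USERDNSDOMAIN,  # AD DNS domain to inspect
    [string]$ZoneName  = $env:USERDNSDOMAIN,  # zone that receives the _ldaps record (assumption: same as domain)
    [string]$SrvName   = '_ldaps._tcp',       # hypothetical record name; Windows LDAP clients do not consult it
    [string]$DnsServer = $null,               # DNS server to write to when -Publish is used (default: local)
    [int]   $TimeoutMs = 3000,
    [switch]$Publish
)

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port = 636, [int]$TimeoutMs = 3000)
    $r = [pscustomobject]@{ DC = $HostName; TcpOpen = $false; TlsOk = $false; ChainOk = $false; NameOk = $false;
                            Expired = $null; Protocol = $null; Subject = $null; Issuer = $null; NotAfter = $null;
                            ChainStatus = $null; Error = $null }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # Bounded connect: "refused" means nothing is bound to 636 (no usable cert), "timed out" usually means a firewall.
        $ar = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect to ${HostName}:${Port} timed out" }
        $tcp.EndConnect($ar); $r.TcpOpen = $true

        # Accept whatever certificate is offered so the handshake completes; the real judgement happens below,
        # which lets one probe report both "TLS works" and "the cert is actually trustworthy".
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.ReadTimeout = $TimeoutMs; $ssl.WriteTimeout = $TimeoutMs
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsOk = $true; $r.Protocol = $ssl.SslProtocol

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject; $r.Issuer = $cert.Issuer; $r.NotAfter = $cert.NotAfter
        $r.Expired = $cert.NotAfter -lt (Get-Date)

        # Chain: must build to a root this machine trusts (the enterprise CA), revocation checked online.
        # A DC that never enrolled, or enrolled with the wrong CA, shows up here as UntrustedRoot/PartialChain.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $r.ChainOk = $chain.Build($cert)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # Name: the FQDN we connected to must be a SAN dNSName (or the CN when there is no SAN).
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $pattern = '(^|[=,\s])' + [regex]::Escape($HostName) + '($|[,\s])'
        $r.NameOk = ($dnsName -ieq $HostName) -or ([string]$san -imatch $pattern)
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Dispose()
    }
    return $r
}

# 1. Enumerate DCs from the record NETLOGON does publish. Keep only the SRV rows;
#    Resolve-DnsName also returns the glue A records in the additional section.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique | Sort-Object
Write-Verbose ("{0} DCs advertised for {1}" -f @($dcs).Count, $Domain)

# 2. Probe every DC. A DC is "LDAPS-ready" only when all four checks hold.
$results = foreach ($dc in $dcs) { Test-LdapsEndpoint -HostName $dc -TimeoutMs $TimeoutMs }
$results | Format-Table DC, TcpOpen, TlsOk, ChainOk, NameOk, Expired, Protocol, NotAfter, ChainStatus, Error -AutoSize
$ready = @($results | Where-Object { $_.TlsOk -and $_.ChainOk -and $_.NameOk -and -not $_.Expired })

# 3. Publish only for verified DCs, so the record never points a client at a DC that
#    would just drop the connection with "server down". Requires DNS admin rights.
if ($Publish) {
    $target = @{}; if ($DnsServer) { $target.ComputerName = $DnsServer }
    foreach ($dc in $ready) {
        Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $SrvName -DomainName $dc.DC `
            -Port 636 -Priority 0 -Weight 100 -TimeToLive (New-TimeSpan -Minutes 10) @target
    }
}
"{0} of {1} DCs are LDAPS-ready" -f $ready.Count, @($results).Count
```

Run it without -Publish as the pre-release sign-off check Paul describes: a DC that never enrolled fails at TcpOpen, one enrolled from the wrong CA passes TlsOk but fails ChainOk with UntrustedRoot or PartialChain in ChainStatus, and a cert issued to the wrong name fails NameOk even though the handshake succeeded. If _msdcs.<domain> is delegated as its own zone, or you want the record somewhere else, pass -ZoneName and -SrvName accordingly. The caveat from the thread still stands: Microsoft's own LDAP client code locates a DC through _ldap and then simply tries port 636, so the published _ldaps record only helps clients you control and can point at it.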