[ActiveDir] Discovering LDAPS availability

2006-10-05 Thread David Loder
Other than directly testing the 636 port on each DC,
can anyone suggest a method for an unprivileged client
to discover whether or not LDAPS should be available
on a specific DC?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Discovering LDAPS availability

2006-10-05 Thread Matt Duguid
Couldn't you just query the DNS for the SRV record advertising it...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/





Re: [ActiveDir] Discovering LDAPS availability

2006-10-05 Thread Joe Kaplan
There isn't really a way to do it without attempting to connect.  Also, 
remember that SSL has to be negotiated between the client and server.  The 
server may be perfectly capable of doing SSL, but if the client doesn't 
trust the server's certificate or attempts to contact the server with a name 
that does not match the name of the server in the certificate, the client 
may choose to reject the attempt to connect via SSL, whereas another client 
might not have the same objections.


You have to try it.

Also, the DC doesn't publish anything that you can query, say via RootDSE, 
to state whether it supports LDAPS or not (at least nothing that I've ever 
heard of...).


Joe K.



RE: [ActiveDir] Discovering LDAPS availability

2006-10-05 Thread joe
LDAPS records aren't published by DCs, only LDAP records. I can assure you
if it were that easy, David wouldn't have had an issue. From what I have
seen, if a secure LDAP connection is required, the internal routines from
MSFT simply locate a DC and go to the port. If LDAPS isn't hot, the
connection is dropped with server down error.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 




RE: [ActiveDir] Discovering LDAPS availability

2006-10-06 Thread David Loder
joe's absolutely right.  What's trying to be
accomplished is to publish new LDAPS SRV records for a
300+ DC environment.  But I don't want to just blindly
assume each DC properly enrolled with the CA (we had
problems like that at the beginning), and I'd really
like to avoid the overhead of touching each DC. 
Unfortunately, that's about the only viable method I
see.

We have a DCR in with MS to change the behavior so
that the DCs automatically publish LDAPS if it's
available.  But what we're hearing right now is that
it's probably not in the pipeline until LH SP1.



RE: [ActiveDir] Discovering LDAPS availability

2006-10-10 Thread joe
Hmm doesn't look like anyone else has figured this out or just doesn't
deploy LDAPS or alternately makes sure every DC is capable of LDAPS. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 



Re: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread Paul Williams
The project that I'm working on makes heavy use of LDAPS.  However, at the 
moment, we favour the latter statement - the built DCs don't leave "staging" 
until the certs are pulled.  They must be signed off, and that's one of the 
last items on the deployment check list.


We'll probably automate this check soon, but we're too busy with automating 
the builds at the moment.


Personally, I like the idea of _ldaps SRV RRs.  Although I can appreciate 
there's a bit more to it from MSFT's point of view than simply getting 
NETLOGON to register them in DNS.



--Paul

RE: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread joe
The alternate solution I previously mentioned to David and his cohorts in
crime was a distasteful but functional solution of writing their own service
or script to register the records based on that script/service querying the
DCs and getting their LDAPS capability at any given point and then being
aware that there will be some level of latency there.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
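
The probe Joe Kaplan says is unavoidable (connect to 636 and let this client's own trust and name checks decide) combined with the registration script joe sketches above, as one added example that is not code from any poster. The DC names, domain and site map are constructed placeholders, and the `_ldaps` owner-name convention mirrors the `_ldap` records Netlogon registers but is this example's assumption.

```python
"""Probe domain controllers for working LDAPS and build the _ldaps SRV records to publish.

Added example for this thread; not code from any poster. DC host names, the domain and
the site map below are constructed placeholders.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

LDAPS_PORT = 636
X509_V_ERR_HOSTNAME_MISMATCH = 62  # OpenSSL verify code for a name that is not in the cert


@dataclass
class ProbeResult:
    host: str
    ok: bool
    reason: str  # "ok", "refused", "timeout", "untrusted-cert", "name-mismatch", ...


def classify_failure(exc: BaseException) -> str:
    """Map a connect or handshake exception to one of the outcomes the thread describes:
    the DC may listen on 636 and still fail because *this* client rejects the cert."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Prefer the OpenSSL verify code; fall back to the message text.
        if getattr(exc, "verify_code", None) == X509_V_ERR_HOSTNAME_MISMATCH \
                or "hostname" in str(exc).lower():
            return "name-mismatch"  # cert is fine for another name, not the one we used
        return "untrusted-cert"  # chain does not lead to a CA this client trusts
    if isinstance(exc, ssl.SSLError):
        return "tls-error"  # TCP connected but the handshake died (joe's "server down")
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"  # nothing listening on 636 at all
    if isinstance(exc, OSError):
        return "unreachable"
    return "unknown"


def probe_ldaps(host: str, timeout: float = 5.0,
                context: Optional[ssl.SSLContext] = None) -> ProbeResult:
    """Do what the thread says is unavoidable: connect to 636 and negotiate TLS.
    The default context requires a trusted chain AND a matching name, so a DC whose
    cert another client might accept can still be reported as failing here."""
    ctx = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # forces the handshake to complete
        return ProbeResult(host, True, "ok")
    except Exception as exc:  # every failure becomes a verdict, never a crash
        return ProbeResult(host, False, classify_failure(exc))


def srv_records(domain: str, results: List[ProbeResult], site_of: Dict[str, str],
                ttl: int = 600, priority: int = 0, weight: int = 100) -> List[str]:
    """Return zone-file SRV lines for each DC that passed the probe.

    Owner names mirror the _ldap records Netlogon registers
    (_ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<site>._sites.dc._msdcs.<domain>)
    with _ldaps substituted. That naming is this example's assumption; Windows does
    not publish such records, which is the gap the thread is about."""
    lines = []
    for r in results:
        if not r.ok:
            continue  # only advertise DCs that completed a verified handshake
        target = r.host if r.host.endswith(".") else r.host + "."
        rdata = f"{ttl} IN SRV {priority} {weight} {LDAPS_PORT} {target}"
        lines.append(f"_ldaps._tcp.dc._msdcs.{domain}. {rdata}")
        site = site_of.get(r.host)
        if site:
            lines.append(f"_ldaps._tcp.{site}._sites.dc._msdcs.{domain}. {rdata}")
    return lines


if __name__ == "__main__":
    # Constructed placeholders: replace with the DC list and site map for your forest.
    domain = "example.test"
    site_of = {"dc1.example.test": "HQ", "dc2.example.test": "Branch"}
    results = [probe_ldaps(h) for h in site_of]
    for r in results:
        print(f"{r.host}: {r.reason}")
    print("\n".join(srv_records(domain, results, site_of)))
```

Run it on a schedule and feed the output to your DNS update mechanism; as joe notes, whatever interval you pick is the latency with which a DC that loses its cert stops being advertised.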
 


RE: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread Thommes, Michael M.
In this context, would it make sense to write/use a servicePrincipalName
value? (maybe even using admod/adfind  8-)  )

Mike Thommes


RE: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread joe
Not really. Certainly it is an option as would any normal AD attribute
(existing or you create), but you would end up binding to a DC to search it
to find a DC to bind to. A DNS record makes the most sense as you simply ask
for the site/domain specific LDAPS record, just like you do for LDAP.
Probably be good to implement a "GCS" as well.

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
