Internet DRAFT - draft-armijo-ldap-locate


HTTP/1.1 200 OK
Date: Mon, 08 Apr 2002 22:34:56 GMT
Server: Apache/1.3.20 (Unix)
Last-Modified: Thu, 01 Jul 1999 12:16:00 GMT
ETag: "2e7d26-16e9-377b5c00"
Accept-Ranges: bytes
Content-Length: 5865
Connection: close
Content-Type: text/plain

INTERNET-DRAFT                                         Michael P. Armijo
<draft-armijo-ldap-locate-00.txt>                           Levon Esibov
June, 1999                                                    Paul Leach
Expires: December, 1999                            Microsoft Corporation

                Discovering LDAP Services with DNS

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   Distribution of this memo is unlimited.  It is filed as <draft-
   armijo-ldap-locate-00.txt>, and expires on December 21, 1999.  
   Please send comments to the authors.

1. Abstract

This draft defines a way that native Internet LDAP servers can make 
use of the DNS's knowledge base to provide clients a method to 
resolve LDAP services for a given domain.

2. Introduction

The LDAPv3 protocol [RFC 2251] is designed to be a 
lightweight access protocol for directory services supporting X.500 
models. This may be the X.500 directory itself, but the LDAP 
specification explicitly allows it to be a different directory.  
Let us define a "native LDAP server" to be one that is not a front 
end to the X.500 directory service. Let us further define an "Internet 
based organization" as one that has a domain name, and an "Internet 
LDAP server" to be one containing a directory entries for such an 

This draft defines a way that native Internet LDAP servers can make 
use of the DNS's knowledge base to perform the same function, while 
still supporting integration with the X.500 directory.

This draft builds [RFC 2247] to define a mechanism by which collections of 
native Internet LDAP servers can be integrated to create a directory 
service. That work supports this cause by defining a mapping from 
DNS names into LDAP DNs. In an Internet context, many of the names 
about which users seek information are DNS names, or include DNS names. 
A native LDAP based directory service for the Internet should make 
it convenient to process such names -- there is a huge social 
investment spanning two decades to get to the point where names 
like "john.doe@somewhere.example" and "" can 
appear in newspaper articles, TV commercials, and on billboards 
and millions of people understand what to do with them. As a result, 
we assume that Internet based organizations wish to preserve this 
investment, yet also want to deploy directory services.

3. Locating LDAP servers through DNS

Ldap server location information is to be stored using DNS SRV record
specified in [6].  Such SRV record contains the DNS name of the
server that provides the LDAP service, corresponding Port number, and
parameters that enable the client to choose an appropriate server 
according to the algorithm described in [6] in case of multiple 
LDAP servers, servicing the same domain.  The name of this record 
always has the following format:


where Service name is always "ldap", Proto is a protocol that can be
either "udp" or "tcp", and Domain is the ldap domain that this record
refers to.

Presense of such records enables clients to find the LDAP servers
(that support required protocol in specified domain) using standard
DNS query [3].
As an example, a client that searches for an LDAP server in the domain that supports TCP protocol will submit a DNS 
query for a set of SRV records with owner name
The client will receive the list of SRV records published in DNS that 
satisfy the requested criteria.  The following is an example of such
record:	IN	SRV	0 0 389

The set of returned records may contain multiple records in case of
multiple LDAP servers serving the same domain.  Combination with the 
A resource records, such as IN A

resolved by DNS, enables clients to directly contact the LDAP servers.

4. Security Considerations

This document describes a method that uses DNS SRV records to 
discover LDAP servers.  All security considerations related to DNS
SRV records are inherited by this document.  See the security 
considerations section in [6] for more details.

5. References

[1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access 
Protocol(v3)".  RFC 2251, December 1997.

[2] S. Kille, M. Wahl, "Using Domains in LDAP/X.500 Distinguished 
Names". RFC 2247, January 1998.

November, 1987.

SPECIFICATION, November, 1987.

[5] T. Howes, M. Smith, "The LDAP URL Format". RFC 2255  December 1997.

[6] A. Gulbrandsen, P. Vixie, "A DNS RR for specifying the location of 
services (DNS SRV)".
dnsind-rfc2052bis-02.txt, January 1999.

6. Authors' Addresses

Michael P. Armijo
One Microsoft Way
Redmond, WA 98052

Paul Leach
One Microsoft Way
Redmond, WA 98052

Levon Esibov
One Microsoft Way
Redmond, WA 98052

Expires December, 1999