Discovery could be improved for DCs with multiple IPs
`ldap_disco` deals with situations where a DC has multiple IP addresses, or rather, multiple DNS A records. However, there are some aspects that could be improved:

- it uses the default connection timeout, which can be 20-30 s per IP (fixing this would require a non-blocking connection attempt plus something like `select()` with a timeout)
- it does not tell the later stages which IP was used during the connection test; e.g. `connect_to_address()` (from adconn.c) performs another iteration through all DNS responses (again, with the default timeout)
I'm not even sure if multiple DNS A records for a single DC are legal, considering the reverse DNS lookup performed by Kerberos. I encountered this issue when a DNS proxy had a bug and inserted additional answers. Those are not reachable for LDAP, which seems to break adcli even if the correct IP is part of the (bloated) DNS answer.
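As an added illustration of the two points above (this is not adcli's code; `connect_with_timeout`, `connect_first_reachable` and the two `demo_*` functions are hypothetical names, and the loopback listener and the TEST-NET-1 address 192.0.2.1 are constructed stand-ins for a reachable DC and for a bogus A record): a non-blocking `connect()` bounded by `poll()` instead of `select()`, walked over every address `getaddrinfo()` returns, that hands back the address that actually answered so a later stage does not have to re-walk the whole answer with the default timeout.

```c
/* Added example, not adcli's code: bound each connect() attempt by a timeout
 * and remember which address answered. Function names are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Non-blocking connect() to one address, waiting at most timeout_ms.
 * Returns a connected socket (switched back to blocking) or -1 with errno set. */
static int connect_with_timeout(const struct sockaddr *sa, socklen_t salen, int timeout_ms)
{
    int fd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) goto fail;
    if (connect(fd, sa, salen) < 0) {
        if (errno != EINPROGRESS) goto fail;   /* immediate failure, e.g. ENETUNREACH */
        struct pollfd pfd = { .fd = fd, .events = POLLOUT };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc == 0) { errno = ETIMEDOUT; goto fail; }
        if (rc < 0) goto fail;
        /* writable only means the attempt finished; SO_ERROR says how it ended */
        int err = 0;
        socklen_t errlen = sizeof err;
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) < 0) goto fail;
        if (err != 0) { errno = err; goto fail; }
    }
    if (fcntl(fd, F_SETFL, flags) < 0) goto fail;
    return fd;
fail:
    { int saved = errno; close(fd); errno = saved; }
    return -1;
}

/* Walk every address getaddrinfo() returns for host:port, each attempt bounded
 * by timeout_ms, and copy the address that answered into chosen so later
 * stages can reuse it instead of iterating the (possibly bloated) answer again. */
int connect_first_reachable(const char *host, const char *port, int timeout_ms,
                            char *chosen, size_t chosen_len, int numeric_host)
{
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM,
                              .ai_flags = AI_NUMERICSERV | (numeric_host ? AI_NUMERICHOST : 0) };
    struct addrinfo *res = NULL;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    int fd = -1;
    for (struct addrinfo *ai = res; ai != NULL && fd < 0; ai = ai->ai_next) {
        fd = connect_with_timeout(ai->ai_addr, ai->ai_addrlen, timeout_ms);
        if (fd >= 0 && chosen != NULL)
            getnameinfo(ai->ai_addr, ai->ai_addrlen, chosen, (socklen_t)chosen_len,
                        NULL, 0, NI_NUMERICHOST);
    }
    freeaddrinfo(res);
    return fd;
}

/* Demo 1 (constructed): a loopback listener on an ephemeral port stands in for
 * a reachable DC. Returns 1 if we connected and chosen reads 127.0.0.1. */
int demo_loopback_reachable(void)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return 0;
    struct sockaddr_in sin = { .sin_family = AF_INET };
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof sin;
    if (bind(lfd, (struct sockaddr *)&sin, len) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sin, &len) < 0) { close(lfd); return 0; }
    char port[8], chosen[INET6_ADDRSTRLEN] = "";
    snprintf(port, sizeof port, "%u", (unsigned)ntohs(sin.sin_port));
    int fd = connect_first_reachable("127.0.0.1", port, 1000, chosen, sizeof chosen, 1);
    int ok = fd >= 0 && strcmp(chosen, "127.0.0.1") == 0;
    if (fd >= 0) close(fd);
    close(lfd);
    return ok;
}

/* Demo 2 (constructed): 192.0.2.1 (TEST-NET-1, never routed) stands in for a
 * bogus A record. Returns 1 if the attempt failed within timeout_ms plus slack,
 * i.e. the bad address no longer costs the 20-30 s default timeout. */
int demo_unreachable_fails_fast(int timeout_ms)
{
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    int fd = connect_first_reachable("192.0.2.1", "389", timeout_ms, NULL, 0, 1);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    long elapsed_ms = (t1.tv_sec - t0.tv_sec) * 1000L + (t1.tv_nsec - t0.tv_nsec) / 1000000L;
    if (fd >= 0) { close(fd); return 0; }    /* something answered: not expected here */
    return elapsed_ms < timeout_ms + 2000L;
}

int main(void)
{
    printf("loopback reachable: %d, bogus address fails fast: %d\n",
           demo_loopback_reachable(), demo_unreachable_fails_fast(300));
    return 0;
}
```

The important detail is the `SO_ERROR` read after `poll()` reports the socket writable: a refused or unreachable address also makes the descriptor "ready", so without that check a dead A record would be reported as a working DC. Passing `chosen` back to the caller is what lets a later stage such as `connect_to_address()` skip straight to the address that answered.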