
LDAP accessible by IP address but not domain name #275

Open
rcrisanti opened this issue Dec 6, 2024 · 1 comment

Comments

@rcrisanti

I am attempting to expose ldap (eventually ldaps, but starting simple for now). My current config looks like this:

{
    admin :2019

    servers {
        metrics

        trusted_proxies cloudflare {
            interval 12h
            timeout 15s
        }
    }

    debug

    layer4 {
        :389 {
            route {
                proxy lldap:3890
            }
        }
    }
}

ldap.example.com {
    reverse_proxy lldap:17170
}

This is working as I would expect using the IP address, as in I can do

ldapsearch -x -b 'dc=example,dc=com' -H ldap://localhost:389/ -D 'uid=ryan,ou=people,dc=example,dc=com' -W

from the host machine or

ldapsearch -x -b 'dc=example,dc=com' -H ldap://<HOSTIP>:389/ -D 'uid=ryan,ou=people,dc=example,dc=com' -W

from another machine successfully.

But what I want to be able to do is use the domain name like

ldapsearch -x -b 'dc=example,dc=com' -H ldap://example.com:389/ -D 'uid=ryan,ou=people,dc=example,dc=com' -W

but this currently just hangs for a long time until ldapsearch eventually gives up.

This might not even be a caddy-l4 issue but more of a DNS one? But was wondering if anyone here had any ideas.

(related to #272 but not exactly)

@Monviech

Monviech commented Dec 10, 2024

You cannot do that, as it implies https://

https://ldap.example.com {
    reverse_proxy lldap:17170
}

LDAP would need to do TLS with SNI in order to be matched by the TLS SNI matcher with domain name.

EDIT:

Theoretically this should work. If your client initiates LDAPS it will get matched, tls terminated, and the raw unencrypted ldap traffic will be sent to the upstream port 389.

With the domain specified at the bottom of the caddyfile, your layer4 route will get an automatic certificate.

{
	layer4 {
		tcp/:636 {
			@matchldap tls sni ldap.example.com

			route @matchldap {
				tls
				proxy tcp/192.168.1.100:389 {
				}
			}
		}
	}
}

ldap.example.com {
}
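The point in the reply above is that a layer 4 proxy can only route by hostname when the client's first bytes actually carry that hostname: a TLS ClientHello does (the server_name extension, which the `tls sni` matcher reads), a plaintext LDAP BindRequest on :389 does not. The following is an added Python example, written for this page and not part of the thread or of caddy-l4. It captures the ClientHello that Python's ssl module would send for ldap.example.com without opening any socket, parses the SNI out of it with a small hand-written parser, and BER-encodes the simple BindRequest that `ldapsearch -x` sends in the clear. The hostname and bind DN are the values from the issue; the password and every other value are constructed.

```python
import ssl
import struct
from typing import Optional

# Values taken from the issue; the password used below is a constructed placeholder.
HOSTNAME = "ldap.example.com"
BIND_DN = "uid=ryan,ou=people,dc=example,dc=com"


def capture_client_hello(server_name: str) -> bytes:
    """Drive the client side of a TLS handshake against in-memory BIOs and
    return what it writes first: the ClientHello record. No socket is opened."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, the client now waits for ServerHello
    return outgoing.read()


def extract_sni(first_bytes: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a TLS ClientHello
    (RFC 6066 section 3), or None if the bytes are not a ClientHello or carry no SNI.
    This is all the information a hostname-based layer 4 matcher has to work with."""
    if len(first_bytes) < 5 or first_bytes[0] != 0x16:    # record type: handshake
        return None
    rec_len = struct.unpack("!H", first_bytes[3:5])[0]
    body = first_bytes[5:5 + rec_len]
    if not body or body[0] != 0x01:                        # handshake type: client_hello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2 + 32                                           # legacy_version + random
    pos += 1 + hs[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hs[pos]                                     # compression_methods
    if pos + 2 > len(hs):
        return None                                        # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                             # 0 = server_name
            continue
        q = 2                                              # skip server_name_list length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                             # 0 = host_name
                return name.decode("ascii")
    return None


def ldap_simple_bind(dn: str, password: str, message_id: int = 1) -> bytes:
    """BER-encode the LDAPv3 simple BindRequest (RFC 4511 section 4.2) that
    'ldapsearch -x' sends as its first message on a plaintext connection.
    Short-form BER lengths only, which covers DNs shorter than 128 bytes."""
    def tlv(tag: int, content: bytes) -> bytes:
        if len(content) >= 128:
            raise ValueError("short-form BER length only")
        return bytes([tag, len(content)]) + content

    version = tlv(0x02, b"\x03")                  # INTEGER 3
    name = tlv(0x04, dn.encode())                 # OCTET STRING (LDAPDN)
    auth = tlv(0x80, password.encode())           # [0] simple (context-specific tag)
    bind = tlv(0x60, version + name + auth)       # [APPLICATION 0] BindRequest
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)   # LDAPMessage SEQUENCE


if __name__ == "__main__":
    ldaps_first_bytes = capture_client_hello(HOSTNAME)
    plain_first_bytes = ldap_simple_bind(BIND_DN, "constructed-password")
    print("LDAPS ClientHello -> SNI:", extract_sni(ldaps_first_bytes))
    print("plaintext BindRequest -> SNI:", extract_sni(plain_first_bytes))
    print("hostname present in plaintext bind:", HOSTNAME.encode() in plain_first_bytes)
```

Run as a script it shows the asymmetry directly: the LDAPS client's first record names ldap.example.com before any application data is exchanged, while the plaintext bind contains the DN `dc=example,dc=com` but no hostname at all, so a `:389` route sees exactly the same stream whether the client was told an IP address or a domain name. That is why the reply's configuration matches on `tcp/:636` with `tls sni`, terminates TLS there, and only then forwards plain LDAP to the upstream.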
