
Advice request : LDAP server discovering



Hello,

in case I am not knocking at the right door, please accept my apologies,
but as I suspect that some of you could provide some advice I post this here.

In summary the issue I try to solve is "which mechanism should I deploy to route
ldap requests to the right ldap server".

Here is the situation :

My hosts and services are distributed in 3 distinct operational sites (site
A, site B, site C).

I have three ldap servers (one on each site) that are configured to be exact
replicas of the others (I use openldap syncrepl in multimaster mode).

On the client side (linux boxes), authentication on my hosts is based on
ldap (posixaccounts/nsswitch/pam/ldap.conf and sssd).

I also have deployed things such as centralized sudoer rules in ldap.

At this stage, I have configured hosts so that ldap queries are sent to
"the closest" ldap server first, then to another one if the first times out:

nsswitch.conf tells it to query ldap (sss), and here is an extract of my
ldap.conf for a host located in site A:

  > URI ldap://ldapA.mydom.fr ldap://ldapB.mydom.fr ldap://ldapC.mydom.fr

For a host located in site C, I have declared this in ldap.conf:

  > URI ldap://ldapC.mydom.fr ldap://ldapB.mydom.fr ldap://ldapA.mydom.fr

I would like to change that.

Rather than declaring three ldap server references in configurations on the
client side, I would like to implement some sort of mechanism thanks to which
I would only need to declare one reference on the client side (routing ldap
queries to the ldap service, not to ldap servers).

I see different possibilities to do that, such as setting up some sort of
"heartbeat" or using some DNS trick such as multiple IN A records for the same
DNS RR, using the sortlist option, or DNS SRV records ( _ldap._tcp. ).

See:

http://www-01.ibm.com/software/network/directory/library/publications/jndidoc/doc/dns_configuration.html
http://www.rjsystems.nl/en/2100-dns-discovery-openldap.php
http://www.ietf.org/proceedings/50/I-D/ldapext-locate-05.txt
http://ipamworldwide.com/bind-options/sortlist-option.html

Intuitively, my preference would go to using an "_ldap._tcp" SRV record,
but I'm not sure if nsswitch (or clients such as sssd) would interpret
this kind of DNS response correctly (what I mean by "correctly" is
"the client would query an up and running ldap server found in the DNS
response list"; even better: "would query the fastest one to respond").

Any advice? Experience? Article to read?

Thanks,

---
Olivier
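As an added illustration of the SRV-based discovery the poster is considering (example code, not part of the original message), this script takes a set of `_ldap._tcp` SRV records, orders them the way RFC 2782 prescribes (ascending priority, then weighted random choice within a priority), and drops servers that do not answer a TCP connect. The SRV answer is constructed inline using the poster's hostnames; a real client would obtain it from the resolver (e.g. `dig SRV _ldap._tcp.mydom.fr`).

```python
"""RFC 2782 ordering of LDAP SRV records plus a TCP reachability filter."""
import random
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answer for _ldap._tcp.mydom.fr (hostnames from the post;
# priorities/weights are made up to show the ordering rules).
SAMPLE_SRV = [
    Srv(10, 60, 389, "ldapA.mydom.fr"),  # same priority as ldapB, preferred 60/100
    Srv(10, 40, 389, "ldapB.mydom.fr"),
    Srv(20, 100, 389, "ldapC.mydom.fr"),  # lower priority: only used as fallback
]


def order_srv(records, rng=None):
    """Order records per RFC 2782: by ascending priority; within one priority
    pick repeatedly at random, each record's chance proportional to its weight."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # 0..total inclusive, as in the RFC
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:  # first record whose running sum reaches pick
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def tcp_reachable(host, port, timeout=2.0):
    """Cheap liveness check: can we open a TCP connection within the timeout?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover_ldap_uris(records, rng=None, probe=tcp_reachable):
    """Return ldap:// URIs in SRV order, keeping only servers that answer."""
    return [f"ldap://{r.target}:{r.port}"
            for r in order_srv(records, rng) if probe(r.target, r.port)]
```

The `probe` argument is injectable so the ordering logic can be exercised without network access; in production the default TCP check (or a real LDAP bind) is what filters out a dead replica.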