[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)

philippe.eychart@informatique.gov.pf wrote:
> Used of SRV rr is a good reponse, (in particular in case of large Intranet
> with many
> remote sites -islands in pacific- and poor communication ressources -
> satellite) but require
> to be performed in all client applications : nssldap, samba, ldap client
> tools
> for rsync/mail/DNS/proxy/supervision definitions, ... or openldap.

We are in this case : I work in Tahiti, for the french polynesian
gouvernment, IT departement.
Our intranet take in a big geographic area recovering several islands.
I'm in charge to transfer of the totality of our management systems (and
network config) in a centralized base (of course: openldap).
But, in one hand, distant servers (and users) can't be submit to
communication links quality, in particular concerning local services
(authentifications, local messaging, samba service, etc ...) and in other
hand, we can't multipy the number of ldap servers assuming redundence (quite
services merged, we already manage more than 100 servers - and about 4000
So, one local server in every remote site must assume ldap service for the
other local servers (which assume different services for different
administrative departements) to guarantee acceptable performances (and also
to insure a certain insensitivity in break of communication links, at least
for local provided services) ; so, in case of an ldap server failure, the
redundance must be assumed by the central servers group, with the help of
SRV resolutions that (will) allow the ... excellent openldap library ;)
It seems to me that SRV RRs definition is actually a quite good answer (easy
to deploy and, why not, standardized) to this problematic.

-----Message d'origine-----
De : Michael Ströder [mailto:michael@stroeder.com]
Envoyé : mercredi 11 février 2009 06:44
À : philippe.eychart@informatique.gov.pf
Cc : openldap-its@openldap.org
Objet : Re: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)

philippe.eychart@informatique.gov.pf wrote:
> Michael Ströder wrote:
>> Frankly I'd vote against stuffing this into standard function
>> ldap_initialize(). Using this without further pre-caution (like
>> user-interaction) is broken in a similar way like chasing LDAPv3
>> referrals at the client side.
> I also think myself that security aspects are important ; but in other
> IMHO : it is of the responsibility of the DNS administrator to configure
> cleanly and to protect its systems of any corruption (and maybe also to
> project BIND to improve tools allowing it).

DNSSEC would be a solution.

But my question is which problem to solve at first with SRV RRs?

Ciao, Michael.