On Thu, 18 Mar 2021, Kees Bakker via FreeIPA-users wrote:
> Hi,
> We have FreeIPA with three masters. To get to the LDAP server
> we can use either of the three. To configure a service you must
> come up with a FQDN for the LDAP server. Until now we have
> simply selected one of the three. But that's not very convenient
> because we want to do maintenance on that IPA master.
> What possibilities are there to have something that switches
> automatically to another server? How is the SRV _ldap._tcp record
> used?
It very much depends on the application side. DNS SRV-based location
service discovery is defined by RFC 2782. How many applications support
it? Good question.
Some applications allow specifying multiple LDAP servers in their
configuration and would go to the one that responds in some order.
OpenLDAP command line tools support RFC 2782 to discover LDAP servers:
    -H ldapuri
        Specify URI(s) referring to the ldap server(s); a list of
        URI, separated by whitespace or commas is expected; only
        the protocol/host/port fields are allowed. As an
        exception, if no host/port is specified, but a DN is, the
        DN is used to look up the corresponding host(s) using the
        DNS SRV records, according to RFC 2782. The DN must be a
        non-empty sequence of AVAs whose attribute type is "dc"
        (domain component), and must be escaped according to RFC
        2396.
Something like
ldapsearch -H dc=example,dc=test ...
PostgreSQL does support the same when compiled with OpenLDAP support:
host ... ldap ldapbasedn="dc=example,dc=net"
For other applications, I haven't seen much of it used.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
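An added example (not from the thread or from FreeIPA/OpenLDAP code) of the two pieces the reply relies on: turning the dc-only DN that `ldapsearch -H` accepts into the DNS name under which `_ldap._tcp` is looked up, and the RFC 2782 priority/weight selection that a client applies to the SRV answers. The records, host names and domain are constructed; the pattern of two equal-weight masters plus a low-priority backup is one way to keep a master reachable only as a last resort while it is being serviced.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV RR (RFC 2782): priority, weight, port, target."""
    priority: int
    weight: int
    port: int
    target: str

def dn_to_domain(dn: str) -> str:
    """'dc=example,dc=test' (the form ldapsearch -H takes) -> 'example.test'."""
    labels = []
    for ava in dn.split(","):
        attr, _, value = ava.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError(f"not a non-empty dc-only DN: {dn!r}")
        labels.append(value)
    return ".".join(labels)

def order_srv(records, rng=random):
    """RFC 2782 order: lowest priority first; within a priority pick by weight,
    weight-0 RRs sorted to the front so they win only when the draw is 0."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)   # weight 0 to the front
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for chosen in pool:                      # first running sum >= draw
                running += chosen.weight
                if running >= pick:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def ldap_uris(records, scheme="ldap", rng=random):
    """Space-separated URI list for -H; a target of '.' means 'no service'."""
    live = [r for r in records if r.target != "."]
    return " ".join(f"{scheme}://{r.target.rstrip('.')}:{r.port}"
                    for r in order_srv(live, rng))

# Constructed sample: two equal-weight masters, ipa3 kept as a low-priority backup.
SAMPLE = [SrvRecord(0, 100, 389, "ipa1.example.test."),
          SrvRecord(0, 100, 389, "ipa2.example.test."),
          SrvRecord(10, 0, 389, "ipa3.example.test.")]
```

Real records for a zone can be pulled with `dig SRV _ldap._tcp.<domain>` and fed to `ldap_uris` to see the order a conforming client would try.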