9:10 a.m.
Hi,
We have FreeIPA with three masters. To get to the LDAP server
we can use either of the three. To configure a service you must
come up with a FQDN for the LDAP server. Until now we have
simply selected one of the three. But that's not very convenient
because we want to do maintenance on that IPA master.
What possibilities are there to have something that switches
automatically to another server? How is the SRV _ldap._tcp record
used?
--
Kees
9:37 a.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
On to, 18 maalis 2021, Kees Bakker via FreeIPA-users wrote:
Hi,
We have FreeIPA with three masters. To get to the LDAP server
we can use either of the three. To configure a service you must
come up with a FQDN for the LDAP server. Until now we have
simply selected one of the three. But that's not very convenient
because we want to do maintenance on that IPA master.
What possibilities are there to have something that switches
automatically to another server? How is the SRV _ldap._tcp record
used?
It very much depends on the application side. DNS SRV-based location
service discovery is defined by RFC 2782. How many applications support
it? Good question.
Some applications allow to specify multiple LDAP servers in their
configuration and would go to the one that responds in some order.
OpenLDAP command line tools support RFC 2782 to discover LDAP servers:
-H ldapuri
Specify URI(s) referring to the ldap server(s); a list of
URI, separated by whitespace or commas is expected; only
the protocol/host/port fields are allowed. As an
exception, if no host/port is specified, but a DN is, the
DN is used to look up the corresponding host(s) using the
DNS SRV records, according to RFC 2782. The DN must be a
non-empty sequence of AVAs whose attribute type is "dc"
(domain component), and must be escaped according to RFC
2396.
Something like
ldapsearch -H dc=example,dc=test ...
PostgreSQL does support the same when compiled with OpenLDAP support:
host ... ldap ldapbasedn="dc=example,dc=net"
For other applications, I haven't seen much of it used.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1:27 p.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
On 3/18/21 9:37 AM, Alexander Bokovoy via FreeIPA-users wrote:
On to, 18 maalis 2021, Kees Bakker via FreeIPA-users wrote:
> Hi,
>
> We have FreeIPA with three masters. To get to the LDAP server
> we can use either of the three. To configure a service you must
> come up with a FQDN for the LDAP server. Until now we have
> simply selected one of the three. But that's not very convenient
> because we want to do maintenance on that IPA master.
>
> What possibilities are there to have something that switches
> automatically to another server? How is the SRV _ldap._tcp record
> used?
It very much depends on the application side. DNS SRV-based location
service discovery is defined by RFC 2782. How many applications support
it? Good question.
Some applications allow to specify multiple LDAP servers in their
configuration and would go to the one that responds in some order.
OpenLDAP command line tools support RFC 2782 to discover LDAP servers:
-H ldapuri
Specify URI(s) referring to the ldap server(s); a list of
URI, separated by whitespace or commas is expected; only
the protocol/host/port fields are allowed. As an
exception, if no host/port is specified, but a DN is, the
DN is used to look up the corresponding host(s) using the
DNS SRV records, according to RFC 2782. The DN must be a
non-empty sequence of AVAs whose attribute type is "dc"
(domain component), and must be escaped according to RFC
2396.
Something like
ldapsearch -H dc=example,dc=test ...
PostgreSQL does support the same when compiled with OpenLDAP support:
host ... ldap ldapbasedn="dc=example,dc=net"
For other applications, I haven't seen much of it used.
This is in the same fashion we saw provision for linux to report a list
of available dns resolvers, and NS record lookups similarly, but
applications failing if the first on the list fails. End-user systems
enabled systemd resolvers or network managers or os-local 'middle ware
DNS systems' that tried to overcome that.
The the freeipa case, to overcome the spotty implementation Alexander
mentioned, and in keeping with the 'replica' capability in freeipa, I
had to implement a cert with SAN entries for all the replicas, and
implement a failover 'freeipa ip' for a working instance to provide a HA
system of sorts (for both ipv4 and v6). At least in that way, client
systems that are rarely if ever rebooted can use more common re-kinit /
link-lost logic to maintain service across freeipa lossage/reboots. It
wasn't enough just to HAProxy, if you want/need ssl on the ldap lookups
(you need failover management somewhere, either on the HAProxy setups,
but better I think managed on the freeipa side).
And, really, freeipa has so much 'replica' management going on and cert
management going on, adding a cert with a SAN for all the replicas and
implementing a failover IP is a reasonable feature to implement .. that
way I don't have to maintain the one I wrote....
HC
9:42 a.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
If your application is able to check SRV records, you can definitely use
that. If your client follows the spec (RFC 2782), it will try each of the
returned records and will distribute queries evenly according to the weight
specified in the records. Many systems will allow you to have a list of
LDAP servers (for example, in PHP, you literally list them in a
space-separated string). For clients that really only support a single
host, we run a frontend proxy on our HAProxy servers that will forward
requests to one of our IPA servers.
- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.
On Thu, Mar 18, 2021, 10:11 AM Kees Bakker via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
We have FreeIPA with three masters. To get to the LDAP server
we can use either of the three. To configure a service you must
come up with a FQDN for the LDAP server. Until now we have
simply selected one of the three. But that's not very convenient
because we want to do maintenance on that IPA master.
What possibilities are there to have something that switches
automatically to another server? How is the SRV _ldap._tcp record
used?
--
Kees
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
6:30 p.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
On Thu, Mar 18, 2021 at 03:10:30PM +0100, Kees Bakker via FreeIPA-users wrote:
Hi,
We have FreeIPA with three masters. To get to the LDAP server
we can use either of the three. To configure a service you must
come up with a FQDN for the LDAP server. Until now we have
simply selected one of the three. But that's not very convenient
because we want to do maintenance on that IPA master.
What possibilities are there to have something that switches
automatically to another server? How is the SRV _ldap._tcp record
used?
Hi Kees,
SRV records for _ldap._tcp.$DOMAIN return list of DNS names and
ports for actual service endpoints. See
https://www.freeipa.org/page/V4/DNS_Location_Mechanism#Current_use_of_SRV...
for example. See https://tools.ietf.org/html/rfc2782 for the
specification of SRV records and how to interpret them.
If it is possible to configure the service to use SRV records to
locate the LDAP server, that is the best approach.
Cheers,
Fraser
3:06 a.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
On 19-03-2021 00:30, Fraser Tweedale wrote:
On Thu, Mar 18, 2021 at 03:10:30PM +0100, Kees Bakker via
FreeIPA-users wrote:
> Hi,
>
> We have FreeIPA with three masters. To get to the LDAP server
> we can use either of the three. To configure a service you must
> come up with a FQDN for the LDAP server. Until now we have
> simply selected one of the three. But that's not very convenient
> because we want to do maintenance on that IPA master.
>
> What possibilities are there to have something that switches
> automatically to another server? How is the SRV _ldap._tcp record
> used?
>
Hi Kees,
SRV records for _ldap._tcp.$DOMAIN return list of DNS names and
ports for actual service endpoints. See
https://www.freeipa.org/page/V4/DNS_Location_Mechanism#Current_use_of_SRV...
for example. See https://tools.ietf.org/html/rfc2782 for the
specification of SRV records and how to interpret them.
If it is possible to configure the service to use SRV records to
locate the LDAP server, that is the best approach.
Cheers,
Fraser
Thanks for all those who answered.
The reason I asked this was because we have several services that
have ways to use LDAP. For example GitLab and JIRA. Not every one
of these services have ways to instruct it to use SRV records. So, I
was wondering how others are solving this.
Alexander showed `ldapsearch` as an example of a tool that can
use SRV. So, there are tools that can do it. Great.
At GitLab it still hasn't sinked in [2].
For JIRA an issue was raised 10 years ago [3], I haven't yet found if they support it
BTW. While searching further I also came across a reaction [1] warning
that using ldaps through SRV isn't secure. So I need to try and stick to
plain ldap (389) and TLS.
[1] https://serverfault.com/questions/1002895/ldaps-srv-resolution-not-working
[2] https://gitlab.com/gitlab-org/gitlab/-/issues/139
[3] https://jira.atlassian.com/browse/JRASERVER-21361
--
Kees
7:16 a.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
Kees Bakker via FreeIPA-users wrote:
On 19-03-2021 00:30, Fraser Tweedale wrote:
> On Thu, Mar 18, 2021 at 03:10:30PM +0100, Kees Bakker via FreeIPA-users wrote:
>> Hi,
>>
>> We have FreeIPA with three masters. To get to the LDAP server
>> we can use either of the three. To configure a service you must
>> come up with a FQDN for the LDAP server. Until now we have
>> simply selected one of the three. But that's not very convenient
>> because we want to do maintenance on that IPA master.
>>
>> What possibilities are there to have something that switches
>> automatically to another server? How is the SRV _ldap._tcp record
>> used?
>>
> Hi Kees,
>
> SRV records for _ldap._tcp.$DOMAIN return list of DNS names and
> ports for actual service endpoints. See
> https://www.freeipa.org/page/V4/DNS_Location_Mechanism#Current_use_of_SRV...
> for example. See https://tools.ietf.org/html/rfc2782 for the
> specification of SRV records and how to interpret them.
>
> If it is possible to configure the service to use SRV records to
> locate the LDAP server, that is the best approach.
>
> Cheers,
> Fraser
>
Thanks for all those who answered.
The reason I asked this was because we have several services that
have ways to use LDAP. For example GitLab and JIRA. Not every one
of these services have ways to instruct it to use SRV records. So, I
was wondering how others are solving this.
Alexander showed `ldapsearch` as an example of a tool that can
use SRV. So, there are tools that can do it. Great.
At GitLab it still hasn't sinked in [2].
For JIRA an issue was raised 10 years ago [3], I haven't yet found if they support
it
BTW. While searching further I also came across a reaction [1] warning
that using ldaps through SRV isn't secure. So I need to try and stick to
plain ldap (389) and TLS.
IMHO his concerns are unfounded. DNS returns you a set of hostnames.
What you do with those hostnames is up to you. There could be DNS
poisoning for sure. But I don't see how this only affects ldaps. All the
same TLS MITM protections still xist.
So you can do a SRV lookup of ldap and use ldaps against the host if you
want. It's no more or less secure IMHO.
rob
5:06 a.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
For Gitlab you can specify multiple LDAP servers with the EE if I am not mistaken.
We have Gitlab EE and we can use both of our FreeIPA servers.
In Grafana for example, we simply write both LDAP servers separated by a space.
We do the same in a similar fashion with phpIPAM for example. All in all, we haven't
found a case that would need the installation of an HAProxy in front of the FreeIPA
servers.
5:38 a.m.
New subject: What FQDN to use to get the LDAP server when there are multiple masters
On 23-03-2021 11:06, Peter Tselios via FreeIPA-users wrote:
For Gitlab you can specify multiple LDAP servers with the EE if I am
not mistaken.
We have Gitlab EE and we can use both of our FreeIPA servers.
The multiple LDAP
servers in GitLab are not meant as "fail-over".
There is an issue [1] for it, but it seems there is no priority for it.
In your case you get multiple LDAP tabs on the login page, right?
It's a workaround that I could try.
[1] https://gitlab.com/gitlab-org/gitlab/-/issues/139
In Grafana for example, we simply write both LDAP servers separated
by a space.
We do the same in a similar fashion with phpIPAM for example. All in all, we haven't
found a case that would need the installation of an HAProxy in front of the FreeIPA
servers.
Let me then also mention dokuwiki, where you can list multiple LDAP
servers in the config. So, yes, there are systems with a solution.
--
Kees
1127
days inactive
1132
days old
freeipa-users@lists.fedorahosted.org
8 comments
7 participants
participants (7)
-
Alexander Bokovoy -
Fraser Tweedale -
Harry G. Coin -
Kees Bakker -
Peter Tselios -
Rob Crittenden -
Yehuda Katz