Hello,
in case I am not knocking at the right door, please accept my apologies,
but I suspect that some of you may provide some advice that would help me
to avoid mistakes. The problem is: which mechanism would you recommend
to route ldap requests to the right ldap server?
Here is the situation:
My hosts and services are distributed over 3 distinct operational sites (site
A, site B, site C).
I have three ldap servers (one on each site); they are configured to be exact
replicas of each other (I use openldap syncrepl in multimaster mode).
Authentication on my hosts is based on ldap:
posixaccounts/nsswitch/pam/ldap.conf/sssd
I have also deployed things such as centralized sudoer rules in ldap.
At this stage, I have configured hosts so that ldap queries are sent to
the closest ldap server first, then to another one if the first one times out,
and so on.
Here is an extract of my ldap.conf for a host located in site A:
URI ldap://ldapA.mydom.fr ldap://ldapB.mydom.fr ldap://ldapC.mydom.fr
Here is an extract of my sssd.conf:
ldap_uri = ldap://ldapA.mydom.fr,ldap://ldapB.mydom.fr,ldap://ldapC.mydom.fr
For a host located in site C, I have declared this in ldap.conf:
URI ldap://ldapC.mydom.fr ldap://ldapB.mydom.fr ldap://ldapA.mydom.fr
I would like to change that.
Rather than declaring three ldap server references in the configuration on the
client side, I would like to implement some sort of mechanism to declare
only one reference (which routes ldap queries to the ldap service, not to ldap
servers).
I see different possibilities to do that, such as setting up some sort of
"heartbeat" or using some DNS trick such as multiple IN A records for the same
DNS RR, the sortlist option or _ldap._tcp. See:
http://www-01.ibm.com/software/network/directory/library/publications/jnd...
http://www.rjsystems.nl/en/2100-dns-discovery-openldap.php
http://www.ietf.org/proceedings/50/I-D/ldapext-locate-05.txt
http://ipamworldwide.com/bind-options/sortlist-option.html
Intuitively, my preference would be to use an "_ldap._tcp" SRV
record, but I'm not sure that nsswitch or sssd would interpret
this kind of DNS response correctly (what I mean by "correctly"
is "not sure that the client would query an up and running ldap
server found in the NS response list, and even better: would
query the faster one that responds").
Any advice?
Thanks,
---
Olivier
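An added example, not part of the post above, showing what a client does with an `_ldap._tcp` SRV answer: it orders the records by priority and weight as RFC 2782 prescribes and then tries the resulting URIs in turn, because SRV ordering ranks servers but does not tell the client which ones are actually up. The SRV records, port numbers and the `probe` callback are constructed stand-ins, not data from the poster's DNS.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight target port")

# Constructed sample answer for _ldap._tcp.mydom.fr as a site-A host might see it:
# the local server has the lowest priority, the two remote ones share the fallback tier.
SAMPLE_SRV = [
    SrvRecord(10, 100, "ldapA.mydom.fr", 389),
    SrvRecord(20, 50, "ldapB.mydom.fr", 389),
    SrvRecord(20, 50, "ldapC.mydom.fr", 389),
]

def order_srv(records, rng=random.random):
    """Order SRV records per RFC 2782: ascending priority, and a weighted
    random pick among the records that share the same priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]                      # all weights zero: keep answer order
            if total:
                x, acc = rng() * total, 0
                for r in group:
                    acc += r.weight
                    if x < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered

def srv_to_uris(records, scheme="ldap", rng=random.random):
    """Turn an ordered SRV answer into the URI list a client would try in turn."""
    return ["%s://%s:%d" % (scheme, r.target, r.port) for r in order_srv(records, rng)]

def first_reachable(uris, probe):
    """Liveness still comes from trying each URI in order; `probe` is a constructed
    stand-in for the client's connect-and-bind attempt (True when the server answers)."""
    for uri in uris:
        if probe(uri):
            return uri
    return None

if __name__ == "__main__":
    uris = srv_to_uris(SAMPLE_SRV)
    down = {"ldap://ldapA.mydom.fr:389"}          # simulate the local server being down
    print("try order:", uris, "selected:", first_reachable(uris, lambda u: u not in down))
```

In sssd the same behaviour is obtained with `ldap_uri = _srv_`, which resolves the SRV record and fails over along the resulting list; plain nss/pam ldap.conf `URI` lists do not perform SRV lookups by themselves.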