SAM2009
How does LDAP locate a domain controller?
Hi,
We have 3 Windows 2008 domain controllers in 3 sites. We also have applications running on Linux systems which authenticate by LDAP or LDAPS to our DCs.
Let's say:
Mydomain.com contains:
DC1 in site1
DC2 in site2
DC3 in site3
If, for example, a Linux application connects by LDAPS to mydomain.com and randomly gets DC1, what happens if DC1 goes down? Will the application find another DC automatically?
In Linux you list the LDAP servers to connect to in a config file. So no, it's not random. Configure all the DCs that you want your Linux servers to authenticate against. Then configure your DCs to allow those Linux servers to access them via LDAP.
Hmmm... Samba is about Windows-emulated Linux file shares, and any settings therein are run from the smbd and nmbd services. Pretty sure any LDAP authentication you want done (unless it is to authenticate for a Linux Samba share) needs to be configured in the LDAP service, and that may depend on the type of Linux you are using.
You can use Samba/winbind to join the Linux system to the domain so that it handles the translation. To use LDAP on an AD, the AD has to be extended by installing Services for Unix, which adds the UID/GID-related references to the AD schema. With Samba/winbind those schema extensions are not necessary; Samba/winbind has its own ID mapping scheme...
Apache using NTLM can then interact through smb/winbind with the AD.
dig _ldap._tcp.ForestDnsZones.youraddomain SRV
You can also have an OpenLDAP proxy that is configured to forward requests to the known DCs (preconfigured in the ...)
There are so many variations... including a script running daily that polls DNS to see the response to the above, which then updates the DCs .......
ASKER
Sorry, but no answer is clear :-)
I just want to know if Linux can switch automatically to a different DC if one is down for LDAP. Yes or no?
Yes, ID: 42123753 explains how.
AD uses Sites and Services, and based on that it constructs the SRV entries.
If your Sites and Services are correct, it will work if you point to domain.com and not a server name.
ASKER
So from Linux there is no need to reboot to make it search for the new LDAP server?
Everything relies on your configuration. If you configure dc1 and then dc1 is replaced, the Linux box will stop working.
Linux setup does not rely on DNS to locate DCs; they have to be explicitly configured.
ASKER
I don't know about Linux, but I'm just trying to understand :-)
But is it possible to add all 3 domain controllers in the Linux config file so that if one fails it can switch to another DC?
Yes.
ASKER
And no need to restart anything? Linux will detect another DC by itself?
Linux does not detect; you have to configure the list of servers when setting up the system as an LDAP client.
Or you set up OpenLDAP as a proxy/replica.
So when the configuration is such that there are options, the Linux process will fail over from one to the other in the list.
You keep saying "detect", which throws it off.
A Windows-based system queries DNS, so it does not need to have an explicit definition of each server.
In your case, if the DCs that existed when the Linux box was set up are replaced with dc4, dc5, dc6 and you do not update the LDAP configuration file and restart the client services, the Linux box will not detect the new servers from which it can get data.
The only time a Linux server needs to be restarted is after a kernel update; an application/library update need only have the individual updated services restarted. An update to a configuration can often also take effect after a reload: kill -HUP <PID of process whose configuration was changed>
Just so we are clear - I explained this in the very first comment I made. It's set up and configured in the LDAP service config file, and that file may depend on the Linux distro you are using (which so far you have not shared).
My point is that you should virtually always point to the DN of the domain, never an IP, server name or server list.
ASKER
OK, just help me to understand this:
Arnold, you said: "Linux setup does not rely on DNS to locate DCs; they have to be explicitly configured"
Shaun said: "you should virtually always point to the DN of the domain, never an IP, server name or server list"
That means if I ask the Linux admin to use the domain name as the host for LDAP, then it should find any LDAP servers in that domain. No need to add specific DC servers in the config file. It makes things simpler, no? That also means Linux checks the available LDAP servers in DNS for that specific domain.
The issue is that neither Shaun nor I know your setup, and all we rely on is that your question indicates LDAP and Windows AD interaction.
How that interaction is facilitated is not included, and there are several ways...
I've not seen an slapd config as a client that, using a DN, can identify/locate DCs in an environment, or that relied upon the fact that DCs more "recently" represent the DCs for the purpose of handling domain-based shares (DFS, distributed file system).
In order to allow LDAP access, the DCs have to have the registry modified/edited to enable the LDAP/LDAPS port.
It is safer and more reliable in such cases to be aware of the considerations and implement it the way that works for you.
Some use scripts to query DNS and rebuild the config to deal with DC transitions .....
A) LDAP is not DNS nor has ANYTHING to do with DNS. I clarify this because is looks like this may be getting confused in the responses up above.
B) How can you point to a DN of anything if the Linux server doesn't have an LDAP server to reference that DN with? The typical way you configure an LDAP server in the config file is using the IP address of that LDAP server or servers (depending on your environment). This is a MUST. You will never get any kind of LDAP authentication until you do this.
ASKER
Hi,
Just to clarify, normally my Linux team uses this in their config file:
ldap_uri = ldaps://DC01.mydomain.org, ldaps://DC02.mydomain.org
That config works.
But what I'm wondering is what happens if they use the domain name instead, like this:
ldap_uri = ldaps://mydomain.org
And I realized that works too.
This is the correct one IMHO, because it dynamically contains all DCs, even when some are commissioned/decommissioned:
ldap_uri = ldaps://mydomain.org
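A practitioner's note on the two options discussed in this thread, followed by an added example that is not part of the original posts. `ldaps://mydomain.org` works because every DC registers an A record for the domain name, so DNS round-robins across them; but that gives the client no priority, weight or site information, and the TLS name check only passes if the certificate each DC presents is valid for `mydomain.org` rather than only for the DC's own FQDN (the usual case with an enterprise CA). If it "works" only with `ldap_tls_reqcert = allow` or `never`, certificate checking has been switched off, which is the weak setting. What Windows does, and what the earlier reply meant by "a script running daily that polls DNS ... which then updates the DCs", is the SRV lookup: query `_ldap._tcp.dc._msdcs.<domain>` (or `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` for one site), order the answers per RFC 2782, and write a `ldap_uri` list of DC FQDNs, which also match their certificates. The script below does that for SSSD; it is example code written for this page, not from anyone in the thread. Assumptions: the `dig +short SRV` output is a constructed sample (AD registers all DCs at priority 0 / weight 100 by default; dc3 is given a lower preference only to show the ordering), the CA bundle path is made up, and the SSSD option names used (`ldap_uri`, `ldap_backup_uri`, `ldap_tls_reqcert`, `ldap_tls_cacert`) are the documented ones. SSSD can also do this lookup itself if `ldap_uri` contains the `_srv_` keyword; the script is for clients that cannot.

```python
"""Added example: turn AD's DNS SRV records into an SSSD ldap_uri list.

Not from the thread. Assumes SSSD as the LDAP client (option names
ldap_uri, ldap_backup_uri, ldap_tls_reqcert, ldap_tls_cacert); the CA
bundle path below is an assumption for this example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample of `dig +short SRV _ldap._tcp.dc._msdcs.mydomain.com`.
# AD registers every DC at priority 0 / weight 100 by default; dc3 gets a
# lower preference here only so the ordering logic has something to do.
SAMPLE_DIG_OUTPUT = """\
0 100 389 dc1.mydomain.com.
0 100 389 dc2.mydomain.com.
10 100 389 dc3.mydomain.com.
"""


def srv_name(domain, site=None):
    """DNS name the DCs register for LDAP: all DCs, or only one site's DCs."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def parse_dig_short(output):
    """Parse `dig +short SRV` lines of the form '<priority> <weight> <port> <target.>'."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError(f"unexpected SRV line: {line!r}")
        prio, weight, port, target = parts
        records.append(Srv(int(prio), int(weight), int(port),
                           target.rstrip(".").lower()))
    return records


def order_srv(records, seed=None):
    """RFC 2782 client order: lowest priority first; weighted random within a priority."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            if total == 0:
                pick = rng.choice(bucket)          # all weights zero: any order
            else:
                x = rng.randrange(total)           # weighted draw, RFC 2782 style
                acc = 0
                pick = bucket[-1]
                for r in bucket:
                    acc += r.weight
                    if x < acc:
                        pick = r
                        break
            ordered.append(pick)
            bucket.remove(pick)
    return ordered


def ldap_uris(records, scheme="ldaps"):
    """URIs by DC FQDN, so TLS hostname validation matches each DC's certificate.

    The SRV record advertises 389 (plain LDAP). For ldaps the default 636 is
    wanted instead, so the SRV port is only carried over for the ldap scheme.
    """
    if scheme == "ldaps":
        return [f"ldaps://{r.target}" for r in records]
    return [f"ldap://{r.target}:{r.port}" for r in records]


def render_sssd_domain(domain, uris, backup_uris=(),
                       cacert="/etc/pki/tls/certs/ad-ca.pem"):
    """Render a [domain/...] fragment that keeps certificate checking strict."""
    lines = [f"[domain/{domain}]", "id_provider = ldap", "auth_provider = ldap",
             f"ldap_uri = {', '.join(uris)}"]
    if backup_uris:
        lines.append(f"ldap_backup_uri = {', '.join(backup_uris)}")
    lines += ["ldap_tls_reqcert = demand", f"ldap_tls_cacert = {cacert}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = order_srv(parse_dig_short(SAMPLE_DIG_OUTPUT))
    best = recs[0].priority
    primary = [r for r in recs if r.priority == best]   # tried first, in order
    backup = [r for r in recs if r.priority != best]    # only if all primaries fail
    print(render_sssd_domain("mydomain.com", ldap_uris(primary), ldap_uris(backup)))
```

To use it against a real domain, replace `SAMPLE_DIG_OUTPUT` with the output of `dig +short SRV _ldap._tcp.dc._msdcs.mydomain.com` and run it from cron, reloading SSSD only when the rendered fragment differs from the installed one. Before trusting `ldaps://mydomain.org`, check what name the DC certificate actually carries with `openssl s_client -connect mydomain.org:636 -servername mydomain.org </dev/null | openssl x509 -noout -subject -ext subjectAltName`; if only the DC FQDNs appear, keep `ldap_tls_reqcert = demand` and list the FQDNs as above.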
ASKER
Thanks