[Freeipa-users] faking DNS autodiscovery of servers
Petr Spacek
pspacek at redhat.com
Thu Jan 7 08:37:18 UTC 2016
On 6.1.2016 14:13, Karl Forner wrote:
> Hello,
>
> I have some web applications that use LDAP for
> authentication/authorization, and which do not support LDAP auto-discovery.
>
> I'm wondering if it's possible to fake the auto-discovery of server.
> For instance, I could imagine using a DNS CNAME ldap_current.example.com
> which should point to a currently available ldap server.
>
> Then a cron job would query the DNS/ldaps to find an available ldap server,
> and if different from the current, update the DNS CNAME
> ldap_current.example.com.
>
> Does it make sense?
It does, but it is certainly a sub-optimal solution. For web applications it
would be best to migrate them to SSSD so they will automatically get all the
benefits of caching and fail-over. Please see
http://www.freeipa.org/page/Web_App_Authentication
for details.
> In that case, how to discover a working ldap server?
You need to script this... theoretically you can run ldapsearch against
servers listed in DNS SRV records and pick one which is working.
--
Petr^2 Spacek
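One way to script the discovery Petr describes, combined with the CNAME update from the original question, as an added example that is not part of the thread and not FreeIPA's own tooling. It assumes dig, OpenLDAP's ldapsearch and the ipa CLI are installed, that the cron host holds a Kerberos ticket allowed to modify the zone, and that the alias is hyphenated (ldap-current, since underscores are not valid in hostnames) and listed in every server's TLS certificate SANs, otherwise ldaps clients will reject the alias.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Picks a reachable LDAP
# server from the domain's _ldap._tcp SRV records and repoints a CNAME at it.
# Assumptions: dig, ldapsearch, ipa CLI present; Kerberos ticket can edit the zone.

ALIAS="ldap-current"   # constructed alias; must appear in the servers' cert SANs
PROBE_TIMEOUT=5        # seconds; keeps a hung server from stalling the cron job

# Order "priority weight port target" lines: lowest priority first, then highest
# weight. Deterministic rather than RFC 2782 weighted-random, which is fine here
# because the goal is "first server that works", not load spreading.
sort_candidates() {
    sort -k1,1n -k2,2nr
}

srv_candidates() {
    dig +short SRV "_ldap._tcp.$1" | sort_candidates
}

# Anonymous RootDSE read over TLS: verifies the server answers *and* presents a
# certificate the client trusts (per /etc/openldap/ldap.conf TLS_CACERT).
probe() {
    ldapsearch -x -H "ldaps://$1:$2" -s base -b "" -l "$PROBE_TIMEOUT" \
               -o nettimeout="$PROBE_TIMEOUT" namingContexts >/dev/null 2>&1
}

# Read candidate lines on stdin, print the first target that answers.
# The probe command is injectable so the selection logic can be exercised offline.
pick_working_server() {
    probe_cmd="${1:-probe}"
    while read -r prio weight port target; do
        target="${target%.}"              # strip trailing dot from the FQDN
        [ -n "$target" ] || continue
        if "$probe_cmd" "$target" "$port"; then
            printf '%s\n' "$target"
            return 0
        fi
    done
    return 1
}

main() {
    domain="$1"
    server="$(srv_candidates "$domain" | pick_working_server)" \
        || { echo "no LDAP server in $domain answered" >&2; exit 1; }
    current="$(dig +short CNAME "$ALIAS.$domain")"; current="${current%.}"
    if [ "$current" != "$server" ]; then
        echo "switching $ALIAS.$domain: '$current' -> '$server'"
        ipa dnsrecord-mod "$domain." "$ALIAS" --cname-rec="$server."
    fi
}

[ "$#" -eq 1 ] && main "$1"   # usage: ./ldap-current.sh example.com
```

Run it from cron with the domain as the only argument; with no argument it only defines the functions, so it can be sourced for testing.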