Directory Services, OpenLDAP and DNS pools


Like many universities, we use OpenLDAP for our central directory system. As you might guess, the hostname for this system is ldap.stanford.edu. This is actually a DNS pool, though. There are multiple machines offering the same service. There's ldap1.stanford.edu, ldap2.stanford.edu, ldap3 and so on.

When I configure a Mac to use an external directory system, it's usually our OpenLDAP directory. Using Directory Access.app in the Utilities folder (or the command line equivalent, dsconfigldap), I usually enter that hostname, ldap.stanford.edu. However, there are limitations to this.

At some point during configuration, the Mac connects to the DNS pool, gets sorted to one of the physical machines, does a forward name resolution, then uses that numerical IP address for subsequent connections.

Here's the rub: if the IP address of that specific host changes, things break.

It takes a rebind of some sort to re-resolve the name. So the benefits of using a DNS pool (or even of using a FQDN) are mostly lost. To make matters worse, it's unlikely your OpenLDAP RFC2307 directory system is going to give you a list of replicas. The L in OpenLDAP is lightweight, after all.

(This does not apply to Apple's Open Directory, which, like Active Directory, is based on LDAP fundamentals. Open Directory addresses the limitations I'm detailing here because it tells the binding Mac to keep a list of replicas, which adds some degree of redundancy.)

This behavior has been explained to me as a performance enhancement, but considering its fragility, it's difficult to see the benefits.

To get around this, bind your Mac to the individual hosts in the DNS pool. In this instance, configure your Mac to bind to ldap1.stanford.edu, ldap2.stanford.edu, ldap3, and... well, that's probably enough.

This won't guarantee anything, but if ldap1 has an IP change and can't be found, it will roll over to ldap2 — until the question is answered. (Like, if you're asking a question about login authorization through the login window — does so-and-so have an account in OpenLDAP.)

Now, of course, oftentimes when one host gets an IP change, the process is applied to all the other hosts in the DNS pool — say, when they all move to a different network altogether. But, at least with this arrangement, you'll have some added robustness in your directory system configuration.
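To make the difference concrete, here is a small simulation (added here; not code from the original post or from Apple) of the two binding styles described above: one binding to the pool name that caches whichever address it landed on, and one binding per pool member that rolls over to the next cached host when one stops answering. The DNS records and the 10.0.0.x addresses are constructed for the example.

```python
import itertools


class FakeDNS:
    """Constructed stand-in for a DNS zone: name -> list of addresses, round-robin."""
    def __init__(self, records):
        self.records = {name: list(addrs) for name, addrs in records.items()}
        self._rr = {name: itertools.cycle(addrs) for name, addrs in self.records.items()}

    def resolve(self, name):
        return next(self._rr[name])


class FakeNetwork:
    """Which addresses currently answer LDAP queries (a set we mutate to simulate renumbering)."""
    def __init__(self, live):
        self.live = set(live)

    def query(self, addr):
        return addr in self.live


class PoolBinding:
    """Bind to the pool name: resolve once, then keep using that numeric address."""
    def __init__(self, dns, net, pool_name):
        self.net = net
        self.addr = dns.resolve(pool_name)  # cached for all subsequent connections

    def lookup(self):
        return self.net.query(self.addr)


class PerHostBindings:
    """One binding per pool member, each caching its own address at bind time;
    a query rolls over to the next binding when the current one cannot be reached."""
    def __init__(self, dns, net, host_names):
        self.net = net
        self.addrs = [dns.resolve(name) for name in host_names]

    def lookup(self):
        return any(self.net.query(addr) for addr in self.addrs)


def simulate():
    """Returns (pool_ok, per_host_ok) before any change, after ldap1 moves, after all move."""
    dns = FakeDNS({"ldap.stanford.edu": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
                   "ldap1.stanford.edu": ["10.0.0.1"], "ldap2.stanford.edu": ["10.0.0.2"],
                   "ldap3.stanford.edu": ["10.0.0.3"]})
    net = FakeNetwork({"10.0.0.1", "10.0.0.2", "10.0.0.3"})
    pool = PoolBinding(dns, net, "ldap.stanford.edu")  # lands on 10.0.0.1 and caches it
    hosts = PerHostBindings(dns, net, ["ldap1.stanford.edu", "ldap2.stanford.edu", "ldap3.stanford.edu"])
    before = (pool.lookup(), hosts.lookup())
    net.live = {"10.0.0.9", "10.0.0.2", "10.0.0.3"}  # ldap1 renumbered; cached bindings never re-resolve
    after_one = (pool.lookup(), hosts.lookup())
    net.live = {"10.0.0.9", "10.0.0.8", "10.0.0.7"}  # whole pool moved to another network
    after_all = (pool.lookup(), hosts.lookup())
    return before, after_one, after_all
```

The per-host bindings survive a single host's address change but, as the paragraph above notes, not a move of the whole pool.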


About this Entry

This page contains a single entry by Noah Abrahamson published on October 1, 2009 3:50 PM.
