[python-ldap] Connect to multiple servers for failover

Petr Spacek pspacek at redhat.com
Tue Apr 21 16:46:21 CEST 2015


On 21.4.2015 16:16, Michael Ströder wrote:
> Petr Spacek wrote:
>> On 20.4.2015 18:41, Rob McBroom wrote:
>>> On 20 Apr 2015, at 5:17, Prashant Bapat wrote:
>>>
>>>> Is there a way to connect to multiple servers for a query and iteratively
>>>> try all of them before failing ?
>>>>
>>>> Can I do something like
>>>>
>>>> ldap.initialize(srv1, srv2, srv3) and it connects to srv2 if srv1 is down
>>>> etc
>>>
>>> If you have the power to do so, just put multiple A records in DNS with the
>>> same name that point to the IPs of the different servers. The OpenLDAP library
>>> is very good at finding a server that’s up and running. Don’t try to reinvent
>>> the functionality yourself.
>>
>> Or even better, use DNS SRV records. It usually works better when it comes to
>> prioritization, geo-clusters etc. (I hope OpenLDAP supports DNS SRV records
>> but I did not check it myself.)
> 
> I think we had this open issue on another mailing list (sssd-users?):
> 
> The TLS hostname check would have to be based on the service name used to do
> the DNS SRV lookup. AFAIK this is not the case. At least I never saw a server
> cert with _ldap.example.com in subjectAltName:dNSName extension.
> 
> => I'd recommend to configure a trusted list of server hostnames
>    (Or you have to consequently use DNSSEC).

Yes, I should have mentioned this explicitly. DNSSEC is necessary if service
discovery via DNS should be trusted.

http://tools.ietf.org/html/draft-ietf-dane-srv-13#section-4.1
nicely describes what to do if DNSSEC is available and when it is not, it is
equally applicable here.

(Please note that this is a draft in final stages but still just a draft.)

Have a nice day!

-- 
Petr Spacek  @  Red Hat
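The combination Michael recommends (a fixed, trusted list of server hostnames, each one's TLS certificate verified against the hostname actually dialled) with the failover Prashant asked about, written out as an added example. This code is not from the thread or from python-ldap itself; the hostnames are constructed, and the connector assumes python-ldap's OpenLDAP-backed API (`ldap.initialize`, `OPT_X_TLS_REQUIRE_CERT`, `OPT_X_TLS_NEWCTX`). The failover loop only advances on reachability errors, so a bad bind password or a certificate rejection is not silently retried against the next server.

```python
"""Failover across an explicit, trusted list of LDAP servers.

Added example for this thread; not part of python-ldap.
"""
import logging
from typing import Any, Callable, Dict, Iterable

log = logging.getLogger(__name__)

# Constructed hostnames: a fixed list configured by the administrator,
# so each server's certificate is checked against the name being dialled
# rather than against whatever a DNS SRV lookup happened to return.
TRUSTED_SERVERS = [
    "ldaps://ldap1.example.com",
    "ldaps://ldap2.example.com",
    "ldaps://ldap3.example.com",
]


class ServerUnavailable(Exception):
    """One server could not be reached; the next one should be tried."""


class AllServersDown(Exception):
    """Every server in the list failed; carries the per-server errors."""

    def __init__(self, errors: Dict[str, str]) -> None:
        super().__init__(f"all LDAP servers unavailable: {errors}")
        self.errors = errors


def python_ldap_connector(uri: str, bind_dn: str, password: str) -> Any:
    """Open, TLS-verify and bind one connection using python-ldap.

    Only reachability problems become ServerUnavailable. An authentication
    failure (ldap.INVALID_CREDENTIALS) propagates: it is not a reason to
    move on to another server.
    """
    import ldap  # python-ldap; imported lazily so the loop below works without it

    conn = ldap.initialize(uri)
    # Demand a verifiable certificate whose name matches the URI's hostname.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)    # apply TLS options to a fresh context
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)  # seconds before a dead host is abandoned
    try:
        conn.simple_bind_s(bind_dn, password)
    except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR, ldap.TIMEOUT) as exc:
        raise ServerUnavailable(str(exc)) from exc
    return conn


def connect_with_failover(
    uris: Iterable[str],
    bind_dn: str,
    password: str,
    connector: Callable[[str, str, str], Any] = python_ldap_connector,
) -> Any:
    """Try each URI in order and return the first successfully bound connection."""
    errors: Dict[str, str] = {}
    for uri in uris:
        try:
            conn = connector(uri, bind_dn, password)
        except ServerUnavailable as exc:
            log.warning("LDAP server %s unavailable: %s", uri, exc)
            errors[uri] = str(exc)
            continue
        log.info("connected to %s", uri)
        return conn
    raise AllServersDown(errors)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Real use: connect_with_failover(TRUSTED_SERVERS, "cn=reader,dc=example,dc=com", "secret")
    print("trusted server order:", TRUSTED_SERVERS)
```

The `connector` parameter exists so the ordering and error handling can be exercised without a live directory; in production the default python-ldap connector is used. libldap also accepts a whitespace-separated list of URIs in a single `ldap.initialize()` call and tries them in turn, which is the simpler option when per-server logging and the distinction between "unreachable" and "rejected" are not needed.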

