On 19-03-2021 00:30, Fraser Tweedale wrote:
> On Thu, Mar 18, 2021 at 03:10:30PM +0100, Kees Bakker via FreeIPA-users wrote:
>> Hi,
>>
>> We have FreeIPA with three masters. To get to the LDAP server
>> we can use either of the three. To configure a service you must
>> come up with a FQDN for the LDAP server. Until now we have
>> simply selected one of the three. But that's not very convenient
>> because we want to do maintenance on that IPA master.
>>
>> What possibilities are there to have something that switches
>> automatically to another server? How is the SRV _ldap._tcp record
>> used?
>>
> Hi Kees,
>
> SRV records for _ldap._tcp.$DOMAIN return a list of DNS names and
> ports for the actual service endpoints.  See
> https://www.freeipa.org/page/V4/DNS_Location_Mechanism#Current_use_of_SRV_records
> for example.  See https://tools.ietf.org/html/rfc2782 for the
> specification of SRV records and how to interpret them.
>
> If it is possible to configure the service to use SRV records to
> locate the LDAP server, that is the best approach.
>
> Cheers,
> Fraser
>

Thanks for all those who answered.

The reason I asked this was because we have several services that
have ways to use LDAP. For example GitLab and JIRA. Not every one
of these services has a way to instruct it to use SRV records. So, I
was wondering how others are solving this.

Alexander showed `ldapsearch` as an example of a tool that can
use SRV. So, there are tools that can do it. Great.

At GitLab it still hasn't sunk in [2].
For JIRA an issue was raised 10 years ago [3]; I haven't yet found out if they
support it.

BTW. While searching further I also came across a reaction [1] warning
that using ldaps through SRV isn't secure. So I need to try and stick to
plain ldap (389) and TLS.

[1] https://serverfault.com/questions/1002895/ldaps-srv-resolution-not-working
[2] https://gitlab.com/gitlab-org/gitlab/-/issues/139
[3] https://jira.atlassian.com/browse/JRASERVER-21361
-- 
Kees
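As an added example, not code from this thread or from FreeIPA itself: a small Python implementation of the RFC 2782 target-selection rules Fraser points to, run over constructed zone-style SRV records for a made-up `example.test` domain (the hostnames and the `parse_srv_rrs` / `rfc2782_order` / `ldap_uris` helpers are assumptions for this illustration). It produces the ordered list of `ldap://host:port` candidates a client should try.

```python
import random
from dataclasses import dataclass


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rrs(zone_text: str) -> list:
    """Parse zone-file style SRV RRs (the format dig prints for an SRV query)."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "SRV" not in fields:
            continue                      # skip blanks, comments, non-SRV lines
        i = fields.index("SRV")
        prio, weight, port, target = fields[i + 1:i + 5]
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def rfc2782_order(records, seed=None) -> list:
    """Order targets per RFC 2782: lowest priority first; within one priority,
    weighted random selection, with weight-0 records placed at the front so they
    are only chosen when no weighted record is hit."""
    rng = random.Random(seed)             # seed is only for reproducible tests
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        rng.shuffle(pool)                 # "arrange in any order" ...
        pool.sort(key=lambda r: r.weight != 0)   # ... except weight 0 first (stable)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for idx, r in enumerate(pool):
                running += r.weight
                if running >= pick:       # first record whose running sum reaches pick
                    ordered.append(pool.pop(idx))
                    break
    return ordered


def ldap_uris(records, seed=None) -> list:
    """Candidate LDAP URIs in try-order; the SRV answer itself is plain DNS data,
    so the server certificate still has to be validated against the chosen target."""
    return [f"ldap://{r.target}:{r.port}" for r in rfc2782_order(records, seed)]


# Constructed sample answer for _ldap._tcp.example.test (not real DNS data):
# two equal-weight masters at priority 0 and one backup at priority 10.
SAMPLE_SRV = """\
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa1.example.test.
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa2.example.test.
_ldap._tcp.example.test. 86400 IN SRV 10 0 389 ipa3.example.test.
"""

if __name__ == "__main__":
    print(ldap_uris(parse_srv_rrs(SAMPLE_SRV)))
```

The backup master only ever appears last; which of the two priority-0 masters comes first varies per run, which is exactly the load spreading SRV weights are meant to give.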
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]