philippe.eychart@informatique.gov.pf wrote:
Use of SRV RRs is a good response (in particular in the case of a large intranet with many remote sites - islands in the Pacific - and poor communication resources - satellite), but it requires being implemented in all client applications: nssldap, Samba, LDAP client tools for rsync/mail/DNS/proxy/supervision definitions, ... or OpenLDAP.
We are in this case: I work in Tahiti, for the French Polynesian government's IT department. Our intranet covers a large geographic area spanning several islands. I am in charge of transferring the totality of our management systems (and network configuration) into a centralized base (of course: OpenLDAP). But, on the one hand, distant servers (and users) cannot be subjected to the quality of the communication links, in particular concerning local services (authentication, local messaging, Samba service, etc.), and on the other hand, we cannot multiply the number of LDAP servers providing redundancy (even with services merged, we already manage more than 100 servers and about 4000 PCs). So, one local server in every remote site must provide LDAP service for the other local servers (which provide different services for different administrative departments) to guarantee acceptable performance (and also to ensure a certain insensitivity to breaks in the communication links, at least for locally provided services); so, in case of an LDAP server failure, the redundancy must be provided by the central server group, with the help of the SRV resolution that the ... excellent OpenLDAP library (will) allow ;) It seems to me that SRV RR definition is actually a quite good answer (easy to deploy and, why not, standardized) to this problem.
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Wednesday, 11 February 2009 06:44 To: philippe.eychart@informatique.gov.pf Cc: openldap-its@openldap.org Subject: Re: (ITS#5919) URI syntax (ldap:///dc=my%2cdc=domaine)
philippe.eychart@informatique.gov.pf wrote:
Michael Ströder wrote:
Frankly I'd vote against stuffing this into the standard function ldap_initialize(). Using this without further precaution (like user interaction) is broken in a similar way to chasing LDAPv3 referrals at the client side.
I also think myself that security aspects are important; but on the other hand, IMHO it is the responsibility of the DNS administrator to configure cleanly and to protect their systems from any corruption (and maybe also of the BIND project to improve tools allowing it).
DNSSEC would be a solution.
But my question is which problem to solve at first with SRV RRs?
Ciao, Michael.
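The discovery scheme discussed in this thread (a host-less URI such as the ldap:///dc=my%2cdc=domaine in the subject, mapped to a DNS domain and then to _ldap._tcp SRV records, with a local site server preferred and the central group as fallback) as an added example; this is not OpenLDAP code and not anyone's code from the thread. The SRV records are constructed sample data rather than the result of a real lookup, so the selection logic can be exercised offline; a real client would obtain them from a validating (DNSSEC) resolver, which is the DNS-corruption concern raised above.

```python
import random
from urllib.parse import unquote, urlsplit

# Constructed sample SRV data for _ldap._tcp.<domain>: (priority, weight, port,
# target). Priority 0 is the island's local server; the central group is the
# priority-10 fallback, which a client only reaches once priority 0 has failed.
SAMPLE_SRV = [
    (10, 60, 389, "ldap1.central.example"),
    (10, 40, 389, "ldap2.central.example"),
    (0, 100, 389, "ldap.island-site.example"),
]

def domain_from_ldap_uri(uri):
    """ldap:///dc=my%2cdc=domaine -> 'my.domaine' (RFC 2247 dc= mapping)."""
    parts = urlsplit(uri)
    if parts.netloc:
        raise ValueError("URI already names a host; no SRV lookup needed")
    dn = unquote(parts.path.lstrip("/"))
    labels = [rdn.split("=", 1)[1].strip() for rdn in dn.split(",")
              if rdn.strip().lower().startswith("dc=")]
    if not labels:
        raise ValueError("no dc= components to derive a DNS domain from")
    return ".".join(labels)

def srv_name(domain):
    """Owner name to query for LDAP over TCP (RFC 2782 naming)."""
    return "_ldap._tcp." + domain

def order_srv(records, rng=random):
    """Return ldap:// URIs in the order a client should try them:
    lowest priority first, weighted random choice within one priority."""
    by_prio = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)  # zero weights first
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)
            acc = 0
            for r in pool:
                acc += r[1]
                if acc >= pick:
                    break
            pool.remove(r)
            ordered.append("ldap://%s:%d/" % (r[3], r[2]))
    return ordered

if __name__ == "__main__":
    dom = domain_from_ldap_uri("ldap:///dc=my%2cdc=domaine")
    print(srv_name(dom), order_srv(SAMPLE_SRV))
```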