Use LDAP Aliases for Authentication?

  • Question

  • We have a number of applications that use LDAP authentication with Active Directory. Unfortunately, many of these applications only allow you to specify one server during configuration. We've had situations where the one domain controller specified in the application has had an issue, which has then prevented the application from working properly. My manager wants me to look at utilizing LDAP aliases to get around this situation; however, I have no experience with this, nor can I find much information about it.

    Can anyone shed some light on the situation?

    Thanks.

    Monday, September 12, 2011 1:00 AM

Answers

  • hi!

    If your application is really only making LDAP queries against AD and is not using any other functionality like LDAPS or Kerberos, there is another (quick and dirty) way: go to your DNS server and manually make a "Round Robin" entry for, let's say, my_special_ldap.domain.com and enter all the DCs there. Point your application to my_special_ldap.domain.com and it will query the DCs in a round-robin manner, meaning every time it queries DNS for an IP address for my_special_ldap.domain.com it will receive the next DC.

    This will not prevent you from making a query to a DC that is down (since the DNS entry will still be delivered), but it will reduce the chance of contacting an offline DC. And in case of a server failure - just change the DNS entry...

    Hope this helps. Of course the query to domain.com is more elegant, since there is a kind of automatic update to that record, but not all DNS domains are set up to support A records for domains and not all applications can handle this either.

    Regards, Ralf


    Ralf Wigand, MVP Windows Server:Directory Services
    • Marked as answer by marks70 Wednesday, September 14, 2011 10:43 PM
    Monday, September 12, 2011 7:56 PM

All replies

  • If this is the case then the application is wrongly written & the solution can only be provided by the respective vendor.

    LDAP is a directory-enabled protocol used to query/search Active Directory for its related services.

    http://www.netid.washington.edu/documentation/ldapAuth.aspx

    http://msdn.microsoft.com/en-us/library/aa367008%28v=vs.85%29.aspx

    http://msdn.microsoft.com/en-us/library/ms806997.aspx


    Regards  


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Monday, September 12, 2011 6:55 AM
  • You can't alias an LDAP server.  When the application was written the vendor should have used the dcLocator process so it could find an active DC.  Unfortunately you are at the mercy of the crappy software your vendor provided.  Unless they provide a way to enter multiple DC's or utilize DNS there is nothing you can do.

     --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, September 12, 2011 12:03 PM
  • Thanks guys. So in Awinish's 3rd link it states the following:

    Establish a Connection Using a Fully Qualified Domain Name

    When connecting to a server running LDAP, always try to specify the fully qualified DNS domain name in the HostName parameter of the ldap_init function. When you specify a DNS domain name, you get the following benefits:

    • Fault tolerance

      If your domain controller goes down, LDAP will transparently reconnect to another domain controller in the domain.


    This scenario describes what I'm trying to accomplish, but I'm confused as to how to go about doing it. If you specify a specific dns name for a domain controller in the application, how would it know to "transparently reconnect to another domain controller in the domain" if that one domain controller went down? Perhaps I'm thinking about this all wrong, but can you somehow create a DNS alias record for multiple DCs? pbbergs mentioned utilizing DNS - can you be more specific as to what you mean?

    Thanks.



    • Edited by marks70 Monday, September 12, 2011 3:04 PM
    Monday, September 12, 2011 2:59 PM
  • It depends on your application configuration. If your application supports a domain name instead of just a Domain Controller name, it can query all DCs inside the domain.

    For example, instead of Dc1.domain.com you can use domain.com.  Again, it depends on your application configuration.  Did you check with your application vendor?  Which application are you using?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/

    FaceBook Twitter LinkedIn SS Tech Forum

    This posting is provided AS IS with no warranties,and confers no rights.
    Monday, September 12, 2011 3:04 PM
  • I agree with Santhosh, it depends on how the application has been written, not on AD, whether to allow only an FQDN or the name of the domain. Your vendor must be the right person to tell you what is possible to configure, or whether the AD domain name can be configured instead of the FQDN.


    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Monday, September 12, 2011 3:13 PM
  • You can't alias an LDAP server. 

    Why not? If there are no certificate issues (LDAPS) or Kerberos, why not alias an LDAP server? When you use Linux applications doing a simple LDAP authentication, there shouldn't be a problem? Or am I missing something?

    Regards, Ralf


    Ralf Wigand, MVP Windows Server:Directory Services
    Monday, September 12, 2011 8:01 PM
  • Hi Ralf,

    Sorry for being dense, but can you explain where in DNS I would configure the "Round Robin" entry with all the DCs that you described? What kind of record would it be?

    Tuesday, September 13, 2011 9:09 PM
  • Simple. Either read this:

    http://technet.microsoft.com/en-us/library/cc787484%28WS.10%29.aspx

    or just create 2 or more A-records with the same name but different IPs. Subsequent nslookups will show a new IP each time you try a resolution of the name:

    C:\Users\syswigand>nslookup ralf
    Server:  UnKnown
    Address:  ::1
    Name:    ralf.demo.lab
    Addresses:  10.20.30.40
              10.20.30.41
              10.20.30.42
    
    C:\Users\syswigand>nslookup ralf
    Server:  UnKnown
    Address:  ::1
    Name:    ralf.demo.lab
    Addresses:  10.20.30.41
              10.20.30.42
              10.20.30.40
    
    C:\Users\syswigand>nslookup ralf
    Server:  UnKnown
    Address:  ::1
    Name:    ralf.demo.lab
    Addresses:  10.20.30.42
              10.20.30.40
              10.20.30.41
    
    C:\Users\syswigand>nslookup ralf
    Server:  UnKnown
    Address:  ::1
    Name:    ralf.demo.lab
    Addresses:  10.20.30.40
              10.20.30.41
              10.20.30.42
    


    regards, ralf


    Ralf Wigand, MVP Windows Server:Directory Services
    Wednesday, September 14, 2011 5:57 AM
  • Great, thank you!
    Wednesday, September 14, 2011 10:43 PM
  • You can't alias an LDAP server.  When the application was written the vendor should have used the dcLocator process so it could find an active DC.  Unfortunately you are at the mercy of the crappy software your vendor provided.  Unless they provide a way to enter multiple DC's or utilize DNS there is nothing you can do.

     --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Paul, is there some official document from MS that states this? I have an application that works with a CNAME. It worked with Windows Server 2003 domain controllers but it does not work anymore since we migrated domain controllers to Windows Server 2008 R2. In detail, the application server calls LDAP.mydomain.com. LDAP.mydomain.com is a CNAME of DC01.mydomain.com. With Windows 2003 we used this alias to perform maintenance on domain controllers by just changing the alias. This worked like a charm with Windows 2003.

    Since the Windows 2008 R2 migration, we need to put the FQDN. If we leave the CNAME (ldap.mydomain.com) on the application, LDAP authentication does not occur.

    Is there some change in Windows 2008 R2? Is there any whitepaper or technet article that documents that you can't use ALIASES with LDAP servers?

    Thank you in advance!

    --

    Momaweb

    Thursday, July 19, 2012 10:40 AM
  • You could just refer to the domain name instead of creating a dns alias, this will react the same.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.


    Thursday, July 19, 2012 12:07 PM
  • You could just refer to the domain name instead of creating a dns alias, this will react the same.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.


    Paul, referring to the domain name has a different result. In fact, when you refer to the domain name, a round robin in A records for "@" is returned. Round robin of course is not aware that a specific server is down for maintenance. With CNAME, I can choose when to change CNAME resolution and manually modify it.

    Since you stated that "you can't alias LDAP server" I supposed that there is some document supporting it and that it is an "official" usage which I didn't know. I googled around but such a document doesn't seem to exist. So, I ask :-) .... is there some explicit document which confirms the restriction that does not allow CNAME usage when authenticating against a Windows 2008 R2 server? (In 2003 server it WORKS perfectly.)


    • Edited by Massimo_M Thursday, July 19, 2012 12:32 PM
    Thursday, July 19, 2012 12:31 PM
  • I know this is an old thread, but I see no one mentioned this, and this thread is still very relevant.

    You CANNOT create duplicate CNAME records with the same name in DNS that point to multiple "A" records. Example: this will error out as "already exists" when trying to create the second one with the same CNAME.

    CNAME      SERVERNAME [Cannot do this]

    Alias1 - DC1.domainname.com

    Alias1 - DC2.domainname.com

    Alias1 - DC3.domainname.com

    The only time an alias should be used for authentication is if you are migrating/moving/decommissioning a domain controller (DC) and have hard-coded DC names in applications, or you don't know what is pointing to the old DC's name. You can create a CNAME alias of the old DC name, after it is decommissioned/renamed, to point to the name of a new one.

    The domain name should always be used as the application's entry for LDAP, and as long as certs have been issued to all DCs, for LDAPS as well. I have been doing this a long time, and I don't remember the last time an application could not use the domain name. Even if an application asks for hostname/servername/ip address for LDAP/LDAPS, the domain name can be used. This provides full domain redundancy, as well as "site awareness" for authentication to the application. Non-Windows applications may need some configuration changes at the OS level for "site awareness", but redundancy will be there.

    Reasons the domain name should NOT be used: users, application server, or DCs behind a secure firewall. You don't want to pop a bunch of holes in your firewall to all the other DCs, and latency could be an issue in large environments, depending on AD Sites and Services configuration. Obviously test any configuration. If redundancy is important, but for some reason the domain name cannot be used, create multiple "A" records with the same name, and point to multiple DC IP addresses, example:

    A Record             IP Address of DCs

    DomainController1 - 192.168.1.1

    DomainController1 - 192.168.1.2

    DomainController1 - 192.168.1.3

    If a DC in the list is going to be down for a while, that DC's round robin "A" record can be removed from DNS. I wouldn't mess with it for a reboot, because more than likely it will be in cache, so it won't matter anyway. You will have to live with a possible temporary failure.


    Wednesday, January 9, 2019 6:24 PM
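An added example, not code from any poster in this thread, of what the application itself has to do once it is pointed at a round-robin name such as Ralf's my_special_ldap.domain.com or the DomainController1 record above: DNS keeps handing out the address of a DC that is down, so the client must resolve every A record and try each address with a short timeout until one answers. The resolver and connector are injectable so the failover logic runs offline; the addresses used in the test are constructed.

```python
"""Client-side failover over a round-robin DNS name for LDAP.

A round-robin A record returns every DC's address, including one that is
down, so the application must try the next address itself. The resolver
and the connector are injectable so the logic can be exercised offline.
"""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

LDAP_PORT = 389
# For LDAPS the DC certificate must also carry the alias name in its SAN,
# otherwise hostname verification fails even though TCP connects.
LDAPS_PORT = 636


def resolve_all(name: str, port: int = LDAP_PORT) -> List[str]:
    """Return every distinct IPv4 address behind a (round-robin) DNS name."""
    infos = socket.getaddrinfo(name, port, socket.AF_INET, socket.SOCK_STREAM)
    addresses: List[str] = []
    for info in infos:
        addr = info[4][0]
        if addr not in addresses:
            addresses.append(addr)
    return addresses


def tcp_connect(addr: str, port: int, timeout: float) -> bool:
    """Real connector: True if a TCP handshake completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(addresses: Iterable[str], port: int = LDAP_PORT,
                    timeout: float = 2.0,
                    connect: Callable[[str, int, float], bool] = tcp_connect
                    ) -> Tuple[Optional[str], List[str]]:
    """Try each address in the order DNS returned them.

    Returns (address that answered, addresses that failed). The timeout is
    the whole cost of a dead DC: the connect hangs until it expires, and
    only then is the next address tried. (None, [...]) means all DCs failed.
    """
    failed: List[str] = []
    for addr in addresses:
        if connect(addr, port, timeout):
            return addr, failed
        failed.append(addr)
    return None, failed
```

Log the failed list: a DC that keeps appearing there is the one whose A record should be pulled from the round-robin name until it is back.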