[python-ldap] Connect to multiple servers for failover

Petr Spacek pspacek at redhat.com
Tue Apr 21 16:46:21 CEST 2015

On 21.4.2015 16:16, Michael Ströder wrote:
> Petr Spacek wrote:
>> On 20.4.2015 18:41, Rob McBroom wrote:
>>> On 20 Apr 2015, at 5:17, Prashant Bapat wrote:
>>>> Is there a way to connect to multiple servers for a query and iteratively
>>>> try all of them before failing ?
>>>> Can I do something like
>>>> ldap.initialize(srv1, srv2, srv3) and it connects to srv2 if srv1 is down
>>>> etc
>>> If you have the power to do so, just put multiple A records in DNS with the
>>> same name that point to the IPs of the different servers. The OpenLDAP library
>>> is very good at finding a server that’s up and running. Don’t try to reinvent
>>> the functionality yourself.
>> Or even better, use DNS SRV records. It usually works better when it comes to
>> prioritization, geo-clusters etc. (I hope OpenLDAP supports DNS SRV records
>> but I did not check it myself.)
> I think we had this open issue on another mailing list (sssd-users?):
> The TLS hostname check would have to be based on the service name used to do
> the DNS SRV lookup. AFAIK this is not the case. At least I never saw a server
> cert with _ldap.example.com in subjectAltName:dNSName extension.
> => I'd recommend to configure a trusted list of server hostnames
>    (Or you have to consequently use DNSSEC).

Yes, I should have mentioned this explicitly. DNSSEC is necessary if service
discovery via DNS should be trusted.

nicely describes what to do if DNSSEC is available and when it is not, it is
equally applicable here.

(Please note that this is a draft in final stages but still just a draft.)

Have a nice day!

Petr Spacek  @  Red Hat
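The thread's recommendation, in working code as an added example (it is not code from the thread or from the python-ldap project): resolve the SRV answer into an ordered list of ldaps:// URIs, refuse any target not on an operator-configured hostname allowlist (since without DNSSEC the SRV answer itself is untrusted and libldap verifies the certificate against the URI hostname, not against the `_ldap._tcp` service name), and then try the servers in order until one connects. The SRV records, the hostnames and the allowlist are constructed sample data; the `python_ldap_connector` helper uses real python-ldap options but is only a sketch of how the failover loop would be wired to a live server, and the RFC 2782 ordering is my implementation, not python-ldap's.

```python
"""SRV-based LDAP failover with an explicit target allowlist.

Added example, not code from the python-ldap thread or project. The SRV
records are constructed input; in practice obtain them from a resolver
(e.g. dnspython's dns.resolver.resolve("_ldap._tcp.example.com", "SRV")).
"""
import itertools
import random
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # server hostname as returned by DNS, possibly with trailing dot


def normalize_host(name: str) -> str:
    """Canonical form for comparing DNS names: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def order_srv(records: Iterable[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order targets per RFC 2782: lower priority first; within one priority
    level, weighted-random selection so heavier targets come first more often."""
    ordered: List[SrvRecord] = []
    by_prio = sorted(records, key=lambda r: r.priority)
    for _, group in itertools.groupby(by_prio, key=lambda r: r.priority):
        remaining = list(group)
        while remaining:
            weights = [max(r.weight, 0) for r in remaining]
            pick = (rng.choice(remaining) if sum(weights) == 0
                    else rng.choices(remaining, weights=weights, k=1)[0])
            ordered.append(pick)
            remaining.remove(pick)
    return ordered


def plan_uris(records: Iterable[SrvRecord], allowlist: Iterable[str],
              seed=None) -> Tuple[List[str], List[str]]:
    """Turn an SRV answer into an ordered list of ldaps:// URIs to try.

    Without DNSSEC the SRV answer is untrusted: libldap checks the server
    certificate against the hostname in the URI (the SRV target), not against
    _ldap._tcp.example.com, so a spoofed answer could steer clients to any host
    holding a valid certificate for its own name. Targets outside the
    operator-configured allowlist are therefore dropped, and reported so the
    caller can alert on them."""
    allowed = {normalize_host(h) for h in allowlist}
    records = list(records)
    rejected = [r.target for r in records if normalize_host(r.target) not in allowed]
    trusted = [r for r in records if normalize_host(r.target) in allowed]
    ordered = order_srv(trusted, random.Random(seed))
    return [f"ldaps://{normalize_host(r.target)}:{r.port}" for r in ordered], rejected


def connect_with_failover(uris: List[str], connect, retryable=(OSError,)):
    """Try each URI in order; return (uri, handle) for the first that works.
    connect(uri) must raise one of `retryable` when a server is unreachable
    (for python-ldap pass retryable=(ldap.SERVER_DOWN,))."""
    last_error = None
    for uri in uris:
        try:
            return uri, connect(uri)
        except retryable as exc:
            last_error = exc
    raise ConnectionError(f"all {len(uris)} LDAP servers failed") from last_error


def python_ldap_connector(bind_dn: str, password: str, timeout: float = 5.0):
    """Build a connect() callable on python-ldap (imported lazily so this
    module loads without it). OPT_X_TLS_DEMAND makes a certificate or
    hostname mismatch fatal instead of silently proceeding."""
    import ldap  # python-ldap

    def connect(uri: str):
        conn = ldap.initialize(uri)
        conn.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply TLS options to this handle
        conn.simple_bind_s(bind_dn, password)
        return conn
    return connect


def simulated_connect(down: Set[str]):
    """Offline stand-in for a real connector: URIs in `down` refuse the
    connection, any other URI 'connects' by returning itself as the handle."""
    def connect(uri: str) -> str:
        if uri in down:
            raise ConnectionRefusedError(uri)
        return uri
    return connect


# Constructed sample SRV answer for _ldap._tcp.example.com. The last record
# stands in for a target an attacker could inject into an unsigned zone; it
# has the best priority and weight, which is exactly why the allowlist matters.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=50, port=636, target="ldap1.example.com."),
    SrvRecord(priority=10, weight=50, port=636, target="ldap2.example.com."),
    SrvRecord(priority=20, weight=0, port=636, target="ldap-backup.example.com."),
    SrvRecord(priority=5, weight=100, port=636, target="ldap.attacker.example."),
]
ALLOWED_HOSTS = {"ldap1.example.com", "ldap2.example.com", "ldap-backup.example.com"}

if __name__ == "__main__":
    uris, rejected = plan_uris(SAMPLE_SRV, ALLOWED_HOSTS, seed=1)
    print("rejected SRV targets:", rejected)
    uri, _ = connect_with_failover(uris, simulated_connect({uris[0]}))
    print("connected to", uri)
```

Two practical notes. libldap's ldap_initialize() accepts a whitespace-separated list of URIs and tries them in order, and python-ldap passes that string through unchanged, so the trusted, already-ordered list above can also be handed over as `ldap.initialize(" ".join(uris))` if you prefer the library's own retry logic to an explicit loop. Whichever route you take, the allowlist check (or DNSSEC validation of the SRV answer) is the part that TLS alone does not give you, because a certificate for `ldap1.example.com` is still valid when DNS was lying about which host to contact.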
