Working with LDAP and Microsoft Active Directory: For most IT professionals, there has been some point in their career where they have connected a product or service to a Microsoft Active Directory with LDAP for authentication. This is especially true when working with the products in VMware’s vCloud suite. Most all the products in the vCloud suite like Single Sign-On (SSO) or VMware Operation Manager (vCOPs) as an example relies on LDAP communication to work and function properly. This is really nothing new and has been the trend for years, but I discovered a different way to set up the connections years ago when I was working on a script that would connect to Active Directory with an LDAP call to get a list of members of a group. I really thought most people already knew this and it was pretty much common knowledge, but it seems lately that every time I work with someone new setting up the LDAP configuration they seem to be quite surprised at the way I do things and I thought this should be something that I share out.
When setting up the LDAP configuration you are asked to supply at least a primary URL to a Domain Controller, sometimes you are asked for another URL to a secondary server, Base DN for users, Base DN for groups as well the domain name. This is all pretty much standard for most all products I have worked with so, now for the trick.
When you are setting up the URL to the Domain Controller they always ask for the fully qualified domain name of the server you want to connect to and this usually looks something like this.
My trick is that you really do not need to put the actual server name in the configuration. I know what you’re thinking in that without a server name how are you going to connect to the directory and the answer to that is DNS. If your DNS server is using service records (SRV records) than you are really all set. A service record is a specification of data in DNS defining the location, i.e. the hostname and port number of servers for specified services. The location of the closest domain controller can be easily present during the DNS call for the location of a server. So instead of configuring the actual server name in the URL we can just list the domain and the configuration would like something like this.
By doing your LDAP configuration this way you do not have to have different domain controllers in all your different geographical locations. DNS will specify which domain controller is used and this method also gives you redundancy in that all your domain controllers will be listed in DNS instead of just listing one or two. Try it out for yourself, from a command line ping just your domain and check out the response from different servers in different locations.
This is just an easier and much simpler way to configure LDAP without having to get a list or look up the names of the domain controllers, as well as gives you a standard configuration for all of your enterprise. I would really like to hear from you if you have heard and use this method already or if this is something new to you? Inquiring minds would like to know.