Working with LDAP and Microsoft Active Directory

For most IT professionals, there has been some point in their career where they have connected a product or service to Microsoft Active Directory with LDAP for authentication. This is especially true when working with the products in VMware's vCloud suite. Nearly all of the products in the vCloud suite, Single Sign-On (SSO) or vCenter Operations Manager (vCOps) for example, rely on LDAP communication to work and function properly. This is really nothing new and has been the trend for years, but I discovered a different way to set up the connection years ago when I was working on a script that would connect to Active Directory with an LDAP call to get a list of the members of a group. I really thought most people already knew this and that it was pretty much common knowledge, but lately it seems that every time I work with someone new setting up the LDAP configuration they are quite surprised at the way I do things, so I thought this was something I should share.

When setting up the LDAP configuration you are asked to supply at least a primary URL to a domain controller, sometimes a URL to a secondary server, a Base DN for users, a Base DN for groups, and the domain name. This is pretty much standard for most of the products I have worked with, so now for the trick.

When you are setting up the URL to the domain controller, the product asks for the fully qualified domain name of the server you want to connect to, and this usually looks something like this.

ldap://server_name.domain_name.com

My trick is that you really do not need to put an actual server name in the configuration. I know what you're thinking: without a server name, how are you going to connect to the directory? The answer is DNS. Every domain controller registers itself in DNS when its Netlogon service starts, and two sets of records matter here. The first are the service records (SRV records), such as _ldap._tcp.dc._msdcs.domain_name.com. A service record is a specification of data in DNS defining the location, i.e. the host name and port number, of the servers for a specified service, and Windows clients use these (including the site-specific records under _sites) to find the closest domain controller. The second is a plain A record that each domain controller also registers for the bare domain name itself, so that domain_name.com resolves to the addresses of all of the domain controllers. Most LDAP client libraries do not look up SRV records at all; they simply resolve whatever host name is in the URL, so it is this second set of records that makes the trick work. Instead of configuring the actual server name in the URL we can just list the domain, and the configuration looks something like this.

ldap://domain_name.com

By doing your LDAP configuration this way you do not have to configure a different domain controller for each of your geographical locations. DNS hands out the domain controller addresses in round-robin order, and because every domain controller is listed in DNS instead of just the one or two you typed into the product, you get redundancy for free. Two caveats are worth knowing before you rely on it. A plain lookup of the domain name is not site-aware, so a product in one location may well be handed a domain controller in another; only the SRV records under _sites carry site information. And DNS does no health checking, so a domain controller that is down keeps being handed out until its records are removed by demotion or scavenging, and a product that resolves the name once and never retries another address will still fail. Try it out for yourself: from a command line, ping just your domain name and check out the responses from different servers in different locations.
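As an added example (this is not code from the original post or from VMware), the Python below shows two things the paragraphs above describe: how a client that does consult the SRV records is supposed to order domain controllers per RFC 2782 (lowest priority value first, weighted random within a priority), and the TLS hostname check that the bare-domain URL has to satisfy when the connection is ldaps://. The domain domain_name.com, the hosts dc01, dc02 and dc03-dr, the SRV answer and the certificate names are all constructed sample data; a real client would get the answers from DNS (for example with dnspython) instead.

```python
"""Added example, not from the original post: RFC 2782 ordering of AD's
_ldap._tcp.dc._msdcs.<domain> SRV records, plus the hostname check a
TLS client applies to a DC certificate when the URL names the bare domain.

All hosts, records and certificate names below are constructed sample
data for a hypothetical domain "domain_name.com".
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One answer from _ldap._tcp.dc._msdcs.<domain> (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer.  Windows DCs register priority 0 / weight 100
# by default; dc03-dr is given a worse preference (higher priority number)
# to show that it is only tried once every priority-0 DC has been used.
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "dc01.domain_name.com."),
    SrvRecord(0, 100, 389, "dc02.domain_name.com."),
    SrvRecord(10, 100, 389, "dc03-dr.domain_name.com."),
]


def order_targets(records, rng=random):
    """Order SRV records the way RFC 2782 tells clients to try them:
    lowest priority value first; within one priority, a weighted random
    draw in which records of weight 0 are placed first and so are rarely
    selected while weighted records remain."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        bucket.sort(key=lambda r: r.weight != 0)  # weight-0 records first
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def ldap_url(record, scheme="ldap"):
    """Build the URL a product would be configured with for one DC."""
    host = record.target.rstrip(".")
    return f"{scheme}://{host}:{record.port}"


def cert_covers_host(url_host, san_dns_names):
    """Would TLS hostname verification accept a DC certificate with these
    Subject Alternative Name entries for the host named in the URL?
    Accepts an exact match or a single-label wildcard such as
    "*.domain_name.com"; a wildcard never covers the domain apex itself."""
    host = url_host.rstrip(".").lower()
    for name in san_dns_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


if __name__ == "__main__":
    # The order a site-unaware SRV client would try the sample DCs in.
    for rec in order_targets(SAMPLE_SRV):
        print(ldap_url(rec))
    # The bare-domain trick resolves domain_name.com to the DCs' A records,
    # so over ldaps:// the DC certificate must name the domain, not just
    # the server: a cert carrying only the server's own name is rejected.
    print(cert_covers_host("domain_name.com", ["dc01.domain_name.com"]))
    print(cert_covers_host("domain_name.com",
                           ["dc01.domain_name.com", "domain_name.com"]))
```

The SRV ordering is what Windows itself does when locating a domain controller; the point of including it here is that most LDAP libraries skip it and do a plain host lookup, which is exactly why the bare-domain URL works but is not site-aware. The certificate check is the part people trip over when they move the same trick from ldap:// to ldaps://.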

This is just an easier and much simpler way to configure LDAP without having to get a list of, or look up the names of, the domain controllers, and it gives you one standard configuration for your whole enterprise. One thing the shortcut does not change: a simple bind over ldap:// on port 389 sends the service account's credentials in cleartext, so use ldaps:// on port 636 (or StartTLS) wherever the product supports it. If you do, the domain controller certificates have to include the bare domain name in their Subject Alternative Name, because that is the host name the product will verify against; if they only carry each server's own name the connection fails verification, and turning verification off to get past that defeats the point of encrypting in the first place. I would really like to hear from you if you have heard of and use this method already, or if this is something new to you. Inquiring minds would like to know.

Steve Beaver (149 Posts)

Stephen Beaver is the co-author of VMware ESX Essentials in the Virtual Data Center and Scripting VMware Power Tools: Automating Virtual Infrastructure Administration as well as being contributing author of Mastering VMware vSphere 4 and How to Cheat at Configuring VMware ESX Server. Stephen is an IT Veteran with over 15 years experience in the industry. Stephen is a moderator on the VMware Communities Forum and was elected vExpert for 2009 and 2010. Stephen can also be seen regularly presenting on different topics at national and international virtualization conferences.
