Using Multiple Servers in LDAP Plug-in
-
Good-day Folks,
Is it possible to specify more than one server when configuring the LDAP plug-in in Xen Orchestra?
I have two Active Directory Domain Controllers that I would like to specify, for redundancy. I've been meaning to ask this question for a while, but it kept escaping my mind.
-
-
@kagbasi-ngc It's not possible at the moment. How would you expect it to work? Would it try to request the first server and fallback to the second one in case of error? And do that for every single request?
-
@kagbasi-ngc
First, a disclaimer. It's been a while since I last designed an HA solution for AD. Things may have improved. You should reconsider your approach to designing a highly available AD. Configuring the client to guess which AD server to use will work fine, but only as long as both AD servers are healthy. If there is ever a problem between them, you will have no control over which AD the servers hit.
If I remember correctly, best practice for highly available Active Directory is either to use Microsoft's AD VIP solution, or to use round-robin DNS (multiple records with the same name but different IP addresses). Either way, all of the clients in a single domain should have the same configuration.
-
@pdonias Essentially, yes.
Every application I've used that authenticates with AD/LDAP seems to allow the specification of at least two servers, so that if the first doesn't respond, the second is tried. In almost all the environments that I work in, there are at least two Domain Controllers. So it stands to reason, at least to me, that XO should give the administrator the choice of deciding whether to leverage all DCs or a single one.
Normally the current implementation hasn't been a problem, until it was. I noticed this when one of my network guys accidentally disabled the NIC on the DC while attempting to add a management interface to the DC. Granted, this is a lab environment and we're playing around a lot, but I thought this exercise highlighted a single point of failure, so I wanted to inquire whether it were possible to specify more than one server.
Thanks for your response, much appreciated.
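The "try the first server, fall back to the second" behaviour discussed in the two posts above, as an added example that is not code from the XO LDAP plugin or from either poster. It answers the "do that for every single request?" question by remembering the server that last answered and putting a failed server into a short cooldown, so a dead DC is not probed on every login. The server URIs, the `ConnectionError` class and the `bind` stand-in are all constructed for the illustration; a real implementation would pass a function that performs the actual LDAP bind and maps the client library's network errors to `ConnectionError`.

```javascript
'use strict';

// Only connection-level failures (host unreachable, timeout, reset) may move a
// request to the next server. A bind rejected with invalidCredentials is a
// definitive answer from a healthy DC and must be returned as-is; otherwise one
// wrong password is replayed against every DC and counts several times
// towards the account lockout threshold.
class ConnectionError extends Error {}

class LdapServerPool {
  // `uris` in the administrator's preferred order; `now` is injectable for tests.
  constructor(uris, { cooldownMs = 30000, now = () => Date.now() } = {}) {
    if (!Array.isArray(uris) || uris.length === 0) {
      throw new Error('at least one LDAP URI is required');
    }
    this.uris = [...uris];
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.preferred = 0;          // index of the server that answered last
    this.downUntil = new Map();  // uri -> time until which it is skipped
  }

  // Preferred server first, then the rest in configured order. Servers in
  // cooldown are skipped unless every server is in cooldown, in which case all
  // are tried so that an outage never outlasts the cooldown window.
  candidates() {
    const n = this.uris.length;
    const t = this.now();
    const all = [];
    for (let i = 0; i < n; i++) all.push((this.preferred + i) % n);
    const live = all.filter((i) => (this.downUntil.get(this.uris[i]) || 0) <= t);
    return live.length > 0 ? live : all;
  }

  // `attempt(uri)` performs one LDAP operation (for example a bind) against
  // `uri`, returning its result or throwing ConnectionError when the server
  // could not be reached. Returns { uri, result }; throws when every server fails.
  run(attempt) {
    const failures = [];
    for (const idx of this.candidates()) {
      const uri = this.uris[idx];
      try {
        const result = attempt(uri);
        this.preferred = idx;        // stick to the server that works
        this.downUntil.delete(uri);
        return { uri, result };
      } catch (err) {
        if (!(err instanceof ConnectionError)) throw err; // auth errors: no failover
        this.downUntil.set(uri, this.now() + this.cooldownMs);
        failures.push(`${uri}: ${err.message}`);
      }
    }
    throw new ConnectionError(`all LDAP servers failed: ${failures.join('; ')}`);
  }
}

// Constructed stand-in for the lab scenario: dc1 has its NIC disabled, dc2 is
// healthy. `calls` records which server each request was sent to.
function simulate() {
  const calls = [];
  const reachable = {
    'ldaps://dc1.example.test:636': false,
    'ldaps://dc2.example.test:636': true,
  };
  const bind = (uri) => {
    calls.push(uri);
    if (!reachable[uri]) throw new ConnectionError('ECONNREFUSED');
    return 'bound';
  };
  let clock = 0;
  const pool = new LdapServerPool(Object.keys(reachable), { cooldownMs: 1000, now: () => clock });
  const first = pool.run(bind);   // dc1 fails, dc2 answers and becomes preferred
  clock += 10;
  const second = pool.run(bind);  // dc1 is in cooldown and is not probed at all
  clock += 2000;                  // cooldown expired, dc1 back on the network
  reachable['ldaps://dc1.example.test:636'] = true;
  const third = pool.run(bind);   // dc2 is still tried first: it is the preferred server
  return { first: first.uri, second: second.uri, third: third.uri, calls };
}

console.log(JSON.stringify(simulate()));
```

The order of `calls` in `simulate()` is the point: dc1 is contacted exactly once, during the first login after it went away, and later logins go straight to dc2 until dc2 itself fails.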
-
@Davidj-0 Thanks for the admonition. I was more concerned about the single point of failure that seems to be inherent with the plugin only allowing a single LDAP/AD server to be specified. As I mentioned to @pdonias, most of our environments (and my lab) are set up with at least 2 domain controllers, which the Windows systems already leverage natively.
For the Linux systems we have, which are integrated into AD using SSSD, there are the DNS lookups that happen, which essentially protect against the kind of failure I experienced in the lab (where someone accidentally disabled the NIC on the DC that happened to be configured in the LDAP Plugin in XO). Even though the DC was still reachable over its management interface, authentication into XO was broken until I discovered it.
-
@kagbasi-ngc said in Using Multiple Servers in LDAP Plug-in:
@Davidj-0 Thanks for the admonition. I was more concerned about the single point of failure that seems to be inherent with the plugin only allowing a single LDAP/AD server to be specified. As I mentioned to @pdonias, most of our environments (and my lab) are set up with at least 2 domain controllers, which the Windows systems already leverage natively.
For the Linux systems we have, which are integrated into AD using SSSD, there are the DNS lookups that happen, which essentially protect against the kind of failure I experienced in the lab (where someone accidentally disabled the NIC on the DC that happened to be configured in the LDAP Plugin in XO). Even though the DC was still reachable over its management interface, authentication into XO was broken until I discovered it.
You can prepare failover clusters of Active Directory servers using the Windows Server Failover Cluster features. The cluster has its own FQDN, which can be used with the plugin. This will work under Linux and Windows alike. It is also more vanilla: no modifications to SSSD are required, and it will thus be included in the backups of settings on the appliance and in the account synchronisation feature of XOA.
https://learn.microsoft.com/en-us/windows-server/failover-clustering/configure-ad-accounts
https://learn.microsoft.com/en-us/windows-server/failover-clustering/create-failover-cluster?pivots=powershell
-
@john.c Thanks for the suggestion - I'm exploring this option.
-
@kagbasi-ngc said in Using Multiple Servers in LDAP Plug-in:
@john.c Thanks for the suggestion - I'm exploring this option.
Oh, I forgot a bit of follow-up. You can also do something similar with Linux, using the clustering software configured for failover together with a Samba server. The Samba server needs to be at minimum version 4.0; to be supported with updates, version 4.20 at minimum; and to guarantee a long period of support, either 4.21 or 4.22.
Though using the in-box Samba server from RHEL 9 is best, as it's supported by Red Hat and is version 4.15. You can also select another Linux distribution which is new enough to support at minimum the same version of Samba.
Then run the process of setting up the Samba Server as an Active Directory Domain Controller.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Also, with the Windows Server based solution, you can add more servers to the AD Failover Cluster as required. So effectively you could even have 3-5 AD domain controllers, instead of just 2 AD controllers for redundancy.