I have published a patch against nss_ldap 264 which adds the facility to
specify the site that a host should locate its ldap servers in.
This is bug #381 in the bugzilla. It adds the configuration item
'nss_srv_site <sitename>' to the application. With this set, the DNS
lookup will use the site servers only.
This is a simple approach to providing site location. I would propose
that a more general solution could/should be adopted but it requires
additional DNS records to suppress the need to do a search of a random
Active Directory to find the subnet information for the site. What I
would propose should be implemented would be the addition of TXT records
to the DNS that bind subnets to sites. These text records could be of
the following format.
<sitename>.subnets.<domain> IN TXT "192.168.0.0/24,192.168.10.0/24"
A lookup for the wildcard *.subnets.<domain> would give candidate sites
which could be filtered by IP address of the interfaces on the local host.
An alternative approach would be to use the reverse lookup for the
network to find the record, but this requires that the reverse zone is
available, which is often not the case. Here we could use records like
0.10.168.192.in-addr.arpa IN TXT "Subnet: 192.168.10.0/24" "Site: <sitename>"
where the address lookup is the network address. The Subnet text is a
check facility and is not really necessary but would allow a check that
the site layout is as expected.
Given these sorts of records, the lookup to locate the servers could use
the network interface addresses to find the sites in which to look up the
LDAP servers - I would even be willing to try to code something like this if
there is enough demand. The nice thing about this is that it would allow
a sites and service facility in the absence of an Active Directory!
Regards, Howard.
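As an added worked example (not part of Howard's message and not code from the nss_ldap patch), the following Python models the two record formats proposed above: it parses `<sitename>.subnets.<domain>` TXT records into subnet lists, filters them against the local interface addresses (ignoring loopback and link-local, preferring the most specific prefix), handles the reverse-zone variant including the optional "Subnet:" consistency check, and builds the per-site LDAP SRV owner names. All zone data is constructed inline; the enumeration of the `subnets.<domain>` names and the `_ldap._tcp.<site>._sites.<domain>` SRV name form (the Active Directory convention) are assumptions, since the post does not say how nss_ldap names the site-specific query.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed zone data standing in for DNS answers (not real records).
# Each owner name maps to a list of TXT RRs; each RR is a list of its strings.
SAMPLE_ZONE: Dict[str, List[List[str]]] = {
    "london.subnets.example.com": [["192.168.0.0/24,192.168.10.0/24"]],
    "paris.subnets.example.com":  [["10.1.0.0/16"]],
    "lyon.subnets.example.com":   [["10.1.5.0/24"]],   # carved out of paris's range
    # reverse-zone variant: the owner is the network address of the subnet
    "0.10.168.192.in-addr.arpa":  [["Subnet: 192.168.10.0/24", "Site: london"]],
    "0.5.1.10.in-addr.arpa":      [["Subnet: 10.1.5.0/24", "Site: lyon"]],
    "0.7.1.10.in-addr.arpa":      [["Subnet: 10.1.99.0/24", "Site: bogus"]],  # check field wrong
}


def txt_lookup(owner: str) -> List[List[str]]:
    """Stand-in for a DNS TXT query against the constructed zone."""
    return SAMPLE_ZONE.get(owner.lower().rstrip("."), [])


def subnet_records(domain: str) -> List[Tuple[str, List[List[str]]]]:
    """Stand-in for enumerating <site>.subnets.<domain> (assumed obtainable,
    e.g. via zone transfer). Returns (site, TXT RRs) pairs."""
    suffix = ".subnets." + domain.lower()
    return [(owner[: -len(suffix)], rrs)
            for owner, rrs in SAMPLE_ZONE.items() if owner.endswith(suffix)]


def parse_site_subnets(records) -> List[Tuple[str, ipaddress._BaseNetwork]]:
    """Parse '<site>.subnets.<domain> IN TXT "cidr,cidr"' answers into
    (site, network) pairs; malformed CIDRs are skipped rather than trusted."""
    out = []
    for site, rrs in records:
        for strings in rrs:
            for cidr in "".join(strings).split(","):
                cidr = cidr.strip()
                if not cidr:
                    continue
                try:
                    out.append((site, ipaddress.ip_network(cidr, strict=True)))
                except ValueError:
                    continue
    return out


def usable_local_addrs(addrs: Iterable[str]):
    """Drop loopback and link-local interfaces; they never identify a site."""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if not (ip.is_loopback or ip.is_link_local):
            yield ip


def candidate_sites(local_addrs: Iterable[str], site_subnets) -> List[str]:
    """Sites whose subnet contains a local address, most specific prefix
    first, each site listed once."""
    hits = []
    for ip in usable_local_addrs(local_addrs):
        for site, net in site_subnets:
            if ip.version == net.version and ip in net:
                hits.append((net.prefixlen, site))
    hits.sort(key=lambda h: -h[0])          # stable: longest prefix wins
    ordered: List[str] = []
    for _, site in hits:
        if site not in ordered:
            ordered.append(site)
    return ordered


def reverse_site_lookup(addr: str, prefixlen: int, lookup=txt_lookup) -> Optional[str]:
    """Reverse-zone variant: query the TXT record of the *network* address and
    use the optional 'Subnet:' string as a check on the site layout."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    owner = net.network_address.reverse_pointer   # e.g. 0.10.168.192.in-addr.arpa
    for strings in lookup(owner):
        fields = {}
        for s in strings:
            key, sep, value = s.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        subnet = fields.get("subnet")
        if subnet and ipaddress.ip_network(subnet, strict=False) != net:
            return None                           # record does not describe our subnet
        if fields.get("site"):
            return fields["site"]
    return None


def site_srv_name(site: str, domain: str) -> str:
    """Assumed per-site SRV owner name (Active Directory convention)."""
    return f"_ldap._tcp.{site}._sites.{domain}"


def locate_site_srv_names(local_addrs: Iterable[str], domain: str, records=None) -> List[str]:
    """End-to-end: interface addresses -> candidate sites -> SRV names to query."""
    recs = subnet_records(domain) if records is None else records
    sites = candidate_sites(local_addrs, parse_site_subnets(recs))
    return [site_srv_name(s, domain) for s in sites]


if __name__ == "__main__":
    print(locate_site_srv_names(["127.0.0.1", "10.1.5.23", "192.168.10.7"], "example.com"))
    print(reverse_site_lookup("10.1.5.23", 24))   # lyon
    print(reverse_site_lookup("10.1.7.9", 24))    # None: Subnet check fails
```

Note that, without DNSSEC, both record forms are as trustworthy as any other unsigned DNS answer: whoever can spoof the TXT reply chooses the site, and hence which SRV names (and servers) the host contacts, so the LDAP connection itself still needs TLS with server verification.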