C:\Users\myuser1>nslookup
Default Server:  ns-xxx.xxxx.com
Address:  1xx.xx.x.x

> set type=all
> _ldap._tcp
Server:  ns-xxx.xxxx.com
Address:  1xx.xx.x.x

Non-authoritative answer:
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV82.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV61.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV62.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV41.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV42.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV43.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV44.Tech.xyz.com
.
.
.
.

This command was executed on my Windows PC, which is a domain user of the domain whose LDAP server I am trying to find.

Are those servers (SRV82, SRV61, ...) replicants/clones? So are they all LDAP servers?

If that's the case, there must be a server (a primary server) with a different domain name that randomly load-balances the LDAP requests over these guys?! I don't know if there is a particular command for finding that as well.

Dave M
Arthas
    DNS doesn't tell us whether these servers are clones or not. They could even be a single server with several IP addresses (I don't know if that would make sense). However, these are the LDAP addresses in your organisation, and they all have the same priority and weight. This means that LDAP clients are given no clue which server they should prefer, and probably round-robin through them. There is no primary server that performs load balancing; it is the client that selects the server. See also https://ldap.com/dns-srv-records-for-ldap (this is where I have my information from). – berndbausch Apr 20 '21 at 06:10
  • I am trying to integrate LDAP for our Cisco VPN service. My question is: can't I use this domain _ldap._tcp.Tech.xyz.com to authenticate users against, by any chance, instead of SRV44.Tech.xyz.com or SRV43.Tech.xyz.com, so that _ldap._tcp.Tech.xyz.com will do the round-robin for me? – Arthas Apr 20 '21 at 07:50
  • `_ldap._tcp.Tech.xyz.com` is not a domain name that resolves to an IP address. I guess you need an LDAP client that performs the translation. – berndbausch Apr 20 '21 at 08:01
  • Well, I have the LDAP client: my firewall, which I am trying to integrate LDAP authentication with instead of using its local DB. I just didn't want to include every single LDAP server we have, and I thought there was an obvious different way before I ask our IT sysadmin to give me the Base DN, Login DN and password. It seems there is none. – Arthas Apr 20 '21 at 08:04
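
The client-side selection berndbausch describes in the comments, as an added example (not code from the question or from ldap.com): it parses nslookup's "SRV service location" output and orders the records the way RFC 2782 tells a client to, so a firewall or VPN appliance that does this needs no "primary" server in front of the domain controllers. The sample text is constructed in the question's format with two of its hosts plus a hypothetical priority-10 backup host.

```python
import random
import re
from collections import defaultdict

# Constructed sample in nslookup's format: two hosts from the question plus a hypothetical priority-10 backup.
NSLOOKUP_OUTPUT = """\
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV82.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = SRV61.Tech.xyz.com
_ldap._tcp.Tech.xyz.com   SRV service location:
          priority       = 10
          weight         = 0
          port           = 389
          svr hostname   = BACKUP.Tech.xyz.com
"""

def parse_nslookup_srv(text):
    """Turn each of nslookup's 'SRV service location' blocks into (priority, weight, port, host)."""
    records = []
    for block in re.split(r"^\S+\s+SRV service location:\s*$", text, flags=re.M)[1:]:
        f = dict(re.findall(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", block, flags=re.M))
        records.append((int(f["priority"]), int(f["weight"]), int(f["port"]), f["svr hostname"]))
    return records

def order_srv(records, rng=random):
    """RFC 2782 client-side selection: lowest priority first; within one priority,
    a weighted random draw without replacement (equal weights => even spread)."""
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r[1] != 0)  # weight-0 entries first
        while pool:
            target = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= target:  # first record whose running sum reaches the draw
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered
```

Calling order_srv repeatedly on the parsed records shows the two equal-weight hosts taking turns as the first target while the priority-10 host is always tried last.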
