I have a Linux system that is using Active Directory (2012) for LDAP lookups of users and groups. It's in a network that is connected to our main site by VPN.

When the VPN goes down, all LDAP queries start failing. By running `ss` in a loop while removing this connection, I was able to see that the Linux host is trying to make connections to AD servers that are not specified anywhere in `ldap.conf`.

Does anyone know what would be causing this to happen, and how it can be prevented?

Alex G
    What are you using for DNS? Where are the other AD servers it is trying to connect to? It could be getting SRV records from DNS and trying to connect to those. – Christopher Jul 10 '15 at 02:19
  • How is your linux system configured? `nss-pam-ldapd` `sssd` `samba`? – 84104 Jul 11 '15 at 02:04
  • @Christopher - there are no SRV records for the subdomain or top-level domain this server resides in. @84104 - sss and winbind are not installed; libnss is using files and ldap as sources. – anotheral Jul 11 '15 at 05:51
  • @Christopher may be on to something. If one of the servers listed in `ldap.conf` is something along the lines of `ldap.example.com`, and that name can be resolved to an IP through DNS over the VPN, and the VPN suddenly stops working, it would be reasonable to assume that it would no longer be possible for a local system to resolve the name of `ldap.example.com`. – Matt Jul 16 '15 at 17:39

1 Answer

https://technet.microsoft.com/en-us/library/Cc755809(v=WS.10).aspx#w2k3tr_adsrh_how_lhjt

Scroll down to LDAP Referrals

"When a requested object exists in the directory but is not present on the contacted domain controller, resolution of the object name depends on information that is stored on that domain controller about how the directory is partitioned. In a partitioned directory, by definition, the entire directory is not always available on any one domain controller."

Alex G
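The referral mechanism the answer points to is what produces connections to servers that are not in `ldap.conf`: a subtree search at the domain root returns referrals to the other naming contexts, and the hosts in those referral URIs are DNS names such as `ForestDnsZones.example.com` or the domain name itself, which resolve to whichever domain controllers hold that partition. OpenLDAP's libldap chases referrals by default, so the client opens those connections on its own. The script below is an added example, not part of the thread; it works from a constructed `ldapsearch` output and constructed `ldap.conf` contents (hostnames `dc1.example.com`, `dc2.example.com` and the `example.com` domain are assumptions) to list the hosts a referral-chasing client would contact beyond the configured ones, and to check whether an `ldap.conf` has `REFERRALS off`.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces from constructed data
# how AD referrals make a libldap client contact servers absent from ldap.conf.
# All hostnames and file contents below are constructed for the example.

# Constructed sample of what ldapsearch prints for a subtree search at the
# domain root. ldapsearch does not chase referrals by default (it prints them
# as "ref:" lines; -C would follow them), which is how they become visible:
#   ldapsearch -H ldap://dc1.example.com -b dc=example,dc=com '(sAMAccountName=alice)'
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com
'

# Weak ldap.conf: no REFERRALS directive, so libldap chases referrals (the default).
LDAP_CONF_WEAK='BASE dc=example,dc=com
URI ldap://dc1.example.com ldap://dc2.example.com
'

# Fixed ldap.conf: chasing disabled, so only the URI hosts are ever contacted.
LDAP_CONF_FIXED='BASE dc=example,dc=com
URI ldap://dc1.example.com ldap://dc2.example.com
REFERRALS off
'

# Hostnames named by "ref:" lines, one per line, deduplicated.
referral_hosts() {
    printf '%s\n' "$1" \
        | sed -n 's|^ref: ldaps\{0,1\}://\([^/:]*\).*|\1|p' \
        | LC_ALL=C sort -u
}

# Hostnames listed on URI lines of an ldap.conf.
configured_hosts() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*URI[[:space:]]\{1,\}//p' \
        | tr ' ' '\n' \
        | sed -n 's|^ldaps\{0,1\}://\([^/:]*\).*|\1|p' \
        | LC_ALL=C sort -u
}

# Succeeds only if the ldap.conf text turns referral chasing off.
referrals_off() {
    printf '%s\n' "$1" \
        | grep -Eiq '^[[:space:]]*REFERRALS[[:space:]]+(off|false|no)[[:space:]]*$'
}

# Hosts a referral-chasing client would contact that are not in ldap.conf:
# the connections the asker saw with ss. Prints nothing when chasing is off.
unexpected_hosts() {
    ldif=$1
    conf=$2
    if referrals_off "$conf"; then
        return 0
    fi
    configured=$(configured_hosts "$conf")
    referral_hosts "$ldif" | while IFS= read -r host; do
        printf '%s\n' "$configured" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# Demonstration when run directly.
printf 'Extra hosts contacted with the weak ldap.conf:\n'
unexpected_hosts "$SAMPLE_LDIF" "$LDAP_CONF_WEAK"
printf 'Extra hosts contacted with REFERRALS off:\n'
unexpected_hosts "$SAMPLE_LDIF" "$LDAP_CONF_FIXED"
```

`REFERRALS off` is read by libldap from `ldap.conf`, which covers `ldapsearch` and the PADL `nss_ldap`/`pam_ldap` modules; `nslcd` has its own `referrals no` option in `nslcd.conf`. With chasing disabled the search still returns the user and group entries held on the contacted DC, which is all an NSS lookup needs. An alternative that avoids partition referrals altogether is to query the Global Catalog on port 3268, since it holds a partial replica of every partition in the forest.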