views:

133

answers:

1

Our developers use Java on Linux for various things (like checking membership of groups etc.). It works - no problem with that! I'm not a developer, so bear with me.

The problem is that they have hardcoded the servernames of our Domain Controllers (LDAP-servers) in their code. So now when we need to replace them with newer DCs, they need to change the code.

Active Directory by nature is redundant. The domain name (example: domain.local) is a round-robin of all the DCs available for our AD.

Is there any way for the developer to NOT specify Domain Controller server names but simply the Active Directory domain name, and then their Linux server will find the DCs available and use whichever one is up and running?

Examples/links appreciated. Thanks!

+2  A: 

Obviously, the server name should at least be configurable, not hard coded into the application.

However, you should be able to find the server by looking up a special DNS record, namely a SRV record for _ldap._tcp.DOMAINNAME. The Linux servers have to be configured to use the same DNS server as your AD updates.

To determine whether this is feasible, run the command host -t srv _ldap._tcp.DOMAINNAME on your Linux server.

See also http://stackoverflow.com/questions/738750/querying-the-dns-service-records-to-find-the-hostname-and-tcp-ip, which provides some info on how to look up SRV records in Java, and http://weblogs.java.net/blog/2008/06/12/more-active-directory-integration-java

nos
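The SRV lookup described in the answer, written out as an added example in Java (not code from the question, the answer or the linked posts). It uses the JDK's built-in JNDI DNS provider (com.sun.jndi.dns.DnsContextFactory) to resolve _ldap._tcp.<domain>, orders the targets by SRV priority and weight, and then tries each Domain Controller in turn until one accepts an LDAP bind, so the application only needs the domain name in its configuration. The class name DcLocator, the method names, the example domain domain.local and the bind DN/password arguments are assumptions for illustration; the DNS answer format ("priority weight port target.") is what the JNDI DNS provider returns.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Hypothetical helper: locate Domain Controllers via DNS SRV instead of hard-coded host names. */
public final class DcLocator {

    /** One SRV target: lower priority is tried first; higher weight is preferred within a priority. */
    public static final class SrvRecord {
        public final int priority, weight, port;
        public final String host;

        SrvRecord(int priority, int weight, int port, String host) {
            this.priority = priority; this.weight = weight; this.port = port; this.host = host;
        }
    }

    /** Parse one SRV rdata string, e.g. "0 100 389 dc1.domain.local.", as returned by the JNDI DNS provider. */
    public static SrvRecord parseSrv(String rdata) {
        String[] f = rdata.trim().split("\\s+");
        if (f.length != 4) throw new IllegalArgumentException("not an SRV record: " + rdata);
        String host = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3]; // drop trailing root dot
        return new SrvRecord(Integer.parseInt(f[0]), Integer.parseInt(f[1]), Integer.parseInt(f[2]), host);
    }

    /** Query _ldap._tcp.<domain> and return the DCs sorted by priority (ascending) then weight (descending). */
    public static List<SrvRecord> lookupDomainControllers(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        // "dns:" uses the host resolver (/etc/resolv.conf); use e.g. "dns://10.0.0.1" to force the AD DNS server.
        env.put(Context.PROVIDER_URL, "dns:");
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes("_ldap._tcp." + domain, new String[] {"SRV"});
            Attribute srv = attrs.get("SRV");
            List<SrvRecord> out = new ArrayList<>();
            if (srv == null) return out; // no SRV records: not an AD domain, or wrong DNS server
            for (int i = 0; i < srv.size(); i++) out.add(parseSrv((String) srv.get(i)));
            // Simplification: RFC 2782 asks for weighted random selection within a priority; we just sort by weight.
            out.sort(Comparator.comparingInt((SrvRecord r) -> r.priority)
                               .thenComparingInt(r -> -r.weight));
            return out;
        } finally {
            ctx.close();
        }
    }

    /**
     * Try each DC in SRV order and return the first LDAP context that binds.
     * A DC that is down or unreachable just falls through to the next one.
     */
    public static LdapContext connect(String domain, String bindDn, String password) throws NamingException {
        NamingException last = null;
        for (SrvRecord dc : lookupDomainControllers(domain)) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://" + dc.host + ":" + dc.port);
            env.put("com.sun.jndi.ldap.connect.timeout", "3000"); // ms; do not hang on a dead DC
            // Simple bind over plain LDAP sends the password in clear; in production use StartTLS,
            // ldaps://host:636, or GSSAPI (Kerberos) instead.
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
            try {
                return new InitialLdapContext(env, null);
            } catch (NamingException e) {
                last = e; // remember the failure, try the next SRV target
            }
        }
        throw last != null ? last : new NamingException("no SRV records for _ldap._tcp." + domain);
    }

    public static void main(String[] args) throws NamingException {
        String domain = args.length > 0 ? args[0] : "domain.local"; // assumed example domain
        for (SrvRecord dc : lookupDomainControllers(domain)) {
            System.out.println(dc.priority + " " + dc.weight + " " + dc.host + ":" + dc.port);
        }
    }
}
```

Running the class prints the same targets that host -t srv _ldap._tcp.domain.local shows, in the order the code will try them, which is a quick way to confirm the Linux box is using the AD DNS servers before wiring the lookup into the membership checks. Because the list is re-resolved on every call, retiring a DC is then a DNS change on the AD side rather than a code change.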