How to NAT with eDirectory


As we know, the eDirectory replication process does not support NAT. The reason is simple: the IP address of each server that forms the replica ring is stored in the "networkAddress" attribute. Its value cannot change depending on which server, or which NAT device, is looking at it (as happens when the servers sit in different geographical sites).

Fortunately, there is a way to have an eDirectory ring up and running that is formed by servers located in different geographical sites on different subnets. But we need the networking team's help. No extra eDirectory configuration is needed; everything is done by the network devices (firewalls and routers).

Hint: In order to get this configuration up and running, you need a secure channel - provided by a telecommunications service provider - that bridges the different sites. Do not try to implement this solution over an insecure channel (like the internet), because it involves information security risks.

Let's say that we have 2 different servers with the following specifications:

Server: server_1
Site: wonderland
IP Address:

Server: server_2
Site: Middle earth
IP Address:

What we need to do is basically ask the networking team to perform a two-step NAT configuration between the firewall devices. In this scenario we have the following:

Site: wonderland
Network Device 1: Firewall 1
Network Device 2: Border Firewall

Site: Middle earth
Network Device 1: Border Firewall

The following diagram illustrates how the TCP/IP header is rewritten during the packet flow: there are two NAT steps on the source IP and two NAT steps on the destination IP, so all requests and responses appear to come from a known networkAddress.


How to test the configuration:

In order to test that the servers are reachable by their real IP addresses, you can use the tcpdump and netcat UNIX commands.

Destination server

server_2# sudo /usr/sbin/tcpdump -v -v -i eth1 -n port 524 and host

Source server

server_1# sudo /bin/netcat -nvz 524

What you should expect is a proper TCP three-way handshake. Then you can continue adding the servers to the replica ring.
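Added here as an example, not part of the original article: a small Python check that reads the tcpdump -n output captured on the destination server and confirms that the three-way handshake to port 524 happened between the real (networkAddress) addresses rather than a NAT device's address. The addresses in the constructed sample captures are assumed values from documentation ranges, since the article omits its real ones.

```python
import re

NCP_PORT = 524  # eDirectory replication (NCP) listens here

# Matches the "src.port > dst.port: Flags [X]" part that tcpdump -n prints
# (with -v/-vv it sits on the second line of each packet; the match still works).
_PKT = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                  r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def check_handshake(lines, client_ip: str, server_ip: str,
                    port: int = NCP_PORT) -> str:
    """Classify the first connection attempt to server_ip:port seen in tcpdump output.
    'ok'          SYN, SYN-ACK and ACK seen between exactly the expected addresses
    'refused'     server answered the SYN with RST (nothing listening, or filtered)
    'unexpected:<src>><dst>'  SYN came from / went to another address (a NAT step is missing)
    'incomplete'  capture ended before the handshake finished"""
    state = 0  # 0 waiting for SYN, 1 saw SYN, 2 saw SYN-ACK
    for line in lines:
        m = _PKT.search(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == port and "S" in flags and "." not in flags:      # SYN
            if src != client_ip or dst != server_ip:
                return f"unexpected:{src}>{dst}"
            state = 1
        elif state == 1 and sport == port and src == server_ip and dst == client_ip:
            if "R" in flags:                                          # RST
                return "refused"
            if "S" in flags and "." in flags:                         # SYN-ACK
                state = 2
        elif state == 2 and dport == port and src == client_ip and dst == server_ip and flags == ".":
            return "ok"                                               # final ACK
    return "incomplete"

# Constructed samples (addresses from RFC 5737 documentation ranges, not the
# article's). GOOD: server_2 sees the SYN arrive from server_1's real address.
GOOD_CAPTURE = """\
10:00:00.000001 IP 192.0.2.10.45678 > 198.51.100.20.524: Flags [S], seq 100, win 64240, length 0
10:00:00.000200 IP 198.51.100.20.524 > 192.0.2.10.45678: Flags [S.], seq 300, ack 101, win 65535, length 0
10:00:00.000400 IP 192.0.2.10.45678 > 198.51.100.20.524: Flags [.], ack 301, win 64240, length 0
"""
# BAD: one NAT step is missing, so the border firewall's address shows up instead.
BAD_CAPTURE = """\
10:00:00.000001 IP 203.0.113.1.45678 > 198.51.100.20.524: Flags [S], seq 100, win 64240, length 0
10:00:00.000200 IP 198.51.100.20.524 > 203.0.113.1.45678: Flags [S.], seq 300, ack 101, win 65535, length 0
"""
```

Run it on both servers (swapping client and server addresses) so that the address each side records in networkAddress is the one the other side actually sees.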

This configuration has been tested with eDirectory 8.8 SP6 on SUSE Linux Enterprise 11 SP1 and is running in a production environment made up of 7 servers spread across 2 geographical data centers.

