I have three locations with an OD Master in our primary location and OD Replicas in each off-site location. I've always bound clients to our OD Master because the Open Directory Admin documentation says:
"The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica."
However, will the clients pick the nearest replica in general (for faster responses) or only in the event of a failure of the OD Master?
We recently had an employee bind some clients in the 3rd location to the local OD Replica. When that server went down (Snow Leopard Server), the local workstations (Snow Leopard) had auth issues, so does the plug-in not look up the replica tree, but only down?
I think, back in the 10.3 or 10.4 days, one could bind a client to both the OD Master and the OD Replica and then set the preferred search order, but I have a vague recollection that clients (in 10.5 maybe) would complain if they were already bound to a server in the same replica tree. Am I remembering correctly, or would that be the correct way to configure clients in our other locations?
The 2nd & 3rd locations are over point-to-point T1s and VPNs, so I'd really like to have our Open Directory setup correct and optimized.
A client should be able to use any replica (or the master) in the tree, no matter which it was explicitly bound to. Generally, they'll prefer the one they were bound to, and if that's not available they'll try the others in the order they were added to the tree (i.e. master first, then the first replica that was created off it, etc) and use the first one that responds. Note that the replica "tree" has to do with how updates propagate between servers, not with the client failover process.
Because of all of this, the standard recommendation is to bind each client to the nearest server (whether it's the master or a replica), just as your employee did. I'm not sure why the failover didn't work properly...
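As an added illustration (not code from either poster, and not Apple's LDAPv3 plug-in, whose exact algorithm is not documented in this thread), the following Python models the failover order the answer describes: try the server the client was bound to first, then the remaining servers in the order they were added to the replica tree, and use the first one that responds. It also includes a small latency probe so a site over a T1 or VPN can measure how far each candidate really is; the hostnames, the plain-LDAP port 389 and the 2-second timeout are assumptions for the example.

```python
"""Model of Open Directory client failover order plus a reachability/latency probe.

Added example; it does not reproduce Apple's LDAPv3 plug-in, only the order
described in the answer above. Hostnames and ports are assumptions.
"""
import socket
import time
from typing import Callable, Iterable, List, Optional, Tuple

LDAP_PORT = 389  # assumption: plain LDAP; Open Directory can also serve LDAPS on 636


def tcp_probe(host: str, port: int = LDAP_PORT, timeout: float = 2.0) -> Optional[float]:
    """Return the TCP connect time in seconds, or None if the host does not answer.

    A bare TCP connect is a cheap proxy for 'this LDAP server is up and how far
    away it is'; it does not verify that the directory itself is healthy.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def failover_order(bound: str, tree_order: Iterable[str]) -> List[str]:
    """Candidate list as the answer describes it.

    The server the client was bound to comes first; the rest follow in the
    order they were added to the replica tree (master, then first replica, ...).
    """
    order = [bound]
    for server in tree_order:
        if server != bound:
            order.append(server)
    return order


def select_server(
    bound: str,
    tree_order: Iterable[str],
    probe: Callable[[str], Optional[float]] = tcp_probe,
) -> Optional[Tuple[str, float]]:
    """Walk the candidates and return (host, rtt) for the first one that responds."""
    for server in failover_order(bound, tree_order):
        rtt = probe(server)
        if rtt is not None:
            return server, rtt
    return None  # every server in the tree is unreachable from this client


def rank_by_latency(
    servers: Iterable[str],
    probe: Callable[[str], Optional[float]] = tcp_probe,
) -> List[Tuple[str, float]]:
    """Reachable servers sorted fastest first; useful for choosing what to bind a site to."""
    results = [(s, probe(s)) for s in servers]
    reachable = [(s, rtt) for s, rtt in results if rtt is not None]
    return sorted(reachable, key=lambda item: item[1])


if __name__ == "__main__":
    # Assumed tree order for the three-site setup in the question:
    # master first, then the replicas in the order they were created.
    tree = ["od-master.example.com", "od-replica-2.example.com", "od-replica-3.example.com"]
    print("failover order for a site-3 client:", failover_order(tree[2], tree))
    print("latency ranking:", rank_by_latency(tree))
```

Running it against real hostnames from a remote site shows both which servers that site can reach and which is actually closest, which is the information you want before deciding whether to bind those clients to the local replica or to the master.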