
Paul Heinlein 03-19-2009 11:19 PM

pam_ldap and nss_ldap failover
 
I'm (finally) getting around to putting a backup LDAP authentication
server on my network. The backup uses syncrepl to grab the database,
and to my eyes both LDAP servers answer read queries identically.

I'm testing the client side of this configuration on a virtual CentOS 5
i386 machine. /etc/ldap.conf reads

----- %< -----
base dc=DOMAIN,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 300
nss_initgroups_ignoreusers root,ldap,named,[... trimmed ...]
uri ldap://ldap1.DOMAIN.com ldap://ldap2.DOMAIN.com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
----- %< -----

The client will bind to whichever server is listed first after the
'uri' directive. In the config snippet, it's 'ldap1' -- but it works
the other way too.

If the first-listed server goes away, the client never seems to try to
find or bind to the second-listed server (where "never" == my
patience limit of about an hour). Once the first-listed server goes
away, all password authentication fails, though getent passwd and
getent group still work (presumably because of nscd).

Has anyone else experienced this or, more importantly, figured out a
way to get failover to work in a reasonable timeframe?

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Jeff 03-20-2009 01:50 AM

pam_ldap and nss_ldap failover
 
On Thu, Mar 19, 2009 at 7:19 PM, Paul Heinlein <heinlein@madboa.com> wrote:
> I'm (finally) getting around to putting a backup LDAP authentication
> server on my network. The backup uses syncrepl to grab the database,
> and to my eyes both LDAP servers answer read queries identically.
>
> I'm testing the client side of this configuration on a virtual CentOS 5
> i386 machine. /etc/ldap.conf reads
>
> ----- %< -----
> base dc=DOMAIN,dc=com
> timelimit 30
> bind_timelimit 30
> idle_timelimit 300
> nss_initgroups_ignoreusers root,ldap,named,[... trimmed ...]
> uri ldap://ldap1.DOMAIN.com ldap://ldap2.DOMAIN.com
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> ----- %< -----
>
> The client will bind to whichever server is listed first after the
> 'uri' directive. In the config snippet, it's 'ldap1' -- but it works
> the other way too.
>
> If the first-listed server goes away, the client never seems to try to
> find or bind to the second-listed server (where "never" == my
> patience limit of about an hour). Once the first-listed server goes
> away, all password authentication fails, though getent passwd and
> getent group still work (presumably because of nscd).
>
> Has anyone else experienced this or, more importantly, figured out a
> way to get failover to work in a reasonable timeframe?

I recall that nss_ldap prior to CentOS 4.6 had trouble with this. We
are on 4.7 and use the 'host' and 'port' options in our ldap.conf. It
works as advertised.

host ldap1.example.com ldap2.example.com
port 389
...

As for the URI directive, perhaps it works the same as it does in
Apache mod_auth_ldap, where you use the rather strange syntax of:

AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/OU=example,DC=example,DC=com"

Note the space between hostnames.

The man pages are rather vague on the exact syntax for multiple hosts.

Good luck,

--
Jeff
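Before trusting either form of server list, an administrator would want to confirm that every server named in ldap.conf is actually reachable from the client and to see how long a dead one takes to fail, since a host that silently drops packets only errors out after the full connect timeout. The script below is an added example, not code from this thread or from nss_ldap/pam_ldap. It parses both forms discussed above (the 'uri' list from the original post and the 'host'/'port' pair from the reply) out of constructed config snippets, reads 'bind_timelimit' as the wait budget, and does a plain TCP connect per server with a hard timeout. The hostnames and config text are placeholders; nothing is read from /etc/ldap.conf unless you uncomment the last line. Using bind_timelimit as the probe timeout is this example's own choice, not a documented behaviour of the client libraries.

```python
import socket
import time

# Constructed sample ldap.conf fragments (not copied from any real host).
# The first uses the 'uri' form, the second the 'host'/'port' form.
SAMPLE_URI_CONF = """\
base dc=DOMAIN,dc=com
bind_timelimit 30
uri ldap://ldap1.DOMAIN.com ldap://ldap2.DOMAIN.com
ssl start_tls
"""

SAMPLE_HOST_CONF = """\
base dc=example,dc=com
host ldap1.example.com ldap2.example.com
port 389
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def _directives(conf_text):
    """Yield (key, value) pairs, skipping blank lines and comments."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        yield key.lower(), value.strip()


def parse_servers(conf_text):
    """Return an ordered list of (scheme, host, port) for every server named
    in an ldap.conf body, from 'uri' entries and/or 'host' + 'port'.
    Order is preserved because the client tries servers in the order listed."""
    uris, hosts, port = [], [], 389
    for key, value in _directives(conf_text):
        if key == "uri":
            uris.extend(value.split())
        elif key == "host":
            hosts.extend(value.split())
        elif key == "port":
            port = int(value)
    servers = []
    for uri in uris:
        scheme, _, rest = uri.partition("://")
        scheme = scheme.lower()
        hostport = rest.split("/", 1)[0]          # drop any trailing path/DN
        host, _, explicit = hostport.partition(":")
        chosen = int(explicit) if explicit else DEFAULT_PORTS.get(scheme, 389)
        servers.append((scheme, host, chosen))
    for host in hosts:
        servers.append(("ldap", host, port))
    return servers


def bind_timelimit(conf_text, default=30):
    """Read 'bind_timelimit' (seconds) from the config, else return default."""
    for key, value in _directives(conf_text):
        if key == "bind_timelimit":
            return int(value)
    return default


def probe(host, port, timeout=5.0):
    """Plain TCP connect with a hard timeout. Returns (status, seconds) where
    status is 'open', 'refused', 'timeout' or 'error' (e.g. DNS failure).
    A host that silently drops packets is reported as 'timeout' only after
    the full wait, which is the case that makes a client appear to hang."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start
    except OSError:
        return "error", time.monotonic() - start


def check_all(conf_text):
    """Probe every configured server, using bind_timelimit as the wait budget."""
    limit = bind_timelimit(conf_text)
    return [(host, port) + probe(host, port, timeout=limit)
            for _, host, port in parse_servers(conf_text)]


def demo_local_probe():
    """Offline self-check: probe a loopback listener (open), close it and
    probe the same port again (refused). Returns the two status strings."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    up = probe("127.0.0.1", port, timeout=2.0)[0]
    listener.close()
    down = probe("127.0.0.1", port, timeout=2.0)[0]
    return up, down


if __name__ == "__main__":
    print("uri form :", parse_servers(SAMPLE_URI_CONF))
    print("host form:", parse_servers(SAMPLE_HOST_CONF))
    print("loopback :", demo_local_probe())
    # Uncomment to probe the real client config on this machine:
    # print(check_all(open("/etc/ldap.conf").read()))
```

Run it as-is to see the two parsed server lists and the loopback open/refused pair; point check_all at a real ldap.conf to get, per server, the status and the number of seconds the connect took. A 'timeout' result that lasts the whole bind_timelimit is the symptom to look for when a client seems never to move on to the second server, and a TCP probe only tells you the port answers, not that the directory replica is current.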

Paul Heinlein 03-20-2009 04:34 PM

pam_ldap and nss_ldap failover
 
On Thu, 19 Mar 2009, Jeff wrote:

>> Has anyone else experienced this or, more importantly, figured out
>> a way to get failover to work in a reasonable timeframe?
>
> I recall that nss_ldap prior to CentOS 4.6 had trouble with this. We
> are on 4.7 and use the 'host' and 'port' options in our ldap.conf.
> It works as advertised.
>
> host ldap1.example.com ldap2.example.com
> port 389
> ...

That did the trick. Thanks a bunch!

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
