03-19-2009, 11:19 PM
Paul Heinlein

pam_ldap and nss_ldap failover

I'm (finally) getting around to putting a backup LDAP authentication
server on my network. The backup uses syncrepl to grab the database,
and to my eyes both LDAP servers answer read queries identically.

I'm testing the client side of this configuration on a virtual CentOS 5
i386 machine. /etc/ldap.conf reads

----- %< -----
base dc=DOMAIN,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 300
nss_initgroups_ignoreusers root,ldap,named,[... trimmed ...]
uri ldap://ldap1.DOMAIN.com ldap://ldap2.DOMAIN.com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
----- %< -----

The client will bind to whichever server is listed first after the
'uri' directive. In the config snippet, it's 'ldap1' -- but it works
the other way too.

If the first-listed server goes away, the client never seems to try to
find or bind to the second-listed server (where "never" == my
patience limit of about an hour). Once the first-listed server goes
away, all password authentication fails, though getent passwd and
getent group still work (presumably because of nscd).

Has anyone else experienced this or, more importantly, figured out a
way to get failover to work in a reasonable timeframe?

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
03-20-2009, 01:50 AM
Jeff

pam_ldap and nss_ldap failover

On Thu, Mar 19, 2009 at 7:19 PM, Paul Heinlein <heinlein@madboa.com> wrote:
> I'm (finally) getting around to putting a backup LDAP authentication
> server on my network. The backup uses syncrepl to grab the database,
> and to my eyes both LDAP servers answer read queries identically.
>
> I'm testing the client side of this configuration on a virtual CentOS 5
> i386 machine. /etc/ldap.conf reads
>
> ----- %< -----
> base dc=DOMAIN,dc=com
> timelimit 30
> bind_timelimit 30
> idle_timelimit 300
> nss_initgroups_ignoreusers root,ldap,named,[... trimmed ...]
> uri ldap://ldap1.DOMAIN.com ldap://ldap2.DOMAIN.com
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> ----- %< -----
>
> The client will bind to whichever server is listed first after the
> 'uri' directive. In the config snippet, it's 'ldap1' -- but it works
> the other way too.
>
> If the first-listed server goes away, the client never seems to try to
> find or bind to the second-listed server (where "never" == my
> patience limit of about an hour). Once the first-listed server goes
> away, all password authentication fails, though getent passwd and
> getent group still work (presumably because of nscd).
>
> Has anyone else experienced this or, more importantly, figured out a
> way to get failover to work in a reasonable timeframe?

I recall that nss_ldap prior to CentOS 4.6 had trouble with this. We
are on 4.7 and use the 'host' and 'port' options in our ldap.conf.
It works as advertised.

host ldap1.example.com ldap2.example.com
port 389
...

As for the URI directive, perhaps it works the same as it does in
Apache mod_auth_ldap, where you use the rather strange syntax of:

AuthLDAPURL "ldap://ldap1.example.com
ldap2.example.com/OU=example,DC=example,DC=com"

Note the space between hostnames.

The man pages are rather vague on the exact syntax for multiple hosts.

Good luck,

--
Jeff
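Both forms of ldap.conf seen in this thread, the 'uri' list from the original post and the 'host'/'port' form from the reply above, name more than one server, but only one of them actually failed over for the poster. The following added script (not from the thread or from nss_ldap) parses an ldap.conf and reports the effective server list and per-bind timeout, so an administrator can confirm a client has a second server configured before relying on it; the sample configs and hostnames are constructed, and the default bind_timelimit of 30 s is an assumption taken from the nss_ldap man page.

```python
"""Report the LDAP servers an nss_ldap/pam_ldap client can fail over to."""

# Constructed sample configs modelled on the two snippets in the thread.
SAMPLE_URI_CONF = """\
base dc=DOMAIN,dc=com
timelimit 30
bind_timelimit 30
uri ldap://ldap1.DOMAIN.com ldap://ldap2.DOMAIN.com
ssl start_tls
"""
SAMPLE_HOST_CONF = """\
# host/port form, as used in the reply
host ldap1.example.com ldap2.example.com
port 389
ssl start_tls
"""


def parse_ldap_conf(text):
    """Return {keyword: [values...]} for each non-comment 'keyword value...' line.
    ldap.conf keywords are case-insensitive, so they are lowercased here."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *vals = line.split()
        conf[key.lower()] = vals
    return conf


def server_list(conf):
    """Expand the configured servers into a list of ldap:// URIs.
    'uri' already holds full URIs; 'host' lists hostnames sharing one 'port'."""
    if "uri" in conf:
        return list(conf["uri"])
    port = conf.get("port", ["389"])[0]  # 389 is the LDAP default port
    return ["ldap://%s:%s" % (h, port) for h in conf.get("host", [])]


def failover_report(text):
    """Summarise how many servers the client will try and how long each bind may take."""
    conf = parse_ldap_conf(text)
    servers = server_list(conf)
    return {
        "servers": servers,
        "bind_timelimit": int(conf.get("bind_timelimit", ["30"])[0]),  # assumed default
        "start_tls": conf.get("ssl", [""])[0] == "start_tls",
        "has_failover": len(servers) > 1,
    }
```

A client whose report shows `has_failover` False has nothing to fall back on; with two servers, `bind_timelimit` bounds how long each failed bind attempt can stall a login before the next server is tried.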
 
03-20-2009, 04:34 PM
Paul Heinlein

pam_ldap and nss_ldap failover

On Thu, 19 Mar 2009, Jeff wrote:

>> Has anyone else experienced this or, more importantly, figured out
>> a way to get failover to work in a reasonable timeframe?
>
> I recall that nss_ldap prior to CentOS 4.6 had trouble with this. We
> are on 4.7 and use the 'host' and 'port' options in our ldap.conf.
> It works as advertised.
>
> host ldap1.example.com ldap2.example.com
> port 389
> ...

That did the trick. Thanks a bunch!

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/