Hi all
We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if one fails. The clients are a minxute of RHEL 3 WS and Solaris 8 (SPARC), and the Sun Directory servers are both Solars 9 (SPARC) running Directory One 5.1.
/etc/ldap.conf host 1.1.1.1 2.2.2.2 port 636 ldap_version 3 base o=unix,dc=company,dc=com scope sub timelimit 5 bind_timelimit 3 ssl on pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_password crypt idle_timelimit 3600
/etc/openldap/ldap.conf BASE o=unix,dc=company,dc=com HOST ldap1.company.com ldap2.company.com PORT 636 SASL_SECPROPS "noanonymous,noplain" SIZELIMIT 0 TIMELIMIT 0 DEREF never TLS_CACERT /etc/ssl/ldap/cacert.pem TLS_REQCERT demand
We're using the bog standard nscd daemons provided by the OS vendors. We also use IDSync to synchronise user passwords from AD to LDAP but not from LDAP to AD.
What we're finding is if ldap1 dies for some reason, the clients don't failover to ldap2.
We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also not failover properly? While we're prepared to look at Fed DS, there is a feeling that it too will behave in the same manner, given they are both forks of the same project.
Comments?
Thanks
CC
NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments.
Coe, Colin C. (Unix Engineer) wrote:
Hi all
We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if one fails. The clients are a minxute of RHEL 3 WS and Solaris 8 (SPARC), and the Sun Directory servers are both Solars 9 (SPARC) running Directory One 5.1.
/etc/ldap.conf host 1.1.1.1 2.2.2.2 port 636 ldap_version 3 base o=unix,dc=company,dc=com scope sub timelimit 5 bind_timelimit 3 ssl on pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_password crypt idle_timelimit 3600
/etc/openldap/ldap.conf BASE o=unix,dc=company,dc=com HOST ldap1.company.com ldap2.company.com PORT 636 SASL_SECPROPS "noanonymous,noplain" SIZELIMIT 0 TIMELIMIT 0 DEREF never TLS_CACERT /etc/ssl/ldap/cacert.pem TLS_REQCERT demand
We're using the bog standard nscd daemons provided by the OS vendors. We also use IDSync to synchronise user passwords from AD to LDAP but not from LDAP to AD.
What we're finding is if ldap1 dies for some reason, the clients don't failover to ldap2.
We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also not failover properly?
It wouldn't make any difference. I'm pretty sure failover is a properly of the client. Are you sure you have the multiple hosts configured correctly in your ldap.conf files?
While we're prepared to look at Fed DS, there is a feeling that it too will behave in the same manner, given they are both forks of the same project.
Comments?
Thanks
CC
NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
See inline comments
Coe, Colin C. (Unix Engineer) wrote:
Hi all
We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if
one fails.
The clients are a minxute of RHEL 3 WS and Solaris 8
(SPARC), and the
Sun Directory servers are both Solars 9 (SPARC) running
Directory One 5.1.
/etc/ldap.conf host 1.1.1.1 2.2.2.2 port 636 ldap_version 3 base o=unix,dc=company,dc=com scope sub timelimit 5 bind_timelimit 3 ssl on pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_password crypt idle_timelimit 3600
/etc/openldap/ldap.conf BASE o=unix,dc=company,dc=com HOST ldap1.company.com ldap2.company.com PORT 636 SASL_SECPROPS "noanonymous,noplain" SIZELIMIT 0 TIMELIMIT 0 DEREF never TLS_CACERT /etc/ssl/ldap/cacert.pem TLS_REQCERT demand
We're using the bog standard nscd daemons provided by the
OS vendors.
We also use IDSync to synchronise user passwords from AD to
LDAP but
not from LDAP to AD.
What we're finding is if ldap1 dies for some reason, the
clients don't
failover to ldap2.
We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also
not failover
properly?
It wouldn't make any difference. I'm pretty sure failover is a properly of the client. Are you sure you have the multiple hosts configured correctly in your ldap.conf files?
No, I'm not 100% sure that the clients are set right. My sanitised /etc/ldap and /etc/openldap/ldap.conf are shown above. Can you suggest any improvements to them?
While we're prepared to look at Fed DS, there is a feeling
that it too
will behave in the same manner, given they are both forks
of the same
project.
Comments?
Thanks
CC
NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments.
Coe, Colin C. (Unix Engineer) wrote:
See inline comments
Coe, Colin C. (Unix Engineer) wrote:
Hi all
We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if
one fails.
The clients are a minxute of RHEL 3 WS and Solaris 8
(SPARC), and the
Sun Directory servers are both Solars 9 (SPARC) running
Directory One 5.1.
/etc/ldap.conf host 1.1.1.1 2.2.2.2 port 636 ldap_version 3 base o=unix,dc=company,dc=com scope sub timelimit 5 bind_timelimit 3 ssl on pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_password crypt idle_timelimit 3600
/etc/openldap/ldap.conf BASE o=unix,dc=company,dc=com HOST ldap1.company.com ldap2.company.com PORT 636 SASL_SECPROPS "noanonymous,noplain" SIZELIMIT 0 TIMELIMIT 0 DEREF never TLS_CACERT /etc/ssl/ldap/cacert.pem TLS_REQCERT demand
We're using the bog standard nscd daemons provided by the
OS vendors.
We also use IDSync to synchronise user passwords from AD to
LDAP but
not from LDAP to AD.
What we're finding is if ldap1 dies for some reason, the
clients don't
failover to ldap2.
We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also
not failover
properly?
It wouldn't make any difference. I'm pretty sure failover is a properly of the client. Are you sure you have the multiple hosts configured correctly in your ldap.conf files?
No, I'm not 100% sure that the clients are set right. My sanitised /etc/ldap and /etc/openldap/ldap.conf are shown above. Can you suggest any improvements to them?
I don't know. I'm not familiar with failover configuration.
While we're prepared to look at Fed DS, there is a feeling
that it too
will behave in the same manner, given they are both forks
of the same
project.
Comments?
Thanks
CC
NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
On 3/28/07, Coe, Colin C. (Unix Engineer) Colin.Coe@woodside.com.au wrote:
No, I'm not 100% sure that the clients are set right. My sanitised /etc/ldap and /etc/openldap/ldap.conf are shown above. Can you suggest any improvements to them?
We're using RHEL 3 and CentOS 4 with ldap.conf files pretty much like you described, and failover works.
The only difference I see is that in /etc/openldap/ldap.conf, instead of HOST ldap1.company.com ldap2.company.com we use URI ldaps://ldap1.company.com ldaps://ldap2.company.com But that shouldn't make any difference.
On Fedora 6, instead of setting up /etc/ldap.conf as Host 1.1.1.1 2.2.2.2 we instead have to use uri ldaps://1.1.1.1/ ldaps://2.2.2.2/
I'm assuming that the new version of nss_ldap parses the config file differently but haven't bothered tracking down details. (nss_ldap is version 207 on RHEL 3, 226 on CentOS 4, and 253 on Fedora 6.)
Josh Kelley
What we're finding is if ldap1 dies for some reason, the clients don't failover to ldap2.
We don't know if the problem is client side or server side.
When ldap1 dies, do you see any activity in ldap2's access log? If not, you know the clients aren't making the switch to ldap2.
On one of your Linux LDAP clients, try doing this while ldap1 is down: # service nscd stop # strace getent passwd Among the tons of output should be some indication of what LDAP servers are being tried.
Coe, Colin C. (Unix Engineer) wrote:
Hi all
We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if one fails. The clients are a minxute of RHEL 3 WS and Solaris 8 (SPARC), and the Sun Directory servers are both Solars 9 (SPARC) running Directory One 5.1.
/etc/ldap.conf host 1.1.1.1 2.2.2.2 port 636 ldap_version 3 base o=unix,dc=company,dc=com scope sub timelimit 5 bind_timelimit 3 ssl on pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_password crypt idle_timelimit 3600
/etc/openldap/ldap.conf BASE o=unix,dc=company,dc=com HOST ldap1.company.com ldap2.company.com PORT 636 SASL_SECPROPS "noanonymous,noplain" SIZELIMIT 0 TIMELIMIT 0 DEREF never TLS_CACERT /etc/ssl/ldap/cacert.pem TLS_REQCERT demand
We're using the bog standard nscd daemons provided by the OS vendors. We also use IDSync to synchronise user passwords from AD to LDAP but not from LDAP to AD.
What we're finding is if ldap1 dies for some reason, the clients don't failover to ldap2.
We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also not failover properly? While we're prepared to look at Fed DS, there is a feeling that it too will behave in the same manner, given they are both forks of the same project.
Comments?
Thanks
CC
I've never seen it work adequately with RHEL 3 & 4 or Solaris 8 clients (solaris 9 seems to work fine). We use Piranha (which also distributes the load nicely) to get around it.
-Steve
On Thu, 2007-03-29 at 08:20 +0800, Coe, Colin C. (Unix Engineer) wrote:
Hi all
We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if one fails. The clients are a minxute of RHEL 3 WS and Solaris 8 (SPARC), and the Sun Directory servers are both Solars 9 (SPARC) running Directory One 5.1.
/etc/ldap.conf host 1.1.1.1 2.2.2.2 port 636 ldap_version 3 base o=unix,dc=company,dc=com scope sub timelimit 5 bind_timelimit 3 ssl on pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_password crypt idle_timelimit 3600
/etc/openldap/ldap.conf BASE o=unix,dc=company,dc=com HOST ldap1.company.com ldap2.company.com PORT 636 SASL_SECPROPS "noanonymous,noplain" SIZELIMIT 0 TIMELIMIT 0 DEREF never TLS_CACERT /etc/ssl/ldap/cacert.pem TLS_REQCERT demand
We're using the bog standard nscd daemons provided by the OS vendors. We also use IDSync to synchronise user passwords from AD to LDAP but not from LDAP to AD.
What we're finding is if ldap1 dies for some reason, the clients don't failover to ldap2.
We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also not failover properly? While we're prepared to look at Fed DS, there is a feeling that it too will behave in the same manner, given they are both forks of the same project.
Comments?
Thanks
CC
NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments. -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org
-
Coe, Colin C. (Unix Engineer) -
George Holbert -
Josh Kelley -
Rich Megginson -
Steve Rigler