Coe, Colin C. (Unix Engineer)
2007-Mar-29 00:20 UTC
[Fedora-directory-users] Failover between masters
Hi all

We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if one fails. The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.

/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
ssl on
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST ldap1.company.com ldap2.company.com
PORT 636
SASL_SECPROPS "noanonymous,noplain"
SIZELIMIT 0
TIMELIMIT 0
DEREF never
TLS_CACERT /etc/ssl/ldap/cacert.pem
TLS_REQCERT demand

We're using the bog standard nscd daemons provided by the OS vendors. We also use IDSync to synchronise user passwords from AD to LDAP but not from LDAP to AD.

What we're finding is if ldap1 dies for some reason, the clients don't failover to ldap2.

We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also not failover properly? While we're prepared to look at Fed DS, there is a feeling that it too will behave in the same manner, given they are both forks of the same project.

Comments?

Thanks

CC

NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments.
Richard Megginson
2007-Mar-29 00:26 UTC
Re: [Fedora-directory-users] Failover between masters
Coe, Colin C. (Unix Engineer) wrote:
> We don't know if the problem is client side or server side. Would
> Fedora Directory Server, set up in a similar manner, also not failover
> properly?

It wouldn't make any difference. I'm pretty sure failover is a property of the client. Are you sure you have the multiple hosts configured correctly in your ldap.conf files?

> While we're prepared to look at Fed DS, there is a feeling that it too
> will behave in the same manner, given they are both forks of the same
> project.

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
George Holbert
2007-Mar-29 00:33 UTC
Re: [Fedora-directory-users] Failover between masters
> What we're finding is if ldap1 dies for some reason, the clients don't
> failover to ldap2.
>
> We don't know if the problem is client side or server side.

When ldap1 dies, do you see any activity in ldap2's access log? If not, you know the clients aren't making the switch to ldap2.

On one of your Linux LDAP clients, try doing this while ldap1 is down:

# service nscd stop
# strace getent passwd

Among the tons of output should be some indication of what LDAP servers are being tried.
Coe, Colin C. (Unix Engineer)
2007-Mar-29 00:35 UTC
RE: [Fedora-directory-users] Failover between masters
See inline comments

> Coe, Colin C. (Unix Engineer) wrote:
> > We don't know if the problem is client side or server side. Would
> > Fedora Directory Server, set up in a similar manner, also not failover
> > properly?
>
> It wouldn't make any difference. I'm pretty sure failover is a property
> of the client. Are you sure you have the multiple hosts configured
> correctly in your ldap.conf files?

No, I'm not 100% sure that the clients are set right. My sanitised /etc/ldap and /etc/openldap/ldap.conf are shown above. Can you suggest any improvements to them?

> > While we're prepared to look at Fed DS, there is a feeling that it too
> > will behave in the same manner, given they are both forks of the same
> > project.
> >
> > Comments?
Richard Megginson
2007-Mar-29 01:09 UTC
Re: [Fedora-directory-users] Failover between masters
Coe, Colin C. (Unix Engineer) wrote:
>> It wouldn't make any difference. I'm pretty sure failover is a property
>> of the client. Are you sure you have the multiple hosts configured
>> correctly in your ldap.conf files?
>
> No, I'm not 100% sure that the clients are set right. My sanitised
> /etc/ldap and /etc/openldap/ldap.conf are shown above. Can you suggest
> any improvements to them?

I don't know. I'm not familiar with failover configuration.
Stephen C. Rigler
2007-Mar-29 12:03 UTC
Re: [Fedora-directory-users] Failover between masters
I've never seen it work adequately with RHEL 3 & 4 or Solaris 8 clients (Solaris 9 seems to work fine). We use Piranha (which also distributes the load nicely) to get around it.

-Steve

On Thu, 2007-03-29 at 08:20 +0800, Coe, Colin C. (Unix Engineer) wrote:
> What we're finding is if ldap1 dies for some reason, the clients don't
> failover to ldap2.
>
> We don't know if the problem is client side or server side. Would
> Fedora Directory Server, set up in a similar manner, also not failover
> properly?
On 3/28/07, Coe, Colin C. (Unix Engineer) <Colin.Coe@woodside.com.au> wrote:
> No, I'm not 100% sure that the clients are set right. My sanitised
> /etc/ldap and /etc/openldap/ldap.conf are shown above. Can you suggest
> any improvements to them?

We're using RHEL 3 and CentOS 4 with ldap.conf files pretty much like you described, and failover works. The only difference I see is that in /etc/openldap/ldap.conf, instead of

HOST ldap1.company.com ldap2.company.com

we use

URI ldaps://ldap1.company.com ldaps://ldap2.company.com

But that shouldn't make any difference.

On Fedora 6, instead of setting up /etc/ldap.conf as

Host 1.1.1.1 2.2.2.2

we instead have to use

uri ldaps://1.1.1.1/ ldaps://2.2.2.2/

I'm assuming that the new version of nss_ldap parses the config file differently but haven't bothered tracking down details. (nss_ldap is version 207 on RHEL 3, 226 on CentOS 4, and 253 on Fedora 6.)

Josh Kelley
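A way to check the client side of this from the outside, as an added example (not code from the thread, from nss_ldap or from OpenLDAP): a small Python script that reads the host/uri lines in the style of the ldap.conf files shown above and walks the server list the way a failing-over client is expected to, trying each server within bind_timelimit and reporting the first one that answers. The config text is a constructed sample, and the connect function is injectable so the walk can be exercised offline; run it against the real /etc/ldap.conf while ldap1 is down to see whether ldap2 would be reached.

```python
import socket
from urllib.parse import urlparse

# Constructed sample mixing the thread's two styles: an nss_ldap "host" list
# (port from the separate "port" line) and an OpenLDAP/newer nss_ldap "uri" list.
SAMPLE_CONF = """\
host 1.1.1.1 2.2.2.2
port 636
bind_timelimit 3
uri ldaps://ldap1.company.com/ ldaps://ldap2.company.com/
"""

def parse_servers(conf_text):
    """Return ([(host, port), ...] in file order, bind_timelimit); keys are
    case-insensitive so HOST/URI and host/uri are read the same way."""
    entries, port, timelimit = [], 389, 30  # nss_ldap defaults
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            entries.extend((h, None) for h in value.split())
        elif key == "uri":
            for p in map(urlparse, value.split()):
                entries.append((p.hostname, p.port or (636 if p.scheme == "ldaps" else 389)))
        elif key == "port":
            port = int(value)
        elif key == "bind_timelimit":
            timelimit = int(value)
    # "port" may come after "host", so host ports are filled in at the end.
    return [(h, p or port) for h, p in entries], timelimit

def tcp_connect(host, port, timeout):
    """Real probe: can a TCP connection be opened within the bind timeout?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def first_reachable(servers, timelimit, connect=tcp_connect):  # injectable for offline tests
    """Walk the list in order like a failing-over client; return the first server
    that answers (None if all are down) and the (host, port, ok) trail tried."""
    trail = []
    for host, port in servers:
        ok = connect(host, port, timelimit)
        trail.append((host, port, ok))
        if ok:
            return (host, port), trail
    return None, trail
```

If the script reaches ldap2 but getent does not, the problem is in the client's NSS/PAM module rather than in the network path or the directory servers.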