[CentOS] Specifying 2 LDAP Server for auth

Mon Dec 13 21:18:32 UTC 2010
Paul Heinlein <heinlein at madboa.com>

On Mon, 13 Dec 2010, Nicolas Ross wrote:

> Hi !
>
> We are planning on deploying an ldap master and replica to serve as 
> our new authentication server for our soon to be RedHat cluster. 
> But, we need to be able to function if the master is down for 
> whatever reason. So, I tried to specify 2 servers in the 
> setup-authentication servername section, separated by a comma, but 
> it doesn't seem to work.
>
> So, is it possible to specify 2 ldap servers in the config ?
>
> If an ldap server goes down, what are the fall-backs for 
> authentication ? I have checked "cache information", but in my 
> tests, if the ldap server is down, pretty much nothing works 
> correctly.

It works, but the Red Hat tools don't create the optimal configuration 
files. The following works in our environment (two LDAP servers, TLS 
required). I set the various timelimit values low to facilitate a 
fairly robust failover:

# /etc/ldap.conf
#
# failover doesn't seem to work using the newer, and
# recommended, 'uri' directive.
host ldap1.you.com ldap2.you.com
port 389
base dc=you,dc=com
# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30
# eof

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
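An added check, not part of the original post: a small Python linter for a pam_ldap/nss_ldap-style /etc/ldap.conf that flags the settings the reply relies on for failover and for TLS (two hosts, no 'uri', start_tls with peer checking, a low bind_timelimit). The sample config is constructed to mirror the one above; the 30-second threshold is an assumption taken from the post's values.

```python
"""Lint a pam_ldap/nss_ldap-style /etc/ldap.conf for failover readiness.
Added example; assumes the classic 'host'/'port' directive syntax from the
post rather than the newer 'uri' form, which the post reports does not
fail over."""
import io

# Constructed sample that mirrors the configuration in the post.
CONSTRUCTED_CONF = """\
# /etc/ldap.conf (constructed sample)
host ldap1.you.com ldap2.you.com
port 389
base dc=you,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
bind_timelimit 30
idle_timelimit 120
timelimit 30
"""


def parse_ldap_conf(text):
    """Return {directive: [values]}, skipping blank lines and '#' comments.
    Directive names are treated case-insensitively."""
    conf = {}
    for raw in io.StringIO(text):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0].lower()] = parts[1:]
    return conf


def first(conf, key, default=""):
    """First value of a directive, lower-cased, or default when absent/empty."""
    vals = conf.get(key)
    return vals[0].lower() if vals else default


def failover_findings(conf, max_bind_timelimit=30):
    """Return a list of problems that would defeat failover or weaken TLS."""
    findings = []
    if len(conf.get("host", [])) < 2:
        findings.append("fewer than two hosts listed; nothing to fail over to")
    if "uri" in conf:
        findings.append("'uri' directive present; failover reported not to work with it")
    if first(conf, "ssl") not in ("start_tls", "on"):
        findings.append("ssl is not start_tls/on; queries are not encrypted on the wire")
    if first(conf, "tls_checkpeer", "no") != "yes":
        findings.append("tls_checkpeer is not yes; server certificate is not verified")
    bind = first(conf, "bind_timelimit", None)
    if bind is None:
        findings.append("bind_timelimit unset; set it low so a dead master is abandoned quickly")
    elif not bind.isdigit() or int(bind) > max_bind_timelimit:
        findings.append("bind_timelimit %s exceeds %d seconds" % (bind, max_bind_timelimit))
    return findings
```

Run `failover_findings(parse_ldap_conf(open("/etc/ldap.conf").read()))` on a real host to get the list of findings; an empty list means the file matches the post's recommendations.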