Hi!
We are planning on deploying an LDAP master and replica to serve as our new authentication server for our soon-to-be Red Hat cluster. But we need to be able to function if the master is down for whatever reason. So I tried to specify 2 servers in the setup-authentication server name section, separated by a comma, but it doesn't seem to work.
So, is it possible to specify 2 LDAP servers in the config?
If an LDAP server goes down, what is the fallback for authentication? I have checked "cache information", but in my tests, if the LDAP server is down, pretty much nothing works correctly.
Regards,
On Mon, 13 Dec 2010, Nicolas Ross wrote:
It works, but the Red Hat tools don't create the optimal configuration files. The following works in our environment (two LDAP servers, TLS required). I set the various timelimit values low to facilitate a fairly robust failover:
# /etc/ldap.conf
#
# failover doesn't seem to work using the newer, and
# recommended, 'uri' directive.
host ldap1.you.com ldap2.you.com
port 389
base dc=you,dc=com
# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30
# eof
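An added check, not part of the thread or of the Red Hat tools: a small Python linter that parses an /etc/ldap.conf in the layout above and flags the points the reply relies on (two servers listed via 'host' rather than 'uri', start_tls, tls_checkpeer, low time limits). The 30-second threshold and the sample host names are assumptions.

```python
# Added linter for nss_ldap-style /etc/ldap.conf (constructed example).
import re

# Threshold in seconds is an assumption for "quick" failover, not a thread value.
MAX_TIMELIMIT = 30


def parse_ldap_conf(text):
    """Map each directive (lower-cased) to its value; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text):
    """Return findings as 'tag: detail' strings; an empty list means the config passes."""
    conf = parse_ldap_conf(text)
    findings = []
    hosts = conf.get("host", "").split()
    uris = conf.get("uri", "").split()
    if uris and not hosts:
        findings.append("uri-used: servers given via 'uri'; the thread saw failover work only with 'host'")
    if len(hosts) + len(uris) < 2:
        findings.append("single-server: only one LDAP server listed, so no failover")
    if conf.get("ssl", "").lower() not in ("start_tls", "on"):
        findings.append("no-tls: binds and lookups cross the wire unencrypted")
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("no-checkpeer: server certificate is not verified")
    for key in ("bind_timelimit", "timelimit"):
        value = conf.get(key, "")
        if not value.isdigit():
            findings.append(f"{key}-unset: failover waits on the library default")
        elif int(value) > MAX_TIMELIMIT:
            findings.append(f"{key}-high: {value}s delays trying the second server")
    return findings


# Constructed sample: the working layout from the thread (host names are placeholders).
GOOD_CONF = "host ldap1.you.com ldap2.you.com\nbase dc=you,dc=com\n" \
            "ssl start_tls\ntls_checkpeer yes\nbind_timelimit 30\ntimelimit 30\n"
# Constructed weak variant: a single server via 'uri', peer certificate unchecked.
WEAK_CONF = "uri ldap://ldap1.you.com\nbase dc=you,dc=com\nssl start_tls\ntls_checkpeer no\n"
```

Run check_ldap_conf(open("/etc/ldap.conf").read()) on a real host to list what still needs attention before testing failover by stopping the master.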
It was a routing problem. I was indeed able to add a second ldap server (off-site), and it worked.
Regards,