Thread: RE: Failover between masters

RE: Failover between masters
Australia
2007-03-28 19:35:22
See inline comments

> 
> Coe, Colin C. (Unix Engineer) wrote:
> >
> > Hi all
> >
> > We are currently using Sun's Directory server and have had some
> > problems with clients failing over to the other master if one fails.
> > The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the
> > Sun Directory servers are both Solaris 9 (SPARC) running
> > Directory One 5.1.
> >
> > /etc/ldap.conf
> > host 1.1.1.1 2.2.2.2
> > port 636
> > ldap_version 3
> > base o=unix,dc=company,dc=com
> > scope sub
> > timelimit 5
> > bind_timelimit 3
> > ssl on
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_password crypt
> > idle_timelimit 3600
> >
> > /etc/openldap/ldap.conf
> > BASE o=unix,dc=company,dc=com
> > HOST ldap1.company.com ldap2.company.com
> > PORT 636
> > SASL_SECPROPS "noanonymous,noplain"
> > SIZELIMIT 0
> > TIMELIMIT 0
> > DEREF never
> > TLS_CACERT      /etc/ssl/ldap/cacert.pem
> > TLS_REQCERT     demand
> >
> > We're using the bog standard nscd daemons provided by the OS vendors.
> > We also use IDSync to synchronise user passwords from AD to LDAP but
> > not from LDAP to AD.
> >
> > What we're finding is if ldap1 dies for some reason, the clients don't
> > failover to ldap2.
> >
> > We don't know if the problem is client side or server side.  Would
> > Fedora Directory Server, set up in a similar manner, also not failover
> > properly?
> >
> It wouldn't make any difference.  I'm pretty sure failover is a property
> of the client.  Are you sure you have the multiple hosts configured
> correctly in your ldap.conf files?

No, I'm not 100% sure that the clients are set right.  My sanitised
/etc/ldap.conf and /etc/openldap/ldap.conf are shown above.  Can you suggest
any improvements to them?

> >
> > While we're prepared to look at Fed DS, there is a feeling that it too
> > will behave in the same manner, given they are both forks of the same
> > project.
> >
> > Comments?
> >
> > Thanks
> >
> > CC
> >

NOTICE: This email and any attachments are confidential. 
They may contain legally privileged information or 
copyright material. You must not read, copy, use or 
disclose them without authorisation. If you are not an 
intended recipient, please contact us at once by return 
email and then delete both messages and all attachments.

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: Failover between masters
user name
2007-03-28 20:09:32
Coe, Colin C. (Unix Engineer) wrote:
> See inline comments
>
>   
> No, I'm not 100% sure that the clients are set right.  My sanitised
> /etc/ldap.conf and /etc/openldap/ldap.conf are shown above.  Can you suggest
> any improvements to them?
>
I don't know.  I'm not familiar with failover configuration.


Re: Failover between masters
user name
2007-03-30 10:31:15
On 3/28/07, Coe, Colin C. (Unix Engineer) <Colin.Coe@woodside.com.au> wrote:
> No, I'm not 100% sure that the clients are set right.  My sanitised
> /etc/ldap.conf and /etc/openldap/ldap.conf are shown above.  Can you suggest
> any improvements to them?

We're using RHEL 3 and CentOS 4 with ldap.conf files pretty much like
you described, and failover works.

The only difference I see is that in /etc/openldap/ldap.conf, instead of
HOST ldap1.company.com ldap2.company.com
we use
URI ldaps://ldap1.company.com ldaps://ldap2.company.com
But that shouldn't make any difference.

On Fedora 6, instead of setting up /etc/ldap.conf as
Host 1.1.1.1 2.2.2.2
we instead have to use
uri ldaps://1.1.1.1/ ldaps://2.2.2.2/

I'm assuming that the new version of nss_ldap parses the config file
differently but haven't bothered tracking down details.  (nss_ldap is
version 207 on RHEL 3, 226 on CentOS 4, and 253 on Fedora 6.)

Josh Kelley

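The thread stops at "check that the multiple hosts are configured correctly" without showing how. The script below is an added example written for this archive page, not code from the list, from Colin or Josh, or from nss_ldap itself. It embeds the two sanitised files from the original post as constructed sample input, parses them, rewrites the nss_ldap host/port/ssl settings into the `uri ldaps://.../` form that Josh reports newer nss_ldap (version 253 on Fedora 6) needs, and flags settings that bear on failover and TLS. The checks, their wording and the stall estimate (which assumes a dead server costs one full bind_timelimit before the next server is tried) are this script's own assumptions, not documented nss_ldap behaviour; tls_checkpeer is a real nss_ldap keyword that the posted config does not set.

```python
"""Failover-readiness check for the nss_ldap (/etc/ldap.conf) and OpenLDAP
(/etc/openldap/ldap.conf) client files.  Added example for this archive
page, not the list's or nss_ldap's code; the findings below are this
script's own assumptions about what matters for failover."""
import shlex

# Constructed sample input: the two sanitised files from the original post.
NSS_LDAP_CONF = """\
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
ssl on
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600
"""

OPENLDAP_CONF = """\
BASE o=unix,dc=company,dc=com
HOST ldap1.company.com ldap2.company.com
PORT 636
SASL_SECPROPS "noanonymous,noplain"
SIZELIMIT 0
TIMELIMIT 0
DEREF never
TLS_CACERT      /etc/ssl/ldap/cacert.pem
TLS_REQCERT     demand
"""


def parse_conf(text):
    """Parse 'keyword value ...' lines into {keyword.lower(): [values]}.
    Both files use this shape; comments and blank lines are skipped and a
    repeated keyword keeps its last occurrence (this parser's choice)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            parts = shlex.split(line)
            conf[parts[0].lower()] = parts[1:]
    return conf


def servers(conf):
    """Servers the client will try, in order, as LDAP URIs.  An explicit
    uri list wins; otherwise one is built from host/port/ssl, where
    nss_ldap's 'ssl on' means LDAP over SSL, i.e. an ldaps:// URI."""
    if 'uri' in conf:
        return list(conf['uri'])
    port = conf.get('port', ['389'])[0]
    scheme = 'ldaps' if conf.get('ssl', ['off'])[0].lower() == 'on' else 'ldap'
    return ['%s://%s:%s/' % (scheme, host, port) for host in conf.get('host', [])]


def uri_line(conf):
    """The 'uri ...' line equivalent to the host/port/ssl settings."""
    return 'uri ' + ' '.join(servers(conf))


def failover_findings(nss, openldap):
    """Return (severity, message) pairs in check order."""
    out = []
    n = len(servers(nss))
    if n < 2:
        out.append(('error', 'nss_ldap lists %d server(s); failover needs at least two' % n))
    if 'uri' not in nss and 'host' in nss:
        out.append(('warn', 'nss_ldap uses host/port; newer nss_ldap needs the uri form: '
                    + uri_line(nss)))
    if nss.get('ssl', ['off'])[0].lower() == 'on' and \
            nss.get('tls_checkpeer', ['no'])[0].lower() != 'yes':
        out.append(('warn', 'ssl on without tls_checkpeer yes: certificate checking is left '
                    'to the libldap TLS_REQCERT default rather than pinned here'))
    if n > 1 and 'bind_timelimit' in nss:
        t = int(nss['bind_timelimit'][0])
        out.append(('info', 'a lookup may stall up to %d s while %d dead server(s) time out '
                    '(bind_timelimit %d; assumes each dead server costs a full timeout)'
                    % ((n - 1) * t, n - 1, t)))
    if len(openldap.get('uri') or openldap.get('host', [])) < 2:
        out.append(('error', '/etc/openldap/ldap.conf lists fewer than two servers'))
    if openldap.get('tls_reqcert', ['demand'])[0].lower() != 'demand':
        out.append(('warn', 'TLS_REQCERT is not demand: server certificates are not strictly verified'))
    return out


if __name__ == '__main__':
    nss = parse_conf(NSS_LDAP_CONF)
    print(uri_line(nss))
    for severity, message in failover_findings(nss, parse_conf(OPENLDAP_CONF)):
        print('[%s] %s' % (severity, message))
```

Run it as-is to see the posted configuration scored; to check a real client, replace the two embedded strings with the contents of the client's own files. The uri form it prints is what Josh's Fedora 6 example uses, and the stall estimate is the figure to compare against nscd and login timeouts when a primary goes dark rather than refusing connections.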
