On 04/08/2015 04:04 PM, Guertin, David S. wrote:
> I have a mixed environment of RHEL 5 and RHEL 6 clients, and three
> RHEL 7 IPA servers (one master and two duplicates). I'm trying to
> ensure that if one server goes down, the remaining server(s) will still
> allow logins. With the RHEL 6 clients this is easy -- the line
>
> ipa_server = _srv_, server1.ipa.middlebury.edu
>
> in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything
> is fine.
>
> But with the RHEL 5 clients, this doesn't work. If server 1 goes down,
> logins fail. Since RHEL 5 is using LDAP, I figured it was probably in
> the ldap_uri line in the sssd.conf file. I discovered that I could add
> multiple servers, which I did:
>
> ldap_uri = ldap://server1.ipa.middlebury.edu,
> ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu
>
> But this still failed. However, if I do something similar in
> /etc/ldap.conf:
>
> uri ldap://server1.ipa.middlebury.edu
> ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu
>
> then logins work. In fact, I don't even need the change in sssd.conf.
> I can put that back the way it was, and logins still work. It's only
> the line in /etc/ldap.conf that seems to be necessary.
If that works it means that you are not using SSSD on RHEL5 clients.
Please check your nsswitch and pam.conf to see what modules are actually
used.
Which RHEL5 versions do you use?
If memory does not fail me, if you have SSSD 1.5 (I think it was starting
with 5.8) you should be able to use ipa-client-install to configure sssd and
pass the list of the servers in the --server option.
> So, I have two questions:
>
> 1. Am I understanding this correctly?
>
> 2. If so, is there a way to automate this so that when I run
> ipa-client-install on my RHEL 5 clients, they get the correct LDAP
> settings from the beginning, and I don't have to go and manually edit
> the ldap.conf file?
>
> David Guertin
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
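To act on the "check your nsswitch and pam.conf" advice above, here is an added POSIX shell example (not from the thread or the FreeIPA project) that reports whether a client resolves users through SSSD (sss / pam_sss.so) or through the older nss_ldap / pam_ldap pair that /etc/ldap.conf configures. The mk_sample helper and the file contents it writes are constructed for this example; on a real RHEL 5 host you would point the functions at /etc/nsswitch.conf and /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether a RHEL 5 client resolves
# users through SSSD (sss / pam_sss.so) or the older nss_ldap / pam_ldap pair,
# which a working /etc/ldap.conf failover list implies. mk_sample builds
# constructed copies of nsswitch.conf and a PAM stack so this runs offline.

mk_sample() {
    dir=$(mktemp -d)
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
EOF
    cat > "$dir/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
EOF
    echo "$dir"
}

# Print the backends configured for one nsswitch database, e.g. "files ldap".
nss_backends() {   # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/#.*/, ""); sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if passwd, shadow or group consults the given NSS module (sss or ldap).
nss_uses() {       # $1 = nsswitch.conf path, $2 = module name
    for db in passwd shadow group; do
        for b in $(nss_backends "$1" "$db"); do
            [ "$b" = "$2" ] && return 0
        done
    done
    return 1
}

# Succeed if a PAM stack file loads the given module (pam_sss.so or pam_ldap.so).
pam_uses() {       # $1 = PAM file path, $2 = module file name
    grep -Eq "^[^#]*[[:space:]]$2([[:space:]]|\$)" "$1"
}

# Summarise which identity stack actually answers lookups and authentication.
report() {         # $1 = nsswitch.conf path, $2 = PAM file path
    for m in sss ldap; do nss_uses "$1" "$m" && echo "NSS lookups use: $m"; done
    for m in pam_sss.so pam_ldap.so; do pam_uses "$2" "$m" && echo "PAM loads: $m"; done
}
```

If the report shows ldap but not sss, the host is not going through SSSD at all, which is why only the uri list in /etc/ldap.conf affected failover.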
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project