Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers

Wed, 08 Apr 2015 13:17:01 -0700 

On 04/08/2015 04:04 PM, Guertin, David S. wrote:



I have a mixed environment of RHEL 5 and RHEL 6 clients, and three 
RHEL 7 IPA servers (one master and two duplicates). I'm trying to 
ensure that if one server goes down, the remain server(s) will still 
allow logins. With the RHEL 6 clients this is easy -- the line


  ipa_server = _srv_, server1.ipa.middlebury.edu


in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything 
is fine.



But with the RHEL 5 clients, this doesn't work. If server 1 goes down, 
logins fail. Since RHEL 5 is using LDAP, I figured it was probably in 
the ldap_uri line in the sssd.conf file. I discovered that I could add 
multiple servers, which I did:



  ldap_uri = ldap://server1.ipa.middlebury.edu, 
ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu



But this still failed. However, if I do something similar in 
/etc/ldap.conf:



  uri ldap://server1.ipa.middlebury.edu 
ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu



then logins work. In fact, I don't even need the change in sssd.conf. 
I can put that back the way it was, and logins still work. It's only 
the line in /etc/ldap.conf that seems to be necessary.




If that works it means that you are not using SSSD on RHEL5 clients.

Please check your nsswitch and pam.conf to see what modules are actually 
used.


Which RHEL5 versions do you use?

If memory does not fail me if you have SSSD 1.5 (I think it was starting 
5.8) you should be able to use ipa-client-install to configure sssd and 
pass the list of the servers in the --server option.



So, I have two questions:

1. Am I understanding this correctly?


2. If so, is there a way to automate this so that when I run 
ipa-client-install on my RHEL 5 clients, they get the correct LDAP 
settings from the beginning, and I don't have to go and manually edit 
the ldap.conf file?


David Guertin






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to