What we're finding is if ldap1 dies for some reason, the clients don't
failover to ldap2.
We don't know if the problem is client side or server side.
When ldap1 dies, do you see any activity in ldap2's access log? If not,
you know the clients aren't making the switch to ldap2.
On one of your Linux LDAP clients, try doing this while ldap1 is down:
# service nscd stop
# strace getent passwd
Among the tons of output should be some indication of what LDAP servers
are being tried.
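A small helper for the check suggested above, added here as an example and not part of the thread. It assumes GNU strace's connect() line format on a Linux client and that nscd is stopped first so the lookup runs inside getent rather than in the cache daemon.

```shell
#!/bin/sh
# Added example (not from the list thread): work out which LDAP servers a
# client actually tries during a lookup by reading strace output.

# Print "ip:port" for every connect() attempt on stdin, in order, keeping
# only the LDAP port (636 here, matching the ldap.conf above).
ldap_connect_attempts() {
    port="${1:-636}"
    sed -n 's/^connect([0-9]*, {sa_family=AF_INET, sin_port=htons(\([0-9]*\)), sin_addr=inet_addr("\([0-9.]*\)")}.*$/\2:\1/p' \
        | grep ":${port}\$"
}

# Given the host list from /etc/ldap.conf ("1.1.1.1 2.2.2.2") and the
# attempts printed above, list configured hosts the client never tried.
untried_hosts() {
    hosts="$1"; attempts="$2"
    for h in $hosts; do
        printf '%s\n' "$attempts" | grep -q "^$h:" || printf '%s\n' "$h"
    done
}

# Constructed sample of what strace shows when ldap1 is down: the client
# gets ECONNREFUSED from ldap1 but never moves on to ldap2.
SAMPLE='connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("1.1.1.1")}, 16) = -1 ECONNREFUSED (Connection refused)
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.0.0.1")}, 16) = 0'

attempts=$(printf '%s\n' "$SAMPLE" | ldap_connect_attempts 636)
echo "LDAP servers tried:"; echo "$attempts"
echo "Configured but never tried:"; untried_hosts '1.1.1.1 2.2.2.2' "$attempts"

# Live run on a client while ldap1 is down (as root):
#   service nscd stop
#   strace -e trace=connect getent passwd 2>&1 | ldap_connect_attempts 636
```

If the live run shows only ldap1 being tried, the failover problem is on the client side regardless of which directory server is behind it.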
Coe, Colin C. (Unix Engineer) wrote:
Hi all
We are currently using Sun's Directory server and have had some
problems with clients failing over to the other master if one fails.
The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the
Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.
/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
ssl on
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600
/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST ldap1.company.com ldap2.company.com
PORT 636
SASL_SECPROPS "noanonymous,noplain"
SIZELIMIT 0
TIMELIMIT 0
DEREF never
TLS_CACERT /etc/ssl/ldap/cacert.pem
TLS_REQCERT demand
We're using the bog standard nscd daemons provided by the OS vendors.
We also use IDSync to synchronise user passwords from AD to LDAP but
not from LDAP to AD.
What we're finding is if ldap1 dies for some reason, the clients don't
failover to ldap2.
We don't know if the problem is client side or server side. Would
Fedora Directory Server, set up in a similar manner, also not failover
properly? While we're prepared to look at Fed DS, there is a feeling
that it too will behave in the same manner, given they are both forks
of the same project.
Comments?
Thanks
CC
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users