On Fri, 24 Oct 2014, Orkhan Gasimov wrote:
Awesome, it worked!

Just one final question: how to make that script search not only in ipa1.example.com's LDAP database, but also in ipa2.example.com's LDAP in case ipa1 is inaccessible? It's vital for a production environment!
There are two things here:
- ldapsearch should use DNS SRV records to discover servers
- ldapsearch call should rotate over all servers in case of an error

The first is achieved with the -H option if you don't specify a host but rather
use the DN dc=example,dc=com, encoded as described in RFC 2396:
  dc%3Dexample%2Cdc%3Dcom

where %3D is the escape sequence for '=' and %2C is the escape sequence for ','

ldapsearch -H ldap://dc%3Dexample%2Cdc%3Dcom

would request ldapsearch to first go and resolve the DNS SRV record
_ldap._tcp.example.com and then connect to the list of servers returned.

All OpenLDAP client-side tools use this technique and rotate over the
list of servers. You can specify multiple servers yourself too as

  -H "ldap://ipa1.example.com ldap://ipa2.example.com ldap://ipa3.example.com";

but using DNS SRV records is more reliable because you don't need to
change your script when you decommission servers.


I tried copying the whole section of code from " ldapsearch ..." to "... done" and putting it after a new instance of " if [ ! -s "$tmpf" ]; then ", but it didn't work (I'm not a programmer...).

My current cron script is like this: https://cloud.mail.ru/public/fdf2e60c5df8%2Fsudo.sh

Programmers, please take a glance at the file - logically it shouldn't be difficult to make the necessary modifications, but I don't know how...


23-Oct-14 21:40, Alexander Bokovoy wrote:
try adding something like this:

# use a private credential cache for this run so the host's own tickets
# are not touched (KRB5CCNAME is the variable the Kerberos libraries read)
old_krb5_ccache=${KRB5CCNAME}
KRB5CCNAME=/tmp/_hostgroups_access.ccache.$$
export KRB5CCNAME
# obtain a ticket for the host principal from the host keytab
kinit -k -t /etc/krb5.keytab host/`hostname`
# perform actual search
ldapsearch -Y GSSAPI .....

# end of script: drop the ticket and restore the previous cache setting
kdestroy
KRB5CCNAME=${old_krb5_ccache}
export KRB5CCNAME


--
/ Alexander Bokovoy
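The SRV-based -H URL and the rotation over an explicit server list that Alexander describes, combined with the private-credential-cache pattern from his earlier message, as an added example. This is not Orkhan's cron script and not code posted on the list; the base DN, the ipa1/ipa2/ipa3.example.com hostnames and the sudo-rule filter in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the thread above (not Orkhan's cron script, not code posted
# by Alexander): run ldapsearch first through DNS SRV discovery, then over an
# explicit server list, stopping at the first server that answers.
# BASE_DN and the ipaN.example.com hostnames are assumptions for illustration.

BASE_DN="dc=example,dc=com"
# Explicit fallback list, tried only if the SRV-based attempt fails (assumed names)
FALLBACK_SERVERS="ldap://ipa1.example.com ldap://ipa2.example.com ldap://ipa3.example.com"
# The search command is a variable so a dry run or a test can substitute it
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"

# Turn a base DN into the -H URL form that makes OpenLDAP clients look up
# _ldap._tcp.<domain> SRV records: '=' -> %3D and ',' -> %2C (RFC 2396 escaping).
#   dn_to_srv_url 'dc=example,dc=com'  ->  ldap://dc%3Dexample%2Cdc%3Dcom
dn_to_srv_url() {
    printf 'ldap://%s\n' "$1" | sed -e 's/=/%3D/g' -e 's/,/%2C/g'
}

# Run one ldapsearch per candidate URI until one exits 0.
# All remaining arguments are passed through to ldapsearch (base, filter, attrs...).
# Only a non-zero exit (e.g. "Can't contact LDAP server") moves on to the next
# server; an empty result set is a successful search and is not retried.
search_with_failover() {
    srv_url=$(dn_to_srv_url "$BASE_DN")
    # $FALLBACK_SERVERS is intentionally unquoted so it splits into one URI per word
    for uri in "$srv_url" $FALLBACK_SERVERS; do
        if "$LDAPSEARCH" -H "$uri" "$@"; then
            return 0
        fi
        echo "ldapsearch via $uri failed, trying next server" >&2
    done
    echo "all LDAP servers failed" >&2
    return 1
}

# Cron entry point: authenticate as the host principal into a private
# credential cache (KRB5CCNAME), run the GSSAPI search with failover, clean up.
run_cron_search() {
    old_ccache=${KRB5CCNAME}
    KRB5CCNAME="FILE:/tmp/_hostgroups_access.ccache.$$"
    export KRB5CCNAME
    kinit -k -t /etc/krb5.keytab "host/$(hostname)" || return 1
    search_with_failover -Y GSSAPI -b "$BASE_DN" "$@"
    rc=$?
    kdestroy
    KRB5CCNAME=${old_ccache}
    export KRB5CCNAME
    return $rc
}

# Only run the real search when invoked with a filter, e.g. (assumed filter):
#   ./sudo-search.sh '(objectClass=ipasudorule)' cn memberHost
if [ $# -gt 0 ]; then
    run_cron_search "$@"
fi
```

As Alexander notes, OpenLDAP already rotates over the servers a single -H value yields, so the loop above mainly adds two things: a visible stderr line telling you which URI failed, and a fallback to explicitly named servers for the case where the SRV lookup itself cannot be resolved. The failover only triggers on a non-zero ldapsearch exit; a server that answers with stale or incomplete data returns 0 and is accepted, so replication health still has to be monitored separately.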

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project