On 04/08/2015 04:04 PM, Guertin, David S. wrote:


I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7 IPA servers (one master and two duplicates). I'm trying to ensure that if one server goes down, the remain server(s) will still allow logins. With the RHEL 6 clients this is easy -- the line

  ipa_server = _srv_, server1.ipa.middlebury.edu

in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything is fine.

But with the RHEL 5 clients, this doesn't work. If server 1 goes down, logins fail. Since RHEL 5 is using LDAP, I figured it was probably in the ldap_uri line in the sssd.conf file. I discovered that I could add multiple servers, which I did:

ldap_uri = ldap://server1.ipa.middlebury.edu, ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu

But this still failed. However, if I do something similar in /etc/ldap.conf:

uri ldap://server1.ipa.middlebury.edu ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu

then logins work. In fact, I don't even need the change in sssd.conf. I can put that back the way it was, and logins still work. It's only the line in /etc/ldap.conf that seems to be necessary.


If that works it means that you are not using SSSD on RHEL5 clients.
Please check your nsswitch and pam.conf to see what modules are actually used.

Which RHEL5 versions do you use?
If memory does not fail me if you have SSSD 1.5 (I think it was starting 5.8) you should be able to use ipa-client-install to configure sssd and pass the list of the servers in the --server option.

So, I have two questions:

1. Am I understanding this correctly?

2. If so, is there a way to automate this so that when I run ipa-client-install on my RHEL 5 clients, they get the correct LDAP settings from the beginning, and I don't have to go and manually edit the ldap.conf file?

David Guertin





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to