On Wed, 16 Dec 2015, Karl Forner wrote:
>> If you do a local login instead of a kinit, you will see that SSSD will
>> switch to the new server and subsequent kinit will start using it.
>
> Ok, I checked and it works just fine for me, thanks.
>
> This dynamic discovery of FreeIPA servers by SSSD is very elegant and
> smart, but I still do not understand how you automatically switch to a
> replica (ipa2) if your master (ipa1) is down, in some cases:
>
> - to access the FreeIPA web UI. You have to use a URL, e.g.
> https://ipa1.example.com
> If ipa1 is down, how do you know which URL to use?
We have no mechanism for that. Hiding the IPA web UI behind a balancer is
not easy: Kerberos does not really like balancers. You can search the
archives of this list to learn more.

> - if you have other web apps that authenticate against the FreeIPA LDAP
> server.
> Usually you have to provide an LDAP URL in the web app configuration, e.g.
> ldap://ipa1.example.com.
> What happens when ipa1 is down?
That's easy, and there are two different approaches here:
1. Use SSSD instead of directly talking to the FreeIPA LDAP server, as we
describe and recommend on https://www.freeipa.org/page/Web_App_Authentication
2. Use the SRV discovery syntax built into OpenLDAP's tools.

The latter is a somewhat less-known feature mandated by RFC 4516:
http://www.rfc-editor.org/rfc/rfc4516.txt

It is achieved with the -H option of ldapsearch or other LDAP tools if you
don't specify a host but rather use a DN, dc=example,dc=com, encoded in the
manner of RFC 2396: dc%3Dexample%2Cdc%3Dcom

where %3D is the escape sequence for '=' and %2C is the escape sequence for ','

ldapsearch -H ldap:///dc%3Dexample%2Cdc%3Dcom

would request that ldapsearch first resolve the DNS SRV record
_ldap._tcp.example.com and then connect to the list of servers returned.

All tools from the OpenLDAP client side use this technique and rotate over
the list of servers. You can specify multiple servers yourself too, as

  -H "ldap://ipa1.example.com ldap://ipa2.example.com ldap://ipa3.example.com"

but using DNS SRV records is more reliable because you don't need to
change your script when you decommission servers.

However, the first syntax will not work for just any application using
libldap, as they don't do this additional SRV discovery. Instead, the
second approach should work for them: pass a list of servers separated
by spaces instead of a single one. Again, this is LDAP-library specific,
and not all libraries support this. This is why we recommend that you
actually use SSSD. :)

--
/ Alexander Bokovoy

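An added worked example, written for this page and not part of Alexander's reply nor of OpenLDAP or FreeIPA code: it emulates what a client does with a host-less LDAP URL of the kind discussed above. It decodes the percent-encoded DN, derives the DNS domain from the dc= components, builds the _ldap._tcp.<domain> SRV owner name, orders the records the way RFC 2782 prescribes (priority, then weighted random within a priority), and produces both the ordered list of servers to try and the equivalent space-separated -H argument for clients that cannot do SRV discovery themselves. The SRV records and the ipa1/ipa2/ipa3 host names are constructed sample data standing in for a real DNS answer; no query is sent, and all function names are this example's own.

```python
import random
from urllib.parse import unquote, urlsplit

# Constructed sample answer for a DNS query of _ldap._tcp.example.com, as
# tuples of (priority, weight, port, target).  The hosts are assumptions
# for this example; nothing here talks to a real resolver.
SAMPLE_SRV = {
    "_ldap._tcp.example.com": [
        (0, 100, 389, "ipa1.example.com"),
        (0, 100, 389, "ipa2.example.com"),
        (10, 0, 389, "ipa3.example.com"),  # lower preference: tried last
    ],
}


def dn_to_domain(dn):
    """Map the dc= components of a DN to a DNS domain, e.g.
    cn=users,cn=accounts,dc=example,dc=com -> example.com."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc":  # ou=/cn= RDNs carry no DNS meaning
            labels.append(value.strip())
    if not labels:
        raise ValueError("DN has no dc= components: %r" % dn)
    return ".".join(labels)


def srv_name_for_url(url):
    """Return the SRV owner name implied by a host-less LDAP URL such as
    ldap:///dc%3Dexample%2Cdc%3Dcom.  A URL that names a host needs no
    discovery and is rejected here."""
    parts = urlsplit(url)
    if parts.netloc:
        raise ValueError("URL names a host explicitly: %r" % url)
    dn = unquote(parts.path.lstrip("/"))  # %3D -> '=', %2C -> ','
    service = "_ldaps" if parts.scheme == "ldaps" else "_ldap"
    return "%s._tcp.%s" % (service, dn_to_domain(dn))


def order_srv(records, rng=random):
    """Order SRV records as RFC 2782 prescribes: ascending priority, and
    within one priority a weighted random pick for each slot."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # zero-weight records go first so they are chosen only when x == 0
        bucket = sorted((r for r in records if r[0] == prio), key=lambda r: r[1])
        while bucket:
            total = sum(r[1] for r in bucket)
            x = rng.randint(0, total)  # inclusive range 0..total
            running = 0
            for rec in bucket:
                running += rec[1]
                if running >= x:
                    break
            ordered.append(rec)
            bucket.remove(rec)
    return ordered


def server_list(url, srv_lookup=SAMPLE_SRV.get, rng=random):
    """Expand a DN-only LDAP URL into the ordered server URLs a client
    should try, which is what -H ldap:///<DN> triggers in an SRV-aware
    client.  srv_lookup stands in for the DNS query (sample data here)."""
    scheme = urlsplit(url).scheme
    name = srv_name_for_url(url)
    records = srv_lookup(name)
    if not records:
        raise LookupError("no SRV records for %s" % name)
    return ["%s://%s:%d" % (scheme, target, port)
            for _prio, _weight, port, target in order_srv(records, rng)]


def explicit_uri_list(url, **kw):
    """Space-separated form of the same list: the -H argument to hand to
    clients that accept several URIs but do no SRV discovery themselves."""
    return " ".join(server_list(url, **kw))


if __name__ == "__main__":
    base = "ldap:///dc%3Dexample%2Cdc%3Dcom"
    print("SRV name:", srv_name_for_url(base))
    for uri in server_list(base):
        print("try", uri)
    print("-H", repr(explicit_uri_list(base)))
```

Running it prints the SRV name, the ordered servers (ipa1 and ipa2 in a random order, ipa3 last because of its lower preference) and the matching -H string. In real use the client asks the resolver for _ldap._tcp.example.com itself; the point of the emulation is to show why decommissioning a replica only requires updating DNS, while the explicit-list form has to be edited in every script.
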
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project