
I am having trouble with LDAP authentication fail-over. We currently have two CentOS-DS directory servers working in a multi-master setup, one server per site. Normally, logins process fine. However, I am having trouble with the fail-over part. If ldap_SiteA.domain.local goes down, all the servers in that location, which normally point to that first, do not then look at the second entry: ldap_siteB.domain.local.

We use LDAP for both logins and sudo. Here is a copy of my /etc/ldap.conf on a CentOS 5.6 server running in Site A (for Site B, the order of servers is reversed).

Here is part of the script I wrote up to do the authentication via LDAP:

authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap_siteA.domain.local,ldap_siteB.domain.local --ldapbasedn="dc=domain,dc=local" --update
echo 'sudoers:    files ldap' >> /etc/nsswitch.conf
echo 'base dc=domain,dc=local
timelimit 15
bind_policy soft
bind_timelimit 30
idle_timelimit 30
uri ldaps://ldap_siteA.domain.local/
uri ldaps://ldap_siteB.domain.local/
ssl yes
tls_checkpeer no
pam_password clear
#debug used for troubleshooting
#sudoers_debug 2
sudoers_base    ou=SUDOers,dc=domain,dc=local
' > /etc/ldap.conf

Am I missing something for fail-over to work properly? Also, we seem to have a few hosts that like to fire off LOTS AND LOTS of connections to the LDAP server. Should I adjust my timeouts better for that? Use the NSCD service? Both?

Thanks!

Brian

1 Answer

uri ldaps://ldap_siteA.domain.local/ ldaps://ldap_siteB.domain.local/

Limited local replicas are better than nscd, but more complicated to set up.
If you are using LDAP for uid/gid, it is good to have one or the other.
ls -l /home/ gets noisy.

84104
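The answer's point is that nss_ldap/pam_ldap reads a single `uri` line and fails over between the servers listed on it, rather than between separate `uri` lines. The script below is an added example (it is not the original poster's script or the answerer's code) that writes a config in that form and checks it before it is installed. It reuses the hostnames, base DN and sudoers_base from the question; the output path is a parameter so the result can be inspected on a scratch file first, and `check_server` assumes the OpenLDAP `ldapsearch` client is installed.

```shell
#!/bin/sh
# Added example: generate an /etc/ldap.conf with BOTH servers on ONE "uri" line
# (the fail-over form the answer describes) and verify the file before use.

# Site-specific server order, as the question describes: each site lists its
# own directory server first and the other site's server second.
servers_for_site() {
    case "$1" in
        A) echo "ldap_siteA.domain.local ldap_siteB.domain.local" ;;
        B) echo "ldap_siteB.domain.local ldap_siteA.domain.local" ;;
        *) echo "unknown site: $1" >&2; return 1 ;;
    esac
}

# write_ldap_conf OUTPUT_PATH PRIMARY SECONDARY
# Settings other than the uri line are the ones from the question.
write_ldap_conf() {
    out="$1"; primary="$2"; secondary="$3"
    cat > "$out" <<EOF
base dc=domain,dc=local
timelimit 15
bind_policy soft
bind_timelimit 30
idle_timelimit 30
# One uri line, space separated: the client tries each in order and moves on
# to the next when the first is unreachable.
uri ldaps://${primary}/ ldaps://${secondary}/
ssl yes
# NOTE: tls_checkpeer no (kept from the question) skips verification of the
# server certificate, so a spoofed directory server would not be detected.
tls_checkpeer no
pam_password clear
sudoers_base ou=SUDOers,dc=domain,dc=local
EOF
}

# Number of "uri" lines in the file; the fail-over form has exactly one.
uri_line_count() {
    grep -c '^uri ' "$1"
}

# Number of servers on the first "uri" line (fields after the keyword).
uri_server_count() {
    awk '/^uri /{print NF-1; exit}' "$1"
}

# Optional reachability probe of one server: an anonymous root-DSE read.
# Not run by the checks below; use it from each site to confirm both servers
# answer before relying on fail-over.
check_server() {
    ldapsearch -x -H "ldaps://$1/" -b '' -s base -l 5 >/dev/null 2>&1
}

# Stand-alone usage: write the Site A config to a scratch file and report.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    set -- $(servers_for_site A)
    write_ldap_conf "$tmp" "$1" "$2"
    echo "uri lines: $(uri_line_count "$tmp"), servers on it: $(uri_server_count "$tmp")"
    cat "$tmp"
    rm -f "$tmp"
fi
```

Once the scratch file looks right, copy it over /etc/ldap.conf and keep the `authconfig` and nsswitch lines from the original script; the `sudoers: files ldap` entry and the base DN are unchanged by this.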