LDAP failover

Hi,

Our main IPA server went a bit wonky this week and stopped listening to
authentication requests. Didn't notice a problem as all our sssd clients
are configured to look at a string of replicated servers.

Failed Foreman logins was what alerted us to the problem as it was only
pointing at the failed LDAP server.

Looking at the manual, it doesn't specifically mention being able to put a
sequence of LDAP servers in the Hosts field. Is this possible, or would an
RFE be in order?

Cheers

D

Guys,

I wouldn't get hung up on which is the more 'right' way to do it. I would
certainly prefer to use the SRV records, but our Windows team control that
and won't make changes in case it causes problems (even though we're a
subdomain of the main corporate domain - unix.example.com). I'm in the
same situation with our IPA clients - I have to specify a list of IPA
servers to authenticate against, or there's no failover.

Is it feasible to add another LDAP source that points to a replicated copy
of the main one? It looks to me like users are tied to one of the LDAP
sources as you can't delete the LDAP source if any of its users still
exist.

Cheers

D

This is not possible, however I believe this is something that Foreman
should not take care of, just like any other client for your LDAP servers.
Normally you would put all your replicated servers under the same DNS
through a load balancer, or just use an actual load balancer to put your
ldap servers behind it. Once that's done, you can point your Authentication
Source in Foreman to that, say "ldapserversdns.innes.net" or
"ldaploadbalancer.innes.net", whichever you prefer :)

Hope that answers your question :)

··· On Thu, Jun 12, 2014 at 2:20 PM, Duncan Innes wrote:

You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Daniel Lobato

@elobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30

To explain our setup a little bit, we have 8 IPA servers in 4 separate
network zones, geo and firewall separated. There are a pair in each zone
which we would ideally use as the main failover pair, but some zones can
also see the pair in a neighbouring zone, so we use them in the list too.

Lists aren't ideal - I know that part. Failover isn't the most elegant in
my experience - all too easy to end up authenticating against your worst
possible source (server4) even when the main sources (server 1 & 2) are
back online.

Thankfully, failover is extremely rare as IPA has been very robust for us,
so using the most local pair in a Foreman authentication setup would be
fine. I'm still negotiating with Windows to look at setting up SRV records
for the Unix subdomain, but it seems a long way off for now.

Cheers

D

··· On Friday, 13 June 2014 08:54:33 UTC+1, Duncan Innes wrote:

> This is not possible, however I believe this is something that Foreman
> should not take care of, just like any other client for your LDAP servers.
> Normally you would put all your replicated servers under the same DNS
> through a load balancer, or just use an actual load balancer to put your
> ldap servers behind it. Once that's done, you can point your Authentication
> Source in Foreman to that, say "ldapserversdns.innes.net" or
> "ldaploadbalancer.innes.net", whichever you prefer :)

Why not support SRV records instead?

Ohad

··· On Jun 12, 2014 9:56 PM, "Daniel Lobato" wrote:
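Ohad's SRV suggestion and Duncan's complaint about ending up on the worst source after a failover both come down to how a client orders its targets. The following is an added example, not Foreman code and not anything posted in the thread: it applies RFC 2782 ordering (priority first, then weight) to a constructed set of SRV records for _ldap._tcp.unix.example.com and re-evaluates that order on every connection attempt, so the local pair is used again as soon as it answers. The host names ipa1 to ipa4 and the health-probe callback are assumptions; a real client would fetch the records from DNS.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower values are tried first
    weight: int    # relative share among targets of equal priority
    port: int
    target: str

# Constructed SRV data for _ldap._tcp.unix.example.com (hypothetical hosts):
# the local IPA pair at priority 10, the neighbouring zone's pair at 20.
CONSTRUCTED_SRV = [
    SrvRecord(10, 50, 389, "ipa1.unix.example.com"),
    SrvRecord(10, 50, 389, "ipa2.unix.example.com"),
    SrvRecord(20, 50, 389, "ipa3.unix.example.com"),
    SrvRecord(20, 50, 389, "ipa4.unix.example.com"),
]

def order_by_srv(records, rng=random):
    """Order targets RFC 2782 style: ascending priority, then a weighted
    random draw among the records that share a priority."""
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(rec.weight for rec in pool)
            pick = rng.randint(0, total)  # draw in 0..total inclusive
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:  # first record whose cumulative weight reaches the draw
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered

def pick_server(records, is_healthy, rng=random):
    """Return the first target that passes the health probe, walking the SRV
    order afresh each call, so a recovered priority-10 server is preferred
    again instead of the client sticking with the last fallback it reached."""
    for rec in order_by_srv(records, rng):
        if is_healthy(rec):
            return rec
    return None
```

Calling pick_server before each bind (rather than caching the result) is what prevents the "stuck on server4" behaviour described above once the local pair is back.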

Didn't mean to derail the conversation – supporting a connection
pool (list of servers) and SRV records would be ideal, but for now you could
implement Daniel's LB recommendation.

Adding a second auth source won't solve the problem really, because users are
tied to a specific auth source once they're created. You could just change
the server to point to a working one in the Foreman configuration. It's manual,
but if it's infrequent it might be good enough for now.

- Stephen
··· ----- Original Message -----

From: “Duncan Innes” duncan@innes.net
To: foreman-users@googlegroups.com
Sent: Friday, June 13, 2014 1:39:33 PM
Subject: [foreman-users] Re: LDAP failover

Stephen Benjamin
stephen@bitbin.de