LDAP failover

That's certainly not the typical or right way of doing things, even if it works. Look at SSSD for example, which uses a pool of URIs and/or SRV records… That's how Foreman should do it.

I think there's an open RFE already? If not there should be…

-----Original Message-----
From: "Daniel Lobato"
Sent: 6/13/2014 7:42
To: "foreman-users@googlegroups.com"
Subject: Re: [foreman-users] LDAP failover

This is not possible, however I believe this is something that Foreman
should not take care of, just like any other client for your LDAP servers.
Normally you would put all your replicated servers under the same DNS
through a load balancer, or just use an actual load balancer to put your
ldap servers behind it. Once that's done, you can point your Authentication
Source in Foreman to that, say "ldapserversdns.innes.net" or
"ldaploadbalancer.innes.net", whichever you prefer :slight_smile:

Hope that answers your question :slight_smile:

On Thu, Jun 12, 2014 at 2:20 PM, Duncan Innes duncan@innes.net wrote:

Hi,

Our main IPA server went a bit wonky this week and stopped listening to
authentication requests. Didn’t notice a problem as all our sssd clients
are configured to look at a string of replicated servers.

Failed Foreman logins were what alerted us to the problem, as it was only
pointing at the failed LDAP server.

Looking at the manual, it doesn’t specifically mention being able to put a
sequence of LDAP servers in the Hosts field. Is this possible, or would an
RFE be in order?

Cheers

D


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Daniel Lobato

@elobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30



I wouldn't say that it's "not the right way of doing things." Using a
hardware load balancer (or software) for LDAP is perfectly fine. It's what
we do, and it's what many other companies do. Should Foreman allow you to
specify multiple LDAP servers or interpret SRV records? Probably.

Josh

On Thu, Jun 12, 2014 at 10:13 PM, Stephen Benjamin wrote:

That's certainly not the typical or right way of doing things, even if it
works. Look at SSSD for example, which uses a pool of URIs and/or SRV
records… That's how Foreman should do it.

I think there’s an open RFE already? If not there should be…


The main reason people set up LB's for datacenter services to begin
with is because the application doesn't support anything more than a
single server.

That's what I meant by not the right thing to do: Foreman should
have the support natively for SRV records, as well as connection
pools.

LB's themselves have drawbacks for managing data center services,
too:

  • It's complex and expensive, the load balancers themselves will
    need to be HA too.

  • Without SSL offloading, you're going to be breaking LDAPS.

  • The load balancer is also in a single datacenter – you'll need
    an HA setup of 2x LB in each of your datacenters.

  • No cross-geo failover.

DNS SRV records scale globally, allow things like priority based on
geo, and are vastly simpler to set up.

----- Original Message -----
From: "Josh Baird"
To: foreman-users@googlegroups.com
Sent: Friday, June 13, 2014 8:02:43 AM
Subject: Re: [foreman-users] LDAP failover

I wouldn’t say that it’s “not the right way of doing things.” Using a hardware load balancer (or software) for LDAP is perfectly fine. It’s what we do, and it’s what many other companies do. Should Foreman allow you to specify multiple LDAP servers or interpret SRV records? Probably.

Josh



Stephen Benjamin
stephen@bitbin.de
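An added example, not Foreman's or SSSD's own code, of the SRV-based pool selection Stephen describes: RFC 2782 ordering (priority first, weighted random within a priority) over a constructed `_ldap._tcp` record set, followed by a failover walk that skips an unresponsive replica the way Duncan's sssd clients did. The record data, hostnames and the `connect` probe are assumptions made up for the example.

```ruby
require "resolv"

SrvRecord = Struct.new(:priority, :weight, :target, :port)

# Constructed sample data (not real DNS): two replicas in the local site
# (priority 10, weights 60/40) and one remote fallback (priority 20).
SAMPLE_SRV = [
  SrvRecord.new(10, 60, "ipa1.example.test", 636),
  SrvRecord.new(10, 40, "ipa2.example.test", 636),
  SrvRecord.new(20, 0,  "ipa-dr.example.test", 636),
].freeze

# Real lookup for production use: reads _ldap._tcp.<domain> via Resolv.
# Not called by the offline demo below.
def srv_from_dns(domain)
  Resolv::DNS.new.getresources("_ldap._tcp.#{domain}", Resolv::DNS::Resource::IN::SRV)
    .map { |r| SrvRecord.new(r.priority, r.weight, r.target.to_s, r.port) }
end

# RFC 2782 ordering: ascending priority; inside each priority group pick a
# random number 0..sum(weights) and take the first record whose running
# weight sum reaches it, so weight-0 records are chosen only as a last resort.
# `rng.call(n)` must return an integer in 0...n (injectable for testing).
def order_srv(records, rng: ->(n) { rand(n) })
  records.group_by(&:priority).sort.flat_map do |_, group|
    remaining = group.dup
    ordered = []
    until remaining.empty?
      pick = rng.call(remaining.sum(&:weight) + 1)
      running = 0
      chosen = remaining.find { |r| (running += r.weight) >= pick } || remaining.first
      ordered << remaining.delete(chosen)
    end
    ordered
  end
end

# Walk the ordered pool and return [host, port] of the first server that
# accepts a connection, or nil when every replica is down. `connect` is a
# hypothetical probe: a callable returning true on success; refusals and
# timeouts (raised errors) are treated as a dead server and skipped.
def first_reachable(ordered, connect:)
  ordered.each do |r|
    return [r.target, r.port] if connect.call(r.target, r.port)
  rescue StandardError
    next
  end
  nil
end
```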