I am having trouble with LDAP authentication fail-over. We currently have two CentOS-DS directory servers working in a multi-master setup, one server per site. Normally, logins process fine. However, I am having trouble with the fail-over part: if ldap_siteA.domain.local goes down, all the servers in that location, which normally point to that server first, do not then fall back to the second entry, ldap_siteB.domain.local.
We use LDAP for both logins and sudo. Here is a copy of my /etc/ldap.conf on a CentOS 5.6 server running in Site A. (For Site B, the order of servers is reversed.)
Here is part of the script I wrote up to do the authentication via LDAP:
# Point nss_ldap/pam_ldap at both directory servers and create home directories on first login
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap_siteA.domain.local,ldap_siteB.domain.local --ldapbasedn="dc=domain,dc=local" --update
# Let sudo read its rules from LDAP after the local sudoers file
echo 'sudoers: files ldap' >> /etc/nsswitch.conf
# Write the client configuration (quoted heredoc, so nothing inside is expanded by the shell)
cat > /etc/ldap.conf <<'EOF'
base dc=domain,dc=local
timelimit 15
bind_policy soft
bind_timelimit 30
idle_timelimit 30
uri ldaps://ldap_siteA.domain.local/
uri ldaps://ldap_siteB.domain.local/
ssl yes
tls_checkpeer no
pam_password clear
#debug used for troubleshooting
#sudoers_debug 2
sudoers_base ou=SUDOers,dc=domain,dc=local
EOF
Am I missing something for fail-over to work properly? Also, we seem to have a few hosts that like to fire off LOTS AND LOTS of connections to the LDAP server. Should I adjust my timeouts for that? Use the NSCD service? Both?
Thanks!
uri ldaps://ldap_siteA.domain.local/ ldaps://ldap_siteB.domain.local/
Limited local replicas are better than nscd, but more complicated to set up.
If you are using LDAP for uid/gid, it is good to have one or the other; ls -l /home/ gets noisy.
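As an added check (not part of the question or the answer), a small Python linter that parses an ldap.conf like the one above, flags the two-line uri layout the answer corrects, flags tls_checkpeer no, and rewrites the file into the single-line form the answer gives. It assumes, as the answer implies, that the client only honours one uri line; the sample config is constructed from the question.

```python
# Constructed sample: the /etc/ldap.conf that the question's script writes.
SAMPLE_LDAP_CONF = """base dc=domain,dc=local
timelimit 15
bind_policy soft
bind_timelimit 30
idle_timelimit 30
uri ldaps://ldap_siteA.domain.local/
uri ldaps://ldap_siteB.domain.local/
ssl yes
tls_checkpeer no
pam_password clear
#sudoers_debug 2
sudoers_base ou=SUDOers,dc=domain,dc=local
"""


def parse_ldap_conf(text):
    """Return (key, value) pairs in file order, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((key.lower(), value.strip()))
    return entries


def lint_ldap_conf(text):
    """Flag settings that defeat fail-over or weaken the TLS session."""
    entries = parse_ldap_conf(text)
    findings = []
    if sum(1 for k, _ in entries if k == "uri") > 1:
        findings.append("multiple 'uri' lines: only one takes effect, so no fail-over; "
                        "list every server on a single 'uri' line")
    if any(k == "tls_checkpeer" and v.lower() == "no" for k, v in entries):
        findings.append("tls_checkpeer no: the server certificate is never verified")
    return findings


def merge_uri_lines(text):
    """Collapse all 'uri' lines into one space-separated line where the first one was."""
    lines = text.splitlines()
    is_uri = lambda l: l.strip().lower().startswith("uri ")
    uris = [l.split(None, 1)[1].strip() for l in lines if is_uri(l)]
    out, done = [], False
    for l in lines:
        if is_uri(l):
            if not done:
                out.append("uri " + " ".join(uris))
                done = True
            continue
        out.append(l)
    return "\n".join(out) + "\n"
```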