
List:       pamldap
Subject:    [pamldap] RE: pamldap failover between two MS active directory server
From:       "Jeremy Jin" <jin () gedco ! com>
Date:       2005-06-20 17:45:29
Message-ID: IPEILMEGOAAPCHLALLGKGEICIDAA.jin () gedco ! com

This sounds like a really smart solution. Thanks. So there is only one
question unanswered (sorry, I have too many questions mixed together).

When the first installed domain controller is unplugged, I change the
/etc/ldap.conf and /etc/resolv.conf on the pam_ldap clients to have only the
secondary domain controller, so it should have nothing to do with the first
controller. Then I use "getent passwd", and there is no delay to show all
user information. But when I use the ssh client to log in, after I type the
password there is still a short delay (about 3 to 5 seconds).

This is not bad, but I am still curious to know what causes the delay. I
checked the live domain controller's IP configuration; it uses 127.0.0.1 as
its name server, so it should not contact the dead server for name
resolution.

If this question gets answered, then the failover will be perfect.

Thanks.

Jeremy


-----Original Message-----
From: owner-pamldap@padl.com [mailto:owner-pamldap@padl.com]On Behalf Of
Wade Turland
Sent: Monday, June 20, 2005 2:13 AM
To: Ivaylo Stratkov
Cc: jin@gedco.com; pamldap@padl.com
Subject: RE: [pamldap] RE: pamldap failover between two MS active directory
server


At my last employer, we had a monitoring script that would re-order the
preferred hosts. It was a dirty awk/shell script and I don't have it any
more, but something like this should work:

#!/usr/bin/perl
# Every $sleep seconds, test the first host on the ldap.conf "host" line
# (connect + bind); if it fails, rewrite ldap.conf with that host moved to
# the end so clients try the live server first.

use strict;
use warnings;
use Net::LDAP;

my $conf_file = '/etc/ldap.conf';
my $sleep     = 15;

while (1) {
    my @conf = ();
    my ($ldaphost, $binddn, $bindpw);
    open(my $conf, '+<', $conf_file) or die "Can't open $conf_file: $!";
    while (my $line = <$conf>) {
        if ($line =~ /^host\s/) {
            chomp($line);
            my @hosts = split(/\s+/, $line);
            shift(@hosts);                 # throw out 'host' keyword
            $ldaphost = shift(@hosts);     # we're gonna test this one
            push(@hosts, $ldaphost);       # move it to the end
            unshift(@hosts, 'host');       # put 'host' keyword back
            $line = join(' ', @hosts) . "\n";
        }
        $binddn = $1 if $line =~ /^binddn\s+(.*)/;
        $bindpw = $1 if $line =~ /^bindpw\s+(.*)/;
        push(@conf, $line);
    }

    # connect with a bounded timeout, then bind (maybe also search) to make
    # sure the server is actually working, not just accepting TCP
    my $ldap = defined $ldaphost
        ? Net::LDAP->new($ldaphost, port => 389, timeout => 5)
        : undef;
    my $ok = 0;
    if (defined $ldap) {
        my $mesg = defined $binddn
            ? $ldap->bind($binddn, password => $bindpw)
            : $ldap->bind;                 # anonymous bind if no binddn
        $ok = !$mesg->is_error;
    }

    if (defined $ldaphost && !$ok) {
        # rewrite the file in place with the dead host moved to the end
        seek($conf, 0, 0) && truncate($conf, 0);
        print {$conf} @conf;
    }
    close($conf);
    $ldap->unbind if $ldap;
    sleep $sleep;
}


Note there may be a race where the user may find an empty config, but
only when their connection would fail anyway.

Cheers,
Wade.

--
_____________________________________________
Wade Turland
UNIX Technical Specialist (Mobile)
Business Network Operations
Our Customers, Our People - Our Service
'yes' OPTUS

Phone: +61 2 9775 9892
Fax: +61 2 9775 9500
Mobile: 0423 883 885
<mailto:wade.turland@optus.net.au>
_____________________________________________
****DISCLAIMER****
This email may contain confidential information. If you are not the intended
recipient, please notify the sender immediately and delete this email from
your system. You must not disclose this email to anyone without express
permission from the sender. The contents of all emails sent to, and received
from, Optus may be scanned, stored, or disclosed to others by Optus at
Optus' discretion. Optus has exercised care to avoid errors in the
information contained in this email but does not warrant that the
information is error or omission free.
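Wade's script rewrites ldap.conf in place (seek, truncate, print), which is the window he mentions where a reader can find an empty file. The following is an added example, not Wade's script and not from this thread: the same host rotation in Python, written through a temporary file and rename so a reader sees either the old or the new config and never a truncated one, plus a probe that times name resolution and the TCP connect separately, which is the split Ivaylo says is hard to see when the primary is both DNS and LDAP server. The probe is a plain TCP connect rather than an LDAP bind (a simplification), the sample config is constructed, and the default path and timeouts are assumptions.

```python
import os
import socket
import tempfile
import time

# Constructed sample of an nss_ldap/pam_ldap config; not a real file.
SAMPLE_CONF = (
    "base dc=example,dc=com\n"
    "host 192.168.1.1 192.168.1.2\n"
    "binddn cn=proxy,dc=example,dc=com\n"
)


def split_delay(host, port=389, timeout=3.0):
    """Time name resolution and the TCP connect to the LDAP port separately,
    so a login delay can be attributed to DNS or to LDAP.
    Returns (dns_seconds, connect_seconds, connected)."""
    t0 = time.monotonic()
    try:
        addr = socket.gethostbyname(host)
    except OSError:
        return time.monotonic() - t0, 0.0, False
    t1 = time.monotonic()
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            connected = True
    except OSError:
        connected = False
    return t1 - t0, time.monotonic() - t1, connected


def rotate_host_line(text, probe):
    """Test the first host on the 'host' line with probe(host); if it is
    dead, move it to the end. Other lines are passed through unchanged.
    Returns (new_text, tested_host, alive)."""
    out = []
    tested, alive = None, True
    for line in text.splitlines(keepends=True):
        fields = line.split()
        if tested is None and len(fields) > 1 and fields[0] == "host":
            tested = fields[1]
            alive = probe(tested)
            if not alive:
                line = "host " + " ".join(fields[2:] + [tested]) + "\n"
        out.append(line)
    return "".join(out), tested, alive


def write_atomic(path, text):
    """Write to a temp file in the same directory, fsync, then rename over
    the target: readers see the old or the new file, never an empty one."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".ldap.conf.", dir=d)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        try:
            os.chmod(tmp, os.stat(path).st_mode)   # keep the original mode
        except FileNotFoundError:
            pass
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def check_once(path="/etc/ldap.conf", probe=None):
    """One monitoring pass. Returns (tested_host, alive)."""
    if probe is None:
        probe = lambda h: split_delay(h)[2]
    with open(path) as f:
        text = f.read()
    new_text, host, alive = rotate_host_line(text, probe)
    if host is not None and not alive:
        write_atomic(path, new_text)
    return host, alive


def rotate_on_copy(text, probe):
    """Run the whole path against a temporary copy of the config and return
    the 'host' line that ends up on disk (safe to call without root)."""
    path = os.path.join(tempfile.mkdtemp(), "ldap.conf")
    write_atomic(path, text)
    check_once(path, probe)
    with open(path) as f:
        return next(l.rstrip("\n") for l in f if l.startswith("host "))


if __name__ == "__main__":
    host, alive = check_once()
    print(host, "ok" if alive else "dead, rotated to end")
```

Run it from cron or a loop as root; `split_delay` on its own (for example against the dead controller's name) shows whether the seconds are spent in the resolver or in the connect, which is the question Jeremy is left with.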

On Sun, 19 Jun 2005, Ivaylo Stratkov wrote:

> Hi Jeremy,
>
> as far as I know you are right - the dead server will not be remembered by
> nss_ldap and pam_ldap. BTW it won't be remembered by the name resolution
> program. What probably you can do is to reduce the timeouts. There is a
> bind_timeout in ldap.conf (excuse me if I am not quoting the name of the
> configuration file directive correctly). Some UNIXes and Linux have a
> timeout directive available in the /etc/resolv.conf as well.
>
> One more thing - when your primary DNS / LDAP server is down it is not a
> clear cut which part of the delay is caused by DNS and which by LDAP part.
>
> Cheers.
>
> Ivaylo
>
>> From: "Jeremy Jin" <jin@gedco.com>
>> To: "Ivaylo Stratkov" <istratkov@hotmail.com>, <pamldap@padl.com>
>> Subject: [pamldap] RE: pamldap failover between two MS active directory
>> server
>> Date: Fri, 17 Jun 2005 11:13:57 -0600
>>
>> Thanks for the reply. It solved the problem to some extent.
>>
>> Though both 192.168.1.1 and 192.168.1.2 are DNS servers, I didn't
>> configure 192.168.1.2 in /etc/resolv.conf.
>>
>> After I added 192.168.1.2 to /etc/resolv.conf, I tested again; the result
>> is better (but not ideal yet).
>>
>> If I unplug 192.168.1.1 and then type "getent passwd", it has a short
>> delay before displaying all user names. If I remove 192.168.1.1 from
>> /etc/ldap.conf, then there is no delay to show user names. That's good.
>>
>> Then I use the ssh client to log in; after I type the password, after a
>> short delay I can log in.
>>
>> Now the situation is,
>>
>> 1. If the /etc/ldap.conf has both 192.168.1.1 and 192.168.1.2 and
>> 192.168.1.1 is dead, nss_ldap and pam_ldap can NOT remember the dead
>> server. Every time we need to log in, we have to wait for the dead server
>> timeout. We can manually remove the dead server from /etc/ldap.conf as a
>> workaround.
>>
>> 2. pam_ldap still has a delay.
>>
>> Thanks.
>>
>> Jeremy
>>
>>
>> -----Original Message-----
>> From: owner-pamldap@padl.com [mailto:owner-pamldap@padl.com]On Behalf Of
>> Ivaylo Stratkov
>> Sent: Thursday, June 16, 2005 8:54 PM
>> To: jin@gedco.com; pamldap@padl.com
>> Subject: RE: [pamldap] pamldap failover between two MS active directory
>> server
>>
>>
>>
>> Is 192.168.1.1 your DNS as well?
>>
>>
>>> From: "Jeremy Jin" <jin@gedco.com>
>>> To: <pamldap@padl.com>
>>> Subject: [pamldap] pamldap failover between two MS active directory
>> server
>>> Date: Mon, 13 Jun 2005 09:16:18 -0600
>>>
>>> Hello,
>>>
>>> I am trying to integrate our Linux boxes into a Windows Server 2003
>>> domain. So far it works well except for the problem in the subject.
>>>
>>> My environment,
>>>
>>> 2 Windows Server 2003 installed in Windows 2000/2003 native mode. The
>>> first installed server is 192.168.1.1. The second installed server is
>>> 192.168.1.2.
>>>
>>> Linux boxes (Red Hat Enterprise Linux ES 3) as LDAP clients.
>>>
>>> nss_ldap and pam_ldap are included in Red Hat. The rpm info is,
>>>
>>> [root@mylinux /]# rpm -qa | grep ldap
>>> nss_ldap-207-11
>>> mod_authz_ldap-0.22-5
>>> openldap-devel-2.0.27-17
>>> openldap-2.0.27-17
>>> openldap-clients-2.0.27-17
>>> openldap-servers-2.0.27-17
>>> php-ldap-4.3.2-14.ent
>>>
>>> [root@mylinux /]# rpm -qa | grep pam
>>> pam_smb-1.1.7-1
>>> pam_krb5-1.73-1
>>> pam-0.75-58
>>> pam-devel-0.75-58
>>>
>>> I am surprised that I didn't see a pam_ldap RPM. But I checked the files
>>> of nss_ldap and found pam_ldap.so is included in the nss_ldap RPM.
>>>
>>> The host line in my /etc/ldap.conf is "host 192.168.1.1 192.168.1.2". If
>>> the first server is down, the second one is supposed to respond.
>>>
>>> My testing result is,
>>>
>>> I unplugged the network cable of 192.168.1.1. I can still log in to the
>>> Linux boxes. But it took a very long time (much longer than the
>>> bind_timelimit setting in /etc/ldap.conf). This result is not reasonable
>>> in a production environment. So I tried to remove 192.168.1.1 from the
>>> host line, so the host line is only "host 192.168.1.2". I hoped I could
>>> log in without delay. But it is very strange that it still took a long
>>> time to log in.
>>>
>>> So what is the best way to do failover? In case the first server is
>>> down, how can I make sure users log in without a long delay?
>>>
>>> Thanks in advance.
>>>
>>> JJ

