[Freeipa-users] How to failover to IPA replica server

Rob Crittenden rcritten at redhat.com
Sun Feb 10 01:53:13 UTC 2013


Rajnesh Kumar Siwal wrote:
> We have setup an IPA replica server on the environment using the
> following command:
> #ipa-replica-install --setup-dns --setup-ca --forwarder=192.168.1.204
> /var/lib/ipa/replica-info-ipa2.labs.local.gpg
>
> There is a client authenticating against it.
> If I shut down ipa1 (the master server), the client does not fall back
> and authenticate against ipa2 (the replica).

We are working on fixing this now. Once a client is enrolled, sssd 
will handle the fallback, but during installation things can fail if it 
tries to contact a downed server.

> Logs that can be seen at IPA2:
> [09/Feb/2013:15:52:50 +0000] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't
> contact LDAP server)
> [09/Feb/2013:15:56:02 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
> is not connected)
> [09/Feb/2013:15:56:02 +0000] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't
> contact LDAP server)

Seems like this should be expected, it can't connect to do replication.

>
>
> nslookup from the IPA client:
> [root at testvm ~]# nslookup -type=srv _kerberos._tcp.labs.local
> Server:         192.168.1.207
> Address:        192.168.1.207#53
>
> _kerberos._tcp.labs.local       service = 0 100 88 ipa2.labs.local.
> _kerberos._tcp.labs.local       service = 0 100 88 ipa.labs.local.
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Please suggest how to use ipa2 for authentication purpose.
>

enrollment != authentication. Once enrolled, sssd takes over and 
handles failover very well.

rob
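As an added illustration of how a client chooses among the `_kerberos._tcp` SRV records shown in the thread and falls over to the next server when one is down (example code written for this page, not SSSD's or FreeIPA's own implementation), the following parses the nslookup output quoted above and orders the targets by RFC 2782 priority and weight. The third, lower-priority record (`ipa-backup.labs.local`) is a constructed addition for illustration and is not in the original post.

```python
import random
from dataclasses import dataclass

# Constructed sample: the two SRV records from the nslookup output in the
# thread, plus one assumed lower-priority backup server (not from the thread).
NSLOOKUP_OUTPUT = """\
_kerberos._tcp.labs.local       service = 0 100 88 ipa2.labs.local.
_kerberos._tcp.labs.local       service = 0 100 88 ipa.labs.local.
_kerberos._tcp.labs.local       service = 10 100 88 ipa-backup.labs.local.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_nslookup_srv(text):
    """Parse 'name service = prio weight port target.' lines into SrvRecord objects."""
    records = []
    for line in text.splitlines():
        if "service =" not in line:
            continue
        prio, weight, port, target = line.split("service =", 1)[1].split()
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records, rng=random):
    """Order per RFC 2782: lowest priority first; within a priority, weighted random."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.uniform(0, total) if total else 0  # all-zero weights: take first
            acc = 0
            for r in pool:
                acc += r.weight
                if pick <= acc:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def select_kdc(records, is_up, rng=random):
    """Return (host, port) of the first reachable target in SRV order, or None."""
    for r in order_srv(records, rng):
        if is_up(r.target):
            return (r.target, r.port)
    return None
```

The `is_up` callback stands in for the client's actual connection attempt; with both priority-0 servers reachable either may be chosen, and only when both are down does the backup get used.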