Hi,
We run various CentOS releases from 5.4 to 6.5. Some of the early OS releases' packages from RHEL are pretty old, older than LTM by the looks of it. What would be the general rule of thumb for the SSSD version? Run two separate latest custom versions per 5 and 6? My main focus with SSSD would be to ensure LDAP connectivity via SRV + off auth while LDAP is not available. Not sure when SRV support was introduced and how stable it is. Your feedback is much appreciated.
Thanks
On 05/19/2014 07:20 PM, Daniel Jung wrote:
> Hi,
> We run various CentOS releases from 5.4 to 6.5. Some of the early OS releases' packages from RHEL are pretty old, older than LTM by the looks of it. What would be the general rule of thumb for the SSSD version? Run two separate latest custom versions per 5 and 6? My main focus with SSSD would be to ensure LDAP connectivity via SRV + off auth while LDAP is not available. Not sure when SRV support was introduced and how stable it is. Your feedback is much appreciated.
> Thanks
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
The latest SSSD in RHEL5 is 1.5 and will do for your use case. Using the latest available SSSD that comes with the corresponding RHEL6 version is recommended.
On (19/05/14 20:29), Dmitri Pal wrote:
> The latest SSSD in RHEL5 is 1.5 and will do for your use case. Using the latest available SSSD that comes with the corresponding RHEL6 version is recommended.
Stephen Gallagher prepared a yum repository with sssd-1.9: https://copr.fedoraproject.org/coprs/sgallagh/sssd-1.9-rhel5/
If you have a problem with the default version from CentOS 5.x, it might be a choice. It is an unofficial repository and is based on upstream sssd 1.9.
LS
Thanks for the info guys. With the PCI compliance issue, I would try to stick with what's available from official RHEL first. Can someone from the list share their experience with SSSD with SRV records? Timeout issues/failover/offline auth are things I am interested in hearing about. Any caveats or issues they had experienced in the past? I did notice there are a few bugs that were fixed in the later version of SSSD related to the SRV implementation, which is the reason I was somewhat hesitant to use the old package.
Thanks again guys.
On 2014-05-19 10:44 PM, Lukas Slebodnik wrote:
> Stephen Gallagher prepared a yum repository with sssd-1.9: https://copr.fedoraproject.org/coprs/sgallagh/sssd-1.9-rhel5/
> If you have a problem with the default version from CentOS 5.x, it might be a choice. It is an unofficial repository and is based on upstream sssd 1.9.
On Mon, May 19, 2014 at 10:59:13PM -0700, Daniel Jung wrote:
> Thanks for the info guys. With the PCI compliance issue, I would try to stick with what's available from official RHEL first. Can someone from the list share their experience with SSSD with SRV records? Timeout issues/failover/offline auth are things I am interested in hearing about. Any caveats or issues they had experienced in the past? I did notice there are a few bugs that were fixed in the later version of SSSD related to the SRV implementation, which is the reason I was somewhat hesitant to use the old package.
> Thanks again guys.
The bugs we fixed in 1.9 were mostly related to recovery after the SRV record could not be resolved. IIRC also a better way to handle per-request timeouts was added after the RHEL5 version was released. In the general case (not taking features like AD sites into account), the failover code has been fairly stable.
Thanks for the response guys. Just one more question on the topic of SRV records: does the SSSD implementation follow the SRV RFC closely? Would I need to dig into the code to find this?
On May 20, 2014 3:28 AM, "Jakub Hrozek" jhrozek@redhat.com wrote:
> The bugs we fixed in 1.9 were mostly related to recovery after the SRV record could not be resolved. IIRC also a better way to handle per-request timeouts was added after the RHEL5 version was released. In the general case (not taking features like AD sites into account), the failover code has been fairly stable.
On Tue, May 20, 2014 at 11:01:42PM -0700, Daniel Jung wrote:
> Thanks for the response guys. Just one more question on the topic of SRV records: does the SSSD implementation follow the SRV RFC closely? Would I need to dig into the code to find this?
As far as I know it does, the code was modeled after the RFC. Is there any particular functionality that you are concerned about?
Hi Jakub,
I was curious about how the servers with the same priority with weights were implemented; the wording in the RFC on this algorithm was a bit hard to visualize for me, and whether this was strictly followed. Also, which timeout setting is applied for cases where the selected server is not reachable and the next server is selected and connected? Would this be the same timeout setting when using multiple servers with URI instead of DN?
Thanks for all the information.
On Wed, May 21, 2014 at 3:14 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> As far as I know it does, the code was modeled after the RFC. Is there any particular functionality that you are concerned about?
On Thu, May 22, 2014 at 01:55:44PM -0700, Daniel Jung wrote:
> Hi Jakub,
> I was curious about how the servers with the same priority with weights were implemented; the wording in the RFC on this algorithm was a bit hard to visualize for me, and whether this was strictly followed.
You can see the implementation of the weight selection here: https://git.fedorahosted.org/cgit/sssd.git/tree/src/resolv/async_resolv.c#n2...
Even if you're not a C programmer, maybe the comments will show how we follow the RFC. The intent of the code is to share the load from several clients according to the sum of the weights on the same priority level. So if you had two servers A and B with the same priority with weights of 70 and 30 respectively, 70% of clients should select server A and 30% should select server B.
> Also, which timeout setting is applied for cases where the selected server is not reachable and the next server is selected and connected? Would this be the same timeout setting when using multiple servers with URI instead of DN?
There are several timeouts at play, depending on how exactly the server is unreachable and what the provider is. For DNS resolution itself, dns_resolver_timeout is applied. Once you have an IP address and start connecting to an LDAP server, we try for ldap_network_timeout seconds.
There are different timeouts for Kerberos, you can see them all in the sssd-ldap and sssd-krb5 man pages.
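The weight selection discussed in the last reply, as an added example that is not part of the original thread and is not SSSD's code: a C sketch of RFC 2782 ordering (ascending priority, weighted-random choice within one priority) with a simulation of many clients picking their first server. The host names, the fixed-seed PRNG and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct srv { const char *host; uint16_t prio, weight; };
/* Constructed sample set (hypothetical hosts); weights 70/30 as in the thread. */
static const struct srv SAMPLE[3] = { {"ldap-a.example.com", 0, 70},
    {"ldap-b.example.com", 0, 30}, {"ldap-backup.example.com", 10, 0} };

/* xorshift32 with a fixed seed, so the simulation is reproducible. */
static uint32_t rng_state = 2463534242u;
static uint32_t rng_next(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17;
    return rng_state ^= rng_state << 5;
}
static int cmp_srv(const void *a, const void *b) {
    const struct srv *x = a, *y = b;
    if (x->prio != y->prio) return x->prio < y->prio ? -1 : 1;
    return (x->weight != 0) - (y->weight != 0);  /* weight 0 first (RFC 2782) */
}

/* Order in place: ascending priority, weighted-random within one priority. */
void srv_order(struct srv *r, size_t n) {
    qsort(r, n, sizeof *r, cmp_srv);
    for (size_t i = 0; i < n; i++) {
        size_t end = i, j;
        uint32_t sum = 0, run = 0, pick;
        while (end < n && r[end].prio == r[i].prio) sum += r[end++].weight;
        pick = rng_next() % (sum + 1);            /* uniform in 0..sum */
        for (j = i; (run += r[j].weight) < pick; j++) ;
        struct srv chosen = r[j];                 /* first running sum >= pick */
        memmove(&r[i + 1], &r[i], (j - i) * sizeof *r);
        r[i] = chosen;
    }
}

/* Share of simulated clients (n <= 8) whose first choice is `host`. */
double first_choice_share(const struct srv *set, size_t n, const char *host, int trials) {
    int hits = 0;
    for (int t = 0; t < trials; t++) {
        struct srv tmp[8];
        memcpy(tmp, set, n * sizeof *set);
        srv_order(tmp, n);
        hits += strcmp(tmp[0].host, host) == 0;
    }
    return (double)hits / trials;
}
int main(void) { printf("%.3f\n", first_choice_share(SAMPLE, 3, SAMPLE[0].host, 100000)); return 0; }
```

Because the RFC draws the random number from 0..sum inclusive, the simulated shares come out close to, not exactly, 70% and 30%; the priority 10 host is never a first choice while a priority 0 record exists.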