Hi,
from sssd-ldap, "After this timeout SSSD will periodically try to reconnect to one of the primary servers. If it succeeds, it will replace the current active (backup) server."
I am seeing that the reconnect is made to other backup servers and not just to primary servers. A quick search of the tickets on backup servers didn't find anything. Was this already fixed in the recent version or is this wanted behaviour?
Running 1.9.2.11 on CentOS 6.5.
Thanks
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

On 09/22/2014 07:14 PM, Daniel Jung wrote:
> I am seeing that the reconnect is made to other backup servers and not just to primary servers.

What back end are you using? IPA, AD, basic LDAP? Do you configure failover explicitly or use DNS discovery?
A sanitized sssd.conf would help to answer this.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
LDAP and using explicit failover

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldapserver-1
ldap_backup_uri = ldap://ldapserver-2,ldap://ldapserver-3,ldap://ldapserver-4
ldap_rfc2307_fallback_to_local_users = true
ldap_search_base = dc=Somedomain,dc=com
ldap_user_search_base = ou=People,dc=Somedomain,dc=com
ldap_group_search_base = ou=Group,dc=Somedomain,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
cache_credentials = true
entry_cache_timeout = 600
enumerate = False
min_id = 100
ldap_network_timeout = 2
ldap_search_timeout = 5
debug_level = 0x0070
debug_microseconds = true

My test is as follows: I blocked the client's IP on port 389 (using iptables) on ldapserver-1 and ldapserver-2, at which time the client connected to ldapserver-3. I then unblocked the client's IP on ldapserver-2 and I see that sssd connects to ldapserver-2.
Thanks
On Mon, Sep 22, 2014 at 4:57 PM, Dmitri Pal dpal@redhat.com wrote:
> A sanitized sssd.conf would help to answer this.
On 09/22/2014 08:34 PM, Daniel Jung wrote:
> I then unblocked the client's IP on ldapserver-2 and I see that sssd connects to ldapserver-2.

Logic is: Prefer primary, if not available go to a first available backup server.
If you do: block the client's IP on port 389 (using iptables) on ldapserver-1 and ldapserver-2, at which time the client would connect to ldapserver-3. Unblock the client's IP on ldapserver-1 and ldapserver-2 and I see that sssd connects to ldapserver-1.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
It would be greatly helpful to indicate that the first available backup server is chosen even when the active server is another backup server.
On Sep 22, 2014 6:46 PM, "Dmitri Pal" dpal@redhat.com wrote:
> Logic is: Prefer primary, if not available go to a first available backup server.
This should be indicated in the SSSD debug logs, is it not?
On 23 Sep 2014, at 07:02, Daniel Jung mimianddaniel@gmail.com wrote:
> It would be greatly helpful to indicate that the first available backup server is chosen even when the active server is another backup server.
Perhaps it should be mentioned in the FAILOVER section of the sssd-ldap man page as well? Also, just out of curiosity, while the primary servers do NOT show the same behaviour of giving higher preference to the server listed first, why do this for the backup server list?
On Tue, Sep 23, 2014 at 12:05 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> This should be indicated in the SSSD debug logs, is it not?
On 09/23/2014 12:49 PM, Daniel Jung wrote:
> while the primary servers do NOT show the same behaviour of giving higher preference to the server listed first, why do this for the backup server list?

AFAIU if you are connected to the primary server there is no need to fail over, so it sticks until something goes wrong. With backup servers it will try to get back to one of the primary servers before falling back again to one of the secondary ones. I suspect that as it fails to connect to any primary server it starts to follow the list from the beginning.
I remember reading all this somewhere. Just do not recall where... Please file a ticket.
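The failover order Dmitri describes in his two replies (prefer a primary; otherwise the first reachable backup in list order, with each retry starting again from the top of the backup list) and the two experiments Daniel ran, replayed as an added Python model. This is illustrative code written for this page, not SSSD's own implementation: the sssd.conf fragment is constructed from the thread's config, and the `reachable` set standing in for iptables blocking, the single `reconnect()` call standing in for SSSD's periodic retry timer, and all class and function names are assumptions.

```python
"""Model of the SSSD LDAP failover order discussed on the sssd-users thread.

Illustrative code for this page, not SSSD's implementation. Assumptions:
reachability is a set of server URIs the caller controls (standing in for
the iptables block), and one reconnect() call stands in for one tick of
SSSD's periodic retry-to-primary timer.
"""
import configparser

# Constructed sssd.conf fragment: only the failover-relevant keys from the thread.
SSSD_CONF = """\
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldapserver-1
ldap_backup_uri = ldap://ldapserver-2,ldap://ldapserver-3,ldap://ldapserver-4
"""


def parse_uri_lists(conf_text, domain="domain/LDAP"):
    """Return (primary, backup) server lists in configured order."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sect = cp[domain]

    def split(key):
        raw = sect.get(key, "")
        return [u.strip() for u in raw.split(",") if u.strip()]

    return split("ldap_uri"), split("ldap_backup_uri")


class FailoverModel:
    """Prefer any reachable primary; otherwise the first reachable backup in list order."""

    def __init__(self, primary, backup):
        self.primary = list(primary)
        self.backup = list(backup)
        self.active = None  # URI currently in use, or None when nothing answers

    @staticmethod
    def _first_reachable(servers, reachable):
        for server in servers:
            if server in reachable:
                return server
        return None

    def connect(self, reachable):
        """Initial connection: walk the primary list, then the backup list."""
        self.active = (self._first_reachable(self.primary, reachable)
                       or self._first_reachable(self.backup, reachable))
        return self.active

    def reconnect(self, reachable):
        """One retry tick. A working primary connection is left alone; while on a
        backup (or disconnected) the search restarts from the top of both lists,
        so an earlier-listed backup that became reachable replaces the active one
        even when no primary is back yet (the behaviour Daniel observed)."""
        if self.active in self.primary and self.active in reachable:
            return self.active
        return self.connect(reachable)


def run_thread_scenarios():
    """Replay the experiments from the thread; returns the active server after each step."""
    primary, backup = parse_uri_lists(SSSD_CONF)
    s1, s2, s3, s4 = ("ldap://ldapserver-%d" % i for i in range(1, 5))
    model = FailoverModel(primary, backup)
    steps = []
    steps.append(model.connect({s3, s4}))            # 1 and 2 blocked -> 3
    steps.append(model.reconnect({s2, s3, s4}))      # 2 unblocked -> 2 (first reachable backup)
    steps.append(model.reconnect({s1, s2, s3, s4}))  # 1 and 2 unblocked -> 1 (primary wins)
    steps.append(model.reconnect({s1, s3}))          # primary still up: stays on 1
    return steps


if __name__ == "__main__":
    for step, server in enumerate(run_thread_scenarios(), 1):
        print("step %d: active server %s" % (step, server))
```

The model returns `None` when every server is unreachable, which is the state where `cache_credentials = true` in Daniel's config keeps logins working from the cache. In practice, the sequence the model predicts should be confirmed against the SSSD debug log of the domain process, as Jakub suggests, rather than assumed from the config alone.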
On Tue, Sep 23, 2014 at 09:49:53AM -0700, Daniel Jung wrote:
> Perhaps it should be mentioned in the FAILOVER section of the sssd-ldap man page as well?

Feel free to raise a ticket: https://fedorahosted.org/sssd/newticket

> Also, just out of curiosity, while the primary servers do NOT show the same behaviour of giving higher preference to the server listed first, why do this for the backup server list?

I agree with Dmitri's response here.