On 8/13/20 2:35 PM, Louis Bohm via FreeIPA-users wrote:
Adding the DNS fixed it.
Just one more question. Should I be updating the file
/etc/openldap/ldap.conf to include both masters on the URL line on the
clients? The only master that was listed there was the first master
created.
Hi,
ldap.conf is used to set system-wide defaults for LDAP clients. For
instance, if you run ldapsearch without the -H ldapuri option,
ldapsearch will use the URI read from the config file. If the -H option
is provided, it will take precedence over the config file.
The ipa CLI doesn't rely on this file to find the server to talk to
(anyway, it doesn't use LDAP directly but rather XML-RPC or JSON-RPC).
It first tries the server configured in /etc/ipa/default.conf in the
xmlrpc_uri directive, or the servers found using the ldap DNS SRV
records (see the man page for ipa(1)). So from a purely IPA point of
view, there is no need to update /etc/openldap/ldap.conf.
Hope this clarifies,
flo
Louis
-<<—->>-
Louis Bohm
[email protected]
<https://www.youracclaim.com/badges/f11e0d65-21ad-4458-895b-2c5b5cb11134/public_url>
On Aug 12, 2020, at 7:29 AM, Florence Blanc-Renaud <[email protected]> wrote:
On 8/12/20 1:16 PM, Louis Bohm via FreeIPA-users wrote:
Yes, the client was installed not using the --server option. So it
looks like my issue is DNS. We have DNS external to the IPA hosts.
Is there a simple way for me to get a list of all the DNS records
that need to be added to our DNS system from IPA?
Yes, please see my 2nd link that mentions ipa
dns-update-system-records --dry-run:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
flo
Louis
-<<—->>-
Louis Bohm
[email protected]
On Aug 12, 2020, at 5:02 AM, Florence Blanc-Renaud <[email protected]> wrote:
On 8/11/20 11:16 PM, Louis Bohm via FreeIPA-users wrote:
Environment:
2 IPA masters running CentOS 8 and IPA Server 4.8.0.13
Client running CentOS 8 and IPA Client 4.8.0.13
The masters were set up as multi-masters (I think I have it correct).
If I shut down the first master (ipa01) so only ipa02 is running and
then try to log in to the client, I cannot. I found I needed to add
both hosts to the ipa_server line in sssd.conf under the domain
section to make that work.
Now if I try to add a user via the command line on the client, I get
the following error:
ipa: ERROR: cannot connect to
'https://ipa01.bos1.domain.com/ipa/json': [Errno 113] No route to host
Do I need to list both IPA servers somewhere else? If so, where?
I did try adding both IPA servers on the URL line of openldap.conf
(only ipa01 was listed).
Hi,
you can find more information in "Failover, Load balancing and High
Availability in IdM" [1]
On the client-side, it depends on how the client was installed. If
DNS auto-discovery was used (no --server option provided), then
sssd.conf should contain the keyword _srv_ in the list of configured
servers (ipa_server= _srv_, ...). In this case, SSSD is using the
DNS to find the appropriate server, please see sssd-ipa man page,
especially the SERVICE DISCOVERY section.
This requires the client to use a proper DNS server. If the DNS is
provided by the IPA servers, make sure that /etc/resolv.conf on the
client contains ipa01 and ipa02 (otherwise when ipa01 is down, the
client won't be able to use the DNS). If the DNS is external, make
sure that it contains the proper records as explained in "Updating
DNS records systematically when using external DNS" [2]
HTH,
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/load-balancing
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
Louis
-<<—->>-
Louis Bohm
[email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
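A client-side check for the failover configuration discussed in this thread, added here as an example; it is not code from the FreeIPA project or from either poster. It parses constructed copies of sssd.conf and /etc/ipa/default.conf with Python's configparser, plus a constructed answer set for the _ldap._tcp SRV record such as an external DNS would return, and reports whether SSSD and the ipa CLI each still have a master to fall back to when ipa01 is down. The hostnames (bos1.domain.com, ipa01, ipa02, client), the file contents and the SRV answers are assumptions modelled on the thread; the fallback order for the CLI (xmlrpc_uri host first, then the ldap SRV targets) is taken from flo's description of ipa(1), and SSSD is modelled as trying the explicit ipa_server entries plus, when _srv_ is present, whatever DNS advertises.

```python
"""Failover check for an IPA client with two masters (added example, not
FreeIPA project code). File contents, hostnames and DNS answers below are
constructed samples; on a real client read /etc/sssd/sssd.conf and
/etc/ipa/default.conf and query _ldap._tcp.<domain> with dig(1)."""
import configparser
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlsplit

DOMAIN = "bos1.domain.com"
MASTERS = ["ipa01.bos1.domain.com", "ipa02.bos1.domain.com"]

# Constructed sssd.conf listing only the first master (the thread's starting point).
SSSD_CONF_SINGLE = """\
[sssd]
domains = bos1.domain.com
services = nss, pam, ssh, sudo

[domain/bos1.domain.com]
id_provider = ipa
ipa_domain = bos1.domain.com
ipa_hostname = client.bos1.domain.com
ipa_server = ipa01.bos1.domain.com
cache_credentials = True
"""
# Same file with DNS discovery (_srv_) and both masters as explicit fallbacks.
SSSD_CONF_FAILOVER = SSSD_CONF_SINGLE.replace(
    "ipa_server = ipa01.bos1.domain.com",
    "ipa_server = _srv_, ipa01.bos1.domain.com, ipa02.bos1.domain.com",
)
# Constructed /etc/ipa/default.conf; xmlrpc_uri points at the first master.
DEFAULT_CONF = """\
[global]
basedn = dc=bos1,dc=domain,dc=com
realm = BOS1.DOMAIN.COM
domain = bos1.domain.com
server = ipa01.bos1.domain.com
host = client.bos1.domain.com
xmlrpc_uri = https://ipa01.bos1.domain.com/ipa/xml
enable_ra = True
"""
# Constructed SRV answers as (priority, weight, port, target) tuples.
SrvRecord = Tuple[int, int, int, str]
SrvAnswers = Dict[str, List[SrvRecord]]
SRV_FIRST_ONLY: SrvAnswers = {
    "_ldap._tcp.bos1.domain.com": [(0, 100, 389, "ipa01.bos1.domain.com.")],
}
SRV_BOTH: SrvAnswers = {
    "_ldap._tcp.bos1.domain.com": [
        (0, 100, 389, "ipa01.bos1.domain.com."),
        (0, 100, 389, "ipa02.bos1.domain.com."),
    ],
}


def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)  # keep literal '%'
    cp.read_string(text)
    return cp


def sssd_ipa_servers(sssd_conf: str, domain: str) -> List[str]:
    """ipa_server entries of [domain/<domain>], in the order SSSD tries them."""
    raw = _load(sssd_conf).get(f"domain/{domain}", "ipa_server", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def cli_first_server(default_conf: str) -> str:
    """Host the ipa CLI contacts first: the xmlrpc_uri host in [global]."""
    return urlsplit(_load(default_conf).get("global", "xmlrpc_uri")).hostname or ""


def srv_targets(answers: SrvAnswers, domain: str) -> List[str]:
    """Masters advertised by _ldap._tcp.<domain>, best priority/weight first."""
    records = sorted(answers.get(f"_ldap._tcp.{domain}", []), key=lambda r: (r[0], -r[1]))
    return [target.rstrip(".") for _prio, _weight, _port, target in records]


def masters_missing_from_dns(answers: SrvAnswers, domain: str, masters: Sequence[str]) -> List[str]:
    """Masters the external DNS does not advertise (what the dry run would have you add)."""
    advertised = set(srv_targets(answers, domain))
    return [m for m in masters if m not in advertised]


def check_client(sssd_conf: str, default_conf: str, answers: SrvAnswers,
                 domain: str, down: str) -> Dict[str, object]:
    """Which client components still have a reachable master when `down` is off."""
    servers = sssd_ipa_servers(sssd_conf, domain)
    explicit = {s for s in servers if s != "_srv_"}
    advertised = set(srv_targets(answers, domain))
    # SSSD: explicit entries always count; _srv_ adds what DNS advertises
    # (which also needs the DNS itself to stay reachable while `down` is off).
    sssd_candidates = explicit | (advertised if "_srv_" in servers else set())
    # ipa CLI: xmlrpc_uri host first, then the ldap SRV targets.
    cli_candidates = {cli_first_server(default_conf)} | advertised
    return {
        "sssd_alternatives": sorted(sssd_candidates - {down}),
        "sssd_ok": bool(sssd_candidates - {down}),
        "cli_alternatives": sorted(cli_candidates - {down}),
        "cli_ok": bool(cli_candidates - {down}),
    }


if __name__ == "__main__":
    for label, sssd, srv in [
        ("one server, ipa01 only in DNS", SSSD_CONF_SINGLE, SRV_FIRST_ONLY),
        ("failover sssd.conf, ipa01 only in DNS", SSSD_CONF_FAILOVER, SRV_FIRST_ONLY),
        ("failover sssd.conf, both masters in DNS", SSSD_CONF_FAILOVER, SRV_BOTH),
    ]:
        r = check_client(sssd, DEFAULT_CONF, srv, DOMAIN, down=MASTERS[0])
        print(f"{label}: sssd_ok={r['sssd_ok']} cli_ok={r['cli_ok']} "
              f"missing from DNS={masters_missing_from_dns(srv, DOMAIN, MASTERS)}")
```

The middle case reproduces the thread's symptom: with both masters on the ipa_server line, SSSD logins survive ipa01 going down, but the ipa CLI still has nowhere to go until the external DNS advertises ipa02 as well, which is the last case.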