[Freeipa-users] openldap certs?

Jakub Hrozek jhrozek at redhat.com
Thu May 22 15:02:38 UTC 2014


On Thu, May 22, 2014 at 10:36:45AM -0400, Bret Wortman wrote:
> I found that our slower system was using FQDNs for the list of IPA
> servers; our faster system was using IPs. I'm switching now, letting
> Puppet distribute the update and will see if it helps.
> 
> By enumeration, do you mean are we spelling out our IPA servers?
> Yes. We only have 3 and they look something like this:

I suspect there are some DNS issues or failover issues on the 'slow'
network. Can you post the domain logs?

If you are concerned about some private data in the logs, feel free to
send them to me directly.

> 
> [domain/foo.net]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = foo.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = rm266ws-a.foo.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63

Even with the IP addresses, the first server instance is "_srv_", which
means the SSSD would try to get the server list from the DNS.

> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> 
> domains = foo.net
> [nss]
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> On the other hand, if you meant something else, then I hope the
> answer's in the file. ;-)
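
As an added example (not from this thread or from the SSSD project), the script below audits the ipa_server order in an sssd.conf domain section the way the reply above reads it: it reports where _srv_ sits in the list, names the DNS SRV record (_ldap._tcp.<domain>) that a _srv_ entry makes SSSD resolve, and prints the same option with _srv_ moved last so the explicit servers are tried before DNS. The sssd.conf fragment is constructed from the one quoted above; the script assumes the discovery domain equals ipa_domain (no dns_discovery_domain set) and that the ipa_server option is written on a single line.

```shell
#!/bin/sh
# Added example: audit the server order SSSD uses for an IPA domain
# (not code from the thread or from SSSD itself).

# Constructed sssd.conf modelled on the one quoted in the thread.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[domain/foo.net]
id_provider = ipa
ipa_domain = foo.net
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
domains = foo.net
EOF

# Print the value of KEY inside [SECTION] of an INI-style file.
# Usage: ini_get FILE SECTION KEY
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 == want); next }
        in_sec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[ \t]*=/) {
                    sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit
                }
            }
        }' "$1"
}

# ipa_server entries, one per line, in the order SSSD tries them.
# Usage: ipa_server_order FILE DOMAIN
ipa_server_order() {
    ini_get "$1" "domain/$2" ipa_server | tr ',' '\n' |
        awk '{ gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "") print }'
}

# 1-based position of _srv_ in that list, 0 if absent.
srv_position() {
    ipa_server_order "$1" "$2" |
        awk '$0 == "_srv_" && !p { p = NR } END { print p + 0 }'
}

# SRV name a _srv_ entry makes SSSD resolve for the IPA/LDAP service.
# Assumes the discovery domain is ipa_domain (dns_discovery_domain unset).
srv_lookup_name() {
    echo "_ldap._tcp.$(ini_get "$1" "domain/$2" ipa_domain)"
}

# Same option value with _srv_ moved to the end: explicit servers first,
# DNS discovery only as the fallback.
ipa_server_srv_last() {
    ipa_server_order "$1" "$2" | awk '
        $0 == "_srv_" { srv = 1; next }
        { out = out (out == "" ? "" : ", ") $0 }
        END { if (srv) out = out (out == "" ? "" : ", ") "_srv_"; print out }'
}

# Human-readable summary for one domain.
report() {
    conf="$1"; dom="$2"
    pos="$(srv_position "$conf" "$dom")"
    echo "ipa_server order for $dom:"
    ipa_server_order "$conf" "$dom" | awk '{ printf "  %d. %s\n", NR, $0 }'
    if [ "$pos" -eq 1 ]; then
        echo "_srv_ is first: SSSD resolves $(srv_lookup_name "$conf" "$dom") before trying any listed IP."
        echo "Suggested value: ipa_server = $(ipa_server_srv_last "$conf" "$dom")"
    elif [ "$pos" -gt 1 ]; then
        echo "_srv_ is entry $pos: listed servers are tried first, DNS is the fallback."
    else
        echo "no _srv_ entry: DNS discovery is not used for this domain."
    fi
}

report "$SAMPLE_CONF" foo.net
```

Run it against a real /etc/sssd/sssd.conf by calling report with that path and the domain name; if the _srv_ lookup is what makes the "slow" network slow, timing a manual dig of the printed _ldap._tcp name from an affected client is the next check.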
