[Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 24 07:43:21 UTC 2014

On Fri, 24 Oct 2014, Orkhan Gasimov wrote:
>Awesome, it worked!
>Just one final question: how to make that script search not only in 
>ipa1.example.com's LDAP database, but also in ipa2.example.com's LDAP 
>in case ipa1 is inaccessible? It's vital for a production environment!
There are two things here:
 - ldapsearch should use DNS SRV records to discover servers
 - ldapsearch call should rotate over all servers in case of an error

The first is achieved with the -H option if you don't specify a host but rather
use the DN dc=example,dc=com, encoded as described in RFC 2396:

ldapsearch -H ldap://dc%3Dexample%2Cdc%3Dcom

where %3D is the escape sequence for '=' and %2C is the escape sequence for ','.

This would request ldapsearch to first resolve the DNS SRV record
_ldap._tcp.example.com and then connect to the list of servers returned.

All OpenLDAP client-side tools use this technique and rotate over the
list of servers. You can specify multiple servers yourself too as

   -H "ldap://ipa1.example.com ldap://ipa2.example.com ldap://ipa3.example.com"

but using DNS SRV records is more reliable because you don't need to
change your script when you decommission servers.

>I tried copying the whole section of code from " ldapsearch ..." to 
>"... done"
>and putting it after a new instance of " if [ ! -s "$tmpf" ]; then ", 
>but it didn't work (I'm not a programmer...).
>My current cron script is like this: 
>Programmers, please take a glance at the file - logically it shouldn't 
>be difficult to make necessary modifications,
>but I don't know how...
>23-Oct-14 21:40, Alexander Bokovoy wrote:
>>try adding something like this:
>>export KRB5CCNAME=FILE:/tmp/krb5cc_cron.$$   # private credential cache for this run (path is an example)
>>kinit -k -t /etc/krb5.keytab host/`hostname`
>># perform actual search
>>ldapsearch -Y GSSAPI .....
>># end of script
>>kdestroy   # discard the ticket cache when done

/ Alexander Bokovoy
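The pieces discussed in this thread (host-keytab kinit, SRV-based discovery via an encoded base DN, and an explicit server list as fallback) combined into one cron-safe script, as an added example that is not code from the thread and not a FreeIPA-supplied script. It assumes the domain example.com, the base DN dc=example,dc=com, a host/ principal for this machine in /etc/krb5.keytab, and a search filter picked purely for illustration; the variable names IPA_SEARCH_RUN and LDAPSEARCH and the helper names are this example's own. The failover loop goes one step beyond the post: ldapsearch already rotates over the servers in a single -H list, but the loop also gives up early on result codes that every replica would return identically and logs which candidate finally answered.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-safe IPA LDAP query that
# authenticates with the host keytab, lets ldapsearch discover the servers
# through DNS SRV records, and falls back to an explicit server list.
# Assumptions: domain example.com, base DN dc=example,dc=com, a host/
# principal for this machine in /etc/krb5.keytab, and an illustrative filter.

BASE_DN="dc=example,dc=com"
FILTER="(objectClass=person)"                 # chosen for illustration only
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}          # overridable so the logic can be exercised offline

# Percent-encode a base DN for use inside an ldap:// URI (RFC 2396):
# '=' becomes %3D and ',' becomes %2C.
encode_dn() {
    printf '%s' "$1" | sed -e 's/=/%3D/g' -e 's/,/%2C/g'
}

# ldap://<encoded base DN> makes OpenLDAP resolve the _ldap._tcp.<domain>
# SRV record and try the servers it lists, instead of a fixed hostname.
srv_uri() {
    printf 'ldap://%s' "$(encode_dn "$1")"
}

# Run the search against each -H value in turn and stop at the first success.
# Each argument may be a single URI or a space-separated list, exactly as
# ldapsearch -H accepts it.  Result codes every replica would return
# identically (32 noSuchObject, 49 invalidCredentials, 50 insufficientAccess)
# end the loop early; anything else (server down, timeout, DNS failure) moves
# on to the next candidate.  TRIED records the candidates actually attempted.
TRIED=""
search_with_failover() {
    base=$1
    filter=$2
    shift 2
    TRIED=""
    rc=1
    for uri in "$@"; do
        TRIED="$TRIED $uri"
        rc=0
        "$LDAPSEARCH" -LLL -Y GSSAPI -o nettimeout=5 -H "$uri" \
            -b "$base" "$filter" || rc=$?
        case $rc in
            0)  return 0 ;;
            32|49|50)
                echo "ldapsearch via $uri failed with an authoritative error ($rc)" >&2
                return $rc ;;
            *)  echo "ldapsearch via $uri failed ($rc), trying next server" >&2 ;;
        esac
    done
    return $rc
}

# The cron entry point.  A private credential cache keeps the job from
# clobbering root's tickets, and the trap destroys it on exit.
run_cron_search() {
    KRB5CCNAME="FILE:/tmp/krb5cc_ipa_search.$$"
    export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null' EXIT
    kinit -k -t /etc/krb5.keytab "host/$(hostname -f)" || return 1
    # SRV discovery first (no script edits when servers are decommissioned),
    # then a hard-coded list in case DNS itself is what failed.
    search_with_failover "$BASE_DN" "$FILTER" \
        "$(srv_uri "$BASE_DN")" \
        "ldap://ipa1.example.com ldap://ipa2.example.com"
}

# Only run for real when asked to, e.g. from cron:
#   IPA_SEARCH_RUN=1 /usr/local/bin/ipa-search.sh > /var/tmp/ipa-users.ldif
if [ "${IPA_SEARCH_RUN:-0}" = 1 ]; then
    run_cron_search
fi
```

The nettimeout option keeps a dead replica from hanging the cron job for the full TCP timeout before OpenLDAP moves on to the next server; without it, SRV rotation still works but a single unreachable host can stall the run for minutes.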