[Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers

Rob Crittenden rcritten at redhat.com
Wed Apr 8 20:09:26 UTC 2015


Guertin, David S. wrote:
> I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL
> 7 IPA servers (one master and two duplicates). I'm trying to ensure that
> if one server goes down, the remaining server(s) will still allow logins.
> With the RHEL 6 clients this is easy -- the line
>
>   ipa_server = _srv_, server1.ipa.middlebury.edu
>
> in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything is
> fine.
>
> But with the RHEL 5 clients, this doesn't work. If server 1 goes down,
> logins fail. Since RHEL 5 is using LDAP, I figured it was probably in
> the ldap_uri line in the sssd.conf file. I discovered that I could add
> multiple servers, which I did:
>
>   ldap_uri = ldap://server1.ipa.middlebury.edu, ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu
>
> 
> But this still failed. However, if I do something similar in /etc/ldap.conf:
>
>   uri ldap://server1.ipa.middlebury.edu ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu
>
> 
> then logins work. In fact, I don't even need the change in sssd.conf. I
> can put that back the way it was, and logins still work. It's only the
> line in /etc/ldap.conf that seems to be necessary.
>
> So, I have two questions:
>
> 1. Am I understanding this correctly?
>
> 2. If so, is there a way to automate this so that when I run
> ipa-client-install on my RHEL 5 clients, they get the correct LDAP
> settings from the beginning, and I don't have to go and manually edit
> the ldap.conf file?

I think the SSSD guys are going to want to see your full sssd.conf.

An ipaclient-install.log for one of these clients might be handy too so
we can discern how you are configuring the client.

rob



