[Freeipa-users] LDAP server failover via altServer attribute?

"Răzvan Corneliu C.R. VILT" razvan.vilt at me.com
Fri May 20 19:45:32 UTC 2016


Hi guys,

Regarding the Macs, there are a few notes:

1) The template Kerberos setup can be pushed through LDAP (cn=KerberosClient and cn=KerberosKDC,cn=config)
2) The LDAP replicas can also be configured in cn=config; OpenDirectory caches them in the following format:

dn: cn=ldapreplicas, cn=config, dc=example, dc=com
objectClass: apple-configuration
apple-ldap-replica: ldap://192.168.1.1
apple-ldap-replica: ldap://192.168.2.2
apple-ldap-writable-replica: ldap://192.168.1.1
apple-ldap-writable-replica: ldap://192.168.2.2
apple-xml-plist: base64 encoding of:
---------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>GUID</key>
	<string>01234567-89AB-CDEF-0123-456789ABCDEF</string>
	<key>IPaddresses</key><!-- of the master ipa host if there are multiple interfaces for it -->
	<array>
		<string>192.168.1.1</string>
		<string>10.0.0.1</string>
	</array>
	<key>PrimaryMaster</key>
	<string>ipa-server.example.org</string>
	<key>ReplicaName</key>
	<string>Master</string>
	<key>Replicas</key>
	<array>
		<string>ipa-bkserver.example.org</string>
	</array>
	<!-- use only <array/> if there are no replicas -->
</dict>
</plist>
----------------------

3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.


If you do this manually instead of the OpenDirectory-compatible way, your machine doesn't create an account for itself in IPA, so service access without login is not available, it doesn't download the root CA automatically and you don't get SSO out of the box.


> On 20 May 2016, at 22:13, Guillermo Fuentes <guillermo.fuentes at modernizingmedicine.com> wrote:
> 
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = yes" and removing the KDC server ("kdc = xxx") entries from the /Library/Preferences/edu.mit.Kerberos config file does the trick.
> 
> For LDAP, although you can enable it, I can't see it documented anywhere so I'm assuming that isn't the recommended way for the Mac. This can be enabled by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
> 
> Adding the altServer values with the Directory Manager credentials worked and I'm happy to report that the failover on the Mac works great with FreeIPA!
> 
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com
> -
> add: altServer
> altServer: ldap://ipa3.example.com
> 
> modifying entry ""
> ^D
> 
> The altServer values didn't replicate so I had to add them to each of the FreeIPA servers.
> 
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute to look for replicas in case of failover:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
> 
> And, voila! Highly available authentication with a FreeIPA cluster for the Mac!
> 
> Thanks so much for your help!
> Guillermo
> 
> 
> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Martin Basti wrote:
> Hello,
> 
> IPA uses SRV records for failover to another replica/LDAP.
> 
> I don't know how it works on MACs, but in case that there is no
> possibility to use SRV, you may need to file a RFE ticket
> (https://fedorahosted.org/freeipa/newticket)
> 
> Agreed, SRV records are the preferred mechanism. I was curious though so played with this a bit and it is possible to add altServer values:
> 
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://gyre.example.com
> 
> modifying entry ""
> ^D
> 
> $ ldapsearch -LLL -x -b "" -s base altServer
> dn:
> altServer: ldap://gyre.example.com
> 
> My test rig is a single master so I don't know if this replicates or not.
> 
> rob
> 
> 
> Martin
> 
> 
> On 19.05.2016 17:43, Guillermo Fuentes wrote:
> Hello all,
> 
> As OS X allows LDAP server failover via the altServer attribute
> (RFC4512) from RootDSE, it would be great to be able to configure our
> Macs to connect to a single FreeIPA server and add other FreeIPA
> servers as multiple altServer values.
> The current schema doesn't seem to support adding this attribute.
> Can this be done in a way I'm missing?
> 
> Thanks in advance!
> 
> GUILLERMO FUENTES
> SR. SYSTEMS ADMINISTRATOR
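An added consistency check (not code from any message in this thread) for the point Guillermo makes above: altServer values do not replicate, so each FreeIPA server must be updated separately, and a server that was missed silently leaves Macs bound to it with no failover list. The script parses the RootDSE output of `ldapsearch -LLL -x -b "" -s base altServer` from each server (constructed sample output below, with ipa3 deliberately left unconfigured), reports the peers each server fails to advertise, and emits the ldapmodify LDIF needed to close the gap. Hostnames are this example's own assumptions.

```python
"""Verify every FreeIPA server advertises its peers via altServer in the RootDSE."""
import re
from typing import Dict, List, Set

# Assumed hostnames for the example; in practice run, per server,
#   ldapsearch -LLL -x -H ldap://<host> -b "" -s base altServer
# and feed each server's output in below.
SERVERS = ["ipa1.example.com", "ipa2.example.com", "ipa3.example.com"]

# Constructed sample RootDSE dumps: ipa3 never received the altServer update.
SAMPLE_LDIF = {
    "ipa1.example.com": "dn:\naltServer: ldap://ipa2.example.com\naltServer: ldap://ipa3.example.com\n",
    "ipa2.example.com": "dn:\naltServer: ldap://ipa1.example.com\naltServer: ldap://ipa3.example.com\n",
    "ipa3.example.com": "dn:\n",
}

def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_altservers(ldif: str) -> Set[str]:
    """Return the hostnames listed as altServer (ldap:// or ldaps://) in a RootDSE dump."""
    hosts: Set[str] = set()
    for line in unfold(ldif):
        m = re.match(r"^altServer:\s*ldaps?://([^/:\s]+)", line, re.IGNORECASE)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def missing_altservers(servers: List[str], ldif_by_server: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each server to the peers it does not advertise; servers with no gap are omitted."""
    report: Dict[str, List[str]] = {}
    for host in servers:
        expected = {h.lower() for h in servers if h != host}
        gap = sorted(expected - parse_altservers(ldif_by_server.get(host, "")))
        if gap:
            report[host] = gap
    return report

def build_modify_ldif(peers: List[str]) -> str:
    """Build the ldapmodify input (same shape as in the thread) that adds the missing peers."""
    return "dn:\nchangetype: modify\n" + "-\n".join(f"add: altServer\naltServer: ldap://{p}\n" for p in peers)

if __name__ == "__main__":
    for host, gap in missing_altservers(SERVERS, SAMPLE_LDIF).items():
        print(f"{host} is missing altServer for {', '.join(gap)}; apply with ldapmodify:\n{build_modify_ldif(gap)}")
```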
